Gateway gets stripped from DHCP Reply through OpenVPN tunnel
I have a bridged OpenVPN setup. This is my server config:
port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# brtctl upscript
script-security 2
up /etc/openvpn/up.sh
tls-server
server-bridge
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
The server is running on a Debian machine running in network A, the client is running on a OpenWRT router in network B. On network A, the tap0 interface is bridged with the local network, containing a DHCP server and a gateway to the internet. On network B, the tap0 interface is bridged with a separate network without DHCP-server or internet access. The idea is that the OpenVPN tunnel provides internet access for network B.
In this setup, the OpenVPN server doesn't allocate IP addresses for use by the clients. Instead, it just lets the DHCP server in the local network deal with that. This works because this is a bridged (TAP), not routed (TUN) setup.
So, DHCP does work over the tunnel. The clients on network B's side get their IP addresses directly from the DHCP server on network A's side. The problem is that it looks like the default gateway gets stripped from the DHCP reply, because it is empty on the machines on network B.
For example, this is what I get on a Windows client connected to network B:
Ethernet adapter Ethernet:
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.2.123(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : vrijdag 25 juli 2014 22:49:38
Lease Expires . . . . . . . . . . : zaterdag 26 juli 2014 10:49:38
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
I found this: https://community.openvpn.net/openvpn/ticket/312#comment:3
This suggests that this is documented behavior, but I don't know how to disable this. I tried using the directive route-nopull
on the client-side, but it doesn't appear to have any effect.
Also, I can't use redirect-gateway
directives since I need to get the gateway right on the machines bridged with the OpenVPN client's tap0 adapter, not on the OpenVPN client itself.
My client-side config as follows:
config openvpn sample_client
option enabled 1
option client 1
option dev tap
option proto udp
list remote "server.com 1194"
option resolv_retry infinite
option nobind 1
option persist_key 1
option persist_tun 1
option ca /etc/openvpn/ca.crt
option cert /etc/openvpn/client.crt
option key /etc/openvpn/client.key
option ns_cert_type server
option comp_lzo yes
option verb 3
option route-nopull 1
Keep in mind that is in OpenWRT's UCI format.
EDIT:
Just found this in the logs:
daemon.notice openvpn(sample_client)[5062]: Extracted DHCP router address: 192.168.2.1
This is exactly the behavior I want to disable.
Also found this:
If --server-bridge is used without any parameters, it will enable a DHCP-proxy mode, where connecting OpenVPN clients will receive an IP address for their TAP adapter from the DHCP server running on the OpenVPN server-side LAN. Note that only clients that support the binding of a DHCP client with the TAP adapter (such as Windows) can support this mode. The optional nogw flag (advanced) indicates that gateway information should not be pushed to the client.
Interesting. I did not set nogw
. Could it be that is is implicitly set or something? Can I 'unset' it explicitly?
EDIT: Found this: https://forums.openvpn.net/topic13494.html
Someone with the same problem, thread from a year ago. No answers.
Solution 1:
According to OpenVPN documentationserver-bridge
is a shortcut expression for
mode server
tls-server
push "route-gateway dhcp"
and
server-bridge nogw
is a shortcut expression for
mode server
tls-server
Interestingly push "route-gateway dhcp"
activates a DHCP-proxy that stripes out the default gateway option in DHCP response from the original DHCP server. This can be seen in OpenVPN logdaemon.notice openvpn[4879]: Extracted DHCP router address: a.b.c.d
Your solution would be to use server-bridge nogw and the DHCP response contains the default route option again.
Solution 2:
Just had this problem myself and found this, without a useful solution. After a few hours i figured it out!
Just use this:
mode server
tls-server
and remove:
server-bridge
And the DHCP will pass directly to the client!