
Option to setup in Bridge Mode #45

Open
bitcoinissue opened this Issue Jun 8, 2016 · 56 comments


bitcoinissue commented Jun 8, 2016

Hello,

First, this script is incredible. So simple, straightforward, and works right out of the box. Thank you so much!

I had a question though, I've been attempting to get OpenVPN running in bridge mode, so when I connect to the VPN I can see the bonjour information of all the machines on my LAN. I have a bunch of network shares, a SAN, and a bunch of machines, all Mac based, that would be nice to see populated on a finder level when other people VPN into our network.

I've been kind of following these guides, attempting to make them work. I've gotten pretty far, able to get the bridge up and running, but sometimes the Raspberry Pi locks up completely when I start the OpenVPN service, or I get Handshake errors and no internet connectivity. I can't seem to get through the last few feet of actually making it work.

https://www.aaflalo.me/2015/01/openvpn-with-tls-in-bridged-mode/
http://www.wedebugyou.com/2013/01/how-to-use-bonjour-over-vpn/
http://www.server-world.info/en/note?os=CentOS_6&p=openvpn

Would it be possible to add this functionality into your script? It seems relatively straightforward, but I just can't seem to make it work with any of the other guides out there.

Thanks again, this project is amazing. So simple and works so well!


bitcoinissue commented Jul 27, 2016

Just wanted to leave a reply with how I finally got the bridged OpenVPN server to work on the RPI.

I followed this guide almost exactly: http://www.emaculation.com/doku.php/bridged_openvpn_server_setup

The only additional things I did were to enable IPv4 Packet Forwarding in /etc/sysctl.conf
http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/

And added the following lines to my OpenVPN server conf
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"

And it works!!


chrisjenx commented Aug 2, 2016

A tap version would be awesome! Thanks for the great work!


3cHeLoN commented Sep 25, 2016

@bitcoinissue could you post your server.conf file and systemctl scripts? I have a hard time figuring out which settings I should use from the link you provided and which settings in the old server.conf are essential for the way pivpn sets up openvpn.

redfast00 referenced this issue Oct 9, 2016: bridge mode #90 (Closed)


JurassicTommy commented Oct 23, 2016

I would love to see this implemented in the installer! Sure you can do it manually, but it feels so hacky and dirty.


fyellin commented Dec 14, 2016

I'm going to echo @3cHeLoN's request. @bitcoinissue, please post your config files and scripts. I'd dearly love tap mode.

0-kaladin self-assigned this Dec 15, 2016


fyellin commented Dec 15, 2016

I'm able to run OpenVPN on my tomato router, and it automatically creates the configuration files.

For the server's configuration file, the difference is:

tun:
server <tun-address> 255.255.255.0
dev tun21
push "route <network-address> 255.255.255.0"

tap:
server-bridge <this-ip-address> 255.255.255.0 <dhcp-start> <dhcp-end>
dev tap22

If, for example, your device was 192.168.100.100, then
tun-address = 192.170.0.0
network-address = 192.168.100.0
this-ip-address = 192.168.100.100
dhcp-start, dhcp-end = 192.168.100.240 192.168.100.250 (or some range in your net)

The only difference between the client ovpn is "dev tap" vs "dev tun".

I'm not sure what network configuration needs to be done, though.


glonch commented Dec 27, 2016

Greetings all...

I really would like to set this up, but having a hard time following along (understand the high level concepts of VPN but bridging settings are throwing me for a loop). Is there a step by step rundown for PiVPN out there?

(Casting my vote for this to be added as a setup script feature too)


Member

0-kaladin commented Dec 27, 2016

It shouldn't be too difficult to add this to the install script. Just need time more than anything else. I'd guess a month or two. Depending on if I prioritize over the unattended install feature.


glonch commented Dec 27, 2016

Totally understand! Excellent job!


Sungray commented Jan 11, 2017

@bitcoinissue I've been trying to make this work all day, and I have, kinda.

The only issue is that when the pi starts, the eth0 interface gets the server IP, and the br0 gets another IP address apparently from dhcp, and nothing works. I also noticed br0 gets a different mac address than eth0.

Then if I stop and start the openvpn service, everything is suddenly looking good and everything works. br0 gets the IP address, eth0 doesn't have one, I can access the internet from the pi and open the vpn connection. I guess this is an issue with the script not being able to remove the ip address from eth and attribute it to br at startup, but no idea why, especially since it works afterwards...

Any idea?


Member

0-kaladin commented Feb 8, 2017

I have a need for this now. So in my free time (if such a thing truly exists) expect this done in short order.


mjnks commented Feb 26, 2017

Will bridged mode as part of the install script be available soon? I have limited networking experience and would like to set up my VPN to allow access to my entire home network remotely. I attempted to get it working myself, but no luck.


nemxwasp commented Mar 13, 2017

Agreed! Another vote for bridged mode! The pivpn installer is awesome and incredibly simple but I need to be able to operate in bridged mode. I tried a few of the guides I found to operate in bridged mode but am having no luck. I tried the emaculation guide provided by bitcoinissue but installed pivpn first then jumped to the section in the guide where it sets up bridged mode (not the whole guide). I trashed all network connectivity and had to reinstall my pi os lol! I am debating trying the entire emaculation guide but I love the simplicity of pivpn like being able to add and revoke clients but mostly how easy it is to install (In my quest for bridged mode I have reset my pi and reinstalled pivpn at least 12 times this week lol) Like others I need to be on my home subnet to access shares, printers, etc.. as well as use wake on lan broadcast to turn on my machines since I don't leave them on all the time. Thanks in advance!


d0nlab commented Mar 14, 2017

+1 for bridged mode
Having access to all services on my network through VPN would be helpful


scottd83 commented Mar 21, 2017

Edited/removed my original comment: I misread that you guys were talking about using the tap rather than tun, making my comment irrelevant!


f-ben commented Apr 5, 2017

Is there any news on this one?


matej86 commented Apr 6, 2017

I need the TAP mode too. Also a web based GUI would be a very nice feature so the server could be configurable from every device on the network


mmarbut commented May 16, 2017

ok I got it up and running

I started by running pivpn setup then I ran through the tutorial here and made some changes to the script and the conf files.
http://www.emaculation.com/doku.php/bridged_openvpn_server_setup

This guide will use the following example private IP address numbering (adjust this to your numbering):

IP address for RP: 192.168.1.3
Netmask: 255.255.255.0
Broadcast address: 192.168.1.255
Router's IP address: 192.168.1.1

We'll use the text editor “nano” to create a script called “openvpn-bridge” that performs the Ethernet bridging. Enter

nano /etc/openvpn/openvpn-bridge
Copy and paste the following script into that (empty) file.

#!/bin/sh

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.1.3"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"
eth_gateway="192.168.1.1"

case "$1" in
start)
    for t in $tap; do
        openvpn --mktun --dev $t
    done

    brctl addbr $br
    brctl addif $br $eth

    for t in $tap; do
        brctl addif $br $t
    done

    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done

    sleep 10

    ifconfig $eth 0.0.0.0 promisc up

    sleep 5

    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

    sleep 2

    route add default gw $eth_gateway
    ;;
stop)
    ifconfig $br down
    brctl delbr $br

    for t in $tap; do
        openvpn --rmtun --dev $t
    done

    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast

    route add default gw $eth_gateway
    ;;
*)
    echo "Usage:  openvpn-bridge {start|stop}"
    exit 1
    ;;
esac
exit 0

I made the script executable by entering

chmod 744 /etc/openvpn/openvpn-bridge

then I edited the server configuration file.

port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
duplicate-cn
remote-cert-tls client
server-bridge 192.168.1.3 255.255.255.0 192.168.1.51 192.168.1.61
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3

Then I edited the openvpn service

nano /lib/systemd/system/openvpn@.service

Copy these two lines:

ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop

Paste the two lines at the bottom of the [Service] section so that its last three lines look like

WorkingDirectory=/etc/openvpn
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop

I confirmed that /etc/sysctl.conf had net.ipv4.ip_forward = 1

and then rebooted

I edited the OVPN file I created following your tutorial so that dev was set to tap

dev tap

and tested everything
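
The bridge script and the server.conf in the comment above carry the same addresses in two places (the `eth_*` variables and the `server-bridge` line), and they have to agree. As an added example that is not part of the original comment or of PiVPN, the following shell functions cross-check them; `ip2int`, `int2ip`, `check_bridge` and `SAMPLE_CONF` are hypothetical names, and the sample values are the ones from the comment.

```sh
#!/bin/sh
# Added example: cross-check the openvpn-bridge values against server.conf.

# Dotted quad -> integer; rejects anything that is not four octets 0-255.
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_bridge ETH_IP NETMASK BROADCAST CONF_TEXT
# Prints one line per inconsistency; returns 0 only when none are found.
check_bridge() {
    eth_ip=$1; mask=$2; bcast=$3; dev=; sb_ip=; sb_mask=; p_lo=; p_hi=; bad=0
    # Pick out the two directives that matter for bridging.
    while read -r key a b c d rest; do
        case $key in
            dev) dev=$a ;;
            server-bridge) sb_ip=$a; sb_mask=$b; p_lo=$c; p_hi=$d ;;
        esac
    done <<EOF
$4
EOF
    case $dev in tap*) ;; *) echo "dev is '$dev', bridging needs a tap device"; bad=1 ;; esac
    [ "$sb_ip" = "$eth_ip" ] && [ "$sb_mask" = "$mask" ] ||
        { echo "server-bridge $sb_ip/$sb_mask differs from bridge $eth_ip/$mask"; bad=1; }
    ip=$(ip2int "$eth_ip") && m=$(ip2int "$mask") && bc=$(ip2int "$bcast") &&
        lo=$(ip2int "$p_lo") && hi=$(ip2int "$p_hi") ||
        { echo "malformed or missing IPv4 value"; return 1; }
    net=$(( ip & m ))
    want_bc=$(( net | (~m & 0xFFFFFFFF) ))
    [ "$bc" -eq "$want_bc" ] || { echo "broadcast should be $(int2ip "$want_bc")"; bad=1; }
    # The pool handed to VPN clients must be usable host addresses on the LAN.
    [ "$lo" -le "$hi" ] && [ "$lo" -gt "$net" ] && [ "$hi" -lt "$want_bc" ] ||
        { echo "client pool $p_lo-$p_hi is not inside the LAN subnet"; bad=1; }
    [ "$ip" -lt "$lo" ] || [ "$ip" -gt "$hi" ] ||
        { echo "client pool contains the server's own address $eth_ip"; bad=1; }
    return $bad
}

# Sample input: the relevant lines of the server.conf posted above.
SAMPLE_CONF='port 1194
proto udp
dev tap0
server-bridge 192.168.1.3 255.255.255.0 192.168.1.51 192.168.1.61
push "redirect-gateway def1"'

check_bridge 192.168.1.3 255.255.255.0 192.168.1.255 "$SAMPLE_CONF" &&
    echo "bridge script and server.conf agree"
```

The first three arguments are the `eth_ip`, `eth_netmask` and `eth_broadcast` values from /etc/openvpn/openvpn-bridge. The check does not know which addresses the router's own DHCP server hands out, so that overlap still has to be checked by hand.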


afcdmc commented May 28, 2017

I also need to have the bridge option to have the option to use all my Bonjour services remotely!! I tried for a whole day to make this work!! but couldn't connect at all!!! It Would be GREAT to have this option incorporated in the install script!! This is a Great Script but with the option to be on the same network range remotely as my local network it would be a Lifesaver for me!!!
Keep up the great Work!! Hope to see an update or a tutorial on how to do it manually step by step using pivpn as the starting point!!


shusain93 commented May 30, 2017

I'd actually recommend anyone who does this makes a tun-tap server. Duplicate your PIVPN config and rename your original to something like tun-server.conf and your new one to tap-server.conf. Set your tap server to a different port and configure it that way. Mobile devices don't support TAP so you need TUN.


911pcdoc commented Jun 1, 2017

I also would like to see the tap / bridge option in the installer


Member

redfast00 commented Jun 1, 2017

@0-kaladin: how about two OpenVPN config files that will each start a server on a different port, one with tun, one with tap? Or alternatively, prompt the user at the end of the script if they want to setup another server config?


tim-west commented Jun 23, 2017

@0-kaladin: Great work on the script. It makes the whole process so easy! I'm excited to see you are working on this feature and I was just wondering how it was coming along and whether you had an idea of when it would be complete?


tuf07378 commented Jun 23, 2017

@mmarbut I followed your steps to do the same and got local access working but it appears that internet traffic is not being passed through as I can't access anything external when connected to the VPN. Did you have to configure anything else to establish internet access?


mmarbut commented Jun 24, 2017

Is your Pi able to get out to the internet? It sounds like either an issue with DNS or firewall. Did you do this:
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
Is your gateway correct?

If you are using Windows, try this in command prompt: ipconfig /all | findstr /R "DNS\ Servers"
Also you can NSLOOKUP and type in the web address; it might show you where you are getting hung up.
Finally, you are connecting from outside the network where the RP resides, right?


ayr-ton commented Aug 30, 2017

There's someone already working on a fork with this feature?


Member

redfast00 commented Aug 30, 2017

There's nobody working on this, do you want to take a stab at it?


ayr-ton commented Sep 4, 2017

@redfast00 Yep, I would like. I will see what I can do given my free time (:


lars-sorensen commented Oct 4, 2017

I would really like this!


amandamana commented Nov 14, 2017

I'm also looking forward to trying this when it supports tap.


AlbioB commented Dec 25, 2017

Thanks @mmarbut I confirm it's working following your steps.


911pcdoc commented Jan 4, 2018

any updates on tap / bridge mode?


pokono commented Jan 11, 2018

+1


tmladek commented Jan 11, 2018

+1

cfcolaco referenced this issue Jan 17, 2018: pivpn and upnp #416 (Closed)


JamesTX10 commented Jan 29, 2018

Would love to see this built into the installer. Need a bridged TAP and a TUN server so I can get bridged support from my PC and TUN access from Android.


ayr-ton commented Feb 2, 2018

So do you folks think is a good idea to spin up two different daemons? One for TAP and one for TUN? And ask about the ports and the possibility of running one or another or both during the installation?


rgulden commented Jun 12, 2018

Hello! Just wondering, is creating a script to allow this still something in the works? Or does anyone have a good tutorial on how to enter bridge mode? Thanks!


AlbioB commented Jun 12, 2018

@rgulden you can follow @mmarbut's tutorial, which works flawlessly!


rgulden commented Jun 12, 2018

@AlbioB I tried to follow it with no success. Does it work with the newest versions of PIVPN, also, if you have successfully accomplished yourself, would you mind sharing your step by step? Thanks!


tmladek commented Jun 13, 2018

@rgulden I can also attest to @mmarbut's tutorial, worked with the latest version of pivpn. My step by step would be identical to @mmarbut's.

Maybe try troubleshooting the issues you're having?


rgulden commented Jun 14, 2018

@tmladek Hey, thanks for the response! Maybe my issue is I'm using it on an Ubuntu VM instead of a Pi. The interface is ens160 instead of eth0, but I did edit that in the script. Also, did you completely copy and paste his sample server.conf or did you just add the things he added? Thanks!


ayr-ton commented Jun 26, 2018

Just for giving visibility, I have stopped working on the tap/tun feature. If someone wants to adopt this, feel free. o/


larrybahr commented Jul 7, 2018

@rgulden did you ever get your issue resolved? I am using an Ubuntu VM as well and am getting the following error on a client when connecting to the server: "Sat Jul 07 12:07:37 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jul 07 12:07:37 2018 TLS Error: TLS handshake failed
"

Everything worked when it was using TUN, but after following @mmarbut steps the server will not accept clients. openvpn is running on the server with no errors as far as I can tell.


rzolau commented Aug 3, 2018

Just curious if any progress has been made on this issue. Pivpn definitely deserves support for bridged mode. Awesome software btw!


JamesTX10 commented Aug 8, 2018

This broke for me yesterday after having been working for months. I was running two servers TUN and TAP. I wiped and started over. TUN working. Made the listed changes and added the TAP server config. Rebooted and could not connect to either server. Disabled the TUN server, rebooted and then I could connect to the TAP server fine but had no internet. Rebooted the Pi again and then could not connect to the TAP server at all.


AlbioB commented Aug 8, 2018

@JamesTX10 Did you update something?


JamesTX10 commented Aug 8, 2018

Unattended updates were enabled during the initial setup so it is possible that something was updated. I rebuilt it again and it seems to be working fine now. Would really love to have the TAP Bridge option in the installer.


xbxolivesupport commented Aug 28, 2018

How do I put my router in bridge mode? If you have an idea please share with me.

If you are using Belkin router and you face a problem with your router visit here

belkin router setup
I also solved my router issue with this site.


AngiesBloke commented Sep 6, 2018

I've used PiVPN for a couple of years with mobile devices, I'm delighted with it. In the last few weeks I have tried a dozen times to build the bridge (TAP) configuration, on 'Raspbian Stretch Lite (2018-06-27)' starting from a working PiVPN (TUN). I have used Rasp Pi Model B, Rasp Pi 2 Model B and Rasp Pi 3 Model B. Poor results with all. In case there might be a significant difference between Raspbian releases I have also tried Raspbian Jessie Lite (2017-04-10) and had the same results.

After completing the TAP build (as per examples here and elsewhere) I manage to connect from a Windows 10 machine but not to be able to see any other LAN devices, nor with any access the Internet. Then after restarting the OpenVPN service or rebooting the Rasp Pi I am no longer able to reconnect at all, no longer able to reach the Rasp Pi with SSH. That leads to a whole new rebuild each time, then the same sort of outcome again.

There are many guides out there, I have tried plenty, but always with the same (or very similar) results. Sometimes I have been able to connect a few times, but generally the whole TAP configuration is pretty unstable for me.

There just doesn't seem to be a build that works easily or consistently. Is that the general opinion?

A scripted installer for TAP would be fantastic. The TUN script is very straightforward and works first time, every time.


larrybahr commented Sep 7, 2018

@AngiesBloke I have had the same experience. I'm able to connect but no Internet or LAN access. Having this automated would be awesome


ddorato commented Sep 11, 2018

@mmarbut How do I set up the config to only route traffic to the specific host rather than all the traffic (aka Split Tunnel)?


FelixSeidel commented Nov 20, 2018

@rgulden did you ever get your issue resolved? I am using an Ubuntu VM as well and am getting the following error on a client when connecting to the server: "Sat Jul 07 12:07:37 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jul 07 12:07:37 2018 TLS Error: TLS handshake failed
"

Everything worked when it was using TUN, but after following @mmarbut steps the server will not accept clients. openvpn is running on the server with no errors as far as I can tell.

Unfortunately I get exactly the same error ... has anyone already found a solution for this?
