Option to setup in Bridge Mode #45
Comments
Just wanted to leave a reply with how I finally got the bridged OpenVPN server to work on the RPI. I followed this guide almost exactly: http://www.emaculation.com/doku.php/bridged_openvpn_server_setup The only additional things I did were enable IPv4 packet forwarding in /etc/sysctl.conf and add the following lines to my OpenVPN server conf And it works!! |
@bitcoinissue could you post your server.conf file and systemctl scripts? I have a hard time figuring out which settings I should use from the link you provided and which settings in the old server.conf are essential for the way pivpn sets up openvpn. |
I would love to see this implemented in the installer! Sure you can do it manually, but it feels so hacky and dirty. |
I'm going to echo @3cHeLoN's request. @bitcoinissue, please post your config files and scripts. I'd dearly love tap mode. |
I'm able to run OpenVPN on my tomato router, and it automatically creates the configuration files. For the server's configuration file, the difference is: tun: If for example, your device was 192.168.100.100, then The only difference between the client ovpn is "dev tap" vs "dev tun". I'm not sure what network configuration needs to be done, though. |
Greetings all... I really would like to set this up, but having a hard time following along (understand the high level concepts of VPN but bridging settings are throwing me for a loop). Is there a step by step rundown for PiVPN out there? (Casting my vote for this to be added as a setup script feature too) |
It shouldn't be too difficult to add this to the install script. Just need time more than anything else. I'd guess a month or two. Depending on if I prioritize over the unattended install feature. |
Totally understand! Excellent job! |
@bitcoinissue I've been trying to make this work all day, and I have, kinda. The only issue is that when the pi starts, the eth0 interface gets the server IP, and the br0 gets another IP address apparently from dhcp, and nothing works. I also noticed br0 gets a different mac address than eth0. Then if I stop and start the openvpn service, everything is suddenly looking good and everything works. br0 gets the IP address, eth0 doesn't have one, I can access the internet from the pi and open the vpn connection. I guess this is an issue with the script not being able to remove the ip address from eth and attribute it to br at startup, but no idea why, especially since it works afterwards... Any idea? |
I have a need for this now. So in my free time (if such a thing truly exists) expect this done in short order. |
Will bridged mode as part of the install script be available soon? I have limited networking experience and would like to set up my VPN to allow access to my entire home network remotely. I attempted to get it working myself, but no luck. |
Agreed! Another vote for bridged mode! The pivpn installer is awesome and incredibly simple but I need to be able to operate in bridged mode. I tried a few of the guides I found to operate in bridged mode but am having no luck. I tried the emaculation guide provided by bitcoinissue but installed pivpn first then jumped to the section in the guide where it sets up bridged mode (not the whole guide). I trashed all network connectivity and had to reinstall my pi os lol! I am debating trying the entire emaculation guide but I love the simplicity of pivpn like being able to add and revoke clients but mostly how easy it is to install (In my quest for bridged mode I have reset my pi and reinstalled pivpn at least 12 times this week lol) Like others I need to be on my home subnet to access shares, printers, etc.. as well as use wake on lan broadcast to turn on my machines since I don't leave them on all the time. Thanks in advance! |
+1 for bridged mode |
Edited/removed my original comment: I misread that you guys were talking about using the tap rather than tun making my comment irrelevant! |
Is there any news on this one? |
I need the TAP mode too. Also a web based GUI would be a very nice feature so the server could be configurable from every device on the network |
OK, I got it up and running. I started by running pivpn setup, then I ran through the tutorial here and made some changes to the script and the conf files. This guide will use the following example private IP address numbering (adjust this to your numbering): IP address for RP: 192.168.1.3 We'll use the text editor “nano” to create a script called “openvpn-bridge” that performs the Ethernet bridging. Enter nano /etc/openvpn/openvpn-bridge
I made the script executable by entering
then I edited the server configuration file.
then I edited the openvpn service
Copy these two lines:
Paste the two lines at the bottom of the [Service] section so that its last three lines look like
I confirmed that /etc/sysctl.conf had net.ipv4.ip_forward = 1 and then rebooted. I edited the OVPN file I created following your tutorial so that dev was set to tap
and tested everything |
I also need to have the bridge option to have the option to use all my Bonjour services remotely!! I tried for a whole day to make this work!! but couldn't connect at all!!! It would be GREAT to have this option incorporated in the install script!! This is a great script, but with the option to be on the same network range remotely as my local network it would be a lifesaver for me!!! |
I'd actually recommend anyone who does this makes a tun-tap server. Duplicate your PIVPN config and rename your original to something like tun-server.conf and your new one to tap-server.conf. Set your tap server to a different port and configure it that way. Mobile devices don't support TAP so you need TUN. |
I also would like to see the tap / bridge option in the installer |
@0-kaladin: how about two OpenVPN config files that will each start a server on a different port, one with |
@0-kaladin: Great work on the script. It makes the whole process so easy! I'm excited to see you are working on this feature and I was just wondering how it was coming along and whether you had an idea of when it would be complete? |
@mmarbut I followed your steps to do the same and got local access working but it appears that internet traffic is not being passed through as I can't access anything external when connected to the VPN. Did you have to configure anything else to establish internet access? |
Is your Pi able to get out to the internet? It sounds like either an issue with DNS or firewall. Did you do this: push "redirect-gateway def1"? If you are using Windows, try this in command prompt: ipconfig /all | findstr /R "DNS\ Servers" |
@AlbioB I tried to follow it with no success. Does it work with the newest versions of PIVPN, also, if you have successfully accomplished yourself, would you mind sharing your step by step? Thanks! |
@tmladek Hey thanks for the response! Maybe my issue is I'm using it on a Ubuntu VM instead of a PI. The interface is ens160 instead of eth0, but I did edit that in the script. Also, did you completely copy and paste his sample server.conf or did you just add the things he added? Thanks! |
Just for giving visibility, I have stopped working on the tap/tun feature. If someone wants to adopt this, feel free. o/ |
@rgulden did you ever get your issue resolved? I am using an Ubuntu VM as well and am getting the following error on a client when connecting to the server: "Sat Jul 07 12:07:37 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" Everything worked when it was using TUN, but after following @mmarbut steps the server will not accept clients. openvpn is running on the server with no errors as far as I can tell. |
Just curious if any progress has been made on this issue. Pivpn definitely deserves support for bridged mode. Awesome software btw! |
This broke for me yesterday after having been working for months. I was running two servers TUN and TAP. I wiped and started over. TUN working. Made the listed changes and added the TAP server config. Rebooted and could not connect to either server. Disabled the TUN server, rebooted and then I could connect to the TAP server fine but had no internet. Rebooted the Pi again and then could not connect to the TAP server at all. |
@JamesTX10 Did you update something? |
Unattended updates were enabled during the initial setup so it is possible that something was updated. I rebuilt it again and it seems to be working fine now. Would really love to have the TAP Bridge option in the installer. |
How do I put my router in bridge mode? If you have an idea please share with me. If you are using Belkin router and you face a problem with your router visit here belkin router setup |
I've used PiVPN for a couple of years with mobile devices, I'm delighted with it. In the last few weeks I have tried a dozen times to build the bridge (TAP) configuration, on 'Raspbian Stretch Lite (2018-06-27)' starting from a working PiVPN (TUN). I have used Rasp Pi Model B, Rasp Pi 2 Model B and Rasp Pi 3 Model B. Poor results with all. In case there might be a significant difference between Raspbian releases I have also tried Raspbian Jessie Lite (2017-04-10) and had the same results. After completing the TAP build (as per examples here and elsewhere) I manage to connect from a Windows 10 machine but not to be able to see any other LAN devices, nor with any access the Internet. Then after restarting the OpenVPN service or rebooting the Rasp Pi I am no longer able to reconnect at all, no longer able to reach the Rasp Pi with SSH. That leads to a whole new rebuild each time, then the same sort of outcome again. There are many guides out there, I have tried plenty, but always with the same (or very similar) results. Sometimes I have been able to connect a few times, but generally the whole TAP configuration is pretty unstable for me. There just doesn't seem to be a build that works easily or consistently. Is that the general opinion? A scripted installer for TAP would be fantastic. The TUN script is very straightforward and works first time, every time. |
@AngiesBloke I have had the same experience. I'm able to connect but no Internet or LAN access. Having this automated would be awesome |
@mmarbut How do I set up the config to only route traffic to the specific host rather than all the traffic (aka Split Tunnel)? |
Unfortunately I get exactly the same error ... has anyone already found a solution for this? |
Not sure if this will help anyone but if you are trying to connect two identical networks i.e., 192.168.1.0/24 (local) and 192.168.1.0/24 (remote) you are going to run into trouble setting up a bridge-TAP. It is possible to do, but from my experience it was more trouble than it is worth. Try changing either the local or remote network to anything else and it should come together fairly easily and all the odd windows network services will start working properly, etc. |
I decided to give bridging (TAP) another shot, glad to say it's now working for me. I'm beginning to think that the RPi I was using for Pi-Hole, TUN and TAP servers was just not up to all three tasks at once. Either that or I had some bad config set up to make them all work together. I separated the 3 applications to 3 individual RPi's and rebuilt the TAP server from scratch. Sadly I've not much time for a deep dive into the do's and don'ts but I can confirm a working TAP server on RPi 3 Model B+, a 32 GB SDHC card (Sandisk Ultra, Class 10) and Raspbian Stretch Lite (2019-04-08). This quad-core RPi may have been overkill so my next job was to build the same thing on a lesser model - an RPi Model B. All works perfectly. Here are my tips. I used the build posted above by @mmarbut on (16-May-2017), starting with PiVPN from http://www.pivpn.io/. I tailored the server config for my own network. Ensure you use the server ID generated by your base PiVPN build when you tailor /etc/openvpn/server.conf - this nugget not explicitly stated in the original post from @mmarbut. Otherwise big thanks to him (or her) for that guide. The base PiVPN install generated server and client configs which did not include compression. I added the line comp-lzo to each config. I updated the RPi's routing table, as explained at: https://www.comparitech.com/blog/vpn-privacy/raspberry-pi-vpn/ As Pi-Hole is in use on my network I set the DNS for the TAP VPN server to the LAN IP address of Pi-Hole, not a public DNS or my router's (ISP's) DNS. I set port forwarding on my router to translate a couple of random ports to port 1194 on each of my RPi VPN servers. I set these in the VPN client configs accordingly. That way TAP incoming hits my TAP VPN server, TUN incoming hits my TUN VPN server. My Windows 10 laptop can access all my home network resources (web GUIs and SMB/CIFS shares) from outside my network, and also break out onto the Internet. A simple 'What's my IP' proves it's working.
And of course, you're wasting your time if you try to access your home network from your home network. The LAN IP ranges simply must not be the same. Your mileage may vary. |
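Added example, not part of any comment in this thread and not PiVPN code: a small check for the mismatches discussed above (client `dev tun` against a `dev tap` server, `comp-lzo` on one side only, a client LAN that overlaps the bridged LAN, and two servers on the same port). The configs are constructed samples; the pool range, hostname and port 1195 are assumptions, and only plain one-line directives are parsed.

```python
import ipaddress

# Constructed sample configs (not taken from the thread); 192.168.1.3 is the
# example Pi address used above, the pool range and hostname are made up.
TAP_SERVER = """\
port 1195
proto udp
dev tap0
server-bridge 192.168.1.3 255.255.255.0 192.168.1.200 192.168.1.210
comp-lzo
"""
TUN_SERVER = "port 1194\nproto udp\ndev tun\nserver 10.8.0.0 255.255.255.0\n"
BAD_CLIENT = "client\ndev tun\nproto udp\nremote vpn.example.net 1195\n"
GOOD_CLIENT = "client\ndev tap\nproto udp\nremote vpn.example.net 1195\ncomp-lzo\n"

def parse_conf(text):
    """Map each OpenVPN directive to its argument list, skipping comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            conf[name] = args
    return conf

def dev_type(conf):
    """'dev tap0' and 'dev tap' are both TAP; same for tun."""
    name = (conf.get("dev") or [""])[0]
    return next((t for t in ("tap", "tun") if name.startswith(t)), None)

def check_pair(server, client, client_lan=None):
    """Return findings that make a server/client pair fail or misbehave."""
    findings = []
    if dev_type(server) != dev_type(client):
        findings.append("dev type differs between server and client")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        findings.append("comp-lzo set on only one side")
    bridge = server.get("server-bridge")
    if dev_type(server) == "tap" and bridge is None:
        findings.append("tap server has no server-bridge line")
    elif bridge and len(bridge) == 4:
        gateway, mask, start, end = bridge
        lan = ipaddress.ip_network(f"{gateway}/{mask}", strict=False)
        if any(ipaddress.ip_address(ip) not in lan for ip in (start, end)):
            findings.append("server-bridge pool is outside the bridged LAN")
        if client_lan and lan.overlaps(ipaddress.ip_network(client_lan)):
            findings.append("client's local LAN overlaps the bridged LAN")
    return findings

def port_clash(*servers):
    """True if two server configs would bind the same port/proto (defaults 1194/udp)."""
    keys = [((s.get("port") or ["1194"])[0], (s.get("proto") or ["udp"])[0])
            for s in servers]
    return len(keys) != len(set(keys))

if __name__ == "__main__":
    tap = parse_conf(TAP_SERVER)
    for msg in check_pair(tap, parse_conf(BAD_CLIENT), "192.168.1.0/24"):
        print("FINDING:", msg)
    print("port clash:", port_clash(tap, parse_conf(TUN_SERVER)))
```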
Check your router port forwarding. I've had the same error and found an error in my router config. |
I spent most of yesterday debugging this. As far as I can tell the issue is with the script that sets up the 'br0' bridge. It starts conflicting and it cuts ssh access because the IP is conflicting. The bridge is supposed to run on the same IP as the main eth0 interface, but on the newer OS (I'm running Buster) it gets its own IP and it starts conflicting. Any idea to start digging? |
See my later post, dated 10 June 2019. All working fine for me now. No changes to bridging script were needed. |
Alright I got PiVPN bridge working, but not by the bridge script listed above. I kept on trying but never got it working. So I patched together a new way of doing things via multiple tutorials and the one listed above as well. Be warned I've been learning this as I go so this guide is from about 3 weeks of messing around the internet and searching for guides. This was done on Raspbian Stretch Lite (2019-04-08), it should work on the newest Raspbian Buster but I cannot confirm that it works on there. I started out with the standard pivpn install.
Make sure if you have a dh file to put where it's located in the dh section of the config. I then installed bridge-utils to help bridge this new connection. I followed this up by editing the /etc/network/interfaces
After that there was only one more thing I had to do to get the bridge up and running. The connection will work until a reboot is done. The tap0 interface will stop working after a reboot, it will start again if you restart the openvpn service. But that gets annoying to do every time so I made a script. Then I created the file. I then added the script to the rc.local file. You can go ahead and reboot now and the tap0 interface should always be running after reboot. After you create a regular PiVPN profile make sure to edit the This should work, if it doesn't then I can check my configs and whatnot. |
I tried both scripts and none of them seem to work today. I'm able to connect but get assigned an IP 169.254.x.x each time... with viscosity. Any ideas? |
This issue/feature request was created in June 2016. Afaiaa, nothing has changed since. Are there any plans? Will this feature be supported soon without having to modify the OpenVPN configuration files directly? @0-kaladin @redfast00 (sorry to wake you up, but can we get a clear statement from you pls?) |
Sorry to be blunt, but I explicitly said in the readme I am no longer supporting this software due to lack of time. I do however see that someone removed this notice, so it's not your fault you didn't read it. |
This is sad to hear, however, thanks for the response. |
@welljsjs, @redfast00 is not maintaining the project anymore and @0-kaladin has vanished and I have tried to reach him a lot of times without success, so it makes me the only one driving this project. To be completely honest with you ... I am not at all prioritizing in favor of a lot other tasks and bugs that come up. This is a somewhat complex task for a couple of specific use cases and it requires time to develop, test, maintain and I don't have the time to do it myself. The reason why this is still open is exactly because this is an opensource project and everyone is welcome to contribute to it so ... do you wanna roll up your sleeves? Feel free to do it, I won't discard the PR if it comes, I'll test it and review it and merge if it's ok. @redfast00, hope all is well with you! I did remove it because I am actively maintaining it and sailing the boat, just. It's not his fault it's not there anymore, but it doesn't make sense to have it there either when the project is actually being actively maintained, having bug fixes and new features getting out frequently. But you know how ppl work .. 90% don't even read the issue template right in front of their eyes, so I don't really trust that most of them read the readme either ... @welljsjs should have investigated the status of the project and who is driving it before tagging you. Kind regards, |
@4s3ti Bridge mode is not available by design on WireGuard. |
Sure, I'm aware of that, that's why I was asking for a clear statement because this issue seemed a little abandoned.
Might be. I just read the comments on this issue and found that redfast00 was (once) involved in the discussion. As he is still a member of the repo, I simply expected him to be the right person to talk to. Admittedly, I didn't have a look at the latest commits to see who's still contributing. However, I feel like we shouldn't start talking about this in this issue. I appreciate your reply though @4s3ti.
I would if I could. Though at the time being, I don't really have enough knowledge about bridging. However, I'm happy to contribute if I manage to get it to work. |
Hello,
First, this script is incredible. So simple, straight forward, and works right out of the box. Thank you so much!
I had a question though, I've been attempting to get OpenVPN running in bridge mode, so when I connect to the VPN I can see the bonjour information of all the machines on my LAN. I have a bunch of network shares, a SAN, and a bunch of machines, all Mac based, that would be nice to see populated on a finder level when other people VPN into our network.
I've been kind of following these guides, attempting to make them work. I've gotten pretty far, able to get the bridge up and running, but sometimes the Raspberry Pi locks up completely when I start the OpenVPN service, or I get Handshake errors and no internet connectivity. I can't seem to get through the last few feet of actually making it work.
https://www.aaflalo.me/2015/01/openvpn-with-tls-in-bridged-mode/
http://www.wedebugyou.com/2013/01/how-to-use-bonjour-over-vpn/
http://www.server-world.info/en/note?os=CentOS_6&p=openvpn
Would it be possible to add this functionality into your script? It seems relatively straight forward, but I just can't seem to make it work with any of the other guides out there.
Thanks again, this project is amazing. So simple and works so well!