
OpenVPN server in TAP mode behind router


netware5

Very Senior Member
Hi guys,

I am trying to set up an OpenVPN server in TAP mode behind a router, but with no success so far. I am doing something wrong, but cannot understand what. Any suggestions will be highly appreciated.

Here is a description of what I have and what I want to achieve.

Background
My home network is 192.168.xx.0/24. The router's LAN side IP is 192.168.xx.1. The router is an RT-N66U with Merlin's 380.64 FW. The router serves as DHCP and DNS server for the whole LAN. An OpenVPN 2.3.14 server is listening on the router's WAN side. The OpenVPN server is configured in TAP mode listening on a WAN side TCP port (Ethernet bridging) and pushes directives to clients to redirect all traffic through the tunnel. So, when a client (Windows 10, OpenVPN 2.4) connects to the server, it becomes part of the LAN with IP address 192.168.xx.yy and can browse all LAN devices. This configuration has been running trouble-free since 2013.

What I wish?
In order to significantly increase the tunnel speed I decided to install a dedicated OpenVPN server inside the LAN keeping the concept - TAP interface (Ethernet bridging) and redirecting all client's traffic through the tunnel.

What I did?
I created a dedicated Ubuntu 16.04 server as a guest virtual machine within the host OS of my home NAS (FreeBSD) using VirtualBox. Now the LAN configuration is as follows:
Router IP: 192.168.xx.1 (also serving as DHCP and DNS server)
Host OS IP: 192.168.xx.51
Ubuntu Server 16.04 VM (dedicated for OpenVPN server) IP: 192.168.xx.5
Successfully installed Ubuntu VM, installed and configured OpenVPN 2.4 server, created br0 interface and bridged eth0 with tap0. The Ubuntu VM is visible and accessible within the LAN, taking its IP by DHCP from the router. I can SSH to it, ping it, etc. Successfully forwarded the OpenVPN listening IP port (TCP) from router's WAN side to Ubuntu's LAN IP port (TCP). The OpenVPN server is visible, accessible and connectable from outside.

What is the problem?
The OpenVPN client connects successfully to the OpenVPN server. The keys, certificates, encryption, etc. are OK. The Windows TAP adapter obtained the right LAN IP address, but for some reason it is unable to set its default gateway. The Windows ipconfig command shows that the Windows TAP adapter does not have a gateway (empty field). So the traffic is not redirected. The client cannot ping any LAN device (router, VM's host and the VM itself). This is obvious because the Windows TAP adapter has no gateway assigned.

I suspect that something went wrong with Ubuntu's firewall and the packets received from the tunnel are not routed to the LAN and vice versa. Unfortunately there is no clear tutorial on the Internet on how to set up an Ubuntu 16.04 OpenVPN server in TAP mode behind a router. There are a lot of tutorials on how to do this in TUN mode, but not in TAP mode. There are also some tutorials for TAP mode, but they are either for older Ubuntu versions or for an OpenVPN server that also acts as a LAN-WAN router, or both. Ubuntu 16.04 uses ufw as a front end for iptables and I have no experience with it. I am not very experienced with iptables either. Until now all my OpenVPN servers were configured on routers using a GUI. I tried every tutorial I found, but failed.
 