OpenVPN/TAP Bridge

Hi guys,

Been lurking for some time and can’t seem to figure this out.

I’ve got the following:
RPi 2B running OSMC 4.14.34-4 (as this is the last version that supports my Realtek Wi-Fi dongle) as a Plex frontend client. On the backend I have an OpenVPN server running, currently in TUN mode.

The VPN Server is running currently with 1 client profile, and the server is configured in TUN mode.

My desired objectives for the project are to:
1 - have a seamless VPN Server operating in the backend while the Pi operates as an always-on Plex client (installed at my parents place)
2 - allow me free access to the LAN as if I was directly connected
3 - no interruption/breaking of mapped drives/SMB shares

I’ve currently achieved objective 1, however the other 2 are proving a bit more challenging…

I’ve come to the conclusion I should modify the server to be running in TAP mode. I’ve managed to create a tap0 interface by bridging the wlan0 interface to the tap0 interface; however, this then breaks the connection of the Pi to the LAN.

My addresses are as follows:
External IP: DDNS
Pi IP (static): 192.168.0.45
Pi DG: 192.168.0.1
Pi Broadcast: 192.168.0.255
OpenVPN pool start: 10.8.0.1

When connecting to the server I am allocated a 10.8.0.x address. I have pushed routes to the clients so I am able to ping servers on the LAN, however my SMB shares are broken.

Has anyone got any advice on modifying the server.conf file to enable me to meet all 3 objectives? Should I be looking at running a different OS on the Pi to more easily meet these objectives?

Thanks.

This would not be a limitation of OSMC; it’s plain openvpn config and the respective routing rules in your LAN.

Are your SMB shares on your openvpn server?

If you are using TAP mode (Layer 2) both LAN networks would need to be in the same subnet. I doubt your current setup is made in that way.
Personally I believe TUN mode (Layer 3) with proper routing is an easier setup, unless you use a non-routable protocol.

As @fzinken has already said, a (layer 3) TUN connection should work. Why it doesn’t work is difficult to tell with the information you have provided.

From the Pi, can you access the remote network or not? You said:

but provide no more information. However, you later state:

If you have a TAP connection, as well as having both sides on the same subnet (192.168.0.x in this case), you need to avoid IP address clashes (eg both routers on 192.168.0.1).

If you have different subnets on each end of the VPN, my best guess is that you didn’t NAT incoming VPN traffic to the server when setting up the TUN interface, so all the 10.8.0.x traffic tries to return via eth0.

My thoughts exactly, not sure if this has something to do with “connman”

I have one share on my server, yes. I’m also trying to mount an SMB share on a LAN-connected CCTV DVR which I would like to be able to access (x.x.x.60)

I have DHCP reservation set on my DHCP server (home router) that will not distribute IP addresses above x.x.x.100, so I can set the openvpn pool to 101-x. Implementing TUN and pushing the correct routes would still give me a 10.x.x.x address would it not?

Now you are confusing us. Are you now planning to use TUN (Layer 3 with routing) or TAP (Layer 2 bridge with switching)?

I would’ve thought implementing a TAP (L2 bridge) to be the most elegant solution, rather than messing around with re-mapping samba shares (this would also give my remote client a 192.168.0.x address would it not?) - if this is the case I would rather plan to use TAP.

Yes, that would be the case if you use TAP, therefore it would be more “elegant”, but surely it would be more complicated and you would have to plan both LANs carefully with different IPs for devices on both sides (e.g. using 192.168.0.1-128 for LAN A and 192.168.0.129-254 on LAN B).

Yep so basically I don’t intend to be logging into this server very often, it’s pretty much for occasional remote tech support for my parents, so I will not be needing a pool of more than 10 (for example). My current LAN DHCP pool is 192.168.0.2-100, so I plan to use .101-.110 for remote client IPs.

Have I got this right or am I misunderstanding?

Well, hard to say if you got this right! As written by @dillthedog, if you use a switched environment you would have to do IP planning so that no IP conflict can exist between both LANs. With a TAP bridge there is basically only a single LAN between your side and your parents’ side.

Okay now I think I’m a bit confused. When you say the TAP bridge creates a single LAN, do you mean to say it bridges my remote LAN and local LAN?

It was my understanding that I receive an IP from the VPN server (which consequently severs my remote LAN connections). The TAP bridge function then bridges my VPN Server network IP to the tap0 interface IP (VPN Server LAN IP). This is why I suggested that setting my VPN Server IP pool at x.x.x.101-110 should remove any possibility of IP address conflicts.

Correct: TAP (Layer 2, switching), TUN (Layer 3, routing).

What you want is TUN with either proper NAT or, simpler, just with proper routing.

Riiiiiiight okay. And would that mean further work to be done RE the SMB shares?

Well, as written: either proper NAT or proper routing.

Make a quick drawing of which IPs your SMB servers, your VPN Server and your Pi have and how they are connected; then we can tell you what to do.
Also a grab-logs -A from the Pi will help to understand how the sources are configured.

I can’t figure out how to view the logs, they’ve been uploaded to “https://paste.osmc.tv/html” - any ideas?

That link indicates that logs have not been uploaded, likely because they are too big. Restart your device twice to purge the old logs and upload again.

Got it, thanks!

http://paste.osmc.tv/hanovapaho

So PC-A represents the Pi at your parents’ side?
What is its LAN IP? What is its OVPN IP?
Do you have
push "route 192.168.0.0 255.255.255.0 vpn_gateway"
route 192.168.X.0 255.255.255.0 (X being IP range of your parents network)
in your server config?