#1 2021-06-12 11:27:29

hexadecagram
Member
Registered: 2011-05-20
Posts: 61

[SOLVED] Interaction of Linux LAN members with OpenVPN clients

Hi all,

I've got OpenVPN running in bridged mode (with the "--dev tap" and "--server-bridge" options enabled) on a homemade FreeBSD 13.0 router.
When I attempt to ssh TO one of the OpenVPN clients from one of the non-clients inside my LAN, it works and it doesn't.

If the connection originates from BSD-based systems (MacOS, FreeBSD, and FreeNAS) or Win10 systems, I have no problems.
If the system is running a recent Linux kernel, I have problems.

ICMP and UDP work fine but when I sniff a TCP connection attempt from my various Linux machines (Arch, Manjaro, Debian, etc.), I see:

  • A SYN sent to the MAC address of the OpenVPN client's tap interface,
  • A SYN+ACK sent from the MAC address of the FreeBSD bridge interface, and
  • A RST sent to the MAC address of the OpenVPN client's tap interface.

On the other hand, my BSD-based and Win10 systems send an ACK and not a RST as the final step of the three-way handshake and complete the connection.
SSH is just one example. It seems any TCP service will exhibit the same behavior, wholly contingent on whether the originating system is running Linux or not.

I would surmise that modern Linuxen verify the MAC addresses of response frames to ensure that they are coming from expected hosts and refuse them if they do not.

It seems to me that the bridge may be misconfigured on the router. I have asked about how to address this on the FreeBSD Forums.
The only other option I can think of is to disable the MAC verification feature on each Linux machine in my LAN. How can I do this?
Do I have any other options?

Last edited by hexadecagram (2021-06-14 05:12:35)
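A small diagnostic, added here and not the poster's code, that checks a decoded capture for the pattern described above: a SYN+ACK whose source MAC differs from the MAC the SYN was addressed to, and whether the originator then answered with a RST. All MACs, IPs and frames are constructed samples; a real capture would be decoded into the same tuples first.

```python
from collections import namedtuple

# One captured Ethernet/IP/TCP frame reduced to the fields the check needs.
Frame = namedtuple("Frame", "src_mac dst_mac src_ip sport dst_ip dport flags")

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

# Constructed sample addresses (not from the thread).
LINUX_MAC = "aa:aa:aa:aa:aa:01"   # Linux host on the LAN
CLIENT_MAC = "bb:bb:bb:bb:bb:02"  # OpenVPN client's tap interface
BRIDGE_MAC = "cc:cc:cc:cc:cc:03"  # FreeBSD bridge interface

# Constructed capture: one broken handshake (as in the post), one healthy one.
SAMPLE = [
    Frame(LINUX_MAC, CLIENT_MAC, "10.0.0.50", 40000, "10.0.0.200", 22, SYN),
    Frame(BRIDGE_MAC, LINUX_MAC, "10.0.0.200", 22, "10.0.0.50", 40000, SYN | ACK),
    Frame(LINUX_MAC, CLIENT_MAC, "10.0.0.50", 40000, "10.0.0.200", 22, RST),
    Frame(LINUX_MAC, CLIENT_MAC, "10.0.0.51", 40001, "10.0.0.200", 22, SYN),
    Frame(CLIENT_MAC, LINUX_MAC, "10.0.0.200", 22, "10.0.0.51", 40001, SYN | ACK),
    Frame(LINUX_MAC, CLIENT_MAC, "10.0.0.51", 40001, "10.0.0.200", 22, ACK),
]


def find_mac_mismatches(frames):
    """Return one dict per handshake whose SYN+ACK came from a MAC other than
    the one the SYN was sent to. 'reset' records whether the originator
    followed up with a RST instead of completing the handshake."""
    syn_dst = {}    # flow -> MAC the SYN was addressed to
    findings = {}   # flow -> finding dict (filled when the SYN+ACK arrives)
    for f in frames:
        flow = (f.src_ip, f.sport, f.dst_ip, f.dport)
        if f.flags == SYN:
            syn_dst[flow] = f.dst_mac
        elif f.flags == SYN | ACK:
            fwd = (f.dst_ip, f.dport, f.src_ip, f.sport)  # originator's view
            expected = syn_dst.get(fwd)
            if expected is not None and expected != f.src_mac:
                findings[fwd] = {"flow": fwd, "syn_dst_mac": expected,
                                 "synack_src_mac": f.src_mac, "reset": False}
        elif f.flags & RST and flow in findings:
            findings[flow]["reset"] = True
    return list(findings.values())


if __name__ == "__main__":
    for hit in find_mac_mismatches(SAMPLE):
        print(hit)
```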

#2 2021-06-12 18:46:05

hexadecagram
Member
Registered: 2011-05-20
Posts: 61

Re: [SOLVED] Interaction of Linux LAN members with OpenVPN clients

Turns out this was an OpenVPN server misconfiguration and nothing to do with Linux, ArchLinux OR FreeBSD. I posted a solution on the FreeBSD Forums, where it would be most relevant to where I have already raised the subject; I see no need to start a new thread on the OpenVPN Forums.

Last edited by hexadecagram (2021-06-14 05:13:38)
