So, as these things go, I spent 2 days looking at my OpenVPN config files and bridging setup before finding the solution to my problem was elsewhere.
A little background: I created a new OpenVPN VM using the Debian Squeeze net install CD, configured it to match what was already working on a physical Windows XP box, but only had limited success. I was able to connect to the VPN, ping the OpenVPN server on the network, but couldn’t connect to anything else. Trying to ping another server from the VPN client, and running tcpdump on that other server, showed that it was receiving ICMP requests and replying, but they were not making it back to the VPN client. I tried a hundred different ways of creating the bridge on the OpenVPN server, but nothing worked. Finally, good old Google found the answer: the ESXi virtual switch drops promiscuous packets by default.

To fix it, open the vSphere Client, click on the ESXi host on the left side, click on the “Configuration” tab on the right, click “Networking” in the Hardware box, then click “Properties…” at the top-right of your “Virtual Switch: vSwitch#” graphic. On the “Tools” tab of this popup window, select the “vSwitch” and click the “Edit…” button. In this popup, click on the “Security” tab and change “Promiscuous Mode” from “Reject” to “Accept”. Click “OK” then “Close” and you should be all set.
Other than that, it’s really pretty basic – do an install with nothing but SSH, then add bridge-utils and openvpn. Also add vim and locate for convenience if you like.
# apt-get install bridge-utils openvpn vim locate
I set up the bridge manually instead of using the scripts that come with OpenVPN. Here is my /etc/network/interfaces:
auto lo
iface lo inet loopback

# br0 carries the host address; eth0 and tap0 are enslaved to it with no address of their own.
# Address/netmask below are taken from the server-bridge line in server.conf; add a "gateway" line if this host needs a default route.
auto br0
iface br0 inet static
    address 10.100.1.18
    netmask 255.255.255.0
    pre-up /usr/sbin/openvpn --mktun --dev tap0
    pre-up /sbin/ifconfig eth0 0.0.0.0 promisc up
    pre-up /sbin/ifconfig tap0 0.0.0.0 promisc up
    pre-up /usr/sbin/brctl addbr br0
    pre-up /usr/sbin/brctl stp br0 off
    pre-up /usr/sbin/brctl setfd br0 0
    pre-up /usr/sbin/brctl addif br0 eth0
    pre-up /usr/sbin/brctl addif br0 tap0
    post-down /usr/sbin/brctl delbr br0
    post-down /usr/sbin/openvpn --rmtun --dev tap0
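An added check script (not from the original post) for the bridge this interfaces file builds: it confirms that eth0 and tap0 are enslaved to br0, that STP is off and that both members are promiscuous, the conditions a bridged OpenVPN host needs before the missing-reply symptom described above can be blamed on the hypervisor. The sample `brctl show` and `ip -o link show` text it is written to parse is the standard output of those tools; the function and file names are my own.

```shell
#!/bin/bash
# Each check takes command output as its first argument, so it also runs on captured text.

# check_bridge_members "<brctl show output>" <bridge> <iface>...
# Succeeds only if every listed interface is enslaved to the bridge.
check_bridge_members() {
  local show="$1" bridge="$2" block member; shift 2
  # brctl prints the first member on the bridge's own line and the rest
  # on one-column continuation lines; collect just this bridge's lines.
  block=$(printf '%s\n' "$show" | awk -v b="$bridge" '
    $1 == b        { inb = 1; print; next }
    NF == 1 && inb { print; next }
                   { inb = 0 }')
  for member in "$@"; do
    printf '%s\n' "$block" | awk -v m="$member" '$NF == m { f = 1 } END { exit !f }' ||
      { echo "FAIL: $member is not a member of $bridge" >&2; return 1; }
  done
}

# check_stp_off "<brctl show output>" <bridge>
# Succeeds only if the bridge exists and its "STP enabled" column reads "no".
check_stp_off() {
  printf '%s\n' "$1" | awk -v b="$2" '$1 == b { found = 1; ok = ($3 == "no") }
                                      END { exit !(found && ok) }' ||
    { echo "FAIL: STP is not off on $2" >&2; return 1; }
}

# check_promisc "<ip -o link show output>" <iface>...
# Succeeds only if every interface carries the PROMISC flag set by the
# "ifconfig ... promisc up" lines; without it frames for other MACs are dropped.
check_promisc() {
  local links="$1" iface; shift
  for iface in "$@"; do
    printf '%s\n' "$links" | grep -Eq "^[0-9]+: ${iface}: <([^>]*,)?PROMISC(,|>)" ||
      { echo "FAIL: $iface is not in promiscuous mode" >&2; return 1; }
  done
}

# Run all checks on the live system (needs bridge-utils and iproute2).
audit_bridge_host() {
  local bridge="$1" show; shift
  show=$(brctl show) || return 1
  check_bridge_members "$show" "$bridge" "$@" &&
    check_stp_off "$show" "$bridge" &&
    check_promisc "$(ip -o link show)" "$@"
}

if [ "${1:-}" = "--live" ]; then
  audit_bridge_host br0 eth0 tap0 && echo "bridge host looks correct"
fi
```

The ESXi side cannot be verified from inside the guest; on the host shell, `esxcli network vswitch standard policy security get -v vSwitch0` shows the vSwitch policy. Because a port group's own security policy overrides the vSwitch's, the Accept setting can be confined to a port group holding only the OpenVPN VM instead of letting every VM on the switch see all of its traffic.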
Configure OpenVPN according to the instructions at openvpn.net. Here’s my server.conf:
# dev tap0 is needed so OpenVPN uses the tap0 pre-created in /etc/network/interfaces instead of allocating a tun device.
dev tap0
# Management console on the LAN address, protected by the password file; restrict who can reach port 5555.
management 10.100.1.18 5555 /etc/openvpn/mgmt_passwd.txt
# Bridge mode: br0 address and netmask, then the pool 10.100.1.30-10.100.1.39 handed to clients.
server-bridge 10.100.1.18 255.255.255.0 10.100.1.30 10.100.1.39
push "dhcp-option DNS 10.100.1.2"
push "dhcp-option WINS 10.100.1.2"
# Ping every 10 s; declare the peer down after 120 s of silence.
keepalive 10 120
The management line is optional, but it allows connections to the management console so you can see who is connected, etc. There is a pretty nice GUI tool here you can use from a Windows box on the network if you want.
Other than those settings, all you have to do is follow the instructions for creating the keys using the easy-rsa scripts and you should be fine…