OpenVPN bridge script - proposed changes -MAC address

Anything not about Mac emulation.

Moderators: Cat_7, Ronald P. Regensburg

Post Reply
mjd_tech
Space Cadet
Posts: 3
Joined: Mon Dec 17, 2018 11:49 pm

OpenVPN bridge script - proposed changes -MAC address

Post by mjd_tech »

I have used the openvpn-bridge script in several installations.
I install a Raspberry Pi, configure it, and set some port forwarding rules on the router.

One thing I have noticed:
The openvpn-bridge script sets up a TAP interface.
This interface will have a random MAC address.
Then the bridge interface, br0, is created using eth and tap.

br0 will assume the MAC address of either the eth or tap interface, based on which has the lowest hex value.
This is not ideal.
see: https://backreference.org/2010/07/28/li ... mic-ports/

On some routers, this randomness of mac address can actually break the port forwarding rules, and the vpn won't work.

What we want is for br0 to always be the same mac address as the ethernet
We can use the ip link command to do this,

First, where we set variables for the ethernet, add a new variable for the mac address, for example:

Code: Select all

eth="enp0s3"
eth_mac="54:ee:75:a7:11:e4"
eth_ip_netmask="192.168.5.100/24"
eth_broadcast="192.168.5.255"
eth_gateway="192.168.5.1"
Then, set the mac address just before bringing the bridge up...

Code: Select all

ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $br
ip link set $br address $eth_mac
ip link set $br up
So now the bridge always gets the same mac address as the ethernet.
Other devices on the network, particularly routers, are happy.

So I propose the openvpn-bridge script in the wiki be modified with these changes.
So far, this has worked for me with no downside.
I have not tested this in a virtual machine as per the wiki page,
but I see no reason why this would not work in a VM just as well as on bare metal.
mjd_tech
Space Cadet
Posts: 3
Joined: Mon Dec 17, 2018 11:49 pm

Re: OpenVPN bridge script - proposed changes -MAC address

Post by mjd_tech »

So I set up a VirtualBox VM using the wiki instructions.
I added the mods to the openvpn-bridge script to force br0 to use same mac address as the ethernet.

It worked fine, as expected

Some observations:
All my Virtualbox VMs have a (virtual) ethernet adapter with MAC address beginning with 08:00:27
That's a pretty low number.
Chances are, When a TAP interface is created, its random MAC address will be higher.
So the bridge will get the MAC address of the ethernet adapter, without needing to force it.

Just for giggles, I created 500 TAP interfaces with this script:

Code: Select all

#!/bin/bash
{
for i in {1..500}; do
    sudo ip tuntap add tap9 mode tap
    ip --brief link | awk '/^tap9/ {print $3}'
    sudo ip tuntap del tap9 mode tap
    sleep 0.5
done
} | tee taps.txt
This creates a file with the MAC address for each TAP interface
I viewed the file like so:

Code: Select all

sort taps.txt | less -N
I found 15 Addresses out of 500 were lower than 08:00:27
That's 3%
So in a VM, there is a 97% chance the bridge will assume the MAC address of the ethernet, if you do not force it.

A raspberry pi (at least the ones I have), has a MAC address beginning with b8:27:eb
There were 372 out of 500 tap interfaces with a MAC address lower than that, roughly 75%
So only a 25% chance the bridge will get same MAC as the ethernet.

Ok, this was not a scientifically rigorous test. :smile:

The main reason for all this is so the VPN server LAN interface always has the same MAC address,
whether openvpn server is running or not. And always the same MAC after reboots. Same MAC all the time.

Some routers (I'm looking at you Arris) will drop port forwarding rules if the MAC address on the openvpn server changes.

As a side note, on Rapsberry Pi running Raspbian, the network is managed by dhcpcd.
I set the static IP and DNS server stuff with the GUI on the desktop top panel.
Then in the ovenvpn-bridge script, right at the beginning of the start) case I put

Code: Select all

sudo systemctl stop dhcpcd
Then, right at the end of the stop) case I put

Code: Select all

sudo systemctl start dhcpcd
This keeps dhcpcd out of the picture while the tap and bridge interfaces are created /deleted.
Otherwise those interfaces will try to get a dhcp address.
Come to think of it, probably don't need sudo for these commands but it works.

I enable ssh and vnc server on the pi and set the router with 3 port forwarding rules: openvpn, ssh, vnc
NucAr
Tinkerer
Posts: 67
Joined: Mon Aug 13, 2012 1:42 am

Re: OpenVPN bridge script - proposed changes -MAC address

Post by NucAr »

Thanks a lot for these improvements. There have been some quirks in Debian and VirtualBox lately. When I sort these out, I'll update the guide.
Post Reply