Can't access other clients in OpenVPN tap network inside VLAN (VLAN works correctly)

A few days ago I decided to set up a VLAN (VLAN77) and an OpenVPN layer2/tap server in it for gaming. The goal is to be able to connect from my gaming PC (192.168.0.101) to that VLAN using OpenVPN, and for clients from the WAN to also be able to connect to that VLAN using OpenVPN, so that we can play games while everyone is confined to the 192.168.10.0 network and therefore unable to access my local stuff that is on 192.168.0.0. My setup is:

  • 1 server PC (connected to trunk port) (192.168.0.50)
    • pfSense VM (192.168.0.1)
    • OpenVPN VM (192.168.10.2)
    • Other VMs
  • 1 main/gaming PC running Linux (connected to trunk port) (192.168.0.101)
    • Windows VM
    • Test VMs for direct connection to VLAN77 (running RockyLinux)
      netconfig for 1 of them (/etc/sysconfig/network-scripts/ifcfg-enp1s0.77)
      DEVICE=enp1s0.77
      ONBOOT=yes
      VLAN=yes
      NM_MANAGED=no
      IPADDR=192.168.10.40
      NETMASK=24
      GATEWAY=192.168.10.1
      
  • 1 laptop for testing (connected to untagged/access port with PVID 77) - gets an IP by DHCP in the VLAN77 net
My VLAN config (switch, router, server)

Server (Rocky Linux) / pfSense VM host

/sys/class/net/br0/bridge/vlan_filtering

0

/etc/sysconfig/network-scripts/ifcfg-enp5s1

DEVICE=enp5s1
UUID=5c593283-788c-4c66-a590-6fcc3a0e2a49
TYPE=Ethernet
NAME=enp5s1
ONBOOT=yes
NM_MANAGED=no
BRIDGE=br0

/etc/sysconfig/network-scripts/ifcfg-br0

TYPE=Bridge
DEVICE=br0
NAME="Bridge br0"
UUID=d2d68553-f97e-7549-7a26-b34a26f29318
ONBOOT=yes
NM_MANAGED=no
IPADDR=192.168.0.50
PREFIX=24
GATEWAY=192.168.0.1
DNS1=192.168.0.20
DNS2=1.1.1.1
BOOTPROTO=static
DEFROUTE=yes

OpenVPN VM (Rocky Linux): (Debian doesn’t work for some reason)

This can be 1 interface without the bridge. I just need the bridge to bridge enp1s0.77 with a TAP interface for OpenVPN.
/etc/sysconfig/network-scripts/ifcfg-enp1s0.77

DEVICE=enp1s0.77
ONBOOT=yes
BOOTPROTO=none
VLAN=yes
BRIDGE=br0

/etc/sysconfig/network-scripts/ifcfg-br0

TYPE=Bridge
DEVICE=br0
NAME="Bridge br0"
ONBOOT=yes
BOOTPROTO=none
NM_MANAGED=no
IPADDR=192.168.10.2
NETMASK=24
GATEWAY=192.168.10.1
DNS1=1.1.1.1

Switch

Port 1 - server w/ {pfSense}/{other VMs}
Port 3 - my PC
Port 7,8 - test ports for VLAN (devices plugged in are put in VLAN77 automatically and get an IP by DHCP)

VLAN77:

Tagged/Trunk: Port 1,3
Untagged/Access: Port 7,8
Not member: Port 2,4,5,6

PVID:

Port 1-6: 1
Port 7-8: 77

pfSense

VLAN Interfaces :

Interface     VLAN tag  Priority  Description
vtnet0 (lan)  77                  Gaming VPN Network

Interface Assignments:

Interface  Network Port
WAN        re0 (98:de:d0:83:00:3e)
LAN        vnet0 (52:54:00:ae:b2:2c)
VLAN77     VLAN77 on vtnet0 - lan (Gaming VPN Network)

Rules: (basically allow all for now for testing, but later I’ll disable rule 1 and enable rule 2)

VLAN77: (E: Enable [V] / Disable [X]; A/B: [A] - allow / [B] - block)

E  A/B  Protocol  Source      Port  Dest           Port                           Gateway
V  A    IPv4      VLAN77 Net  *     *              *                              *
X  B    IPv4+6    *           *     This Firewall  RouterSwitch Management_Ports  *
V  A    IPv4+6    *           *     VLAN77 Net     *                              *

VLANs are working correctly. (The laptop and the test VMs in my main PC are in the 192.168.10.0 network and can ping each other, but can't ping my main LAN when I disable the rule that allows traffic from VLAN77 to LAN in pfSense for VLAN77 (the first rule in the last table in the post I linked above). So VLAN works.)

However, when I connect to the OpenVPN server I CAN'T ping anyone and CAN'T connect to anyone in VLAN77. I CAN connect with everyone outside of VLAN77 (because I haven't blocked it yet). The directly connected VMs and laptop also CAN'T ping anyone connected to VLAN77 through OpenVPN. I even tried hosting a web server on one of the VMs directly connected to the VLAN and connecting to it from my main PC with an active OpenVPN connection, to check whether the issue was only with ping.

Here is my OpenVPN server conf (tap0 is statically added interface):

server.conf
verb 3
port 1194
proto udp
dev tap0

server-bridge 192.168.10.1 255.255.255.0 192.168.10.100 192.168.10.254

ifconfig-pool-persist /etc/openvpn/ipp.txt

# Auth
cert /etc/openvpn/server_vdWvipFvZXBYLr3N.crt
key /etc/openvpn/server_vdWvipFvZXBYLr3N.key
ca /etc/openvpn/ca.crt
dh /etc/openvpn/dh.pem
auth SHA512
#tls-auth /etc/openvpn/ta.key 0

sndbuf 0
rcvbuf 0

client-to-client

duplicate-cn

keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
#group nobody
persist-key
persist-tun
status status-tap.log
crl-verify /etc/openvpn/crl.pem

# The line below allows us to run scripts.
script-security 2

/etc/sysconfig/network-scripts/ifcfg-openvpn_tap
DEVICE=tap0
ONBOOT=yes
BOOTPROTO=none
TYPE=Tap
BRIDGE=br0

I disabled Firewalld and SELinux, so that's not the problem. I also installed iptables and tried this: sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o br0 -j MASQUERADE (every chain is policy ACCEPT). BTW, what is the alternative firewalld command?

OpenVPN client log

2022-07-03 08:31:17 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless “allow-compression yes” is also set.
2022-07-03 08:31:17 DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add ‘AES-256-CBC’ to --data-ciphers or change --cipher ‘AES-256-CBC’ to --data-ciphers-fallback ‘AES-256-CBC’ to silence this warning.
2022-07-03 08:31:17 OpenVPN 2.5.7 [git:makepkg/a0f9a3e9404c8321+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 31 2022
2022-07-03 08:31:17 library versions: OpenSSL 1.1.1p 21 Jun 2022, LZO 2.10
2022-07-03 08:31:17 WARNING: No server certificate verification method has been enabled. See How To Guide: Set Up & Configure OpenVPN Client/server VPN | OpenVPN for more info.
:closed_lock_with_key: Enter Private Key Password: ****************************************************************
2022-07-03 08:31:20 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
2022-07-03 08:31:20 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.10.2:1194
2022-07-03 08:31:20 UDP link local: (not bound)
2022-07-03 08:31:20 UDP link remote: [AF_INET]192.168.10.2:1194
2022-07-03 08:31:20 [server_vdWvipFvZXBYLr3N] Peer Connection Initiated with [AF_INET]192.168.10.2:1194
2022-07-03 08:31:21 TUN/TAP device tap0 opened
2022-07-03 08:31:21 net_iface_mtu_set: mtu 1500 for tap0
2022-07-03 08:31:21 net_iface_up: set tap0 up
2022-07-03 08:31:21 net_addr_v4_add: 192.168.10.100/24 dev tap0
2022-07-03 08:31:21 Initialization Sequence Completed
^C2022-07-03 08:31:44 event_wait : Interrupted system call (code=4)
2022-07-03 08:31:44 net_addr_v4_del: 192.168.10.100 dev tap0
2022-07-03 08:31:44 SIGINT[hard,] received, process exiting

OpenVPN server log

Jul 03 08:30:21 gamingvpn systemd[1]: Starting OpenVPN service for server…
Jul 03 08:30:21 gamingvpn openvpn[4021]: OpenVPN 2.4.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 17 2022
Jul 03 08:30:21 gamingvpn openvpn[4021]: library versions: OpenSSL 1.1.1k FIPS 25 Mar 2021, LZO 2.08
Jul 03 08:30:21 gamingvpn openvpn[4021]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Jul 03 08:30:21 gamingvpn openvpn[4021]: WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Jul 03 08:30:21 gamingvpn systemd[1]: Started OpenVPN service for server.
Jul 03 08:30:21 gamingvpn openvpn[4021]: Diffie-Hellman initialized with 2048 bit key
Jul 03 08:30:21 gamingvpn openvpn[4021]: CRL: loaded 1 CRLs from file /etc/openvpn/crl.pem
Jul 03 08:30:21 gamingvpn openvpn[4021]: TUN/TAP device tap0 opened
Jul 03 08:30:21 gamingvpn openvpn[4021]: TUN/TAP TX queue length set to 100
Jul 03 08:30:21 gamingvpn openvpn[4021]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Jul 03 08:30:21 gamingvpn openvpn[4021]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jul 03 08:30:21 gamingvpn openvpn[4021]: UDPv4 link local (bound): [AF_INET][undef]:1194
Jul 03 08:30:21 gamingvpn openvpn[4021]: UDPv4 link remote: [AF_UNSPEC]
Jul 03 08:30:21 gamingvpn openvpn[4021]: UID set to nobody
Jul 03 08:30:21 gamingvpn openvpn[4021]: MULTI: multi_init called, r=256 v=256
Jul 03 08:30:21 gamingvpn openvpn[4021]: IFCONFIG POOL: base=192.168.10.100 size=155, ipv6=0
Jul 03 08:30:21 gamingvpn openvpn[4021]: IFCONFIG POOL LIST
Jul 03 08:30:21 gamingvpn openvpn[4021]: Initialization Sequence Completed
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 TLS: Initial packet from [AF_INET]192.168.0.101:50127, sid=ed4f6d24 2c9add82
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 VERIFY OK: depth=1, CN=cn_Q7Y5kdxk139Eon81
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 VERIFY OK: depth=0, CN=FieryRider
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 peer info: IV_VER=2.5.7
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 peer info: IV_PLAT=linux
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 peer info: IV_PROTO=6
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 peer info: IV_NCP=2
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 peer info: IV_LZ4=1
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 peer info: IV_LZ4v2=1
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 peer info: IV_LZO=1
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 peer info: IV_COMP_STUB=1
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 peer info: IV_COMP_STUBv2=1
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 peer info: IV_TCPNL=1
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Jul 03 08:31:20 gamingvpn openvpn[4021]: 192.168.0.101:50127 [FieryRider] Peer Connection Initiated with [AF_INET]192.168.0.101:50127
Jul 03 08:31:20 gamingvpn openvpn[4021]: FieryRider/192.168.0.101:50127 MULTI_sva: pool returned IPv4=192.168.10.100, IPv6=(Not enabled)
Jul 03 08:31:21 gamingvpn openvpn[4021]: FieryRider/192.168.0.101:50127 PUSH: Received control message: ‘PUSH_REQUEST’
Jul 03 08:31:21 gamingvpn openvpn[4021]: FieryRider/192.168.0.101:50127 SENT CONTROL [FieryRider]: ‘PUSH_REPLY,route-gateway 192.168.10.1,ping 10,ping-restart 120,ifconfig 192.168.10.100 255.255.255.0,peer-id 0,cipher AES-256-GCM’ (status>
Jul 03 08:31:21 gamingvpn openvpn[4021]: FieryRider/192.168.0.101:50127 Data Channel: using negotiated cipher ‘AES-256-GCM’
Jul 03 08:31:21 gamingvpn openvpn[4021]: FieryRider/192.168.0.101:50127 Outgoing Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Jul 03 08:31:21 gamingvpn openvpn[4021]: FieryRider/192.168.0.101:50127 Incoming Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Jul 03 08:31:46 gamingvpn openvpn[4021]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

I executed 3 commands while I was connected:

  • ping 192.168.0.101
  • ping 192.168.10.1
  • ping 192.168.10.2

The last 2 failed!

When I pinged 192.168.10.1 while connected to OpenVPN and it failed, I monitored the bridge on the VM host (that hosts pfSense and OpenVPN), which bridges the VM virtual NICs with enp5s1, using sudo tcpdump -i br0 -nn src net 192.168.0.0/24 and icmp, and got:

01:01:24.589756 IP 192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 50041 unreachable, length 77
01:01:24.589788 IP 192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 50041 unreachable, length 77
01:01:30.665772 IP 192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 50041 unreachable, length 200
01:01:30.665840 IP 192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 50041 unreachable, length 200

You should be masquerading traffic coming in from openvpn and out on local net, not the other way round…

Should I even be masquerading anything at all in case of bridged/TAP config?

Every guide (even the official docs) mentions masquerading when using a TUN config but not for TAP. The only place I found masquerading mentioned for TAP is here, and I'm not sure whether I should do it on the client PC or the OpenVPN server and what exactly I should masquerade. The guide I linked says to do this: sudo iptables -t nat -A POSTROUTING -s 192.168.41.0/24 -o br0 -j MASQUERADE if we have problems with some games (which means it should generally work without masquerading), which I assumed is done on the OpenVPN server, where 192.168.41.0/24 is the network the server is in (so 192.168.10.0/24 in my case) and br0 is the bridge that connects the OpenVPN TAP adapter with the NIC.
My OpenVPN server is inside VM with 3 interfaces:

  • enp1s0.77 - VLAN77
    DEVICE=enp1s0.77
    ONBOOT=yes
    BOOTPROTO=none
    VLAN=yes
    BRIDGE=br0
    
  • br0
    TYPE=Bridge
    DEVICE=br0
    NAME="Bridge br0"
    ONBOOT=yes
    BOOTPROTO=none
    NM_MANAGED=no
    IPADDR=192.168.10.2
    NETMASK=24
    GATEWAY=192.168.10.1
    DNS1=1.1.1.1
    
  • tap0
    DEVICE=tap0
    ONBOOT=yes
    BOOTPROTO=none
    TYPE=Tap
    BRIDGE=br0
    

The host is connected to the VLAN trunk, bridged to the pfSense VM and the OpenVPN VM, and I'm basically only extracting VLAN77 traffic on the OpenVPN VM.

The end goal, as I said, is basically to have a VLAN with an OpenVPN server hosted in it on my network that I (from the main/non-VLAN network) and people from outside (WAN) can connect to for gaming. And I'm trying to host all that on a single physical server (pfSense router and OpenVPN server in VMs, and at the same time have the OS that the hypervisor runs in on the main LAN, able to access the LAN and internet as normal).

Sorry, missed that in your original post and went straight to the iptables lines.
Yes, in theory you shouldn't need any masquerading when bridged…
From your logs it is not clear to me what state you end up in on the client; can you post an ipconfig/ifconfig and the route table from the client?
Also, I am a little confused as to why you would expect packets on the hypervisor bridge instead of the one that should be created inside the OpenVPN VM.
What hypervisor are you running? Have you checked that the default network interface config allows traffic from unknown MAC addresses through?

Client ip info (while connected to OVPN)

  • ip addr
    Output
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
        link/ether 18:c0:4d:ed:25:24 brd ff:ff:ff:ff:ff:ff
    3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether aa:67:7c:3f:11:8d brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.101/24 brd 192.168.0.255 scope global br0
           valid_lft forever preferred_lft forever
        inet6 fe80::a867:7cff:feb2:80d/64 scope link
           valid_lft forever preferred_lft forever
    4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
        link/ether f6:22:32:4b:dc:f0 brd ff:ff:ff:ff:ff:ff
        inet 192.168.10.100/24 scope global tap0
           valid_lft forever preferred_lft forever
        inet6 fe80::ac56:f1ff:fe16:cce8/64 scope link
           valid_lft forever preferred_lft forever
    
  • ip link
    Output
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP mode DEFAULT group default qlen 1000
        link/ether 18:c0:4d:ed:25:24 brd ff:ff:ff:ff:ff:ff
    3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
        link/ether aa:67:7c:3f:11:8d brd ff:ff:ff:ff:ff:ff
    4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 1000
        link/ether f6:22:32:4b:dc:f0 brd ff:ff:ff:ff:ff:ff
    
  • ip route
    Output
    default via 192.168.0.1 dev br0 proto static
    192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.101
    192.168.10.0/24 dev tap0 proto kernel scope link src 192.168.10.100
    

Hypervisor

For hypervisor I’m using KVM/Libvirt in RockyLinux.

Other

I ran tcpdump at every point along the way to see where I can see the traffic last. The traffic I posted began showing up after I stopped the VPN connection and stopped pinging.

I don’t think plain Linux+KVM has restrictions like that.
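Added example, not from the thread: it takes the `ip route` output and the OpenVPN client log lines posted above (reproduced inline), does the same longest-prefix lookup the kernel does, and reports which interface the client would use to reach the VPN server's own address 192.168.10.2 once tap0 holds 192.168.10.0/24. The function names are mine; it flags the condition where the kernel's route for the tunnel endpoint is the tunnel device itself, which is worth ruling out whenever the server address lies inside the bridged subnet.

```python
"""Which interface does the client use to reach the VPN server once tap0 is up?

Added example, not from the thread. It parses the `ip route` output and the
OpenVPN client log lines posted above (both reproduced inline), does the same
longest-prefix lookup the kernel does, and reports whether the route chosen
for the server's own address is the tunnel device. If it is, the encrypted
UDP packets to the server would be steered into the tunnel they carry.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the `ip route` output posted above.
CLIENT_ROUTES = """\
default via 192.168.0.1 dev br0 proto static
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.101
192.168.10.0/24 dev tap0 proto kernel scope link src 192.168.10.100
"""

# Constructed from the OpenVPN client log posted above.
CLIENT_LOG = """\
2022-07-03 08:31:20 UDP link remote: [AF_INET]192.168.10.2:1194
2022-07-03 08:31:21 TUN/TAP device tap0 opened
2022-07-03 08:31:21 net_addr_v4_add: 192.168.10.100/24 dev tap0
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]  # next hop, None for directly connected routes


def parse_ip_route(text: str) -> List[Route]:
    """Keep only what a lookup needs from each `ip route` line: prefix, dev, via."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else ""
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append(Route(ipaddress.ip_network(prefix, strict=False), dev, via))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def endpoint_and_tunnel_dev(log: str):
    """Pull the remote endpoint and the tunnel device out of the client log."""
    remote = re.search(r"link remote: \[AF_INET\](\d+(?:\.\d+){3}):(\d+)", log)
    dev = re.search(r"TUN/TAP device (\S+) opened", log)
    if not remote or not dev:
        raise ValueError("log lacks the remote endpoint or the tunnel device")
    return remote.group(1), int(remote.group(2)), dev.group(1)


def endpoint_routed_into_tunnel(route_text: str, log: str) -> bool:
    """True when the route chosen for the VPN server's address is the tunnel device."""
    server_ip, _port, tun_dev = endpoint_and_tunnel_dev(log)
    chosen = lookup(parse_ip_route(route_text), server_ip)
    return chosen is not None and chosen.dev == tun_dev


if __name__ == "__main__":
    routes = parse_ip_route(CLIENT_ROUTES)
    ip, port, dev = endpoint_and_tunnel_dev(CLIENT_LOG)
    chosen = lookup(routes, ip)
    print(f"{ip}:{port} is reached via {chosen.prefix} dev {chosen.dev}")
    if endpoint_routed_into_tunnel(CLIENT_ROUTES, CLIENT_LOG):
        print(f"the VPN transport to {ip} is itself routed over {dev}")
```

Run against the posted tables it reports that 192.168.10.2 selects the 192.168.10.0/24 route on tap0, while 192.168.0.x and the default route stay on br0.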


Posting tcpdump logs from everywhere:

  1. ran sudo openvpn User1.ovpn - 23:30:10
  2. entered file passphrase - 23:30:20
  3. ran ping -i 5 192.168.10.2 (waited for 10 ping attempts) - 23:31:00
  4. cancelled the ping command - 23:31:50
  5. cancelled the OpenVPN connection - 23:32:10
  6. stopped logging - 23:33:15-23:33:30

VM host logs:

  • sudo tcpdump -vv -i br0 -nn ' ( src net 192.168.0.0/24 or src net 192.168.10.0/24 ) and icmp '
    23:32:16.143645 IP (tos 0xc0, ttl 64, id 57814, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 14655, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:16.143680 IP (tos 0xc0, ttl 63, id 57814, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 14655, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:26.505741 IP (tos 0xc0, ttl 64, id 59947, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 23752, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:26.505772 IP (tos 0xc0, ttl 63, id 59947, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 23752, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:29.605400 IP (tos 0xc0, ttl 64, id 59981, offset 0, flags [none], proto ICMP (1), length 220)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 200
    	IP (tos 0x0, ttl 63, id 26113, offset 0, flags [DF], proto UDP (17), length 192)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 164
    23:32:29.605437 IP (tos 0xc0, ttl 63, id 59981, offset 0, flags [none], proto ICMP (1), length 220)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 200
    	IP (tos 0x0, ttl 63, id 26113, offset 0, flags [DF], proto UDP (17), length 192)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 164
    23:32:39.817404 IP (tos 0xc0, ttl 64, id 60133, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 32414, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:39.817459 IP (tos 0xc0, ttl 63, id 60133, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 32414, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:50.038324 IP (tos 0xc0, ttl 64, id 61355, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 42337, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:50.038347 IP (tos 0xc0, ttl 63, id 61355, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 42337, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:33:00.128614 IP (tos 0xc0, ttl 64, id 62806, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 43157, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:33:00.128671 IP (tos 0xc0, ttl 63, id 62806, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 43157, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    
  • sudo tcpdump -vv -i enp5s1 -nn ' ( src net 192.168.0.0/24 or src net 192.168.10.0/24 ) and icmp '
    23:32:16.143639 IP (tos 0xc0, ttl 64, id 57814, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 14655, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:26.505735 IP (tos 0xc0, ttl 64, id 59947, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 23752, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:29.605396 IP (tos 0xc0, ttl 64, id 59981, offset 0, flags [none], proto ICMP (1), length 220)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 200
    	IP (tos 0x0, ttl 63, id 26113, offset 0, flags [DF], proto UDP (17), length 192)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 164
    23:32:39.817398 IP (tos 0xc0, ttl 64, id 60133, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 32414, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:50.038321 IP (tos 0xc0, ttl 64, id 61355, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 42337, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    

VPN VM logs:

  • sudo tcpdump -vv -i br0 -nn ' ( src net 192.168.0.0/24 or src net 192.168.10.0/24 ) and icmp '
    23:32:16.142980 IP (tos 0xc0, ttl 63, id 57814, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 14655, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:26.505068 IP (tos 0xc0, ttl 63, id 59947, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 23752, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:29.604741 IP (tos 0xc0, ttl 63, id 59981, offset 0, flags [none], proto ICMP (1), length 220)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 200
    	IP (tos 0x0, ttl 63, id 26113, offset 0, flags [DF], proto UDP (17), length 192)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 164
    23:32:39.816749 IP (tos 0xc0, ttl 63, id 60133, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 32414, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:50.037620 IP (tos 0xc0, ttl 63, id 61355, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 42337, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:33:00.127951 IP (tos 0xc0, ttl 63, id 62806, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 43157, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    
  • sudo tcpdump -vv -i enp1s0.77 -nn ' ( src net 192.168.0.0/24 or src net 192.168.10.0/24 ) and icmp '
    23:32:16.142976 IP (tos 0xc0, ttl 63, id 57814, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 14655, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:26.505065 IP (tos 0xc0, ttl 63, id 59947, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 23752, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:29.604737 IP (tos 0xc0, ttl 63, id 59981, offset 0, flags [none], proto ICMP (1), length 220)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 200
    	IP (tos 0x0, ttl 63, id 26113, offset 0, flags [DF], proto UDP (17), length 192)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 164
    23:32:39.816745 IP (tos 0xc0, ttl 63, id 60133, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 32414, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:50.037616 IP (tos 0xc0, ttl 63, id 61355, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 42337, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:33:00.127946 IP (tos 0xc0, ttl 63, id 62806, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 43157, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    
  • sudo tcpdump -vv -i enp1s0 -nn ' ( src net 192.168.0.0/24 or src net 192.168.10.0/24 ) and icmp '
    23:32:16.142974 IP (tos 0xc0, ttl 63, id 57814, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 14655, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:26.505062 IP (tos 0xc0, ttl 63, id 59947, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 23752, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:29.604734 IP (tos 0xc0, ttl 63, id 59981, offset 0, flags [none], proto ICMP (1), length 220)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 200
    	IP (tos 0x0, ttl 63, id 26113, offset 0, flags [DF], proto UDP (17), length 192)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 164
    23:32:39.816743 IP (tos 0xc0, ttl 63, id 60133, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 32414, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:32:50.037613 IP (tos 0xc0, ttl 63, id 61355, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 42337, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    23:33:00.127944 IP (tos 0xc0, ttl 63, id 62806, offset 0, flags [none], proto ICMP (1), length 97)
        192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
    	IP (tos 0x0, ttl 63, id 43157, offset 0, flags [DF], proto UDP (17), length 69)
        192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
    
  • sudo tcpdump -vv -i tap0 -nn ' ( src net 192.168.0.0/24 or src net 192.168.10.0/24 ) and icmp ' - empty log
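Added example, not from the thread: a parser for the `tcpdump -vv` record format used in the captures above, run over a constructed sample in that format (two records copied from the br0 capture, plus one constructed echo request in the shape a ping would have on tap0). It checks two things the captures show: that every ICMP record is a port-unreachable the client sent back to the server's UDP 1194 transport, timestamped after step 5 (VPN stopped at 23:32:10), and that br0 on the host sees the same IP id at ttl 64 and ttl 63, i.e. once as sent by 192.168.0.101 and once after pfSense routed it into VLAN77. Function names are mine.

```python
"""Parse the `tcpdump -vv` records above and say what each one is evidence of.

Added example, not from the thread. A record is two lines for a plain ICMP
packet (outer IP header, ICMP line) and four lines for an ICMP error, which
also quotes the IP header and transport of the packet it complains about.
"""
import re
from typing import Dict, List

# Constructed sample: two records in the shape of the br0 capture above, plus
# one echo request in the shape a ping would have if it showed up on tap0.
SAMPLE = """\
23:31:05.000100 IP (tos 0x0, ttl 64, id 4242, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.10.100 > 192.168.10.2: ICMP echo request, id 7, seq 1, length 64
23:32:16.143645 IP (tos 0xc0, ttl 64, id 57814, offset 0, flags [none], proto ICMP (1), length 97)
    192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
\tIP (tos 0x0, ttl 63, id 14655, offset 0, flags [DF], proto UDP (17), length 69)
    192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
23:32:16.143680 IP (tos 0xc0, ttl 63, id 57814, offset 0, flags [none], proto ICMP (1), length 97)
    192.168.0.101 > 192.168.10.2: ICMP 192.168.0.101 udp port 35091 unreachable, length 77
\tIP (tos 0x0, ttl 63, id 14655, offset 0, flags [DF], proto UDP (17), length 69)
    192.168.10.2.1194 > 192.168.0.101.35091: [udp sum ok] UDP, length 41
"""

OPENVPN_PORT = 1194       # `port 1194` in server.conf above
VPN_STOPPED = "23:32:10"  # step 5 of the timeline above

HDR = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP \(tos \S+ ttl (\d+), id (\d+),.*proto (\w+) \(\d+\)")
ICMP = re.compile(r"^\s+(\S+) > (\S+): ICMP (.+), length \d+$")
INNER_HDR = re.compile(r"^\s+IP \(tos \S+ ttl (\d+), id (\d+),.*proto (\w+) \(\d+\)")
INNER_UDP = re.compile(r"^\s+(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): ")


def seconds(ts: str) -> float:
    """HH:MM:SS[.frac] -> seconds since midnight, for ordering against the timeline."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_records(text: str) -> List[Dict]:
    """Group lines into records (one per timestamped header) and pull out the fields."""
    groups: List[List[str]] = []
    for line in text.splitlines():
        if HDR.match(line):
            groups.append([line])
        elif groups and line.strip():
            groups[-1].append(line)
    records = []
    for lines in groups:
        ts, ttl, ip_id, proto = HDR.match(lines[0]).groups()
        rec: Dict = {"time": ts, "ttl": int(ttl), "id": int(ip_id), "proto": proto,
                     "src": "", "dst": "", "icmp": "", "inner": None}
        m = ICMP.match(lines[1]) if len(lines) > 1 else None
        if m:
            rec["src"], rec["dst"], rec["icmp"] = m.groups()
        if len(lines) >= 4 and INNER_HDR.match(lines[2]) and INNER_UDP.match(lines[3]):
            ittl, iid, iproto = INNER_HDR.match(lines[2]).groups()
            isrc, sport, idst, dport = INNER_UDP.match(lines[3]).groups()
            rec["inner"] = {"ttl": int(ittl), "id": int(iid), "proto": iproto, "src": isrc,
                            "sport": int(sport), "dst": idst, "dport": int(dport)}
        records.append(rec)
    return records


def classify(rec: Dict, vpn_stopped: str = VPN_STOPPED, vpn_port: int = OPENVPN_PORT) -> str:
    """Echo traffic, or a port-unreachable sent back to the server's OpenVPN transport."""
    if rec["icmp"].startswith("echo"):
        return "ping traffic"
    inner = rec["inner"]
    if "unreachable" in rec["icmp"] and inner and inner["proto"] == "UDP" and inner["sport"] == vpn_port:
        # The quoted packet came from the OpenVPN server port; the host that
        # answered with port-unreachable no longer had a socket on that port.
        when = "after" if seconds(rec["time"]) >= seconds(vpn_stopped) else "before"
        return f"port-unreachable to OpenVPN transport, {when} VPN stopped"
    return "other ICMP"


def ttl_copies(records: List[Dict]) -> Dict[int, List[int]]:
    """IP id -> TTLs seen; one id at ttl 64 and 63 is the same packet before and after a router."""
    seen: Dict[int, List[int]] = {}
    for rec in records:
        seen.setdefault(rec["id"], []).append(rec["ttl"])
    return {ip_id: ttls for ip_id, ttls in seen.items() if len(ttls) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        print(rec["time"], rec["src"], ">", rec["dst"], "->", classify(rec))
    print("ids seen at more than one TTL:", ttl_copies(recs))
```

Because the filter used above was `icmp`, echo requests riding inside the UDP 1194 tunnel never match on the host's br0 or enp5s1; the only place they could appear in the clear is tap0 inside the VM, which was empty.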