Networking – Using ARP protocol with OpenVPN routed (TUN) tunnel

Tags: arp, home-networking, openvpn, tomato, tunnel

I've configured the network shown in the following diagram:

[Network diagram image not available]

ROT1 is a Tomato-based router. It has a BR0 bridged network interface for all the clients within the internal network with subnet 192.168.1.0/24. One of the clients is a NAS device (NAS01) which provides some basic services like ownCloud and an SMB server. Both LAP01 and MOB01 clients are able to see NAS01 and use its services. ROT1 also has two VPNs configured: TAP0 is an OpenVPN bridged tunnel which is bridged with BR0, which is why client LAP04 receives an IP address from the DHCP server within subnet 192.168.1.0/24. This client is also able to ping the NAS01 device within the internal subnet. Router ROT01 is running the arpwake program to automatically wake up NAS01 with a Magic Packet when the host is requested by some other client in the network with an ARP request (who-has). You can find the description of the application and links for its source code here. The arpwake application is listening on BR0 for ARP requests containing the MAC address of NAS01 and automatically sends a Magic Packet if one of the clients within the network asks for it.
The problem is that I'm also trying to set up a routed VPN tunnel with OpenVPN that will allow me to use the arpwake application to automatically wake NAS01 when one of the clients from the TUN0 network asks for it. If NAS01 is up I can ping it and use all the services, but if it's down I cannot wake it up with the arpwake application, because there are no ARP requests on that interface (TUN0) – I've already checked that with tcpdump on the router. I've also tried to use Proxy ARP with the command echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp but it still doesn't work.

Here's the configuration of the router:

Routes

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.200.2   *               255.255.255.255 UH    0      0        0 tun0
192.168.0.1     *               255.255.255.255 UH    0      0        0 vlan2
192.168.200.0   192.168.200.2   255.255.255.0   UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
192.168.0.0     *               255.255.255.0   U     0      0        0 vlan2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 vlan2

iptables (output of iptables-save concerning only TUN0)

# Generated by iptables-save v1.3.8 on Sun Aug 28 12:08:23 2016
*nat
:PREROUTING ACCEPT [50195:5904352]
:POSTROUTING ACCEPT [409:28145]
:OUTPUT ACCEPT [4413:306096]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Sun Aug 28 12:08:23 2016
# Generated by iptables-save v1.3.8 on Sun Aug 28 12:08:23 2016
*mangle
:PREROUTING ACCEPT [1628436:1350223724]
:INPUT ACCEPT [43707:3160699]
:FORWARD ACCEPT [1563428:1344198921]
:OUTPUT ACCEPT [13790:1556262]
:POSTROUTING ACCEPT [1576178:1345632445]
COMMIT
# Completed on Sun Aug 28 12:08:23 2016
# Generated by iptables-save v1.3.8 on Sun Aug 28 12:08:23 2016
*filter
:INPUT DROP [10689:641141]
:FORWARD ACCEPT [19:1151]
:OUTPUT ACCEPT [13539:1531250]
-A INPUT -i tun0 -j ACCEPT
COMMIT
# Completed on Sun Aug 28 12:08:23 2016

TUN0 OpenVPN config (security related options removed)

local [IP_address]
port [PORT]
proto udp
dev tun
server 192.168.200.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
push "dhcp-option DNS 192.168.1.1"

ifconfig for the TUN0 interface (by default OpenVPN brings this interface up with the NOARP option, but even if I turn ARP back on with the command ifconfig tun0 arp it does not solve my problem).

tun0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:192.168.200.1  P-t-P:192.168.200.2  Mask:255.255.255.255
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
           RX packets:311 errors:0 dropped:0 overruns:0 frame:0
           TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           RX bytes:21166 (20.6 KiB)  TX bytes:3486 (3.4 KiB)

My question is: how do I make this TUN0 interface start working with ARP?

Best Answer

Non-IP traffic is not forwarded over Layer-3 (tun) interfaces; that's the whole beauty of it: you save on broadcast traffic and on Ethernet headers. You can read about all of this on the OpenVPN wiki.

I am not sure I understand how arpwake works, the Web page you linked to is more of a ramble than a wiki. But you may try adding this firewall rule,

 iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE

This rewrites all source IP addresses, in the packet headers, with the router IP address. I do not know whether this will trigger arpwake, but you may try.

EDIT:

I have thought of a workaround, which does not use arpwake. Add the following iptables rule,

iptables -A FORWARD -i tun0 -s xxx.xxx.xxx.xxx/24 -d 192.168.1.4/32 -m state --state NEW -j LOG --log-prefix "NEW_CONN_ATTEMPT "

where xxx.xxx.xxx.xxx/24 is the VPN tunnel's network. (Traffic from tun0 to the NAS is routed through the router rather than addressed to it, so it traverses the FORWARD chain, not INPUT; matching --state NEW already excludes ESTABLISHED packets, and the trailing space in the prefix keeps it from being glued to the IN= field in the log.) Now set up an executable script, running under sudo, with the following content:

tail -f /var/log/firewall.log | awk '/NEW_CONN_ATTEMPT/ {system("/usr/local/bin/myscript")}'

where /usr/local/bin/myscript is a script that sends the magic packet to the NAS. It should work.
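As an added example, not part of the original answer or of arpwake, here is one way to write the /usr/local/bin/myscript side of that workaround as a single log watcher instead of a tail/awk pipeline. It reads netfilter LOG lines from standard input, picks out the DST= field of lines carrying the NEW_CONN_ATTEMPT prefix, builds a standard Wake-on-LAN magic packet (6 bytes of 0xFF followed by the target MAC repeated 16 times) and broadcasts it on UDP port 9. The IP-to-MAC table, the broadcast address and the sample log lines are constructed placeholders, and the cooldown is an assumption added so that a burst of new connections does not send one packet per SYN. It assumes a host on the 192.168.1.0/24 segment with Python 3; whether the Tomato router itself can run it is not something the page establishes.

```python
"""Wake a LAN host when the router's firewall logs a new connection to it.

Usage (on the host that has the log):
    tail -f /var/log/firewall.log | python3 wake_on_log.py
"""
import re
import socket
import sys
import time

# Hypothetical target table: NAS IP -> MAC (constructed placeholder values).
WAKE_TARGETS = {"192.168.1.4": "00:11:22:33:44:55"}

# Prefix set by the iptables LOG rule. netfilter prints the prefix directly
# before "IN=", so a prefix without a trailing space shows up as
# "NEW_CONN_ATTEMPTIN=..."; a plain substring match handles both forms.
LOG_PREFIX = "NEW_CONN_ATTEMPT"
DST_RE = re.compile(r"\bDST=(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample lines in netfilter LOG format (not captured from the page).
SAMPLE_LOG = [
    "Aug 28 12:10:01 rot1 kernel: NEW_CONN_ATTEMPTIN=tun0 OUT=br0 SRC=192.168.200.6 "
    "DST=192.168.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51000 "
    "DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Aug 28 12:10:02 rot1 kernel: NEW_CONN_ATTEMPT IN=tun0 OUT=br0 SRC=192.168.200.6 "
    "DST=192.168.1.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51001 "
    "DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Aug 28 12:10:03 rot1 kernel: NEW_CONN_ATTEMPT IN=tun0 OUT=br0 SRC=192.168.200.6 "
    "DST=192.168.1.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51002 "
    "DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Aug 28 12:10:04 rot1 dropbear[123]: Child connection from 192.168.200.6:51003",
]


def parse_log_line(line):
    """Return the logged destination IP for a NEW_CONN_ATTEMPT line, else None."""
    if LOG_PREFIX not in line:
        return None
    match = DST_RE.search(line)
    return match.group(1) if match else None


def build_magic_packet(mac):
    """Wake-on-LAN payload: 6 x 0xFF then the 6-byte MAC repeated 16 times (102 bytes)."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be exactly 6 bytes: %r" % mac)
    return b"\xff" * 6 + mac_bytes * 16


def send_magic_packet(mac, broadcast="192.168.1.255", port=9):
    """Broadcast the magic packet on the LAN segment; returns bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(packet, (broadcast, port))
    return len(packet)


class WakeOnLog:
    """Maps logged destinations to MACs and rate-limits wake-ups per host."""

    def __init__(self, targets, sender=send_magic_packet, cooldown=60.0):
        self.targets = targets
        self.sender = sender
        self.cooldown = cooldown
        self.last_wake = {}

    def handle_line(self, line, now=None):
        """Send a wake-up for the line's target if one is due; return the MAC woken or None."""
        now = time.monotonic() if now is None else now
        mac = self.targets.get(parse_log_line(line))
        if mac is None:
            return None
        if now - self.last_wake.get(mac, float("-inf")) < self.cooldown:
            return None  # woke this host recently; let it finish booting
        self.last_wake[mac] = now
        self.sender(mac)
        return mac


def main():
    watcher = WakeOnLog(WAKE_TARGETS)
    for line in sys.stdin:
        mac = watcher.handle_line(line)
        if mac:
            print("sent magic packet for", mac, file=sys.stderr)


if __name__ == "__main__":
    main()
```

Because the LOG target only fires for packets the rule matches, the watcher never sees ordinary established traffic, and the cooldown means a client retrying a connection while the NAS boots does not flood the segment with broadcasts.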
