Netgate Discussion Forum

    ARP and DHCP and OpenVPN

    OpenVPN
    8 Posts 2 Posters 314 Views
    trl

      I'm fooling with OpenVPN for the first time and I'm confused by a couple things.

      • I connect from my Android phone to my gateway using OpenVPN
      • I don't see any DHCP Configuration on the phone -- no DHCP Server, no DNS, no gateway
      • I try to connect from the phone to an SMB Server on my network
      • I can do packet capture on the OPENVPN interface and see traffic

      specifically

      04:10:26.846836 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has host.domain tell otherhost.domain, length 46
      04:10:27.634355 IP (tos 0x0, ttl 63, id 2670, offset 0, flags [DF], proto TCP (6), length 60)
          host.domain.42980 > otherhost.domain.microsoft-ds: Flags [S], cksum 0x0118 (correct), seq 4122196380, win 65535, options [mss 1400,sackOK,TS val 3332089150 ecr 0,nop,wscale 9], length 0
      

      I have turned on Log packets that are handled by this rule in my firewall rule for the OPENVPN Interface (which is assigned) but it never fires and I never get connected to the SMB Server. I don't think packets ever get routed to the LAN (Interface Name LANSW0).

      I'm using the Android App OpenVPN Connect. I don't see a DHCP-DISCOVER from the phone in the packet logger, but I don't REALLY know how this is supposed to work -- maybe that's between DHCP and the OpenVPN Service. Or maybe it's something I should have done in Client Export ==> Additional configuration options or something. I don't know.

      What do I look for?

      One other weird thing. If I look in Interfaces==>Assignments I see this

      Interface	Network port	 
      WAN	        igb0 (a0:36:9f:aa:38:24)
      LANSW0	        igb1 (a0:36:9f:aa:38:25)
      LANonRouter	re0 (00:8c:fa:d5:8c:ac)
      OPENVPN	ovpns1 (MBActivation Remote Access)
      

      If I go to Firewall==>Rules I see this list of interfaces

      Floating WAN LANSW0 LANONROUTER OPENVPN %(#ff0000)[OpenVPN]
      

      That didn't work very well, but it still draws attention.

      There's an extra interface in Firewall Rules Land that's missing from Interfaces==>Assignments

      I'm pretty sure I typed the mixed-case name OpenVPN at one point trying to get this working. It doesn't show up anywhere in the UI except here -- not in Packet Capture, not in Status==>Interfaces, nothing I've found. I guess it's a bit of cruft, but I'd sure like to be rid of it.

      Any hints about that?

      Thanks...

      viragomann @trl

        @trl
        Do you access the SMB server by its IP or by host name?
        If by host name, try the FQDN.

        OpenVPN has its own internal IP address management. It doesn't use DHCP as long as you're not using tap mode.

        After you fire up an OpenVPN instance, pfSense shows an "OpenVPN" firewall rules tab. This is not for your instance only, but it's an interface group, which includes all OpenVPN instances running on the system.
        If you assign an interface to your OpenVPN instance you get an additional rule tab, which is for this instance only.

        It's basically not necessary to assign an interface to an access server.

        trl @viragomann

          @viragomann

          Thank you for the reply

          It's basically not necessary to assign an interface to an access server.

          OK. I'll delete the assignment and see what happens. Yep, the ALL UPPER CASE version is gone. I can see the OpenVPN (ovpns1) interface as "assignable" but I'm not assigning it.

          Do you access the SMB server by its IP or by host name?
          If host name try to FQDN.

          I had done it by IP address. At your suggestion here I changed to FQDN and on the Android side it said "unknown host" which tells me DNS isn't working.

          On the OpenVPN Tunnel Definition I tried setting

          Advanced Client Settings
          DNS Default Domain
          mbactivation.net
          DNS Server 1
          192.168.0.1
          

          and got the exact same result with FQDN -- unknown host -- DNS still not working

          If I go back to connecting by IP Address, I can get traffic but ARP is fouled-up

          18:49:05.761915 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.0.3, length 46
          18:49:06.792835 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.0.3, length 46
          18:49:07.816835 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.0.3, length 46
          

          192.168.1.2 is the OpenVPN Tunnel
          192.168.0.3 is the SMB Server
          The LAN Interface is 192.168.0.0/23 which includes the OpenVPN Tunnels
          Firewall Rules are wide open on the LAN and on the OpenVPN pseudo-interface

          I don't get it.

          trl @viragomann

            @viragomann

            I went to look at the DNS Resolver to see what I could see. I had the red "configuration has changed, apply to make it work" message at the top. But I hadn't changed anything.

            I found this

            OpenVPN Clients 
            [X] Register connected OpenVPN clients in the DNS Resolver
            If this option is set, then the common name (CN) of connected OpenVPN clients will be registered
            in the DNS Resolver, so that their name can be resolved. This only works for OpenVPN servers
            (Remote Access SSL/TLS or User Auth with Username as Common Name option) operating in "tun" mode.
            The domain in System: General Setup should also be set to the proper value.
            

            I don't remember doing that -- maybe the OpenVPN setup process did it.

            Anyway I hit "apply" disconnected the Android Client, Restarted the OpenVPN Service just because, Reconnected the Android Client, and attempted to reach the SMB Server again using the FQDN. This time it was correctly resolved to 192.168.0.3 but ARP failed the same way.

            So I still don't get it.

            viragomann @trl

              @trl said in ARP and DHCP and OpenVPN:

              18:49:06.792835 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.0.3, length 46
              192.168.1.2 is the OpenVPN Tunnel
              192.168.0.3 is the SMB Server

              I suspect, that your ARP problem is due to network misconfiguration.

              Normally, if the SMB server is in a different subnet than the VPN tunnel, it shouldn't ARP for it. It would just send the packet to its default gateway.

              So I guess, your LAN and OpenVPN tunnel network are overlapping.

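              The on-link versus routed decision described in the reply above, as an added Python example that is not part of the thread. It uses the addresses the thread states (SMB server 192.168.0.3, VPN client 192.168.1.2, the LAN first as /23 and later as /24, tunnel network 192.168.1.0/24 from the final post) and assumes the LAN hosts use 192.168.0.1, the pfSense LAN address given as DNS server, as their default gateway. The `overlapping_pairs` helper generalises the check to any number of networks, for instance when a second VPN server is added.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed from the thread's addresses: the SMB server, the pfSense LAN
# address (assumed to be the LAN hosts' default gateway) and the VPN client
# the server was seen ARPing for in the capture.
SMB_SERVER = "192.168.0.3"
LAN_GATEWAY = "192.168.0.1"   # assumption: pfSense LAN address is the gateway
VPN_CLIENT = "192.168.1.2"


def next_hop(host_ip: str, on_link_prefix: int, gateway: str, dst: str) -> str:
    """Decide how a host forwards a packet to dst.

    A host only ARPs for destinations inside one of its directly connected
    subnets; anything else is handed to the default gateway, which must then
    know a route back (here: pfSense's route into the OpenVPN tunnel).
    Returns "arp:<dst>" or "via:<gateway>".
    """
    link = ipaddress.ip_interface(f"{host_ip}/{on_link_prefix}").network
    target = ipaddress.ip_address(dst)
    if target in link:
        return f"arp:{target}"
    return f"via:{gateway}"


def overlapping_pairs(networks: List[str]) -> List[Tuple[str, str]]:
    """Return every pair of networks that share at least one address.

    Works for any number of networks (LAN, tunnel, a second tunnel, ...).
    strict=False lets a CIDR written with host bits set ("192.168.0.1/23"),
    as the thread writes it, be treated as its network.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    pairs = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i].overlaps(nets[j]):
                pairs.append((str(nets[i]), str(nets[j])))
    return pairs


def diagnose(lan_cidr: str, tunnel_cidr: str) -> Dict[str, object]:
    """Summarise one LAN/tunnel layout: do they overlap, and where does the
    SMB server send its reply to the VPN client?"""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=False)
    return {
        "lan": str(lan),
        "tunnel": str(tunnel),
        "overlap": overlapping_pairs([lan_cidr, tunnel_cidr]),
        "smb_reply_path": next_hop(SMB_SERVER, lan.prefixlen, LAN_GATEWAY, VPN_CLIENT),
    }


if __name__ == "__main__":
    # Original layout: the /23 LAN swallows the tunnel's 192.168.1.x addresses,
    # so the server ARPs for the client and the reply never reaches pfSense.
    print(diagnose("192.168.0.1/23", "192.168.1.0/24"))
    # Layout trl settled on: the server hands the reply to its gateway instead.
    print(diagnose("192.168.0.1/24", "192.168.1.0/24"))
```

Run it directly to see both layouts printed; the first reports the overlap and an `arp:192.168.1.2` reply path, which is exactly the "who-has 192.168.1.2 tell 192.168.0.3" the capture showed, while the second reports no overlap and `via:192.168.0.1`.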
                trl @viragomann

                @viragomann

                Oh.

                Well, here's what I have:

                The LAN is 192.168.0.1/23
                The VPN Tunnels are at 193.168.1.0/28

                  trl @viragomann

                  So I think I misunderstood something.

                  I don't want to define the LAN such that it includes the VPN -- I want to define the LAN and the VPN so that it would be possible to "cover" both of them with a single CIDR.

                  What I want is
                  LAN = 192.168.0.1/24
                  VPN = 193.168.1.0/28

                  CIDR 192.168.0.1/23 "covers" them both, so it's cool.

                  Lemme try that.

                    trl @viragomann

                    Yes, that was it.

                    What I have settled on
                    LAN = 192.168.0.1/24
                    VPN = 192.168.1.0/24
                    CIDR 192.168.0.0/23 "covers" them both perfectly

                    I'm not quite sure what to do if I want another VPN.

                    If I made it 192.168.2.0/24

                    I'd have to use 192.168.0.0/22 to cover both VPNs and the LAN, but now the Maximum Address is 192.168.3.254 -- so it "wastes" 255 IP addresses.

                    But I'm not there yet and there's probably a better way to do it.

                    Thanks for all your help.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.