ARP and DHCP and OpenVPN
-
I'm fooling with OpenVPN for the first time and I'm confused by a couple of things.
- I connect from my Android phone to my gateway using OpenVPN
- I don't see any DHCP Configuration on the phone -- no DHCP Server, no DNS, no gateway
- I try to connect from the phone to an SMB Server on my network
- I can do packet capture on the OPENVPN interface and see traffic
Specifically:
04:10:26.846836 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has host.domain tell otherhost.domain, length 46
04:10:27.634355 IP (tos 0x0, ttl 63, id 2670, offset 0, flags [DF], proto TCP (6), length 60) host.domain.42980 > optherhost.domain.microsoft-ds: Flags [S], cksum 0x0118 (correct), seq 4122196380, win 65535, options [mss 1400,sackOK,TS val 3332089150 ecr 0,nop,wscale 9], length 0
I have turned on
Log packets that are handled by this rule
in my firewall rule for the OPENVPN Interface (which is assigned) but it never fires and I never get connected to the SMB Server. I don't think packets ever get routed to the LAN (Interface Name LANSW0). I'm using the Android App OpenVPN Connect. I don't see a DHCP-DISCOVER from the phone in the packet logger, but I don't REALLY know how this is supposed to work -- maybe that's between DHCP and the OpenVPN Service. Or maybe it's something I should have done in Client Export ==> Additional configuration options or something. I don't know.
What do I look for?
One other weird thing. If I look in Interfaces==>Assignments I see this
Interface      Network port
WAN            igb0 (a0:36:9f:aa:38:24)
LANSW0         igb1 (a0:36:9f:aa:38:25)
LANonRouter    re0 (00:8c:fa:d5:8c:ac)
OPENVPN        ovpns1 (MBActivation Remote Access)
If I go to Firewall==>Rules I see this list of interfaces
Floating WAN LANSW0 LANONROUTER OPENVPN %(#ff0000)[OpenVPN]
That didn't work very well, but it still draws attention.
There's an extra interface in Firewall Rules Land that's missing from Interfaces==>Assignments
I'm pretty sure I typed the mixed-case name OpenVPN at one point trying to get this working. It doesn't show up anywhere in the UI except here -- not in Packet Capture, not in Status==>Interfaces, nothing I've found. I guess it's a bit of cruft, but I'd sure like to be rid of it.
Any hints about that?
Thanks...
-
@trl
Do you access the SMB server by its IP or by host name?
If host name, try the FQDN.
OpenVPN has its own internal IP address management. It doesn't use DHCP as long as you're not using tap mode.
After you fire up an OpenVPN instance, pfSense shows an "OpenVPN" firewall rules tab. This is not for your instance only, but it's an interface group, which includes all OpenVPN instances running on the system.
If you assign an interface to your OpenVPN instance you get an additional rule tab, which is for this instance only.
It's basically not necessary to assign an interface to an access server.
-
Thank you for the reply
It's basically not necessary to assign an interface to an access server.
OK. I'll delete the assignment and see what happens. Yep, the ALL UPPER CASE version is gone. I can see the OpenVPN (opvns1) interface as "assignable" but I'm not assigning it.
Do you access the SMB server by its IP or by host name?
If host name, try the FQDN.
I had done it by IP address. At your suggestion here I changed to the FQDN and on the Android side it said "unknown host", which tells me DNS isn't working.
On the OpenVPN Tunnel Definition I tried setting
Advanced Client Settings
DNS Default Domain: mbactivation.net
DNS Server 1: 192.168.0.1
and got the exact same result with FQDN -- unknown host -- DNS still not working
If I go back to connecting by IP Address, I can get traffic but ARP is fouled-up
18:49:05.761915 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.0.3, length 46
18:49:06.792835 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.0.3, length 46
18:49:07.816835 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.0.3, length 46
192.168.1.2 is the OpenVPN Tunnel
192.168.0.3 is the SMB Server
The LAN Interface is 192.168.0.0/23 which includes the OpenVPN Tunnels
Firewall Rules are wide open on the LAN and on the OpenVPN pseudo-interface.
I don't get it.
-
I went to look at the DNS Resolver to see what I could see. I had the red "configuration has changed, apply to make it work" message at the top. But I hadn't changed anything.
I found this
OpenVPN Clients
[X] Register connected OpenVPN clients in the DNS Resolver
If this option is set, then the common name (CN) of connected OpenVPN clients will be registered in the DNS Resolver, so that their name can be resolved. This only works for OpenVPN servers (Remote Access SSL/TLS or User Auth with Username as Common Name option) operating in "tun" mode. The domain in System: General Setup should also be set to the proper value.
I don't remember doing that -- maybe the OpenVPN setup process did it.
Anyway, I hit "apply", disconnected the Android client, restarted the OpenVPN service just because, reconnected the Android client, and attempted to reach the SMB Server again using the FQDN. This time it was correctly resolved to 192.168.0.3 but ARP failed the same way.
So I still don't get it.
-
@trl said in ARP and DHCP and OpenVPN:
18:49:06.792835 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.2 tell 192.168.0.3, length 46
192.168.1.2 is the OpenVPN Tunnel
192.168.0.3 is the SMB Server
I suspect that your ARP problem is due to network misconfiguration.
Normally if the SMB server is in a different subnet than the VPN tunnel it shouldn't ARP it. It would just send the packet to its default gateway.
So I guess, your LAN and OpenVPN tunnel network are overlapping.
-
Oh.
Well, here's what I have:
The LAN is 192.168.0.1/23
The VPN Tunnels are at 193.168.1.0/28 -
So I think I misunderstood something.
I don't want to define the LAN such that it includes the VPN -- I want to define the LAN and the VPN so that it would be possible to "cover" both of them with a single CIDR.
What I want is
LAN = 192.168.0.1/24
VPN = 193.168.1.0/28
CIDR 192.168.0.1/23 "covers" them both, so it's cool.
Lemme try that.
-
Yes, that was it.
What I have settled on
LAN = 192.168.0.1/24
VPN = 192.168.1.0/24
CIDR 192.168.0.0/23 "covers" them both perfectly.
I'm not quite sure what to do if I want another VPN.
If I made it 192.168.2.0/24
I'd have to use 192.168.0.0/22 to cover both VPNs and the LAN, but now the Maximum Address is 192.168.3.254 -- so it "wastes" 255 IP addresses.
But I'm not there yet and there's probably a better way to do it.
Thanks for all your help.
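The diagnosis above (a LAN /23 that swallows the tunnel range makes the SMB server ARP for the VPN client instead of routing via its gateway) and the "covering CIDR" question at the end can both be checked offline. The script below is an added example, not part of the thread; it uses the addresses posted above (192.168.0.3 for the SMB server, 192.168.1.2 for the tunnel client) and assumes the non-overlapping LAN /24 + VPN /24 layout the thread settled on.

```python
from ipaddress import ip_address, ip_interface, ip_network
from itertools import combinations


def next_hop(host: str, dst: str) -> str:
    """What a host with address/prefix `host` does with a packet to `dst`:
    'arp' if dst falls inside the host's own subnet (it ARPs for dst directly,
    which is exactly the who-has 192.168.1.2 seen in the capture above),
    'gateway' if it hands the packet to its default gateway to be routed."""
    return "arp" if ip_address(dst) in ip_interface(host).network else "gateway"


def overlaps(nets: list[str]) -> list[tuple[str, str]]:
    """Every pair of prefixes that share at least one address.  A LAN and a
    tunnel network that appear here will never be routed between."""
    return [(a, b) for a, b in combinations(nets, 2)
            if ip_network(a).overlaps(ip_network(b))]


def covering_cidr(nets: list[str]) -> tuple[str, int]:
    """Smallest single prefix that contains all `nets` (the 'covering' CIDR
    discussed in the thread), plus the number of addresses inside it that
    belong to none of them.  Assumes `nets` do not overlap each other."""
    members = [ip_network(n) for n in nets]
    cover = members[0]
    while not all(n.subnet_of(cover) for n in members):
        cover = cover.supernet()          # widen by one bit until all fit
    unused = cover.num_addresses - sum(n.num_addresses for n in members)
    return str(cover), unused


if __name__ == "__main__":
    # As first posted: LAN interface is /23, so the tunnel range is "on-link"
    print(next_hop("192.168.0.3/23", "192.168.1.2"))    # arp
    # As settled: LAN /24, tunnel 192.168.1.0/24, server routes via gateway
    print(next_hop("192.168.0.3/24", "192.168.1.2"))    # gateway
    print(overlaps(["192.168.0.0/23", "192.168.1.0/24"]))  # overlapping pair
    print(covering_cidr(["192.168.0.0/24", "192.168.1.0/24"]))
    # A second VPN in 192.168.2.0/24 forces a /22 cover with one spare /24
    print(covering_cidr(["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]))
```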