OpenVPN bridge between pfsense boxes HOW TO?????
-
I am trying to set up a simple OpenVPN bridge between two pfsense boxes, I need all traffic including broadcast traffic to flow freely across the VPN. I have searched high and low on the pfsense boards as well as the internet and everyone seems to have their own variation on how to get this to work. So far I have been unable to get any tutorials or posts to work for me. I have put many hours into this and have made little progress, any help would be greatly appreciated.
My network configuration is as follows:
Server-
LAN IP - 192.168.5.0
OpenVPN settings -
Protocol - UDP
Port - 1194
Address Pool - 10.31.105.0/24
Use static IPs - is checked
local network - empty
remote network - empty
client-to-client VPN - is checked
Authentication Method - PKI
LZO compression - is checked
Custom Options - dev tap0; server-bridge 192.168.5.1 255.255.255.0 192.168.5.10 192.168.5.25;
I have no client-specific configuration and I have no NAT entries for this VPN (I didn't think this was necessary because it is a VPN bridge, but I may be wrong.)
A firewall exception has been added for port 1194.
I have also added a bridge between the LAN interface and the tap0 interface, this is its status:
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether ea:c7:13:ca:56:9e
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 11 priority 128 path cost 2000000
member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 1 priority 128 path cost 2000000
Server side log:
Jun 29 15:36:40 openvpn[28133]: OpenVPN 2.0.6 i386-portbld-freebsd7.1 [SSL] [LZO] built on Apr 22 2009
Jun 29 15:36:40 openvpn[28133]: WARNING: file '/var/etc/openvpn_server1.key' is group or others accessible
Jun 29 15:36:40 openvpn[28133]: WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. (silence this warning with --ifconfig-nowarn)
Jun 29 15:36:40 openvpn[28133]: TUN/TAP device /dev/tap0 opened
Jun 29 15:36:40 openvpn[28133]: /sbin/ifconfig tap0 10.31.105.1 netmask 10.31.105.2 mtu 1500 up
Jun 29 15:36:40 openvpn[28133]: /etc/rc.filter_configure tap0 1500 1574 10.31.105.1 10.31.105.2 init
Jun 29 15:36:41 openvpn[28144]: UDPv4 link local (bound): [undef]:1194
Jun 29 15:36:41 openvpn[28144]: UDPv4 link remote: [undef]
Jun 29 15:36:41 openvpn[28144]: Initialization Sequence Completed
Jun 29 15:37:22 openvpn[28144]: 67.xxx.xxx.xxx:1194 Re-using SSL/TLS context
Jun 29 15:37:22 openvpn[28144]: 67.xxx.xxx.xxx:1194 LZO compression initialized
Jun 29 15:37:23 openvpn[28144]: 67.xxx.xxx.xxx:1194 [ovpn_client1] Peer Connection Initiated with 67.xxx.xxx.xxx:1194
Client-
LAN IP - 192.168.1.0
OpenVPN configuration -
Protocol - UDP
Server IP - 67.xxx.xxx.xxx
Server Port - 1194
Interface IP - empty
Authentication - PKI
LZO compression - checked
custom options - dev tap0;
I have a firewall exception on port 1194.
I have no NAT rules set up on the client side.
Client side log -
Jun 29 15:51:09 openvpn[2079]: OpenVPN 2.0.6 i386-portbld-freebsd7.1 [SSL] [LZO] built on Apr 22 2009
Jun 29 15:51:09 openvpn[2079]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 29 15:51:09 openvpn[2079]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
Jun 29 15:51:09 openvpn[2079]: LZO compression initialized
Jun 29 15:51:09 openvpn[2086]: UDPv4 link local (bound): [undef]:1194
Jun 29 15:51:09 openvpn[2086]: UDPv4 link remote: 67.xxx.xxx.xxx:1194
Jun 29 15:51:10 openvpn[2086]: [server] Peer Connection Initiated with 67.xxx.xxx.xxx:1194
Jun 29 15:51:11 openvpn[2086]: TUN/TAP device /dev/tap0 opened
Jun 29 15:51:11 openvpn[2086]: /sbin/ifconfig tap0 192.168.5.10 netmask 255.255.255.0 mtu 1500 up
Jun 29 15:51:11 openvpn[2086]: /etc/rc.filter_configure tap0 1500 1574 192.168.5.10 255.255.255.0 init
Jun 29 15:51:12 openvpn[2086]: Initialization Sequence Completed
It appears that the server and client connect without problems, but I cannot ping any hosts on either network across the VPN bridge. ???
-
I have come somewhat closer in configuring the OpenVPN bridge. I set both networks to the same subnet and I set the DHCP range to be a different section of the subnet for the client and the server. This setup works because Windows sees an IP from the same subnet, so there are no firewall issues with sharing files; there are also no IP conflicts because the DHCP servers on each network assign different sections of the same subnet. Unfortunately I still have no idea how to get all network traffic bridged into the VPN. I have tried both manually building the bridge through the pfSense shell and assigning an optional interface to the tap0 OpenVPN interface and then bridging it with the LAN through the WebUI in 1.2.3… no luck..... What is most frustrating is that I don't receive any errors in the logs; I'm not even sure where to look next to fix this issue. I have tried every tutorial I could find on this and every variation I could think of for each, with no luck. I really don't think this should be this hard, and it seems like other people have managed to figure this out. Any help would be greatly appreciated. :-\
-
Also I have no issues with site-to-site OpenVPN, it works great! But OpenVPN bridging is killing me.
-
I've been banging my head on this same issue for 6+ months….. can't get anyone to help
-
You can't have the same subnet on both sides, they have to be different. As for DHCP, I know it can be done but that is not my expertise.
RC
-
http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
I assume from the section at the bottom that someone was able to get this working?
I cannot get any IP traffic to flow just like the rest of you
-
It seems like it works somehow, strange but works. ???
all works on vmware workstation 6.5
client server
vm1<---lan--->vmnet3<---lan--->em1 pfs1 em0<---wan---->vmnet1<---wan---->em0 pfs2 em1<---lan---->vmnet4<---lan---->vm2
192.168.4.21/24 192.168.4.11/24 172.16.1.10/24 172.16.1.11/24 192.168.4.10/24 192.168.4.20/24
gw 192.168.4.11 tap 192.168.4.2 tap 192.168.4.1 gw 192.168.4.10
pfs - pfSenses
vm - virtual machines - Win XP
vmnet - virtual switches
Firewall > Rules > WAN - ALL to ALL - permit, LAN - ALL to ALL - permit
OpenVPN > Client > Edit > Protocol - UDP
Port - 1194
Address Pool - 192.168.4.0/24
Use static IPs - is not checked
local network - empty
remote network - empty
client-to-client VPN - is not checked
Authentication Method - sk
LZO compression - is not checked
Custom Options - dev tap0
OpenVPN > Server > Edit > same as client
Diagnostics > Edit File /conf/config.xml: add the following to both pfSenses' SYSTEM section. I'm presuming your LAN interface is em1, use your real LAN interface:
<earlyshellcmd>ifconfig bridge0 create</earlyshellcmd>
<earlyshellcmd>ifconfig bridge0 addm em1 up</earlyshellcmd>
<shellcmd>ifconfig bridge0 addm tap0</shellcmd>
and some log shit:
Jul 19 05:04:41 openvpn[332]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.4.0 192.168.4.2', remote='ifconfig 192.168.4.0 192.168.4.1'
Jul 19 05:04:34 openvpn[332]: Initialization Sequence Completed
Jul 19 05:04:34 openvpn[332]: Peer Connection Initiated with 172.16.1.10:1194
Jul 19 05:04:31 openvpn[332]: UDPv4 link remote: [undef]
Jul 19 05:04:31 openvpn[332]: UDPv4 link local (bound): [undef]:1194
Jul 19 05:04:30 openvpn[325]: /etc/rc.filter_configure tap0 1500 1576 192.168.4.1 192.168.4.2 init
Jul 19 05:04:30 openvpn[325]: /sbin/ifconfig tap0 192.168.4.1 netmask 192.168.4.2 mtu 1500 up
Jul 19 05:04:30 openvpn[325]: TUN/TAP device /dev/tap0 opened
Jul 19 05:04:30 openvpn[325]: WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. (silence this warning with --ifconfig-nowarn)
Jul 19 05:04:30 openvpn[325]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible
Jul 19 05:04:30 openvpn[325]: OpenVPN 2.0.6 i386-portbld-freebsd7.1 [SSL] [LZO] built on Apr 22 2009
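Both the first post's `server-bridge` line and the `/sbin/ifconfig tap0 ... netmask ...` lines in the logs above can be sanity-checked offline before touching a bridge. The script below is an added example, not code from this thread or from pfSense or OpenVPN: it parses a `server-bridge` directive and reports a client pool that falls outside the bridged LAN, contains the gateway, or overlaps the LAN DHCP scope (the DHCP scope is an assumed, constructed value), and it scans OpenVPN log lines for a tap interface that was configured with something other than a real netmask, which is the condition behind the "second argument to --ifconfig must be a netmask" warning both logs show. The sample directive and log lines are constructed from the thread's figures, not captures from anyone's system.

```python
import ipaddress
import re

# Constructed sample input, modelled on the directives and log lines quoted in
# this thread; none of it is a capture from any poster's system.
SERVER_BRIDGE = "server-bridge 192.168.5.1 255.255.255.0 192.168.5.10 192.168.5.25"
LAN_DHCP_RANGE = ("192.168.5.100", "192.168.5.199")   # assumed LAN DHCP scope
IFCONFIG_LOG = [
    "Jun 29 15:36:40 openvpn[28133]: /sbin/ifconfig tap0 10.31.105.1 netmask 10.31.105.2 mtu 1500 up",
    "Jun 29 15:51:11 openvpn[2086]: /sbin/ifconfig tap0 192.168.5.10 netmask 255.255.255.0 mtu 1500 up",
]


def parse_server_bridge(line):
    """Split 'server-bridge <gw> <netmask> <pool-start> <pool-end>' into typed parts."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "server-bridge":
        raise ValueError("expected: server-bridge <gateway> <netmask> <pool-start> <pool-end>")
    gateway = ipaddress.IPv4Address(parts[1])
    lan = ipaddress.IPv4Network((parts[1], parts[2]), strict=False)
    start = ipaddress.IPv4Address(parts[3])
    end = ipaddress.IPv4Address(parts[4])
    return gateway, lan, start, end


def check_server_bridge(line, dhcp_range):
    """Return a list of problems; an empty list means the directive is consistent.

    A bridged client must land inside the LAN subnet, must not be handed the
    gateway's own address, and must not collide with the addresses the LAN
    DHCP server hands out to local hosts.
    """
    problems = []
    gateway, lan, start, end = parse_server_bridge(line)
    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")
    for label, addr in (("pool start", start), ("pool end", end)):
        if addr not in lan:
            problems.append(f"{label} {addr} lies outside bridged LAN {lan}")
    if start <= gateway <= end:
        problems.append(f"gateway {gateway} sits inside the client pool")
    dhcp_lo, dhcp_hi = (ipaddress.IPv4Address(a) for a in dhcp_range)
    if start <= dhcp_hi and dhcp_lo <= end:
        problems.append(f"client pool {start}-{end} overlaps LAN DHCP scope {dhcp_lo}-{dhcp_hi}")
    return problems


def is_valid_netmask(mask):
    """True only for a contiguous mask such as 255.255.255.0 (ipaddress rejects anything else)."""
    try:
        ipaddress.IPv4Network(("0.0.0.0", mask))
    except ValueError:
        return False
    return True


IFCONFIG_RE = re.compile(r"/sbin/ifconfig (\S+) (\S+) netmask (\S+)")


def find_bad_tap_netmasks(log_lines):
    """Return (iface, address, netmask) for every ifconfig line whose 'netmask' is not a mask.

    In the first post's server log the pool's peer address (10.31.105.2) was
    passed where a netmask belongs; this is what OpenVPN's --dev tap warning
    about the second --ifconfig argument refers to.
    """
    bad = []
    for line in log_lines:
        m = IFCONFIG_RE.search(line)
        if m and not is_valid_netmask(m.group(3)):
            bad.append((m.group(1), m.group(2), m.group(3)))
    return bad


if __name__ == "__main__":
    for problem in check_server_bridge(SERVER_BRIDGE, LAN_DHCP_RANGE) or ["server-bridge looks consistent"]:
        print(problem)
    for iface, addr, mask in find_bad_tap_netmasks(IFCONFIG_LOG):
        print(f"{iface}: {addr} configured with invalid netmask {mask}")
```

Run against the constructed input, the `server-bridge` line passes while the first log line is flagged, because `10.31.105.2` is not a mask. Feed it your own directive and the `/sbin/ifconfig` lines from the OpenVPN log; a flagged tap interface means the bridge member has a broken address assignment before bridging is even attempted.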
-
It seems like it works somehow, strange but works. ???
all works on vmware workstation 6.5
client server
vm1<---lan--->vmnet3<---lan--->em1 pfs1 em0<---wan---->vmnet1<---wan---->em0 pfs2 em1<---lan---->vmnet4<---lan---->vm2
192.168.4.21/24 192.168.4.11/24 172.16.1.10/24 172.16.1.11/24 192.168.4.10/24 192.168.4.20/24
gw 192.168.4.11 tap 192.168.4.2 tap 192.168.4.1 gw 192.168.4.10
I know that this seems to work on VMware, but I don't think that this would be a standard network configuration. I can see several potential issues: DNS, DHCP. In most wide area networks you would have a core site with a /21 network or larger. For your remotes they would have some /24 networks or smaller. It all depends on the size of your company.
So in that case you would extend your network either with secure VPNs, or metnets, or OpenVPNs. When I say extend your business network to 10 sites, I would do the following, and let's assume that the connections are IPsec or OpenVPN. We are also using Windows 2003/2008 for servers.
Our core network has 200 users and each site has 32 users. We will have 510 addresses (23-bit mask) at the core (10.10.10.0 - 10.10.11.254); each site will have 64 addresses.
Core: 10.10.10.0
Site 1: 10.10.20.1 - 10.10.20.64 GW:10.10.20.1
Site 2: 10.10.20.65 - 10.10.20.128 GW:10.10.20.66
Site 3: 10.10.20.129 - 10.10.20.193 GW:10.10.20.130
Site 4: 10.10.20.194 - 10.10.20.254 GW:10.10.20.195
Site 5: 10.10.21.1 - 10.10.21.64 GW:10.10.21.1
Site 6: 10.10.21.65 - 10.10.21.128 GW:10.10.21.66
Site 7: 10.10.21.129 - 10.10.21.193 GW:10.10.21.130
Site 8: 10.10.21.194 - 10.10.21.254 GW:10.10.21.195
Site 9: 10.10.22.1 - 10.10.22.64 GW:10.10.22.1
Site 10: 10.10.22.65 - 10.10.22.128 GW:10.10.22.65
So at the core site we would be building a main router, so we would reserve the first 32 addresses for routers and VPN devices. Then we would build out from there through our firewalls and start building out our tunnels (whatever secure method you would use, your choice). So at the core we would then be looking at something like the following:
Core: 10.10.10.10 core router management
Core: 10.10.10.1 Default gateway
Firewall Lan interface: 10.10.10.11
Firewall VPN interface 1:10.10.10.12 (5 vpn tunnels per interface)
Firewall VPN interface 2:10.10.10.13 (5 vpn tunnels per interface)
DHCP Server: 10.10.10.14 contains scopes for core site with all vpn sites
Barracuda: 10.10.10.15 (mail filtering)
We would build our VPNs with rules in place to allow DHCP and DNS services to extend over the VPN tunnels. Our internet and other services would be provided from the core site. Remote sites would have a file server, and data would be replicated over the VPN tunnels for backup. The local server would also run DNS services for local name resolution. Other services could be provided via Terminal Services or Citrix to conserve bandwidth.
I hope this helps. I know it might draw more questions.
RC