Netgate Discussion Forum
    PFSense 2.0 - Not able to bridge tap VPN.

    OpenVPN
sbeaudoin

      Hi,

I have a pfSense box with the latest firmware (updated today, September 18th). It has two network cards: LAN (192.168.100.0/24) and WAN (assigned by DHCP). I have configured a TAP OpenVPN that listens on the WAN interface on the standard port, and the tunnel network is set to 192.168.101.0/24. The only server options that are checked are compression and dynamic IP, and I gave a specific default domain name (the same as my pfSense box) and the two Google DNS server IPs (8.8.8.8 and 8.8.4.4).

I am able to connect fine with the client. I can ping 192.168.100.1 and I have a LAN address (192.168.100.124) assigned to the client.

The problem is, I can't ping anything inside the LAN network.

If I understood correctly, I should bridge the tap virtual interface (renamed to ovpns1 automatically by pfSense) to the LAN physical interface, but the bridge screen only shows LAN and WAN.

I spent about 20 hours over 4 days trying to make this work. I have the pfSense book (which is written for version 1.2), and section 15.9, which talks about bridged OpenVPN, indicates "this cannot be used on 2.0". So does that mean there can be no TAP VPN on pfSense 2.0, or only that the procedure indicated on the page is not compatible with 2.0?

You will find enclosed the firewall rules that are set and the routing table on the client when I am connected to the VPN. I find the route 192.168.100.124/32 to 192.168.100.124 strange, is it?

      Please, help me on that.
![lan firewall.png](/public/imported_attachments/1/lan firewall.png)
![openVpn firewall.png](/public/imported_attachments/1/openVpn firewall.png)
![wan firewall.png](/public/imported_attachments/1/wan firewall.png)
routes.png

chpalmer

        If you go to /Status/Services page is the OpenVPN service running?    When I tried to use tap, I could not make the service run…

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

LostInIgnorance

          show the openvpn configuration please

sbeaudoin

            Yes, my service is running, as I am able to connect and ping the pf box.  Here is the detailed config of my server :

![config - part 1.png](/public/imported_attachments/1/config - part 1.png)
![config - part 2.png](/public/imported_attachments/1/config - part 2.png)
![config - part 3.png](/public/imported_attachments/1/config - part 3.png)

LostInIgnorance

              You're just missing the local network on the list.  Add your local lan address range to the mentioned box and see if that works for you then.
              You can also use the "force all generated traffic through tunnel" which will prevent any traffic from going over the network they're using outside of the company/business/home/etc.

Untitled.png

sbeaudoin

Already tried both. The problem is the same. I tried to ping two machines in the LAN (one of them is 192.168.100.110) and there is no response. I can ping this machine when my client is in the LAN without VPN, so I suppose the Windows firewall on 192.168.100.110 should see no difference between the ICMP packet coming directly from the LAN and coming from the VPN, as I am bridged. You will find the two routing tables corresponding to the two states.

![force through tunnel.png](/public/imported_attachments/1/force through tunnel.png)
![local LAN specified.png](/public/imported_attachments/1/local LAN specified.png)

nooblet

Try going to 'Interfaces' > 'assign' and create an interface for 'ovpns1'

Then enable it under the interface drop-down list, then go back to assign interfaces and you should be able to bridge the LAN and OVPN interfaces

See attached screenshots, let me know if it works.

Also for my bridged client setup I had to modify the /var/etc/openvpn/server1.conf

# tap interface created by pfSense for this server instance
dev ovpns2
dev-type tap
dev-node /dev/tap2
writepid /var/run/openvpn_server2.pid
# privilege drop left disabled by the generated config: the daemon keeps running as root
#user nobody
#group nobody
# least restrictive script level: up/down scripts may receive passwords via environment variables
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
# WAN address the server listens on
local x.x.x.x
tls-server
# replaced the generated 'server x.x.x.x' line; without it no tunnel subnet is pushed to clients
mode server
client-config-dir /var/etc/openvpn-csc
lport 1195
management /var/etc/openvpn/server2.sock unix
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
# 1024-bit DH parameters
dh /etc/dh-parameters.1024
# HMAC authentication of the control channel; key direction 0 on the server
tls-auth /var/etc/openvpn/server2.tls-auth 0

bridge1.PNG
bridge2.PNG
bridge3.PNG
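
The line nooblet replaced by hand (a pfSense-generated `server` directive in a tap config) is the kind of thing a small config lint catches before the tunnel is ever tested. The script below is an added example, not pfSense's or OpenVPN's own code: it parses an OpenVPN server config and flags tap-bridging mistakes together with the weak settings visible in the config above (privilege drop commented out, `script-security 3`, 1024-bit DH, a non-AEAD cipher with the default SHA1 HMAC). Both configs embedded in it are constructed: the first reproduces the posted one with the generated `server <net> <mask>` line put back (using the tunnel network from the first post) and a placeholder WAN address, the second is a hardened `server-bridge` counterpart with an assumed client pool of 192.168.100.200-220.

```python
"""Lint an OpenVPN server config for tap-bridging mistakes and weak settings.

Added example, not pfSense's or OpenVPN's own code.  It applies OpenVPN's
documented directive semantics to two constructed sample configs.
"""
import re

# Constructed: the posted pfSense 2.0 config with the generated
# 'server <net> <mask>' line restored and a placeholder WAN address.
WEAK_CONF = """\
dev ovpns2
dev-type tap
#user nobody
#group nobody
script-security 3
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
local 203.0.113.10
tls-server
server 192.168.101.0 255.255.255.0
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
"""

# Constructed counterpart: bridged onto the LAN with an assumed client pool
# (192.168.100.200-220, which the LAN DHCP scope must not hand out).
HARDENED_CONF = """\
dev ovpns2
dev-type tap
user nobody
group nobody
script-security 2
cipher AES-256-GCM
auth SHA256
tls-server
server-bridge 192.168.100.1 255.255.255.0 192.168.100.200 192.168.100.220
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server2.tls-auth 0
"""

AEAD_CIPHERS = {"AES-128-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse_conf(text):
    """Map directive -> list of argument lists, plus the set of directives
    that only appear behind '#' or ';' (OpenVPN's comment markers)."""
    active, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.lstrip("#; ").split()
        if not parts:
            continue
        if line[0] in "#;":
            commented.add(parts[0])
        else:
            active.setdefault(parts[0], []).append(parts[1:])
    return active, commented - set(active)


def first_arg(conf, name, default=""):
    args = conf.get(name)
    return args[0][0] if args and args[0] else default


def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf, disabled = parse_conf(text)
    out = []
    is_tap = (first_arg(conf, "dev-type") == "tap"
              or first_arg(conf, "dev").startswith("tap"))
    if is_tap and "server" in conf:
        out.append("tap with 'server': clients get a separate tunnel subnet, not a "
                   "LAN address; a bridged server needs 'server-bridge'")
    elif is_tap and "server-bridge" not in conf:
        out.append("tap without 'server-bridge': clients only get an address if a "
                   "LAN DHCP server answers across the bridge")
    for name in ("user", "group"):
        if name in disabled:
            out.append(f"'{name}' commented out: OpenVPN keeps root after initialization")
    if first_arg(conf, "script-security") == "3":
        out.append("script-security 3 passes passwords to scripts via the environment; "
                   "2 is enough for up/down scripts")
    m = re.search(r"(\d+)\D*$", first_arg(conf, "dh"))
    if m and int(m.group(1)) < 2048:
        out.append(f"DH file name suggests {m.group(1)}-bit parameters; use 2048 or more")
    cipher = first_arg(conf, "cipher", "BF-CBC").upper()  # OpenVPN's historical default
    if cipher not in AEAD_CIPHERS:
        out.append(f"cipher {cipher} is not AEAD; prefer AES-256-GCM")
    if "auth" not in conf:
        out.append("no 'auth' line: packet HMAC defaults to SHA1")
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        out.append("no tls-auth/tls-crypt: any host can start a TLS handshake")
    return out


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {lint(conf) or 'no findings'}")
```

Run it as-is to see the findings for both samples, or feed it the generated file on the box with `lint(open('/var/etc/openvpn/server1.conf').read())`. The pool given to `server-bridge` has to be excluded from the LAN DHCP scope, otherwise a VPN client and a LAN host can end up with the same address on the same broadcast domain.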

xhark

                    this issue will be fixed in the next release?

                    SysNetAdmin & Blogger on http://blogmotion.fr

firbc

@nooblet:

mode server (removed 'server x.x.x.x')

how did you set "mode server" (removed 'server x.x.x.x') to stay in the config after reboot?

Jarpse

                        This might be a slight kick, but did you try a (bogus) /30 subnet on the TAP? Don't forget to bridge the interface and allow traffic on the created OPT interface (Which you need to create a bridge, anyway).
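
Once ovpns1 is assigned and bridged as nooblet and Jarpse describe, the two things worth verifying from a shell on the box are that the bridge really has both members and where pf will apply the rules Jarpse mentions. The script below is an added example, not pfSense code: it parses the text of `ifconfig bridge0` and `sysctl net.link.bridge` (both samples are constructed here, and `em1` is an assumed name for the LAN NIC) and reports missing members and the interfaces that need pass rules. With FreeBSD's `net.link.bridge.pfil_member=1` pf filters on each member, so the OPT interface assigned to ovpns1 needs its own rules; with `pfil_bridge=1` it filters on the bridge interface as well; with both at 0, frames forwarded between members are not filtered at all. pfSense exposes both sysctls under System Tunables.

```python
"""Verify a FreeBSD/pfSense bridge joins the LAN NIC and the OpenVPN tap
interface, and report on which interfaces pf sees the bridged traffic.

Added example, not pfSense code.  Parses 'ifconfig <bridge>' and
'sysctl net.link.bridge' text; the samples are constructed and 'em1' is
an assumed LAN interface name.
"""
import re

IFCONFIG_SAMPLE = """\
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:6b:a2:3c:4f:00
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: ovpns1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 2000000
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
"""

SYSCTL_SAMPLE = """\
net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_local_phys: 0
"""


def bridge_members(ifconfig_text):
    """Map bridge name -> list of member interfaces from ifconfig output."""
    members, current = {}, None
    for line in ifconfig_text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:
            current = head.group(1)
            members[current] = []
            continue
        m = re.match(r"\s+member: (\S+)", line)
        if m and current is not None:
            members[current].append(m.group(1))
    return members


def pfil_settings(sysctl_text):
    """Map sysctl name -> int value for the net.link.bridge knobs."""
    out = {}
    for line in sysctl_text.splitlines():
        m = re.match(r"(net\.link\.bridge\.\S+): (\d+)", line)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def check_bridge(ifconfig_text, sysctl_text, bridge, lan_if, tap_if):
    """Report whether both interfaces are bridged, which are missing, and
    on which interfaces pass rules must exist for bridged traffic to flow."""
    members = bridge_members(ifconfig_text).get(bridge, [])
    missing = [i for i in (lan_if, tap_if) if i not in members]
    knobs = pfil_settings(sysctl_text)
    filter_on = []
    if knobs.get("net.link.bridge.pfil_member", 1):   # FreeBSD default: 1
        filter_on += sorted(members)                  # rules per member (LAN, OPT)
    if knobs.get("net.link.bridge.pfil_bridge", 1):   # FreeBSD default: 1
        filter_on.append(bridge)                      # rules on the bridge itself
    return {
        "ok": not missing,
        "missing": missing,
        "filter_on": filter_on,
        # both knobs off: pf never sees frames forwarded between members
        "unfiltered": not filter_on,
    }


if __name__ == "__main__":
    print(check_bridge(IFCONFIG_SAMPLE, SYSCTL_SAMPLE, "bridge0", "em1", "ovpns1"))
```

On the firewall itself the same functions take live output, for example `check_bridge(subprocess.check_output(['ifconfig', 'bridge0'], text=True), subprocess.check_output(['sysctl', 'net.link.bridge'], text=True), 'bridge0', 'em1', 'ovpns1')`. Remember that pf filters at layer 3: ARP between VPN clients and LAN hosts crosses the bridge regardless of the rules, so a pass rule on the OPT interface is what decides whether the ICMP in the first post gets through, not whether the client can resolve the LAN host's MAC.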

jimp (Rebel Alliance Developer, Netgate)

                          The code for tap on 2.0 is a bit broken. I fixed it up and it's now working on 2.1.

                          https://github.com/bsdperimeter/pfsense/commit/1ab6bdb5ffcf052241f58af87efef9fe077b38c7
                          https://github.com/bsdperimeter/pfsense/commit/74a556a3caa67adb0adac055ffb9321e264e1b71

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

sbeaudoin

Sorry to all, but I did not have time to try your suggestions. I think I will wait until 2.1 is released if it is not too far off. Any date yet?

jimp (Rebel Alliance Developer, Netgate)

                              No idea, probably on the order of 4-6+ months.

                              It wouldn't be hard to adapt those changes to 2.0.1 but I'm not sure if the impact of the change would be considered too large to pull back from 2.1, considering we're trying to get 2.0.1 out in just a few days time.

Jarpse

                                Please, do try to get it in 2.0.1. The changes in the two files don't seem like they break machines or vpns when you update 'em to 2.0.1, or do they? ;-) As the code for tun interfaces stays the same.

                                Quite a few people have problems with the tap interface. I would be really grateful if it'd be fixed in 2.0.1.

tugi

                                  Hi!

                                  Have you seen it? - http://doc.pfsense.org/index.php/OpenVPN_Bridging

                                  I have successfully setup bridge between LAN and tap on the 2.0 version.

sbeaudoin

                                    No, but you have seen the following, I suppose :

_Caveat - There are some problems with the setup described here, this is currently being refactored. THIS CANNOT BE USED ON 2.0._

tugi

                                      Yes, But it works fine on 2.0  :)

ghowey

                                        Can we get our hands on version 2.1?

jimp (Rebel Alliance Developer, Netgate)

                                          You can install the tap fix patch package I put up for 2.0 (though it needs updating… not so easy as the fixes don't merge cleanly from 2.1), and if you want 2.1 you can use gitsync to get the code, check the doc wiki for instructions.

ghowey

                                            Ah, I did not realize that you had added a Tap Fix Package for OpenVPN. It is now installed! Thank You, and Thanks for pfSense.
                                            It does everything I need for my SOHO Gateway and more, with minimal resources!

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.