Netgate Discussion Forum

OpenVPN Bridging config - How To

OpenVPN
11 Posts 8 Posters 32.0k Views

nydiow

Worked for me too, thanks!

jits

Hi.

Can I use this for VOIP phones? In this case, I would want the phones on the client side to use DHCP across the bridge. DHCP okay for this?

wm408

A couple of comments:

- When you create a server or client config on either end of the site, and you choose the first checkbox that says "disable this client" as you're creating it… when you go to add to the first OPT interface, in the drop down, the ovpnc1 won't be listed. The first time you actually run the service itself, via the server / client conf... this seems to be when the interface gets created. So do a quick run to officially set the interface, and enable it. (I disabled the OpenVPN server/client, added the interface properly, then restarted the server/client.)
  -- Not sure if it matters overall.

- I did a routed setup instead of requiring both ends to be on the same subnet. To do this I filled in the "Remote Network" option under "Tunnel Settings". This is the subnet of the remote network that you want to talk with once the OpenVPN connection is established.
  -- With this setup, I didn't need to change the confs manually; the ifconfig command that it runs worked fine. I just needed to set the "Tunnel Network" under "Tunnel Settings" exactly the same on both sides (server and client). In my case I used 10.2.5.0/24 on both ends.

- Also, I am not sure if by default pfSense and OpenVPN set the "user nobody" and "group nobody" options.
  -- Under "Advanced Configuration" on both the server and client, I added this line:

    user nobody;group nobody

Both the server and client can talk to each other no problem. And I can ping hosts on either side from the server and client routers. Clients can also ping each other on either side of the VPN.

Both sides of my VPN have static public IPs also... to avoid issues with PPPoE, DHCP, and other dumb problems I've seen in the past with certain ISPs.

profkp

Hey,

New to pfSense. Trying to get bridging between 2 locations to work as described in the 1st post. The actual connection is made and running. I can ping between the 2 tunnel IPs (10.0.8.1 <=> 10.0.8.2) from the VPN interface, but that's about it. I cannot ping between the 2 LAN networks - which are on the same subnet.

My server & client .confs look exactly like the 1st post (except the live IPs, of course). Using the exact same latest-updated 2.0 x64 pfSense versions on both servers.

It's like there is no route from the VPN tunnel to the LAN. The only thing I have noticed is that on rebooting, I have to go back in and edit the .conf files because they change the ifconfig back to 10.0.8.1 10.0.8.2 from where I changed it to 10.0.8.1 255.255.255.248. I did save the file after making the changes.

Both pfSense boxes are fresh installs (3 times) with nothing else running on them. Each location is independently otherwise working as expected.

I didn't want to jump in and just start adding routes, fiddling with it - not enough experience with pfSense anyway.

Any help would be appreciated…

Kevin

wm408

@profkp:

My only thought is firewall? Check the firewall status logs for blocks of any kind?

Personally, I like the routed setup. :)

You don't need to worry about the interface(s) changing after reboot.

kambing

Hi there,

Good work… thanks to nooblet for sharing the tutorial with us.

But I get a problem accessing Zynga Poker on FB on both sides, firewall 1 and 2, while the VPN is enabled, but if I disable it, it's OK...

Please help.. ???

wm408

@kambing:

Kambing…

So is it just Zynga Poker? (That's weird...)

With the VPN enabled... it shouldn't affect traffic to the web from either location. Web traffic should pass through the local router for a client.

Ximerian

Can I trouble you to post your roadwarrior config? I need to get this done for a client and I am struggling with it.

EDIT:

Got it working, here is my roadwarrior conf. Note that I used TLS/SSL instead of Shared Key.

I also didn't specify a network for clients under the OpenVPN server settings, as I wanted them to get an address on the local network. I also left out the one deny rule for this same reason.

    dev tap
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    tls-client
    client
    resolv-retry infinite
    remote x.x.x.x 1194
    tls-remote xxxxxxxx
    auth-user-pass
    pkcs12 xxxxxxxx.p12
    tls-auth xxxxxxx.key 1

kambing

@wm408:

Ya, it's true. What I do… enable Squid, all firewall rules open on LAN (default) :P

vicpryl

@nooblet:

Now in my troubleshooting I had to edit the server conf file (/var/etc/openvpn/server1.conf; use Diagnostics > Edit File > browse to find it) and change the 'ifconfig' option, because it would input it as ifconfig 10.0.8.1 10.0.8.2 when instead it should have been ifconfig 10.0.8.1 255.255.255.248. I have since seen it appear to work with this step, but it doesn't hurt (and it cleans up the logs).

SAVE

I don't want to edit the file every time I open and save the OpenVPN config, so I made a little change in the PHP file for pfSense version 2.0.1.

1. On the console, enter 8 - Shell.
2. Invoke the editor on /etc/inc/openvpn.inc with the command

    ee /etc/inc/openvpn.inc

3. Go to line 405.
4. Replace line 405

    $conf .= "ifconfig $ip1 $ip2\n";

   with these 4 lines

    if ($settings['dev_mode'] != "tap")
            $conf .= "ifconfig $ip1 $ip2\n";
    else
            $conf .= "ifconfig $ip1 $mask\n";

5. Go to line 527.
6. Replace line 527

    $conf .= "ifconfig $ip2 $ip1\n";

   with these 4 lines

    if ($settings['dev_mode'] != "tap")
            $conf .= "ifconfig $ip2 $ip1\n";
    else
            $conf .= "ifconfig $ip2 $mask\n";

That's ALL!

Now the OpenVPN config will contain the correct line for the ifconfig command.

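The ifconfig mix-up that profkp hit and that vicpryl's patch fixes, as an added check (not code from pfSense or from anyone in this thread): it parses a generated OpenVPN config, flags a `dev tap` instance whose ifconfig is in tun's point-to-point form, and rewrites it with the Tunnel Network's mask, the same rule the openvpn.inc patch encodes. It also treats tun with `topology subnet` as a netmask form, which the thread does not cover; the sample config is constructed.

```python
import ipaddress
import re

# Constructed sample: the ifconfig line pfSense 2.0 wrote for a 'dev tap'
# site-to-site server before the openvpn.inc patch (Tunnel Network 10.0.8.0/29).
BROKEN_TAP_CONF = "dev tap\nproto udp\nifconfig 10.0.8.1 10.0.8.2\n"

def parse_conf(conf_text):
    """Pull dev mode, topology and the ifconfig arguments out of an OpenVPN config."""
    dev_mode, topology, ifconfig = None, "net30", None
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0][0] in "#;":  # blank line or comment
            continue
        if parts[0] == "dev" and len(parts) > 1:
            dev_mode = "tap" if parts[1].startswith("tap") else "tun"
        elif parts[0] == "topology" and len(parts) > 1:
            topology = parts[1]
        elif parts[0] == "ifconfig" and len(parts) == 3:
            ifconfig = (parts[1], parts[2])
    return dev_mode, topology, ifconfig

def is_netmask(value):
    """True for a dotted netmask such as 255.255.255.248, False for a host address."""
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{value}")
        return True
    except ValueError:
        return False

def check_ifconfig(conf_text):
    """Return 'ok', or a description of the ifconfig/dev-mode mismatch."""
    dev_mode, topology, ifconfig = parse_conf(conf_text)
    if dev_mode is None or ifconfig is None:
        return "ok"  # nothing to check, e.g. a client that pulls its address
    local, second = ifconfig
    # tap, and tun with 'topology subnet', take <local> <netmask>; point-to-point tun takes <local> <remote>
    wants_mask = dev_mode == "tap" or topology == "subnet"
    if wants_mask and not is_netmask(second):
        return f"{dev_mode} needs 'ifconfig <local> <netmask>', got 'ifconfig {local} {second}'"
    if not wants_mask and is_netmask(second):
        return f"tun needs 'ifconfig <local> <remote>', got 'ifconfig {local} {second}'"
    return "ok"

def fix_tap_ifconfig(conf_text, tunnel_network):
    """Patch's rule for a broken tap config: keep the local address, use the Tunnel Network mask as second argument."""
    if parse_conf(conf_text)[0] != "tap" or check_ifconfig(conf_text) == "ok":
        return conf_text
    mask = ipaddress.IPv4Network(tunnel_network).netmask  # 10.0.8.0/29 -> 255.255.255.248
    return re.sub(r"^(ifconfig \S+) \S+$", rf"\1 {mask}", conf_text, flags=re.M)
```

Running `check_ifconfig` against `/var/etc/openvpn/server1.conf` after each save is a quick way to confirm the patch took effect, without reading the file by hand.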
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.