OpenVPN Site-to-Site TAP Help

yottabyte

Hey everyone,

I'm trying to setup an site-to-site OpenVPN connection using TAP and can't seem to find any tutorial or how-to on how to do it.  The 2.1 draft of the pfSense book mentions it a bit in the "Bridged OpenVPN Connections" section, but it is not enough for me to get going.  Any help would be greatly appreciated.

Some background.  I am wanting to use a site-to-site VPN for a Aloha point-of-sale system.  The client site has two POS terminals that need to talk to the POS terminals and server at the server site.  I successfully created a tunnel using TUN mode, but I can't seem to get the client site POS terminals to see the server.  TAP seems like it can achieve what I need since, the way I understand it, I can use the same subnet at both sites (one logical LAN) and allow for the POS system to work properly across the VPN.

Please help.

P.S.  I would like to add that the OpenVPN connection I had setup using TUN mode was partially working and did allow me to ping certain clients across the link, but nothing more.

kejianshi

I don't get why TUN won't work for you.  As long as you can address everything directly by IP seems like it should work just fine.  I think you are doing something wrong.

yottabyte

I don't doubt it.  I know I'm missing something.  I was reading through the forums searching for a solution and came across people talking about using TAP, which seems to fit what I need.  I would like to try it, if I had directions on how to do it.  My problem starts when I'm supposed to create a bridge and the pfSense book is very vague on this.  Also, site-to-site TAP doesn't seem to be mentioned anywhere that I looked, only client-to-site, so I don't know if it can work that way.

By the way, what do you mean by "as long as you can address everything directly by IP"?

dotdash

I will second that a site to site bridge is a terrible idea compared to a standard routed config. If you can get the POS vendor to help, that should be your first choice. But, I had to do this once due to extenuating (idiot vendor) circumstances. Here are some notes:

It worked but performance was slow. It was temp setup, so these notes are all I have and they may not be perfect.
The ips and ports used are mostly arbitrary. I bumped the port to 1195, as there was an existing instance.
Your openvpns interface may show up as 0, not 1. IIRC, the LANs were on the same subnet, with the firewalls at diff IPs (e.g. 1 and 2)

SITE A
New OpenVPN server instance:
Peer to Peer (Shared Key)
UDP
tap
(WAN)
1195

generate key

IP4 tunnel 10.20.10.0/30

Interfaces, Assign. Add new if for Ovpns1
enable new interface

Interfaces, Assign, Bridges
new bridge with LAN and ovpns1 interfaces

Firewall rules:
allow all on OpenVPN
allow all on OPTx(ovpns1)
allow UDP 1195 on WAN to WAN Address

SITE B
New OpenVPN client instance:
Peer to Peer (Shared Key)
UDP
tap
(WAN)
local port 1195
server host or address: (address of site A WAN)
Server port 1195

paste key from site A

IP4 tunnel 10.20.10.0/30

Interfaces, Assign. Add new if for Ovpns1
enable new interface

Interfaces, Assign, Bridges
new bridge with LAN and ovpns1 interfaces

Firewall rules:
allow all on OpenVPN
allow all on OPTx(ovpns1)
allow UDP 1195 on WAN to WAN Address

kejianshi

The only thing that I've ever had issue with is stateless config devices that don't have a way for you to enter IPs to make them work.

Or with people who are hell bent on using \MyWindowsPC to access a share vs \10.12.13.14 (or whatever the IP of the share is)

But if your are configuring all your devices using IPs directly, I don't see why a normal TUN setup wouldn't be great.

yottabyte

@dotdash:

I will second that a site to site bridge is a terrible idea compared to a standard routed config. If you can get the POS vendor to help, that should be your first choice. But, I had to do this once due to extenuating (idiot vendor) circumstances. Here are some notes:

It worked but performance was slow. It was temp setup, so these notes are all I have and they may not be perfect.
The ips and ports used are mostly arbitrary. I bumped the port to 1195, as there was an existing instance.
Your openvpns interface may show up as 0, not 1. IIRC, the LANs were on the same subnet, with the firewalls at diff IPs (e.g. 1 and 2)

SITE A
New OpenVPN server instance:
Peer to Peer (Shared Key)
UDP
tap
(WAN)
1195

generate key

IP4 tunnel 10.20.10.0/30

Interfaces, Assign. Add new if for Ovpns1
enable new interface

Interfaces, Assign, Bridges
new bridge with LAN and ovpns1 interfaces

Firewall rules:
allow all on OpenVPN
allow all on OPTx(ovpns1)
allow UDP 1195 on WAN to WAN Address

SITE B
New OpenVPN client instance:
Peer to Peer (Shared Key)
UDP
tap
(WAN)
local port 1195
server host or address: (address of site A WAN)
Server port 1195

paste key from site A

IP4 tunnel 10.20.10.0/30

Interfaces, Assign. Add new if for Ovpns1
enable new interface

Interfaces, Assign, Bridges
new bridge with LAN and ovpns1 interfaces

Firewall rules:
allow all on OpenVPN
allow all on OPTx(ovpns1)
allow UDP 1195 on WAN to WAN Address

dotdash,

So no IPv4 Local or Remote Network defined on either the OpenVPN Server or Client? Leave blank?

Also, page 368 of the pfSense 2.1 draft book states that for bridged OpenVPN connections "You will also want to make sure that the IPv4 Tunnel Network and IPv6 Tunnel Network boxes are empty. The way that a tap bridge OpenVPN functions, it does not need a tunnel network, as OpenVPN doesn't use the same address assignment that it does for tun mode."  What should I do?

dotdash

I used a /30 tunnel network. Somehow it was smart enough to assign .1 to the first box and .2 to the second. I started from a couple of incomplete/old tutorials on the net which used a tunnel network. If it works with an empty tunnel network, go that route. The book is generally authoritative.
I left the local and remote networks blank.

yottabyte

Okay, I followed the example that you posted but did leave "IPv4 Tunnel Network" blank for the moment.  OpenVPN status is green and logs show no errors.  Firewall logs, on the other hand, show that the POS terminals at the server site are sending out LLMNR packets on port 5355 to 224.0.0.252 multicast address and are being blocked from either the POS VLAN interface or "bridge 0".

What should my firewall rules be for the POS VLAN on the server and client sites?  Right now they are any protocol, source POS VLAN net, any port, destination POS VLAN net, any port.  Also, what IP address should I assign to the client site POS VLAN? Right now both the server and client site POS VLAN interface IP addresses are the same.  Lastly, I can't ping anything across the link from either pfSense box or clients.

Thanks for your help.

yottabyte

By the way, I tried adding a /30 network to the "IPv4 Tunnel Network" field and it took down the tunnel.  OpenVPN status read "unable to contact daemon".  Perhaps I need to assign an IP address to the OPTx(ovpns1) interface?  Right now "IPv4 Configuration Type" field is set to "None".

dotdash

My openvpns interface was just enabled with no IP address set. I put a pass any any on the openvpn tab and the openvpns(OPTx) interface.
Your POS VLAN interfaces on the two firewalls should have different IPs. e.g. Site A 192.168.13.1 Site B 192.168.13.2

yottabyte

Success!  I fixed the POS VLAN IP address, rebooted both boxes, and whole POS system now works.  Performance is a new issue, though.  A slight one or two second lag occurs sometimes at the client site POS terminals, between button presses and screen refresh.  It might be due to the TAP or the ~800 kbps upload limit at both sites.  This ain't over yet, but it works for now.  Thanks dotdash.