Netgate Discussion Forum

    OpenVPN TAP Bridging with LAN

    3 Posts 2 Posters 7.3k Views
    jgwinner

      This topic is locked, but good:

      https://forum.pfsense.org/index.php?topic=46984.0#lastPost

      However, I tried it, but it doesn't work.

      I've gone through the setup twice, making sure I followed all of the steps. I'll edit this when we find the solution.

      I contacted NetGate with a trouble ticket, and they advised that OpenVPN TAP bridging is a security risk. In any event, here are the steps I followed:

      First Install the OpenVPN Client Export Utility Package

      1. Go to System ---> Packages

      2. Choose "Available Packages Tab"
        http://i.imgur.com/GZpNwDc.jpg

      3. Locate the OpenVPN Client Export Utility Package and install it by pressing the "+" on the right
        http://i.imgur.com/Hk2Gdkz.jpg

      Setup your Certs

      1. Go to System ---> Cert Manager
        http://i.imgur.com/eF7AdAa.jpg

      2. Go to the CA tab and create a CA by pressing the "+" button
        http://i.imgur.com/TIBRPIG.jpg

      3. Fill in the boxes with the appropriate information, making sure to change method to "Create Internal Certificate Authority". Alternatively you can also import your own. (outside the scope of this guide)
        http://i.imgur.com/pFQNJx2.jpg

      4. Create the server certificate by clicking the "Certificates" tab and pressing the "+" button

      5. Change "Method" to "Create an internal Certificate", and "Certificate Type" to "Server Certificate" Fill in the appropriate information and make sure to change the Certificate Authority to that of the CA you just created in step 3.

      6. Create User Certificates in the same way but instead of choosing "Server Certificate" for Certificate type, make sure to choose "User Certificate"
        *It is recommended that each individual PC that connects to the VPN has its own certificate.
        **It is also not necessary, but recommended, to create a revocation list. Click the Client Revocation tab, then the "+" to add one. Choose the CA you made in step 3.

      Setup the OpenVPN server

      1. Go to VPN ---> OpenVPN
      2. On the Server tab press the "+" button to create an OpenVPN server
      3. Fill in the following settings
        Disabled - Unchecked (Obviously!)
        Server Mode - Remote Access (SSL/TLS)
        Protocol - UDP
        Device Mode - tap
        Interface - WAN
        Port - 1194
        Description - description of your server
        TLS Authentication - Check both boxes... this also creates your authentication key
        Peer Certificate Authority - choose the CA you created earlier
        Peer Certificate Revocation List - if you made one while setting up the certs specify it here
        Server Certificate - choose the server certificate you created earlier
        DH Parameters - 1024
        Encryption algorithm: AES-128-CBC (128-bit)
        Hardware Crypto - options here may differ, but choose a hardware crypto engine if you have one
        Certificate Depth - One (Client+Server)

      IP settings


      IPv4 Tunnel Network - Leave blank, not used in tap/bridge mode
      IPv6 Tunnel Network - Leave blank, not used in tap/bridge mode
      Bridge DHCP - check
      Bridge Interface - LAN
      Server Bridge DHCP Start - start of your ip address range for remote clients
      Server Bridge DHCP End - end of your ip address range for remote clients
      *DHCP address range should be a range of IP addresses that are within the ip address range of your LAN network.
      Redirect Gateway - uncheck
      IPv4 Local Network - this is the address of your LAN network expressed as a CIDR range, most likely 192.168.1.0/24
      IPv6 Local Network - Leave blank
      Concurrent connections - 2
      Compression - for bandwidth reduction check this box
      Type-of-Service - uncheck
      Inter-client communication - check this box if you want remote clients to be able to access each other
      Duplicate Connections - allows multiple connections from the same client, not recommended but may possibly be needed

      Dynamic IP - if your router's WAN IP changes you should check this
      Address Pool - check
      DNS Default Domain - fill this in if you have one
      DNS Servers - set to your local DNS server

      Press save and your OpenVPN server is created

      Create your Interface and Bridge:

      1. Interfaces ---> (assign)
      2. add an interface by pressing the "+" button
      3. in the drop down box next to the OPT1 interface that was created, choose the OpenVPN server instance we just created
      4. go to Interfaces ---> OPT1
      5. Enable the interface and give it a Description
      6. go to Interfaces ---> (assign)
      7. choose the Bridges tab and then click the "+" button to add a bridge
      8. Hold the CTRL button and highlight both your LAN interface and the renamed OPT1 interface we just created.

      Create a firewall rule allowing traffic on your OpenVPN port for the WAN interface.

      1. Go to Firewall ---> Rules
      2. Choose the WAN tab
      3. Press the "+" near the top right to add a rule and enter the following information:
        Action: Pass
        Disabled: uncheck
        Interface: WAN
        TCP/IP Version: IPv4
        Protocol: The protocol you chose in the OpenVPN server settings, probably UDP
        Source
        not: unchecked
        Type: any
        Address: leave blank
        Destination:
        not: unchecked
        type: WAN address
        Address: blank
        Destination port range: Port your OpenVPN server runs on, probably 1194
        Log: up to you
        Description: optional, give the rule a description

      You're done. The last thing to do is export the client configs. Luckily with v2.1 pfSense has made this stupid easy to do.

      1. VPN ---> OpenVPN
      2. Choose the client Export Tab
      3. You should see an option to export a config for each certificate you created earlier. Hopefully you named your certs something easily identifiable.
      4. It's recommended that for Windows you choose the Windows Installer. This will download and install OpenVPN and the config files.
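The "Setup your Certs" steps above create three kinds of objects in the pfSense Cert Manager: an internal CA, a certificate of type "Server Certificate", and per-client certificates of type "User Certificate". The example below is added here and is not the poster's material or pfSense code: it rebuilds that PKI with the `openssl` command line (assumed to be on PATH, version 1.1.1 or later; the names example-ca, server and alice are made up) so that the difference between the two certificate types, the `extendedKeyUsage` extension, is visible, and it runs the check an OpenVPN client performs when its config carries `remote-cert-tls server`: the peer certificate must chain to the CA and carry the serverAuth usage. A user certificate signed by the same CA fails that check, which is what stops a stolen client certificate from being used to stand up a fake VPN server.

```python
"""Added example: a throwaway CA, a server cert and a user cert built with the
openssl CLI, plus the purpose check that 'remote-cert-tls server' relies on.
Assumes openssl 1.1.1+ on PATH. Names are invented for the demo."""
import subprocess
import tempfile
from pathlib import Path

# Extensions for the CA and for leaf certificates. serverAuth corresponds to
# pfSense's "Server Certificate" type, clientAuth to its "User Certificate" type.
CA_EXT = ("basicConstraints = critical, CA:TRUE\n"
          "keyUsage = critical, keyCertSign, cRLSign\n")
LEAF_EXT = ("basicConstraints = CA:FALSE\n"
            "keyUsage = digitalSignature, keyEncipherment\n"
            "extendedKeyUsage = {eku}\n")


def _openssl(work, *args):
    return subprocess.run(["openssl", *args], cwd=work,
                          capture_output=True, text=True)


def _write_cnf(work, name, cn, ext_body):
    # Per-cert config file, so nothing depends on the system openssl.cnf.
    Path(work, f"{name}.cnf").write_text(
        f"[req]\nprompt = no\ndistinguished_name = dn\n"
        f"[dn]\nCN = {cn}\n[ext]\n{ext_body}")
    return f"{name}.cnf"


def make_ca(work):
    """Self-signed CA, the equivalent of 'Create Internal Certificate Authority'."""
    cnf = _write_cnf(work, "ca", "example-ca", CA_EXT)
    _openssl(work, "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
             "-config", cnf, "-extensions", "ext",
             "-keyout", "ca.key", "-out", "ca.crt").check_returncode()


def issue(work, name, eku):
    """CA-signed leaf cert; eku is 'serverAuth' or 'clientAuth'."""
    cnf = _write_cnf(work, name, name, LEAF_EXT.format(eku=eku))
    _openssl(work, "req", "-new", "-newkey", "rsa:2048", "-nodes", "-config", cnf,
             "-keyout", f"{name}.key", "-out", f"{name}.csr").check_returncode()
    _openssl(work, "x509", "-req", "-in", f"{name}.csr", "-CA", "ca.crt",
             "-CAkey", "ca.key", "-CAcreateserial", "-days", "365",
             "-extfile", cnf, "-extensions", "ext",
             "-out", f"{name}.crt").check_returncode()


def accepted_as(work, cert, purpose):
    """True if cert chains to ca.crt AND its extensions allow the given purpose
    ('sslserver' or 'sslclient'). This is the same test an OpenVPN client
    applies to the server's certificate under 'remote-cert-tls server'."""
    r = _openssl(work, "verify", "-CAfile", "ca.crt", "-purpose", purpose, cert)
    return r.returncode == 0


def build_demo_pki():
    work = tempfile.mkdtemp(prefix="ovpn-pki-")
    make_ca(work)
    issue(work, "server", "serverAuth")   # "Server Certificate" in pfSense
    issue(work, "alice", "clientAuth")    # "User Certificate" in pfSense
    return work


def check_matrix(work):
    """Which cert is accepted in which role. The two False entries are the
    point: same CA, but the type of certificate still decides the role."""
    return {
        "server_as_server": accepted_as(work, "server.crt", "sslserver"),
        "alice_as_client": accepted_as(work, "alice.crt", "sslclient"),
        "alice_as_server": accepted_as(work, "alice.crt", "sslserver"),
        "server_as_client": accepted_as(work, "server.crt", "sslclient"),
    }


if __name__ == "__main__":
    pki = build_demo_pki()
    for role, ok in check_matrix(pki).items():
        print(f"{role}: {'accepted' if ok else 'rejected'}")
```

The two rejected cases are what the client-side `remote-cert-tls server` directive buys you; if a client config lacks it, any certificate issued by the CA, including another user's, would be accepted as the server's.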
      jgwinner

        Current status (will update once we get it working).

        I can connect, but nothing routes to the remote office.

        Remote LAN: (IPs sanitized)

        192.168.10.X

        pfSense box: 192.168.10.254

        My IP (via OpenVPN) 192.168.10.32
        My local LAN is 192.168.0.1 (I'm testing as if I'm a typical home user).

        If I ping 192.168.10.254 the route goes out my default gateway. (Note that redirect gateway setting was set off, per instructions).

        IPv4 Route Table
        ===========================================================================
        Active Routes:
        Network Destination        Netmask          Gateway       Interface  Metric
                  0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.111     10
                127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
                127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
          127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
              192.168.0.0    255.255.255.0         On-link     192.168.0.111    266
            192.168.0.111  255.255.255.255         On-link     192.168.0.111    266
            192.168.0.255  255.255.255.255         On-link     192.168.0.111    266
             192.168.10.0    255.255.255.0         On-link     192.168.10.32    276
             192.168.10.0    255.255.255.0   192.168.10.254    192.168.10.32     20
            192.168.10.32  255.255.255.255         On-link     192.168.10.32    276
           192.168.10.255  255.255.255.255         On-link     192.168.10.32    276
                224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
                224.0.0.0        240.0.0.0         On-link     192.168.0.111    293
                224.0.0.0        240.0.0.0         On-link     192.168.10.32    276
          255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          255.255.255.255  255.255.255.255         On-link     192.168.0.111    266
          255.255.255.255  255.255.255.255         On-link     192.168.10.32    276
        ===========================================================================
        
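To check which entry the table above actually selects for a given destination, here is an added example (mine, not the poster's) that parses Windows `route print` output and applies the selection Windows uses: longest matching prefix first, lowest metric as the tie-breaker. The table text is a constructed copy of the one pasted above; the `Interface` column in this output is the address of the adapter, which is why it is returned as the exit interface.

```python
"""Added example: parse 'route print' output and resolve the route Windows
picks for a destination (longest prefix, then lowest metric)."""
import ipaddress

# Constructed copy of the poster's IPv4 route table.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.111     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link     192.168.0.111    266
    192.168.0.111  255.255.255.255         On-link     192.168.0.111    266
    192.168.0.255  255.255.255.255         On-link     192.168.0.111    266
     192.168.10.0    255.255.255.0         On-link     192.168.10.32    276
     192.168.10.0    255.255.255.0   192.168.10.254    192.168.10.32     20
    192.168.10.32  255.255.255.255         On-link     192.168.10.32    276
   192.168.10.255  255.255.255.255         On-link     192.168.10.32    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.0.111    293
        224.0.0.0        240.0.0.0         On-link     192.168.10.32    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.0.111    266
  255.255.255.255  255.255.255.255         On-link     192.168.10.32    276
"""


def parse_route_print(text):
    """Turn the five-column rows into dicts; header and banner lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            # ipaddress accepts 'address/netmask', e.g. 0.0.0.0/0.0.0.0
            network = ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False)
            metric = int(fields[4])
        except ValueError:
            continue
        routes.append({"network": network, "gateway": fields[2],
                       "interface": fields[3], "metric": metric})
    return routes


def select_route(routes, destination):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def describe(routes, destination):
    r = select_route(routes, destination)
    if r is None:
        return f"{destination}: no route"
    via = "on-link" if r["gateway"] == "On-link" else f"via {r['gateway']}"
    return (f"{destination}: {r['network']} {via} "
            f"out {r['interface']} (metric {r['metric']})")


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for dst in ("192.168.10.254", "192.168.10.77", "192.168.0.1", "8.8.8.8"):
        print(describe(table, dst))
```

For 192.168.10.254 the two /24 entries tie on prefix length and the metric 20 entry (gateway 192.168.10.254, adapter 192.168.10.32) wins over the metric 276 on-link entry; anything outside both /24s falls through to the 0.0.0.0/0 route via 192.168.0.1. Re-running the script against a fresh `route print` capture is the quickest way to confirm whether a test ping is really leaving through the TAP adapter.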
        WiFivomFranMan

          I'd guess you have to bridge the tap interface to the LAN. I think that was a change in 2.3, so the old guide doesn't work.

          https://www.reddit.com/r/PFSENSE/comments/3hql33/configuring_openvpn_bridge_with_local_dhcp/

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.