Netgate Discussion Forum
    Openvpn tap 2.4.2_RELEASE-p1 does it work?

    18 Posts 4 Posters 3.1k Views
rsloan

      Hi

I wanted to use tap on 2.4.2_RELEASE-p1 as well, but had no joy. You seem to be having more luck than me though, as I can't get tun to work properly either. I have a post at:

      https://forum.pfsense.org/index.php?topic=142196.0

But no one has managed to help me so far.

      Regards,

      Robert.

jimp (Rebel Alliance Developer, Netgate)

        tap works just fine if you configure it properly and know its limits and how it works.

        There is a lot of confusion because people expect it to behave like tun + a bridge and that just isn't how it works, and it can't really work that way without some nudging. Routing through tap to the Internet or other subnets requires a gateway, but with a typical tap setup you don't have that since the tunnel network is empty. In these cases, you must manually push a gateway to clients using advanced options (e.g. push "route-gateway 192.168.1.1"; but substitute your actual LAN IP address.)

        The GUI could probably be slightly smarter and guess what route-gateway to push based on the selected bridge interface, but I'm not sure if that should always be on or be its own separate option. You can apply that patch using the system patches package and see if it makes a difference.

        server-bridge only appears if you fill in the start/stop dhcp range. If you want DHCP to pass through to the existing LAN DHCP (bridge enabled but the start/stop range is empty), that directive won't be in the config.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

simon.lock

Thank you Jimp for your reply. You certainly are correct regarding the "server-bridge" directive; I've just checked it out. I already push "route-gateway 192.168.148.1", where the IP specified is that of my LAN interface, as an option. But I still fail to gain access to the internet and to resolve names from the unbound DNS Resolver when connected. Do you specify the LAN interface directly or the created bridge interface ("BR0" in my case, LAN+TAP) as the Bridge Interface in the tap server configuration page?

          I've also specified pass any rules for both the TAP interface and the created bridge "BR0" interface without any luck.

simon.lock

            @rsloan:

            Hi

I wanted to use tap on 2.4.2_RELEASE-p1 as well, but had no joy. You seem to be having more luck than me though, as I can't get tun to work properly either. I have a post at:

            https://forum.pfsense.org/index.php?topic=142196.0

But no one has managed to help me so far.

            Regards,

            Robert.

I was reminded of this YouTube video (https://www.youtube.com/watch?v=xiy52Hn5bTc&ab_channel=ChunkyTech) by seewolf in another post. I found this video useful when setting up the tun server on pfSense. In fact I was the last person to comment on that video 2 weeks ago, suggesting a tap tutorial :-)

jimp (Rebel Alliance Developer, Netgate)

              @simon.lock:

Thank you Jimp for your reply. You certainly are correct regarding the "server-bridge" directive; I've just checked it out. I already push "route-gateway 192.168.148.1", where the IP specified is that of my LAN interface, as an option. But I still fail to gain access to the internet and to resolve names from the unbound DNS Resolver when connected. Do you specify the LAN interface directly or the created bridge interface ("BR0" in my case, LAN+TAP) as the Bridge Interface in the tap server configuration page?

              I've also specified pass any rules for both the TAP interface and the created bridge "BR0" interface without any luck.

              Must be something in your settings yet. My tap bridge user gets an IP address from the LAN subnet, it can query unbound just fine, and once I push it a route-gateway it can reach the Internet through the bridge. NAT shouldn't be a concern since it's the same subnet as LAN, same with unbound ACLs, the LAN subnet is already allowed. As long as the firewall passes it through it should work.

jimp (Rebel Alliance Developer, Netgate)

                I added a GUI option to 2.4.3 which can push a route-gateway based on the selected bridge interface. It should make things easier/more obvious for users hitting that barrier.

                https://redmine.pfsense.org/issues/8267
                The commit will show up there in a few moments.

simon.lock

                  Thank you again for this Jimp. It will certainly prove very valuable to many others in the next version of pfSense. I however had already implemented the route-gateway directive after viewing the initial complaints shown in openvpn GUI client logs.

                  I have created an interface for the openvpn tap server (ovpns2) and called it TAP
                  I've created a bridge interface (BRIDGE0) and called it BR0 which combines TAP with LAN

                  In the openvpn server configuration page which "Bridge Interface" should I select? BR0, TAP or LAN? I've tried all combinations without success.

                  In PfSense Viewing Status / Interfaces (shown attached)

                  The TAP Interface always shows "In/Out errors 0/1" might this be the cause of my problems?

                  pfsInterfaces.JPG

jimp (Rebel Alliance Developer, Netgate)

                    In OpenVPN you select the local interface that the VPN is bridged to, so LAN is the Bridge Interface.

                    What settings are on the TAP interface in the GUI? It should really just be the enable checkbox and the name, other settings left at 'none'.

Can you show the rest of your OpenVPN configuration? You can mask any private info, but please try to keep at least the first and last octet of any networks you have filled in, along with their subnet masks.

simon.lock

                      Thanks Jimp your feedback is much appreciated. My TAP interface is simply enabled, given a name and a description and nothing more.

                      The openvpn generated configuration is listed below:

# pfSense-generated server config (server2). Comment lines mark the directives
# this thread turns on; the directives themselves are unchanged.
dev ovpns2
verb 1
# Layer-2 (tap) server; this interface is the member bridged with LAN as BR0
dev-type tap
dev-node /dev/tap2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 109.xxx.xxx.65
engine rdrand
tls-server
mode server
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user TxxxxU= true server2 1194" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server' 1"
lport 1194
management /var/etc/openvpn/server2.sock unix
max-clients 10
# No 'server-bridge' line: the GUI DHCP range is empty, so clients are addressed
# by the LAN DHCP server across the bridge and get no gateway from OpenVPN itself
push "dhcp-option DOMAIN simon.lan"
push "dhcp-option DNS 192.168.148.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Found later in this thread to stop DNS working for tap clients
push "block-outside-dns"
push "register-dns"
push "dhcp-option WINS 192.168.148.101"
# Found later in this thread to only work when it is the last statement,
# i.e. pushed after route-gateway (done by moving it to the custom options)
push "redirect-gateway def1"
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server2.crl-verify
tls-crypt /var/etc/openvpn/server2.tls-crypt
ncp-ciphers AES-256-GCM:AES-128-GCM
compress lz4-v2
push "compress lz4-v2"
passtos
persist-remote-ip
float
# Gateway for bridged clients: the LAN address, since the tap tunnel network is empty
push "route-gateway 192.168.148.1"

jimp (Rebel Alliance Developer, Netgate)

                        Nothing stands out there that I can see. The only difference in mine is that I'm using slightly different compression, ciphers/auth, and not pushing as many DNS servers.

simon.lock

                          Thanks Jimp. The additional dns servers were only added in the hope of getting to the internet through the tunnel and because the pfsense dns doesn't respond when connected. The compression, ciphers and auth must be correct and valid because I always successfully connect.

                          Could it be that the openvpn tap interface always shows an error (The TAP Interface always shows "In/Out errors 0/1" might this be the cause of my problems?). That's my only remaining guess.

jimp (Rebel Alliance Developer, Netgate)

                            No a single error wouldn't mean anything, and mine shows the same (one single output error).

                            Check your firewall rules, logs, and when you're attempting connections, check what the state table looks like when traffic from the client is trying to reach the internet.

simon.lock

                              Thanks for eliminating the one single output error on my TAP interface as being the cause of my problems. I have no complicated rules in place whatsoever and will need to bring my laptop from work, so I'll have 2 computers on my home LAN, to do proper diagnosis of the states table while connecting. Might even try to investigate using wireshark.

simon.lock

                                I'm sure openvpn tap problems are directly related to dns.

                                I can connect every time, access mapped drives and even see machines listed in the windows 10 network and also access their samba shares. I can also connect to local web services on my LAN by ip address.

                                The Internet access problems and names not resolving when using the openvpn tap server are dns related despite the "route-gateway xx.xx.xx.xx" directive.

                                My network card receives the correct dns settings etc but still cannot communicate with the dns resolver.

                                In addition to this almost every time I make a change to the openvpn tap server settings and press the save button, the unbound dns resolver service stops running and I then need to restart it manually. Might this be a bug?

simon.lock

                                  Hi Jimp

                                  I did as you suggested but unfortunately I'm no nearer to a solution. I hope you might be able to point me closer to the right direction.

                                  When I connect to my OpenVpn tap server from a laptop tethered to my iPhone for an Internet connection, I can connect every time.

                                  I receive the expected IP address 192.168.148.244 and my network adapter lists 192.168.148.1 as the DNS server which is the local IP address of my pfSense box.

                                  Connection-specific DNS Suffix  . : simon.lan
                                    Description . . . . . . . . . . . : TAP-Windows Adapter V9
                                    Physical Address. . . . . . . . . : 00-FF-62-D8-1A-D2
                                    DHCP Enabled. . . . . . . . . . . : Yes
                                    Autoconfiguration Enabled . . . . : Yes
                                    IPv4 Address. . . . . . . . . . . : 192.168.148.244(Preferred)
                                    Subnet Mask . . . . . . . . . . . : 255.255.255.0
                                    Lease Obtained. . . . . . . . . . : 17 January 2018 13:13:22
                                    Lease Expires . . . . . . . . . . : 17 January 2019 13:13:21
                                    Default Gateway . . . . . . . . . :
                                    DHCP Server . . . . . . . . . . . : 192.168.148.0
                                    DNS Servers . . . . . . . . . . . : 192.168.148.1
                                    Primary WINS Server . . . . . . . : 192.168.148.101
                                    NetBIOS over Tcpip. . . . . . . . : Enabled

                                  The DHCP Server listed however, looks somewhat strange as it lists my subnet as the DHCP Server. I've not seen that before.

This is a "route print -4" from the connected laptop.

                                  IPv4 Route Table

                                  Active Routes:
                                  Network Destination        Netmask          Gateway      Interface  Metric
                                            0.0.0.0          0.0.0.0      172.20.10.1      172.20.10.2    20
                                            0.0.0.0        128.0.0.0    192.168.148.1  192.168.148.244    259
                                    109.154.145.65  255.255.255.255      172.20.10.1      172.20.10.2    276
                                          127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
                                          127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
                                    127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                                          128.0.0.0        128.0.0.0    192.168.148.1  192.168.148.244    259
                                        172.20.10.0  255.255.255.240        On-link      172.20.10.2    276
                                        172.20.10.2  255.255.255.255        On-link      172.20.10.2    276
                                      172.20.10.15  255.255.255.255        On-link      172.20.10.2    276
                                      192.168.148.0    255.255.255.0        On-link  192.168.148.244    259
                                    192.168.148.244  255.255.255.255        On-link  192.168.148.244    259
                                    192.168.148.255  255.255.255.255        On-link  192.168.148.244    259
                                          224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
                                          224.0.0.0        240.0.0.0        On-link  192.168.148.244    259
                                          224.0.0.0        240.0.0.0        On-link      172.20.10.2    276
                                    255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
                                    255.255.255.255  255.255.255.255        On-link  192.168.148.244    259
                                    255.255.255.255  255.255.255.255        On-link      172.20.10.2    276

                                  Attached below is a screen shot of the Status Page for OpenVPN. All looks completely normal to me. (TAPStatus.JPG)
                                  However, I've noticed that when I disconnect the client from the OpenVPN session, that pfSense still shows the session as connected.

                                  I've also attached both the OpenVPN log files (verbosity=6) for my TAP adapter (TAP_Svr_Log.txt) and also the states table when connected. (TAP_Adapter_States.txt)

                                  I've obscured my public IP to show ww.xx.yy.zz and my Common Name to myCN.

                                  I can see that many calls from my adapter to the dns server are being made (port 53) but I'm not sure what MULTIPLE:MULTIPLE means.

                                  e.g.

                                  TAP udp 192.168.148.244:61989 -> 192.168.148.1:53 MULTIPLE:MULTIPLE 4/4 332B/552B
                                  TAP udp 192.168.148.244:59203 -> 192.168.148.1:53 MULTIPLE:MULTIPLE 4/4 276B/496B
                                  TAP udp 192.168.148.244:53117 -> 192.168.148.1:53 MULTIPLE:MULTIPLE 4/4 248B/940B
                                  TAP udp 192.168.148.244:63584 -> 192.168.148.1:53 MULTIPLE:MULTIPLE 4/4 248B/312B

                                  Thanks very much in advance. I'm sure the solution must be something trivial that I'm missing.

TAPStatus.JPG
                                  TAP_Svr_Log.txt
                                  TAP_Adapter_States.txt

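The state lines pasted above, read by a small parser as an added example (not part of the original post and not pfSense code). It assumes the Diagnostics > States line format shown in the post (interface, protocol, src -> dst, pf state, packets forward/reverse, bytes forward/reverse) and relies on pf's UDP per-side state names NO_TRAFFIC, SINGLE and MULTIPLE: MULTIPLE:MULTIPLE means several packets were seen in both directions, so the resolver's replies did go back out through the tap interface. The fifth sample line is constructed to show what an unanswered query would look like.

```python
"""Interpret pfSense state-table lines for a tap client's DNS traffic.

Added example, not pfSense code.  Line format (as pasted in this thread):
    IFACE proto src:port -> dst:port STATE pkts_fwd/pkts_rev bytes_fwd/bytes_rev
"fwd" is the direction that created the state (client -> resolver here),
"rev" is the reply direction.  For UDP, pf's per-side state names are
NO_TRAFFIC, SINGLE and MULTIPLE.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<state>[A-Z_]+:[A-Z_]+)\s+(?P<pf>\d+)/(?P<pr>\d+)\s+(?P<bf>\d+)B/(?P<br>\d+)B$"
)

# Constructed sample: the four lines from the post plus one made-up
# unanswered query (SINGLE:NO_TRAFFIC, packets one way only) for contrast.
SAMPLE_STATES = """\
TAP udp 192.168.148.244:61989 -> 192.168.148.1:53 MULTIPLE:MULTIPLE 4/4 332B/552B
TAP udp 192.168.148.244:59203 -> 192.168.148.1:53 MULTIPLE:MULTIPLE 4/4 276B/496B
TAP udp 192.168.148.244:53117 -> 192.168.148.1:53 MULTIPLE:MULTIPLE 4/4 248B/940B
TAP udp 192.168.148.244:63584 -> 192.168.148.1:53 MULTIPLE:MULTIPLE 4/4 248B/312B
TAP udp 192.168.148.244:50001 -> 192.168.148.1:53 SINGLE:NO_TRAFFIC 1/0 62B/0B
"""


@dataclass
class State:
    iface: str
    proto: str
    src: str
    dst: str
    state: str
    pkts_fwd: int   # packets in the direction that created the state
    pkts_rev: int   # packets in the reverse (reply) direction
    bytes_fwd: int
    bytes_rev: int

    @property
    def answered(self) -> bool:
        """True when reply traffic flowed back through the same interface."""
        return self.pkts_fwd > 0 and self.pkts_rev > 0


def parse_states(text: str) -> List[State]:
    """Parse state lines; lines that do not match the format are skipped."""
    states: List[State] = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        states.append(State(m["iface"], m["proto"], m["src"], m["dst"], m["state"],
                            int(m["pf"]), int(m["pr"]), int(m["bf"]), int(m["br"])))
    return states


def dns_summary(text: str, resolver_ip: str) -> Dict[str, object]:
    """Count UDP/53 states towards the resolver, split by whether replies were seen."""
    dns = [s for s in parse_states(text) if s.proto == "udp" and s.dst == f"{resolver_ip}:53"]
    answered = [s for s in dns if s.answered]
    return {
        "queries": len(dns),
        "answered": len(answered),
        "unanswered_src": [s.src for s in dns if not s.answered],
        "reply_bytes": sum(s.bytes_rev for s in answered),
    }


if __name__ == "__main__":
    print(dns_summary(SAMPLE_STATES, "192.168.148.1"))
```

For the four real lines the summary reports four answered queries with reply bytes larger than the queries, i.e. unbound did answer and the answers left pfSense via the tap interface. That narrows the fault to the path between the tap interface and the client's resolver, which fits the poster's later finding that a pushed client-side option was responsible.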
simon.lock

                                    OpenVPN TAP solution

                                    Block Outside DNS
                                    This prevents DNS working period. Regardless of whether the client is a Win 10 machine or not. Win 7 is also affected. This must NOT be enabled for TAP.

                                    Redirect IPv4 Gateway

                                    Doesn't work properly for both TUN and TAP solutions. I had to disable this option and add the statement: push "redirect-gateway def1" to the custom options. This makes it the last statement in the generated conf files. It's subtle but without doing this the public IP address used by the connected clients is NOT the public IP address used by pfsense.

TAP now connects, clients use the correct tunnelled public IP address, I have internet access and "some" sort of DNS resolution from the pfSense Resolver.
                                    DNS Resolver works perfectly with TUN.

DNS generally resolves hostnames but not fully qualified names including the DNS Default Domain name. I shouldn't have to specify DNS Default Domain in the configuration as the clients connect by DHCP. But even specifying an entry for DNS Default Domain makes no difference.

I think the OpenVPN TAP solution needs some refinement. I hope this helps someone.

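The pitfalls collected in this thread, as an added example that is not part of the original posts and not pfSense or OpenVPN project code: a lint over a pfSense-generated OpenVPN server config that flags the three things discussed above, namely jimp's point that a tap server without "server-bridge" (empty DHCP range) needs a pushed route-gateway, and the two findings in the solution post (push "block-outside-dns" breaks DNS for tap clients; push "redirect-gateway def1" only worked as the last statement, after route-gateway). The two sample configs are constructed from the config posted earlier in the thread; the check logic encodes only what the thread says.

```python
"""Lint an OpenVPN server config for the tap-mode pitfalls this thread turns on.

Added example, not pfSense or OpenVPN project code.  Checks, as stated in the thread:
  * tap server with no 'server-bridge' (empty DHCP range in the GUI): clients get a
    LAN address over the bridge but no gateway, so push "route-gateway <LAN IP>" is needed;
  * push "block-outside-dns" stops DNS working for tap clients;
  * push "redirect-gateway def1" only worked when it was the last statement,
    i.e. after push "route-gateway".
"""
import shlex
from typing import List, Tuple

Directive = Tuple[str, List[str]]  # (name, args), e.g. ("push", ["route-gateway 192.168.148.1"])

# Constructed sample, trimmed from the config posted in this thread.
THREAD_CONFIG = """
dev ovpns2
dev-type tap
dev-node /dev/tap2
#user nobody
proto udp4
tls-server
mode server
push "dhcp-option DOMAIN simon.lan"
push "dhcp-option DNS 192.168.148.1"
push "block-outside-dns"
push "register-dns"
push "redirect-gateway def1"
push "route-gateway 192.168.148.1"
"""

# The same server with the thread's two fixes applied: block-outside-dns removed,
# redirect-gateway moved to the end (pfSense places custom options last).
FIXED_CONFIG = """
dev ovpns2
dev-type tap
dev-node /dev/tap2
proto udp4
tls-server
mode server
push "dhcp-option DOMAIN simon.lan"
push "dhcp-option DNS 192.168.148.1"
push "register-dns"
push "route-gateway 192.168.148.1"
push "redirect-gateway def1"
"""


def parse_config(text: str) -> List[Directive]:
    """Split an OpenVPN config into (name, args) pairs.

    Lines starting with '#' or ';' are comments; shlex keeps a quoted push
    payload such as "route-gateway 192.168.148.1" together as one argument."""
    cfg: List[Directive] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        cfg.append((parts[0], parts[1:]))
    return cfg


def is_tap(cfg: List[Directive]) -> bool:
    """True for 'dev-type tap' (pfSense style, with dev ovpnsN) or a plain 'dev tapN'."""
    return any(
        (name == "dev-type" and args == ["tap"])
        or (name == "dev" and bool(args) and args[0].startswith("tap"))
        for name, args in cfg
    )


def pushed_options(cfg: List[Directive]) -> List[str]:
    """First word of every pushed option, in config order (order matters below)."""
    return [args[0].split()[0] for name, args in cfg if name == "push" and args]


def lint_tap_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no known tap pitfall."""
    cfg = parse_config(text)
    if not is_tap(cfg):
        return []  # these checks only apply to bridged tap servers
    names = {name for name, _ in cfg}
    pushed = pushed_options(cfg)
    findings: List[str] = []
    if "server-bridge" not in names and "route-gateway" not in pushed:
        findings.append(
            "no server-bridge and no pushed route-gateway: clients get a LAN address "
            "via the bridge but no gateway; add push \"route-gateway <LAN IP>\""
        )
    if "block-outside-dns" in pushed:
        findings.append("push \"block-outside-dns\" breaks DNS for tap clients; remove it")
    if ("redirect-gateway" in pushed and "route-gateway" in pushed
            and pushed.index("redirect-gateway") < pushed.index("route-gateway")):
        findings.append(
            "push \"redirect-gateway\" comes before push \"route-gateway\"; move it to "
            "the end of the config (pfSense custom options)"
        )
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("as posted", THREAD_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {lint_tap_config(cfg_text) or ['OK']}")
```

Run against the posted config it reports the block-outside-dns push and the redirect-gateway ordering; against the fixed config it reports nothing. A tun config is passed through untouched, since jimp's gateway point and the poster's findings are specific to bridged tap.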
xel

Thank you, simon.lock, for sharing how you achieved your TAP bridge.

Can you show us what your final config looks like?

I was trying the custom option:

push "redirect-gateway def1";

Cheers.
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.