Openvpn tap 2.4.2_RELEASE-p1 does it work?
-
In OpenVPN you select the local interface that the VPN is bridged to, so LAN is the Bridge Interface.
What settings are on the TAP interface in the GUI? It should really just be the enable checkbox and the name, other settings left at 'none'.
Can you show the rest of your OpenVPN configuration? You can mask any private info, but please try to keep at least the first and last octet of any networks you have filled in, along with their subnet masks.
-
Thanks Jimp your feedback is much appreciated. My TAP interface is simply enabled, given a name and a description and nothing more.
The openvpn generated configuration is listed below:
dev ovpns2
verb 1
dev-type tap
dev-node /dev/tap2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 109.xxx.xxx.65
engine rdrand
tls-server
mode server
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user TxxxxU= true server2 1194" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server' 1"
lport 1194
management /var/etc/openvpn/server2.sock unix
max-clients 10
push "dhcp-option DOMAIN simon.lan"
push "dhcp-option DNS 192.168.148.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "block-outside-dns"
push "register-dns"
push "dhcp-option WINS 192.168.148.101"
push "redirect-gateway def1"
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server2.crl-verify
tls-crypt /var/etc/openvpn/server2.tls-crypt
ncp-ciphers AES-256-GCM:AES-128-GCM
compress lz4-v2
push "compress lz4-v2"
passtos
persist-remote-ip
float
push "route-gateway 192.168.148.1"
-
Nothing stands out there that I can see. The only difference in mine is that I'm using slightly different compression, ciphers/auth, and not pushing as many DNS servers.
-
Thanks Jimp. The additional dns servers were only added in the hope of getting to the internet through the tunnel and because the pfsense dns doesn't respond when connected. The compression, ciphers and auth must be correct and valid because I always successfully connect.
Could it be that the openvpn tap interface always shows an error? (The TAP interface always shows "In/Out errors 0/1"; might this be the cause of my problems?) That's my only remaining guess.
-
No, a single error wouldn't mean anything, and mine shows the same (one single output error).
Check your firewall rules, logs, and when you're attempting connections, check what the state table looks like when traffic from the client is trying to reach the internet.
-
Thanks for eliminating the one single output error on my TAP interface as being the cause of my problems. I have no complicated rules in place whatsoever and will need to bring my laptop from work, so I'll have 2 computers on my home LAN, to do proper diagnosis of the states table while connecting. Might even try to investigate using wireshark.
-
I'm sure openvpn tap problems are directly related to dns.
I can connect every time, access mapped drives and even see machines listed in the windows 10 network and also access their samba shares. I can also connect to local web services on my LAN by ip address.
The Internet access problems and names not resolving when using the openvpn tap server are dns related despite the "route-gateway xx.xx.xx.xx" directive.
My network card receives the correct dns settings etc but still cannot communicate with the dns resolver.
In addition to this almost every time I make a change to the openvpn tap server settings and press the save button, the unbound dns resolver service stops running and I then need to restart it manually. Might this be a bug?
-
Hi Jimp
I did as you suggested but unfortunately I'm no nearer to a solution. I hope you might be able to point me closer to the right direction.
When I connect to my OpenVpn tap server from a laptop tethered to my iPhone for an Internet connection, I can connect every time.
I receive the expected IP address 192.168.148.244 and my network adapter lists 192.168.148.1 as the DNS server which is the local IP address of my pfSense box.
Connection-specific DNS Suffix . : simon.lan
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-62-D8-1A-D2
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.148.244(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 17 January 2018 13:13:22
Lease Expires . . . . . . . . . . : 17 January 2019 13:13:21
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.148.0
DNS Servers . . . . . . . . . . . : 192.168.148.1
Primary WINS Server . . . . . . . : 192.168.148.101
NetBIOS over Tcpip. . . . . . . . : Enabled
The DHCP Server listed, however, looks somewhat strange as it lists my subnet as the DHCP Server. I've not seen that before.
This is a "print route - 4" from the connected laptop.
IPv4 Route Table
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.20.10.1 172.20.10.2 20
0.0.0.0 128.0.0.0 192.168.148.1 192.168.148.244 259
109.154.145.65 255.255.255.255 172.20.10.1 172.20.10.2 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
128.0.0.0 128.0.0.0 192.168.148.1 192.168.148.244 259
172.20.10.0 255.255.255.240 On-link 172.20.10.2 276
172.20.10.2 255.255.255.255 On-link 172.20.10.2 276
172.20.10.15 255.255.255.255 On-link 172.20.10.2 276
192.168.148.0 255.255.255.0 On-link 192.168.148.244 259
192.168.148.244 255.255.255.255 On-link 192.168.148.244 259
192.168.148.255 255.255.255.255 On-link 192.168.148.244 259
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.148.244 259
224.0.0.0 240.0.0.0 On-link 172.20.10.2 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.148.244 259
255.255.255.255 255.255.255.255 On-link 172.20.10.2 276
Attached below is a screen shot of the Status Page for OpenVPN. All looks completely normal to me. (TAPStatus.JPG)
However, I've noticed that when I disconnect the client from the OpenVPN session, pfSense still shows the session as connected.
I've also attached both the OpenVPN log file (verbosity=6) for my TAP adapter (TAP_Svr_Log.txt) and the states table when connected (TAP_Adapter_States.txt).
I've obscured my public IP to show ww.xx.yy.zz and my Common Name to myCN.
I can see that many calls from my adapter to the dns server are being made (port 53) but I'm not sure what MULTIPLE:MULTIPLE means.
e.g.
TAP udp 192.168.148.244:61989 -> 192.168.148.1:53 MULTIPLE:MULTIPLE 4/4 332B/552B
TAP udp 192.168.148.244:59203 -> 192.168.148.1:53 MULTIPLE:MULTIPLE 4/4 276B/496B
TAP udp 192.168.148.244:53117 -> 192.168.148.1:53 MULTIPLE:MULTIPLE 4/4 248B/940B
TAP udp 192.168.148.244:63584 -> 192.168.148.1:53 MULTIPLE:MULTIPLE 4/4 248B/312B
Thanks very much in advance. I'm sure the solution must be something trivial that I'm missing.
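The route table pasted above already shows the mechanism behind the "redirect-gateway def1" push that the thread ends up relying on: two /1 routes (0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0) pointing at 192.168.148.1 sit beside the tethered 0.0.0.0/0 default, and a host /32 for the OpenVPN server keeps the tunnel itself on the tethered link. The following is an added example (not code from the thread or from pfSense) that parses the posted table, trimmed to the relevant rows, and replays the host's longest-prefix-match decision for a few destinations, using only Python's standard ipaddress module:

```python
import ipaddress

# IPv4 route table as pasted above from the connected laptop ("route print"),
# trimmed to the rows that matter. Columns: destination netmask gateway interface metric.
POSTED_ROUTE_TABLE = """\
0.0.0.0 0.0.0.0 172.20.10.1 172.20.10.2 20
0.0.0.0 128.0.0.0 192.168.148.1 192.168.148.244 259
109.154.145.65 255.255.255.255 172.20.10.1 172.20.10.2 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
128.0.0.0 128.0.0.0 192.168.148.1 192.168.148.244 259
172.20.10.0 255.255.255.240 On-link 172.20.10.2 276
192.168.148.0 255.255.255.0 On-link 192.168.148.244 259
"""


def parse_route_table(text):
    """Parse rows of the Windows route table into dicts; header and other
    non-row lines are skipped because they do not have five fields."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, interface, metric = fields
        routes.append({
            "network": ipaddress.IPv4Network((dest, mask), strict=False),
            "gateway": gateway,
            "interface": interface,
            "metric": int(metric),
        })
    return routes


def best_route(destination, routes):
    """Longest-prefix match, as the host's forwarding decision does it.
    Metric only breaks ties between routes of the same prefix length."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def next_hop(destination, routes):
    """Gateway address the packet is handed to, or the local interface address
    when the destination is on-link."""
    route = best_route(destination, routes)
    if route is None:
        return None
    return route["interface"] if route["gateway"] == "On-link" else route["gateway"]


def explain(destination, routes):
    route = best_route(destination, routes)
    hop = next_hop(destination, routes)
    return f"{destination} -> via {hop} ({route['network']}, metric {route['metric']})"


if __name__ == "__main__":
    table = parse_route_table(POSTED_ROUTE_TABLE)
    # Internet traffic matches one of the two /1 routes and goes into the
    # tunnel, even though the tethered 0.0.0.0/0 route has the better metric.
    print(explain("8.8.8.8", table))
    print(explain("151.101.1.69", table))
    # The OpenVPN server itself keeps using the tethered gateway via its /32,
    # which is what stops the tunnel from being routed into itself.
    print(explain("109.154.145.65", table))
    # The pfSense LAN address is on the bridged segment, so it is on-link.
    print(explain("192.168.148.1", table))
```

The point to take from the output is that the /1 routes win over the tethered default on prefix length alone, which is why the def1 form of redirect-gateway overrides the default route without having to delete it, and why removing the push leaves Internet traffic on the tethered link with its better metric.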
TAP_Svr_Log.txt
TAP_Adapter_States.txt
-
OpenVPN TAP solution
Block Outside DNS
This prevents DNS working, period. Regardless of whether the client is a Win 10 machine or not. Win 7 is also affected. This must NOT be enabled for TAP.
Redirect IPv4 Gateway
Doesn't work properly for both TUN and TAP solutions. I had to disable this option and add the statement: push "redirect-gateway def1" to the custom options. This makes it the last statement in the generated conf files. It's subtle but without doing this the public IP address used by the connected clients is NOT the public IP address used by pfsense.
TAP now connects, clients use the correct tunnelled public IP address, I have internet access and "some" sort of DNS resolution from the pfSense Resolver.
DNS Resolver works perfectly with TUN.
DNS generally resolves hostnames but not the fully qualified names including the DNS Default Domain name. I shouldn't have to specify DNS Default Domain in the configuration as the clients connect by DHCP. But even specifying an entry for DNS Default Domain makes no difference.
I think the OpenVPN TAP solution needs some refinement. I hope this helps someone.
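The two changes this post settled on (do not push block-outside-dns on a TAP server, and put the redirect-gateway push last in the generated config) are easy to check for mechanically before a client ever connects. The following is an added example, not code from the thread or from pfSense: a small parser for OpenVPN config syntax, run over the server config posted earlier in this thread (trimmed to the relevant directives), with the two checks and the corresponding fix. The finding texts only repeat what this thread reports; they are not drawn from OpenVPN documentation.

```python
import shlex

# Server configuration as posted earlier in this thread (pfSense OpenVPN 2.4
# TAP server), trimmed to the directives the checks below look at.
POSTED_TAP_CONFIG = """\
dev ovpns2
dev-type tap
dev-node /dev/tap2
proto udp4
tls-server
mode server
push "dhcp-option DOMAIN simon.lan"
push "dhcp-option DNS 192.168.148.1"
push "block-outside-dns"
push "register-dns"
push "redirect-gateway def1"
compress lz4-v2
push "compress lz4-v2"
float
push "route-gateway 192.168.148.1"
"""


def parse_openvpn_config(text):
    """Return the config as an ordered list of (directive, args) tuples.

    Blank lines and lines starting with '#' or ';' are dropped. Quoting is
    shell-style, so push "dhcp-option DNS 1.2.3.4" arrives as the single
    argument 'dhcp-option DNS 1.2.3.4'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def pushed_option_names(entries):
    """First word of every pushed option, in config order."""
    return [args[0].split()[0] for name, args in entries if name == "push" and args]


def is_tap_server(entries):
    return any(
        (name == "dev-type" and args[:1] == ["tap"])
        or (name == "dev" and args and args[0].startswith("tap"))
        for name, args in entries
    )


def check_tap_config(entries):
    """Findings for the two TAP pitfalls described in this thread."""
    findings = []
    if is_tap_server(entries) and "block-outside-dns" in pushed_option_names(entries):
        findings.append(
            "block-outside-dns is pushed on a TAP server: the thread reports "
            "this stops client DNS working at all"
        )
    redirect_positions = [
        i for i, (name, args) in enumerate(entries)
        if name == "push" and args and args[0].startswith("redirect-gateway")
    ]
    if redirect_positions and redirect_positions[-1] != len(entries) - 1:
        findings.append(
            "push redirect-gateway is not the last directive: the thread reports "
            "clients then egress with the wrong public IP"
        )
    return findings


def fix_tap_config(entries):
    """Apply the thread's two changes: drop the block-outside-dns push and
    move the redirect-gateway push to the very end of the config."""
    kept, redirects = [], []
    for name, args in entries:
        option = args[0].split()[0] if name == "push" and args else None
        if option == "block-outside-dns":
            continue
        if option == "redirect-gateway":
            redirects.append((name, args))
            continue
        kept.append((name, args))
    return kept + redirects


def render_openvpn_config(entries):
    """Serialise back to config text, double-quoting arguments with spaces."""
    lines = []
    for name, args in entries:
        quoted = [f'"{a}"' if " " in a else a for a in args]
        lines.append(" ".join([name, *quoted]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    posted = parse_openvpn_config(POSTED_TAP_CONFIG)
    for finding in check_tap_config(posted):
        print("FINDING:", finding)
    print(render_openvpn_config(fix_tap_config(posted)))
```

Run against the posted config this reports both findings; the rendered output of fix_tap_config is the shape the post describes, with block-outside-dns gone and push "redirect-gateway def1" as the final line, which is what adding it under custom options achieves in the pfSense GUI.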
-
Thank you, simon.lock, for getting your TAP bridge working.
Can you show us what your final config looks like?
I was trying the custom option:
push "redirect-gateway def1"
Cheers.