VLAN over TAP tunnel OpenVPN?
-
My understanding is OpenVPN doesn't support VLANs. However, I have no experience with that.
-
Minimum OpenVPN version 2.5 is required.
Take a look at --vlan-tagging
In manual 2.5:
https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html
-
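An added illustration of the --vlan-tagging option referenced above, not taken from the thread or from any poster's config: an OpenVPN 2.5 server at the Red location acting as an 802.1Q-aware switch, with a per-client ccd entry that maps the Yellow site's tunnel to VLAN 1002. Interface names, certificate paths and the client CN are assumed.

```conf
# --- server.conf on the Red pfSense (OpenVPN >= 2.5), constructed example ---
dev tap0                 # L2 tunnel; tap0 is assumed to be bridged to the Red LAN trunk
proto udp
port 1194
ca ca.crt                # placeholder paths for the PKI material
cert server.crt
key server.key
dh dh.pem
server-bridge            # no args = DHCP-proxy mode: clients get addresses from Red's DHCP
client-config-dir ccd    # per-client overrides live in ccd/<certificate CN>

# Turn the server into an 802.1Q-aware switch: every connected client is an
# untagged access port, the server-side tap0 "port" behaves as a trunk.
vlan-tagging
vlan-accept tagged       # tap0 emits and accepts only tagged frames
vlan-pvid 1              # default VLAN for clients without a ccd entry

# --- ccd/yellow-pfsense (file name = the Yellow client's certificate CN) ---
# Untagged frames from this client are tagged with VLAN 1002 before they
# reach tap0; only VLAN 1002 frames are sent back to it, with the tag stripped.
vlan-pvid 1002
```

On the Yellow side the client's tap interface still has to be bridged to the interface carrying the "RED" SSID, and only members of that bridge can reach Red's DHCP through the tunnel.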
@pippin Thanks, looks like I have to wait for pfSense 2.5 official release.
-
Just curious... what problem are you trying to address with this setup?
-
@marvosa
I want to set up a separate SSID which will allow me to connect to another location directly, use its DHCP, DNS, etc.
Imagine, in my Yellow location I have a "RED" SSID with VLAN 1002. When I connect to it, all frames go to the pfSense in the Red location and are processed according to the Red location rules.
Not sure if it is possible and what the performance would be with an L2 tunnel.
Another option would be picking up VLAN 1002 in the Yellow location and redirecting all traffic to Red, but that would be layer 3 filtering as far as I understood.
-
@ncat
I understand what you want to do, but the solution you're suggesting will add unnecessary complexity. If you want certain devices in the yellow location to use the rules from the red location, then just route the traffic over there.
What I would do:
- Re-configure your bridged tunnel into a routed tunnel
- Create a separate VLAN for the devices you want using rules from the remote location
- Create a separate SSID and tag the VLAN you just created
- Policy route traffic sourced from this VLAN over the tunnel to the remote end
- If you want these devices using DNS from the remote end, just have the local DHCP server for this subnet assign DNS servers from the remote end
This would be a cleaner setup IMO. Also, the routed tunnel will give you better performance over a bridged solution.
-
@marvosa thanks for the suggestion. Already tried implementing that.
The only issue I got is DHCP. Is it possible to use the DHCP of the Red location with this solution? That's why I decided to try an L2 tunnel.
-
@marvosa thanks for the suggestion. Already tried implementing that.
The only issue I got is DHCP. Is it possible to use DHCP of Red location with this solution? That's why I decided to try L2 tunnel.
This sort of builds on my previous question... What issue are you trying to address by using a DHCP server that's across a VPN tunnel? I mean, if you're using Cisco switches you could just add an ip-helper-address to send the requests anywhere you want, but it'd be interesting to hear why you're looking to do that instead of leveraging a local DHCP server.
-
@marvosa
Regarding DHCP: some routing rules based on IPs and subnetworks currently exist. So, placing a known MAC device within the existing DHCP pool range gives some convenience.
-
@ncat
I understand the convenience factor, however, instead of adding complexity, you could also address those issues by adding the appropriate routes as needed. I have yet to hear anything that couldn't be addressed with a routed solution.