Buggy OpenVPN when setup as TAP



  • I'm trying to get OpenVPN setup as a tap, not a tun and frustrating isn't really the word anymore.  Before we go any further, I know from searching the forums that running as tap instead of a tunnel is hated here.  Why, I really can't understand.  But I absolutely want tap and will not tunnel.  And for the record I tried the OpenVPN setup wizard which does a tunnel, and while I was able to keep the OpenVPN server running consistently for connections, when I connected, I couldn't get things to work the way I want on the remote devices.  When I have gotten tap to work, I have connectivity and things are working overall on the remote devices, which further reinforces tap not tunnel.  I just can't get the OpenVPN server to stay running when configured as tap.  I keep getting the error:

    [error]	Unable to contact daemon	Service not running?
    

    FYI, I only have 3 devices that are going to connect via this VPN.  One android device running 5.1 and two windows computers running Win7 & Win10.  So no big loads and another reason why I'm going tap not tun.  Ideally, I want the devices to connect and get the same IP address they would get via DHCP if they were connected via wifi on the network, and have the option on the device itself to either route all traffic through the VPN and out, or just the private traffic.  However setting the IP via the device's OpenVPN config is fine, but I do need to figure out how to change the routing "on the fly" on the device.

    I've never gotten the DHCP to work, but I think that's because I don't have a proper entry made for the mac address that the dhcp server would be seeing through the tunnel.  And I've never figured out routing either all traffic or just the private network traffic.  When I did get it to work, I assigned the ip address locally on the device's OpenVPN config, and it was only routing the private traffic over the VPN, public traffic was working and bypassing the VPN.

    There are no guides anymore on the pfSense site for tap setup.  I have for the most part used this guide
    http://sclabs.blogspot.ro/2012/05/openvpn-bridge-with-pfsense-201.html

    I am on 2.3.2-RELEASE (amd64).  Whether it matters or not, this box was originally installed with 2.2.6 and I then upgraded to 2.3.2 and then tried OpenVPN.  With all the crazy errors I got, I backed up just the relevant parts of my config (DHCP leases, RRD data, firewall rules), and then did a clean install of 2.3.2, setup the base config, restored the parts of my backup config, and then reinstalled my packages.  And after that the errors persisted.

    I setup the CA and generated certificates for the OpenVPN server and the users.  They stayed the same through the setup.  I did not setup a certificate revocation list.

    I've tweaked the settings multiple times as the first time the server stopped I googled the error I was getting and found posts from years ago saying that the server mode (SSL/TLA + User Auth) was causing the issue so i changed it to SSL/TLA only.  I also had to turn off Inter-client communication: Allow communication between clients connected to this server.  That got it working for a bit but then it started acting up again.  When these options are enabled I get the following error messages logged:

    Sep 6 13:45:11	openvpn	88590	Options error: --client-connect requires --mode server
    Sep 6 13:45:11	openvpn	88590	Use --help for more information.
    

    Here's the current config and the current errors.
    Please keep in mind I want to:
    1-Have the option to force all traffic over the VPN or just the private traffic on the remote client.
    2-Have authentication as (SSL/TLA + User Auth)
    3-Allow communication between clients connected to this server
    4-Have the DHCP server give the same IP if the device was on the lan via wifi

    Server Mode:  Remote Access (SSL/TLA) (Want this to be (SSL/TLA + User Auth))
    Backend for authentication:  Local Database
    Protocol:  UDP
    Device Mode:  tap
    Interface:  WAN
    Local Port:  1194
    TLS Authentication:  Enable authentication of TLS packets
    Peer Certificate Authority:  The one I generated
    Server Certificate:  The one I generated
    DH Parameters Length:  1024
    Encryption Algorithm:  AES-128-CBC (128-bit)
    Hardware Crypto:  BSD cryptodev engine
    Certificate Depth:  One (Client + Server)

    Tunnel Settings:
    I left everything blank but -
    Concurrent Connections:  3
    Compression:  Enabled with Adaptive Compression
    Inter-client communication: Allow communication between clients connected to this server (OFF but want it on!)

    Client Settings:
    Dynamic IP:  Allow connected clients to retain their connections if their IP address changes.

    After that I went to
    Interfaces > I added OPT1 and set it to "ovpns1 (OpenVPN)", and enabled it on it's page (didn't change any other settings on that page).
    Interfaces / Bridges > I created a bridge "BRIDGE0" and bridged LAN & OPT1

    And created the following Firewall Rules:

    Protocol	Source	Port	Destination	Port	Gateway	Queue
    
    WAN:
    IPv4 UDP	*	*	WAN address	1194	*	none
    
    OPT1:
    IPv4*		*	*	*		*	*	none
    
    OpenVPN:
    IPv4*		*	*	*		*	*	none
    

    And here's the current logs:

    Sep 6 13:54:59	openvpn	87340	OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul 19 2016
    Sep 6 13:54:59	openvpn	87340	library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Sep 6 13:54:59	openvpn	87443	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sep 6 13:54:59	openvpn	87443	Initializing OpenSSL support for engine 'cryptodev'
    Sep 6 13:54:59	openvpn	87443	Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Sep 6 13:54:59	openvpn	87443	TUN/TAP device ovpns1 exists previously, keep at program end
    Sep 6 13:54:59	openvpn	87443	Cannot open TUN/TAP dev /dev/tap1: Device busy (errno=16)
    Sep 6 13:54:59	openvpn	87443	Exiting due to fatal error
    
    

    Thanks in advance!


  • Rebel Alliance Global Moderator

    "I couldn't get things to work the way I want on the remote devices. "

    Like what exactly?  There is zero advantage to running tap, zero!!  Unless you like more overhead and shitty performance?  Are you running some protocol like ipx or something that can not be routed?



  • @johnpoz:

    "I couldn't get things to work the way I want on the remote devices. "

    Like what exactly?  There is zero advantage to running tap, zero!!  Unless you like more overhead and shitty performance?  Are you running some protocol like ipx or something that can not be routed?

    I knew this would come up.  Long story short, the remote devices must be on the same subnet.  This isn't just about netbios and browsing LAN resources by name instead of IP, however I'm not going to lie and say that isn't a part of it.  But it isn't the main part.  Several of the resources that are being accessed have software firewalls that are configured to only allow the main subnet (192.168.1.x).  Running a tunnel config and being on a different subnet (192.168.2.x) isn't an option.

    I don't understand the "more overhead and shitty performance" when in researching this I've found tons of people who have site to site VPN's via tap and are bridging their networks.  Makes sense why they need that, simply from the netbios and lan resources aspect.  But everyone still hates and rails about tap.  I don't understand it or what's so complex about it, but I'm sure that's way over my head.

    If there is another way to do this, I'm totally receptive.  But based on what I know and understand, this has to be tap (bridged).  And from what I've seen so far, this is something buggy in how the GUI is starting OpenVPN.  Cause when I get the server to run, and get connected I've got the connectivity I want.  It just won't stay running.


  • Rebel Alliance Global Moderator

    As to performance.. with tap your going to see all the broadcast traffic since your L2.. So all devices on both sides will be sending your broadcast traffic down your wan connection.  Which is normally a limited pipe that should be used to carry useful data not every client broadcasting for wpad, or all their UPnP data - all the noise that your typical device sends out.

    Since it Layer 2 you will also have all the ethernet overhead on all traffic going over the tunnel..  Is that at a basic enough level for you to understand?

    "I've found tons of people who have site to site VPN's via tap and are bridging their networks"

    I don't doubt it - there are lots of people that just don't have clue one to what they are doing at all..  And don't even understand what they are working with and why it doesn't work.  They just know that hey if I use a tap it works… There are a lot of people in the world that have to think rabbit through the hole when they tie their shoes ;) hehehehe

    "Several of the resources that are being accessed have software firewalls that are configured to only allow the main subnet (192.168.1.x)."

    Well the proper way to solve that issue would be to adjust the firewalls to allow the traffic you want and desire.. Not just blindly trust traffic because its on the same natwork?  If you want to allow port xyz, then allow that from your other sites machines either by specific IP or by the remote network address space as source, etc.  Another way to work around that issue would be to nat your traffic over the tunnel so it looks like its from the same network ;)

    So these devices are going to directly connect into your vpn server?  Or your going to do a site to site tunnel?  So lets go back to your "to only allow the main subnet (192.168.1.x)."  So these clients already have an IP on 192.168.1, and now you want them to connect to your vpn and also give them another 192.168.1.x address?  So when they want to talk to a machine on the local network, how do they know to send it down the tunnel or just out their local interface?  So you want to bridge these devices tap devices to the their local interface as well?  Did you do that?

    Connecting a site to site with a tap/bridge setup to extend a vlan is much easier to accomplish then client to server with client on the same local IP as the VPN via tap, etc.

    As to openvpn gui being buggy.. I would assume its more you have not gone through all the steps in configuration of a tap setup, etc.  Here is the thing while it can be done, normally it should not be done.  The only valid reasons to have to use a tap would be if you have some protocol your running that is not IP based and can not be routed..  Your reasoning is that there is some software firewall that what you can not adjust?  Who does??  Get them to do it if your going to setup a vpn from their machine to your network.