OpenVPN TAP TCP traffic not passing, ICMP works



  • hi folks,

    Recently I've come across this strange issue with OpenVPN when using it in TAP mode.

    It's set up correctly (well obviously it isn't since it's not working but I have no idea what to change).

    • It's in Remote access mode (SSL/TLS with auth)
    • no tunnel network
    • bridged with LAN interface
    • DHCP inside the LAN pool
    • disabled compression
    • TOS IP header checked
    • Inter-client comm allowed
    • allow duplicate connections
    • allow dynamic IP changes
    • Provide a virtual adapter IP address to clients
    • no custom options

    I've bridged the LAN and the TAP OpenVPN interface

    • the bridge interface is enabled

    On TAP OpenVPN interface and bridge interface as well as LAN interface there is allow any/any rule on top
    There is an allow UDP/1199 on WAN (that's the service port, not using the default 1194)

    The clients connect just fine, receive the IP address from the pfSense's LAN DHCP service as they should and ping works between the VPN clients and the actual LAN devices both ways (from LAN to OVPN client and vice versa).

    Even UDP works (traceroute).

    The issue is with TCP connections. I can't access the pfSense web config on the LAN side. There's a lot of multicasting devices on the LAN side (Xboxes) and the states are there, but I can't seem to actually start a TCP session across the VPN.

    I've played around with the MTU using the fragment xxxx;mssfix in the advanced options (the xxxx ranging from 1000 to 1400, tried about a dozen of random numbers) but that makes it only worse. No matter what MTU I set there nothing passes anymore, not even ICMP.

    If anyone has any ideas I'd greatly appreciate it,

    cheers,

    Damir
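One way to confirm the symptom described above (ICMP answered, TCP handshake never completing) from a tcpdump taken on the bridge or the OpenVPN TAP interface. This is an added example, not code from the thread; the capture lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style capture (assumption: not from the thread), as it would
# look on the bridge interface: a working ICMP echo pair, a TCP SYN to the
# firewall's HTTPS port that is retransmitted and never answered, and a TCP
# handshake to another LAN host that does complete.
SAMPLE_CAPTURE = """\
IP 192.168.1.150 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64
IP 192.168.1.1 > 192.168.1.150: ICMP echo reply, id 7, seq 1, length 64
IP 192.168.1.150.50211 > 192.168.1.1.443: Flags [S], seq 1000, win 64240, length 0
IP 192.168.1.150.50211 > 192.168.1.1.443: Flags [S], seq 1000, win 64240, length 0
IP 192.168.1.150.50212 > 192.168.1.20.22: Flags [S], seq 2000, win 64240, length 0
IP 192.168.1.20.22 > 192.168.1.150.50212: Flags [S.], seq 5000, ack 2001, win 65160, length 0
IP 192.168.1.150.50212 > 192.168.1.20.22: Flags [.], ack 1, win 64240, length 0
"""

TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")


def analyze(capture):
    """Pair TCP SYN/SYN-ACK and ICMP request/reply; report what was never answered."""
    syn_count = defaultdict(int)   # (client, cport, server, sport) -> SYNs seen
    synack_seen = set()            # same 4-tuple once the server's SYN-ACK was seen
    icmp_requests = set()          # (src, dst, id, seq)
    icmp_replies = set()           # stored as the request tuple they answer
    for line in capture.splitlines():
        m = TCP_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            if flags == "S":                           # bare SYN from the client
                syn_count[(src, int(sport), dst, int(dport))] += 1
            elif flags == "S.":                        # SYN-ACK: flip direction
                synack_seen.add((dst, int(dport), src, int(sport)))
            continue
        m = ICMP_RE.search(line)
        if m:
            src, dst, kind, ident, seq = m.groups()
            if kind == "request":
                icmp_requests.add((src, dst, int(ident), int(seq)))
            else:
                icmp_replies.add((dst, src, int(ident), int(seq)))
    return {
        "tcp_half_open": sorted(k for k in syn_count if k not in synack_seen),
        "tcp_answered": sorted(k for k in syn_count if k in synack_seen),
        "syn_retries": {k: n - 1 for k, n in syn_count.items() if n > 1},
        "icmp_unanswered": sorted(icmp_requests - icmp_replies),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CAPTURE).items():
        print(key, value)
```

Feed it a real capture (tcpdump -ni bridge0 with the same default output format) and compare the result of running it on the TAP member interface with the result on the LAN member: a SYN that shows up in tcp_half_open on one side but is answered on the other points at the bridge or filter, not at the client.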



  • I was wondering whether you actually got to fix this issue.

    I'm having a similar problem where TCP can't get to the pfSense main GUI over VPN but ping gets there just fine. I also am not able to query DNS that is on pfSense over VPN … which is mighty bizarre!



  • @tomtom13:

    I was wondering whether you actually got to fix this issue.

    I'm having a similar problem where TCP can't get to the pfSense main GUI over VPN but ping gets there just fine. I also am not able to query DNS that is on pfSense over VPN … which is mighty bizarre!

    I can't speak to your problems, but I used this reference for my tap server and it worked perfectly out of the box.

    https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/

    Hope it helps.


  • LAYER 8 Global Moderator

    I am curious as to why anyone would want to set up a tap vs a tun in the first place. What is the use case that justifies tap?



  • @johnpoz:

    I am curious as to why anyone would want to set up a tap vs a tun in the first place. What is the use case that justifies tap?

    Zeroconf/mDNS for the VPN client and similar multicast/broadcast based discovery services is just about the only thing I can think of.


  • LAYER 8 Global Moderator

    All of which makes zero sense for a remote user or site to site.

    So I am curious what the OP is using that needs tap?



  • @johnpoz:

    All of which makes zero sense for a remote user or site to site.

    So I am curious what the OP is using that needs tap?

    OpenVPN offers this explanation: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting and
    https://openvpn.net/index.php/open-source/faq/75-general/309-what-is-the-difference-between-bridging-and-routing.html

    For me, originally, I started with OpenVPN on DD-WRT. I could not access my home network using it so I assumed tun was for routing through the internet using your home network and tap was to access your home network. Documentation was and still is generally bad here. A few exceptions apply, but DD-WRT in general is massively more complicated with respect to OpenVPN than pfSense.

    The tap/tun belief turned out to be wrong after I converted to pfSense and was encouraged to play around with tun a little more to use tun for both. Tun can easily pass through and access the home resources.

    Until I upgraded to Windows 10 Pro Creators Update, I could access the home resources a little easier using tap than tun. With tap, it was as simple as being at home. With tun, I had to remember network notations and think a little differently. Windows 10 CU appears to force me to use network notation for everything, even at home. Weird.

    Anyway, for most people tun is enough.

    It would be great if someplace in the pfSense documentation someone said this or something similar.

    If the OP insists on tap, this is the documentation I used to set it up. It worked the first time. https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/

    Re: site to site: I just set one up using a pfSense instance and a DD-WRT router. The client export worked perfectly for it. I wanted to use the more advanced server with user certificates, but the client export didn't work for it and I couldn't figure out what certificates went where. I'll be testing it out of town later this month. I plan to use / try a TP-Link WR702n in wireless client mode to get past the captive portal and plug the DD-WRT site-to-site router into the travel router. Anecdotal reports say it should work. If it works, I know of a small wireless travel router that supports DD-WRT and OpenVPN client for $25 or so.



  • @shimpa:

    […]

    I've bridged the LAN and the TAP OpenVPN interface

    • the bridge interface is enabled

    On TAP OpenVPN interface and bridge interface as well as LAN interface there is allow any/any rule on top
    There is an allow UDP/1199 on WAN (that's the service port, not using the default 1194)

    The clients connect just fine, receive the IP address from the pfSense's LAN DHCP service as they should and ping works between the VPN clients and the actual LAN devices both ways (from LAN to OVPN client and vice versa).

    Even UDP works (traceroute).

    The issue is with TCP connections. I can't access the pfSense web config on the LAN side. There's a lot of multicasting devices on the LAN side (Xboxes) and the states are there, but I can't seem to actually start a TCP session across the VPN.

    […]

    I have the same problem with a similar configuration. Two pfSense boxes connected through a tap VPN with bridges to the LAN. All traffic from LAN-1 to LAN-2 is OK. I have another LAN (LAN-2B) on one side that is not bridged. Routing is OK because all ICMP packets go through fine from LAN-2B to LAN-1 and from LAN-2B to LAN-2, but I have no TCP traffic from LAN-2B to LAN-2.

    Any solution?
    --------------------------------

    I found the solution: I have configured Hybrid Outbound NAT, and I have created one Outbound NAT rule from my LAN-2B to my LAN-B. All works fine now.  :)
    Why does ICMP traffic go through but not TCP without NAT? I don't know.  ::)



  • Same problem here. Set up remote access VPN with a tap interface. Manually made a bridge with the LAN and ovpns1 interfaces as members.
    Connection works OK. I can ping all IP addresses on the LAN from the VPN. Firewall rules are configured to allow any traffic.
    With Wireshark I see the LAN broadcast traffic. But I'm unable to connect with TCP to the pfSense box (HTTP/SSH).

    I could fix it temporarily by recreating the bridge. After that it works for a few hours. After some time it stops….



  • @johnpoz said in OpenVPN TAP TCP traffic not passing, ICMP works:

    I am curious as to why anyone would want to set up a tap vs a tun in the first place. What is the use case that justifies tap?

    I am curious as to why you'd be so confused about this. There are literally so many reasons one may want to use TAP, from generalized to extremely specific.


  • LAYER 8 Global Moderator

    It is not as efficient as TUN for starters. And why would I need to be on the same layer 2?

    https://community.openvpn.net/openvpn/wiki/BridgingAndRouting



  • @johnpoz said in OpenVPN TAP TCP traffic not passing, ICMP works:

    All of which makes zero sense for a remote user or site to site.

    As a generalized statement without having any application-specific insight, this is just plain incorrect.

    I have a combination of tun and tap VPNs across multiple sites: there's rarely a time where using tun doesn't annoy me and interrupt my workflow, and never have I been able to notice a performance hit or any practically measurable or operational added latency from using tap.

    mDNS, and all sorts of layer 2 applications, both high and low bandwidth can be incredibly useful remotely.

    I'm not advocating that tap should by any means be thought of as the preferred option across the board, I'm simply saying there's no reason to wonder why someone may specifically want to use it - it has plenty of uses. For me I would not be able to work from home without it.