VPN connects, can't ping or connect to remote subnet
-
The tl;dr version is on the client side I get manager: (tap0): new Tun device (/org/freedesktop/NetworkManager/Devices/5) and cannot get it to use TAP.
I get no warnings or errors connecting.
The client config is (as created from pfSense wizard):
dev tap
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1194 udp
lport 0
verify-x509-name "xyz.com" name
auth-user-pass
pkcs12 firewall-udp-1194-user.p12
tls-auth firewall-udp-1194-user-tls.key 1
ns-cert-type server
comp-lzoMy local subnet is 192.168.42.0/24
Remote is 192.168.1.0/24I get assigned 192.168.1.200/24 and the routing tables update as expected (I think).
ip r
default via 192.168.42.1 dev eno1 proto static metric 100
xxx.xxx.xxx.xxx via 192.168.42.1 dev eno1 proto static metric 100
192.168.1.0/24 dev tap0 proto kernel scope link src 192.168.1.200 metric 50
192.168.42.0/24 dev eno1 proto kernel scope link src 192.168.42.238 metric 100The ovpn wizard created firewall rules:
IPV4 UDP * * WAN Address 1194 * none
IPV4 * * * * * * noneI can not connect in any way to any remote IP.
ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
From 192.168.1.200 icmp_seq=1 Destination Host Unreachabletraceroute 192.168.1.100
traceroute to 192.168.1.100 (192.168.1.100), 30 hops max, 60 byte packets
1 magneto (192.168.1.200) 3045.336 ms !H 3045.300 ms !H 3045.297 ms !Hmagneto is my local machine, 192.168.1.100 exists on the remote network.
Back to the tl;dr:
I think the fact that "tap0" is actually a tun device is my issue.Any ideas are appreciated!
-
Your openvpn client export package is up-to-date?
On your ovpn server, tun is selected for "Device mode" near the top? Maybe something isn't saved right in your config, try re-saving it and then re-downloading your ovpn config from client export…
-
Redoing the config wizard resulted in the same config.
The server config in pfsense is set to tap for mode. Interface is WAN, bridge interface is LAN.
I found a guide that had me do the following:
- Interfaces –-> (assign)
- add an interface by pressing the "+" button
- in the drop down box next to the OPT1 interface that was created choose the open vpn server instance we just created
- goto Interfaces ---> OPT1
- Enable the interface and give it a Description
- goto Interfaces ---> (assign)
- choose the Bridges tab and then click the "+" button to add a bridge
- Hold the CTRL button and highlight both your LAN interface and the renamed OPT1 interface we just created.
I then restarted OpenVPN...and got the same result. It connects, but is useless.
-
so, you are actually wanting to use tap mode? Why do you need that if I may ask? It is fairly uncommon and a bit trickier to make work, will not work for mobile devices and has several other caveats etc. Much better to stick with tun unless you really need broadcast traffic to traverse the tunnel for some reason…