SG-3100 openVPN Bridge Configuration

  • Hello
    I've a openvpn config which works perfect at my laptop. What I need the SG3100 for is as bridge (instead of the ovpn client+laptop) to work with multiple devices (NAS, the mentioned laptop, ...) and therefore as router or bridge. I'm logging into via an LTE connect (IPv6 with IPv4 tunnel possibility with the int. modem+SIM) and I'm using pure IPv4 at my ovpn site.
    I did find some instructions how to configure the SG3100 to work as client, but the routing is not working, so no side could even ping the other side, while the connection is established and the IPs are confirmed. I tried three different instructions/setups (all with a reset to default before start) and got stuck at the routing. Of course I did open the firewall for testing as wide as possible, so I guess the routing (forwarding in brdige mode) is the problem.
    Messing around the routing table was not my intention and I guess there's some hidden switch to enable the ovpn client to broadcast his new table and update the gateway as well?! I did reconfigure the prim. gateway (NAT-Outbound) in two setups (while my first go did expect the ovpn client to update the info to route anything to the tunnel instead of the LTE gateway....). When I turned on logging I did not see any package arrived at the ovpn Server, so the routing seems terribly wrong at the client site. When I use teh notebook+ovpn client and enable forwarding everything works as expected, but the SG3100 seems the much better+mean way.

    Way should be:

    [Clients (own subnet)]-[SG3100_ovpn tunnel->LTE provider]->Internet->[ovpn Server with stat. IP]-[Routing+Firewall/DNS-[my homenet with DHCP, DNS,some other services,....]
    Both sides must be able to see each other via IP so I'd access the devices (or certain ports/services) from both sides.

    Does anyone has such a "not so unusual" setup running at home/work?


  • LAYER 8 Rebel Alliance

    Why do you think you need a Bridge?
    Generally speaking yout want OpenVPN to work in tun Mode, which should be possible in your case.
    Your OpenVPN Server is also pfSense?


  • Netgate Administrator

    In remote access OpenVPN server setup like that when clients connect they are given an IP in the tunnel subnet and that OP can connect to whatever subnets the server sends as routes for the client.
    There is normally not a remote subnet defined, just a single client, and there is no way for the client to send a subnet to the server.

    So if you have a configuration that is working for a single client you can move that to the SG-3100 but you would have to NAT the traffic leaving across the tunnel so that the server side sees it all as coming from the single tunnel IP. You would be able to access resources at the server end from the SG-3100 LAN but not the other way around.

    If you need full routing in both directions you need a site-to-site tunnel where the server is configured know about the subnet behind the SG-3100. That would be either directly in the config in a site-to-site PSK tunnel or via client specific overrides if you use SSL/TLS.


  • @Rico: Hi Rico, thanks for the reply :-)
    I did at first a Router mode Setup according to the netgate wiki thread for ovpn. As that did not show any working solution I retried a slightly other variant. third solution was a business solution for remote sites, which is more or less what I want. The thrid was a bridge config which seems nice for me as all config (DHCP, DNS, routing) is done on the "server" site and not on the client.
    Yes the "server" is a SG3100 as well and I'm using the build in ovpn service.

    I expect that I'm missing the right parameter setup so the server is exporting the routed subnets to my client mode SG3100. As all three setups did not provide a working solution I thought it wiser to ask someone who works with ovpn in detail.

  • @stephenw10 : Hi Steve, thanks for you reply!
    My ovpn (Server) setup is very straightforward, just as described in the netgate wiki entry. I reconfigured it every time I changed the description. As there are a lot of optional parameter possible I always guessed the ovpn server get it's info from the Interface site or the network settings configured in the service.

    I'd like to be able to configure what traffic crosses the server in case of a malicious USB stick which may come across me or unwanted traffic (SMB, AD, broadcasts), but basically I though my third solution (site to site) seems best fitting to me, which is your option as well.
    From all I've seen so far there's surely some info missing, so neither the server sees my network, nor the client is able to forward the packages to the right tunnel. Using WWAN/LTE seems not so usual, while for me (moving a lot around hotels and being sick about hotel WLAN, disclaimers, ....) it seems perfect to feel at home :-)

    I'll try your example config (next time I'm at home), if Rico has no better/additional thought about it.

  • Netgate Administrator

    @Michael-Samer said in SG-3100 openVPN Bridge Configuration:

    My ovpn (Server) setup is very straightforward, just as described in the netgate wiki entry

    Which page exactly? There are instructions for all the different setup types.


Log in to reply