PFSense single interface (WAN) OpenVPN TAP Bridge to internal DHCP server not getting IP



  • Hi All,

    I need some help from you smart peeps.

    My current test is to do the following:

    Have a device with an OpenVPN client connect to a pfSense server with 1 interface only (WAN) and get DHCP from the internal server.

    Thus far I get everything to connect (OpenVPN), but I still can't get a DHCP address and still get stuck with a default 169 IP and no gateway on the client.

    What can I post here for your assistance?


    /var/etc/openvpn/server1.conf

    dev ovpns1
    verb 3
    dev-type tap
    dev-node /dev/tap1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 172.16.36.66
    tls-server
    mode server
    push "route-gateway 172.16.36.66"
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'ServCert' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "dhcp-option DOMAIN xxxxxxxxxx.co.za"
    push "dhcp-option DNS 10.0.3.2"
    client-to-client
    duplicate-cn
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    ncp-disable
    persist-remote-ip
    float

    Client Config File:

    #-- Config Auto Generated By pfSense for Viscosity --#

    #viscosity startonopen false
    #viscosity dhcp true
    #viscosity dnssupport true
    #viscosity name OpenVPN-TAP

    dev tap
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote xxx.xxx.xxx.xxx 1194 udp
    lport 0
    verify-x509-name "ServCert" name
    remote-cert-tls server

    ca ca.crt
    tls-auth ta.key 1
    cert cert.crt
    key key.key

    verb 3
    log openvpn.log
    log-append openvpn.log

    Wed Nov 20 10:58:07 2019 OpenVPN 2.3.6 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec 1 2014
    Wed Nov 20 10:58:07 2019 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
    Wed Nov 20 10:58:07 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Wed Nov 20 10:58:07 2019 Need hold release from management interface, waiting...
    Wed Nov 20 10:58:08 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Wed Nov 20 10:58:08 2019 MANAGEMENT: CMD 'state on'
    Wed Nov 20 10:58:08 2019 MANAGEMENT: CMD 'log all on'
    Wed Nov 20 10:58:08 2019 MANAGEMENT: CMD 'hold off'
    Wed Nov 20 10:58:08 2019 MANAGEMENT: CMD 'hold release'
    Wed Nov 20 10:58:08 2019 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
    Wed Nov 20 10:58:08 2019 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Wed Nov 20 10:58:08 2019 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Wed Nov 20 10:58:08 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Wed Nov 20 10:58:08 2019 UDPv4 link local (bound): [undef]
    Wed Nov 20 10:58:08 2019 UDPv4 link remote: [AF_INET]172.16.36.66:1194
    Wed Nov 20 10:58:08 2019 MANAGEMENT: >STATE:1574240288,WAIT,,,
    Wed Nov 20 10:58:08 2019 MANAGEMENT: >STATE:1574240288,AUTH,,,
    Wed Nov 20 10:58:08 2019 TLS: Initial packet from [AF_INET]172.16.36.66:1194, sid=b14a1c9f 99833975
    Wed Nov 20 10:58:08 2019 VERIFY OK: depth=1, CN=ServCA, C=ZA, ST=WC, L=Cape Town, O=MyOrg
    Wed Nov 20 10:58:08 2019 Validating certificate key usage
    Wed Nov 20 10:58:08 2019 ++ Certificate has key usage 00a0, expects 00a0
    Wed Nov 20 10:58:08 2019 VERIFY KU OK
    Wed Nov 20 10:58:08 2019 Validating certificate extended key usage
    Wed Nov 20 10:58:08 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Wed Nov 20 10:58:08 2019 VERIFY EKU OK
    Wed Nov 20 10:58:08 2019 VERIFY X509NAME OK: CN=ServCert, C=ZA, ST=WC, L=Cape Town, O=MyOrg
    Wed Nov 20 10:58:08 2019 VERIFY OK: depth=0, CN=ServCert, C=ZA, ST=WC, L=Cape Town, O=MyOrg
    Wed Nov 20 10:58:08 2019 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Nov 20 10:58:08 2019 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Wed Nov 20 10:58:08 2019 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Nov 20 10:58:08 2019 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Wed Nov 20 10:58:08 2019 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
    Wed Nov 20 10:58:08 2019 [ServCert] Peer Connection Initiated with [AF_INET]172.16.36.66:1194
    Wed Nov 20 10:58:09 2019 MANAGEMENT: >STATE:1574240289,GET_CONFIG,,,
    Wed Nov 20 10:58:10 2019 SENT CONTROL [ServCert]: 'PUSH_REQUEST' (status=1)
    Wed Nov 20 10:58:10 2019 PUSH: Received control message: 'PUSH_REPLY,route-gateway 172.16.36.66,dhcp-option DOMAIN xxxxxxxxx.co.za,dhcp-option DNS 10.0.3.2,ping 10,ping-restart 60,peer-id 0'
    Wed Nov 20 10:58:10 2019 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Nov 20 10:58:10 2019 OPTIONS IMPORT: route-related options modified
    Wed Nov 20 10:58:10 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed Nov 20 10:58:10 2019 OPTIONS IMPORT: peer-id set
    Wed Nov 20 10:58:10 2019 open_tun, tt->ipv6=0
    Wed Nov 20 10:58:10 2019 TAP-WIN32 device [Ethernet 6] opened: \.\Global{75484DF4-3D11-4FE5-B0FC-F25C7B8EB0DF}.tap
    Wed Nov 20 10:58:10 2019 TAP-Windows Driver Version 9.9
    Wed Nov 20 10:58:10 2019 Successful ARP Flush on interface [24] {75484DF4-3D11-4FE5-B0FC-F25C7B8EB0DF}
    Wed Nov 20 10:58:15 2019 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
    Wed Nov 20 10:58:15 2019 Initialization Sequence Completed
    Wed Nov 20 10:58:15 2019 MANAGEMENT: >STATE:1574240295,CONNECTED,SUCCESS,,172.16.36.66




  • What is actually happening? For example, if you run Packet Capture, do you see DHCP traffic from the remote device? To it? That would give some clues as to where the problem is.



  • I can see on Wireshark that my PC tries to get a DHCP address.

    But I think it is my bridge that is the problem and possibly my firewall rules.

    Bear in mind I only have 1 interface.

    All I want is for the OpenVPN to connect and the PC to be on the network.



  • @Crimzinza

    Also run Packet Capture on pfSense, to determine if it's getting that far. It's hard to solve a problem when we don't know the details.
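One way to turn those captures into an answer, as an added example that is not from the thread: a small Python decoder that reads the DHCP message type (option 53) from the payloads seen at each capture point (client TAP, pfSense ovpns1, pfSense bridge/LAN side) and reports the first hop where the DISCOVER or the OFFER disappears. The sample packets, hop names and addresses below are constructed for illustration.

```python
"""Locate where a bridged DHCP exchange stalls, from per-hop captures."""
import struct
from typing import List, Optional, Tuple

# DHCP message types carried in option 53 (RFC 2132)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie at BOOTP offset 236

def dhcp_message_type(payload: bytes) -> Optional[str]:
    """Return the DHCP message type of a raw BOOTP/DHCP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    i = 240
    while i + 1 < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option, no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            return MSG_TYPES.get(payload[i + 2], "type %d" % payload[i + 2])
        i += 2 + length
    return None

def build_dhcp(msg_type: int, yiaddr: str = "0.0.0.0") -> bytes:
    """Constructed minimal DHCP packet: BOOTP header, cookie, option 53, end."""
    op = 1 if msg_type in (1, 3) else 2               # BOOTREQUEST / BOOTREPLY
    head = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0x8000)
    addrs = b"\x00" * 4 + bytes(int(o) for o in yiaddr.split(".")) + b"\x00" * 8
    chaddr = bytes.fromhex("0050569a1b2c") + b"\x00" * 10   # constructed MAC
    return head + addrs + chaddr + b"\x00" * 192 + MAGIC + bytes([53, 1, msg_type, 255])

def diagnose(hops: List[Tuple[str, List[bytes]]]) -> str:
    """hops: (capture point, DHCP payloads seen) ordered client -> DHCP server."""
    seen = [(name, {dhcp_message_type(p) for p in pkts}) for name, pkts in hops]
    for name, types in seen:                  # request direction
        if "DISCOVER" not in types:
            return "DISCOVER not seen at %s: request dropped before this hop" % name
    if "OFFER" not in seen[-1][1]:
        return "DISCOVER reaches %s but no OFFER: server side not answering" % seen[-1][0]
    for name, types in reversed(seen):        # reply direction
        if "OFFER" not in types:
            return "OFFER not seen at %s: reply dropped between the server and this hop" % name
    return "full DISCOVER/OFFER exchange visible at every hop"

# Constructed scenario: the request crosses every hop, the reply is seen on the
# LAN side of the bridge but never makes it back onto the OpenVPN TAP interface.
SAMPLE_HOPS = [
    ("client tap", [build_dhcp(1)]),
    ("pfsense ovpns1", [build_dhcp(1)]),
    ("pfsense bridge/LAN", [build_dhcp(1), build_dhcp(2, "10.0.3.50")]),
]
```

In practice each list would be filled from a filtered capture (UDP 67/68) taken on the named interface; a 169.254.x.x address on the client means the OFFER never arrived, and the hop comparison shows on which side of pfSense it was lost.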
