OpenVPN bridge between pfsense boxes HOW TO?????



  • I am trying to set up a simple OpenVPN bridge between two pfsense boxes; I need all traffic, including broadcast traffic, to flow freely across the VPN. I have searched high and low on the pfsense boards as well as the internet, and everyone seems to have their own variation on how to get this to work. So far I have been unable to get any tutorials or posts to work for me. I have put many hours into this and have made little progress; any help would be greatly appreciated.

    My network configuration is as follows:

    Server-

    LAN IP - 192.168.5.0

    OpenVPN settings -

    Protocol - UDP
    Port - 1194
    Address Pool - 10.31.105.0/24
    Use static IPs - is checked
    local network - empty
    remote network - empty
    client-to-client VPN - is checked
    Authentication Method - PKI
    LZO compression - is checked
    Custom Options - dev tap0; server-bridge 192.168.5.1 255.255.255.0 192.168.5.10 192.168.5.25;

    I have no client specific configuration and I have no NAT entries for this VPN (I didn't think this was necessary because it is a VPN bridge, but I may be wrong.)
    A firewall exception has been added for port 1194

    I have also added a bridge between the LAN interface and the tap0 interface, this is its status:

    bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether ea:c7:13:ca:56:9e
            id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
            maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
            root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
            member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 11 priority 128 path cost 2000000
            member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> ifmaxaddr 0 port 1 priority 128 path cost 2000000

    Server side log:
    Jun 29 15:36:40 openvpn[28133]: OpenVPN 2.0.6 i386-portbld-freebsd7.1 [SSL] [LZO] built on Apr 22 2009
    Jun 29 15:36:40 openvpn[28133]: WARNING: file '/var/etc/openvpn_server1.key' is group or others accessible
    Jun 29 15:36:40 openvpn[28133]: WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. (silence this warning with --ifconfig-nowarn)
    Jun 29 15:36:40 openvpn[28133]: TUN/TAP device /dev/tap0 opened
    Jun 29 15:36:40 openvpn[28133]: /sbin/ifconfig tap0 10.31.105.1 netmask 10.31.105.2 mtu 1500 up
    Jun 29 15:36:40 openvpn[28133]: /etc/rc.filter_configure tap0 1500 1574 10.31.105.1 10.31.105.2 init
    Jun 29 15:36:41 openvpn[28144]: UDPv4 link local (bound): [undef]:1194
    Jun 29 15:36:41 openvpn[28144]: UDPv4 link remote: [undef]
    Jun 29 15:36:41 openvpn[28144]: Initialization Sequence Completed
    Jun 29 15:37:22 openvpn[28144]: 67.xxx.xxx.xxx:1194 Re-using SSL/TLS context
    Jun 29 15:37:22 openvpn[28144]: 67.xxx.xxx.xxx:1194 LZO compression initialized
    Jun 29 15:37:23 openvpn[28144]: 67.xxx.xxx.xxx:1194 [ovpn_client1] Peer Connection Initiated with 67.xxx.xxx.xxx:1194

    Client-

    LAN IP - 192.168.1.0

    OpenVPN configuration -

    Protocol - UDP
    Server IP - 67.xxx.xxx.xxx
    Server Port - 1194
    Interface IP - empty
    Authentication - PKI
    LZO compression - checked
    custom options - dev tap0;

    I have a firewall exception on port 1194
    I have no NAT rules set up on the client side

    Client side log -
    Jun 29 15:51:09 openvpn[2079]: OpenVPN 2.0.6 i386-portbld-freebsd7.1 [SSL] [LZO] built on Apr 22 2009
    Jun 29 15:51:09 openvpn[2079]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jun 29 15:51:09 openvpn[2079]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
    Jun 29 15:51:09 openvpn[2079]: LZO compression initialized
    Jun 29 15:51:09 openvpn[2086]: UDPv4 link local (bound): [undef]:1194
    Jun 29 15:51:09 openvpn[2086]: UDPv4 link remote: 67.xxx.xxx.xxx:1194
    Jun 29 15:51:10 openvpn[2086]: [server] Peer Connection Initiated with 67.xxx.xxx.xxx:1194
    Jun 29 15:51:11 openvpn[2086]: TUN/TAP device /dev/tap0 opened
    Jun 29 15:51:11 openvpn[2086]: /sbin/ifconfig tap0 192.168.5.10 netmask 255.255.255.0 mtu 1500 up
    Jun 29 15:51:11 openvpn[2086]: /etc/rc.filter_configure tap0 1500 1574 192.168.5.10 255.255.255.0 init
    Jun 29 15:51:12 openvpn[2086]: Initialization Sequence Completed

    It appears that the server and client connect without problems, but I cannot ping any hosts on either network across the VPN bridge.  ???
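
The subnets, the server-bridge option and the two ifconfig lines quoted in this post are enough to check the bridge plan mechanically; what follows is an added example (my own code, not pfSense's or the poster's) that does so. It flags the layer-2 requirement that both LANs be one subnet, checks that server-bridge describes the server LAN, and explains the "--ifconfig must be a netmask" warning in the server log. check_bridge() and is_netmask() are hypothetical names, and the inputs are constructed from this post.

```python
import ipaddress
import re

# Matches the line pfSense logs when OpenVPN brings up the tap interface.
IFCONFIG_RE = re.compile(r"/sbin/ifconfig (\S+) (\S+) netmask (\S+)")

def is_netmask(s):
    """True only for a contiguous IPv4 mask: 255.255.255.0 yes, 10.31.105.2 no."""
    try:
        n = int(ipaddress.IPv4Address(s))
    except ValueError:
        return False
    inv = ~n & 0xFFFFFFFF  # the complement of a real mask is 2**k - 1
    return inv & (inv + 1) == 0

def check_bridge(server_lan, client_lan, server_bridge=None,
                 server_log=None, client_log=None):
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means consistent."""
    out = []
    s_lan, c_lan = ipaddress.ip_network(server_lan), ipaddress.ip_network(client_lan)
    # A tap bridge makes both LANs one broadcast domain: same subnet on both sides,
    # with each side's DHCP handing out a disjoint part of it.
    if s_lan != c_lan:
        out.append(f"ERROR: LANs differ ({s_lan} vs {c_lan}); a bridge needs one shared subnet")
    if server_bridge:  # "server-bridge GW MASK FIRST LAST" must describe the server LAN
        gw, mask, first, last = server_bridge.split()
        if ipaddress.ip_network(f"{gw}/{mask}", strict=False) != s_lan:
            out.append(f"ERROR: server-bridge {gw}/{mask} is not the server LAN {s_lan}")
        for ip in (first, last):
            if ipaddress.ip_address(ip) not in s_lan:
                out.append(f"ERROR: server-bridge pool address {ip} is outside {s_lan}")
    for side, lan, line in (("server", s_lan, server_log), ("client", c_lan, client_log)):
        m = IFCONFIG_RE.search(line or "")
        if not m:
            continue
        ifname, addr, mask = m.groups()
        if not is_netmask(mask):  # what the "--ifconfig must be a netmask" warning is about
            out.append(f"WARN: {side} {ifname} got '{addr} netmask {mask}': an address pair "
                       f"(the Address Pool) rather than a mask, so {ifname} sits in neither LAN")
        elif ipaddress.ip_address(addr) not in lan:
            out.append(f"ERROR: {side} {ifname} address {addr} is outside its LAN {lan}")
    return out

# Constructed from the first post: both LANs, the server-bridge option, and the
# ifconfig line each side logged.
FIRST_POST = dict(server_lan="192.168.5.0/24", client_lan="192.168.1.0/24",
    server_bridge="192.168.5.1 255.255.255.0 192.168.5.10 192.168.5.25",
    server_log="/sbin/ifconfig tap0 10.31.105.1 netmask 10.31.105.2 mtu 1500 up",
    client_log="/sbin/ifconfig tap0 192.168.5.10 netmask 255.255.255.0 mtu 1500 up")

if __name__ == "__main__":
    print("\n".join(check_bridge(**FIRST_POST)))
```

Run against this post's values it reports the two LANs as different subnets, the server tap0 brought up with 10.31.105.2 as its "netmask", and the client tap0 at 192.168.5.10 sitting outside the client's 192.168.1.0/24 LAN.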



  • I have come somewhat closer in configuring the OpenVPN bridge. I set both networks to the same subnet and I set the DHCP range to be a different section of the subnet for the client and the server. This setup works because Windows sees an IP from the same subnet, so there are no firewall issues with sharing files; there are also no IP conflicts because the DHCP servers on each network assign different sections of the same subnet. Unfortunately I still have no idea how to get all network traffic bridged into the VPN. I have tried both manually building the bridge through the pfsense shell and assigning an optional interface to the tap0 OpenVPN interface and then bridging it with the LAN through the WebUI in 1.2.3… no luck. What is most frustrating is that I don't receive any errors in the logs; I'm not even sure where to look next to fix this issue. I have tried every tutorial I could find on this and every variation I could think of for each, with no luck. I really don't think this should be this hard, and it seems like other people have managed to figure this out. Any help would be greatly appreciated. :-\



  • Also I have no issues with site-to-site OpenVPN, it works great! But OpenVPN bridging is killing me.



  • I've been banging my head on this same issue for 6+ months… can't get anyone to help



  • You can't have the same subnet on both sides; they have to be different. As for DHCP, I know it can be done but that is not my expertise.
    RC



  • http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN

    I assume from the section at the bottom that someone was able to get this working?

    I cannot get any IP traffic to flow just like the rest of you



  • It seems like it works somehow, strange but works.  ???
    all works on vmware workstation 6.5
                                                         client                                                          server
    vm1<---lan--->vmnet3<---lan--->em1 pfs1 em0<---wan--->vmnet1<---wan--->em0 pfs2 em1<---lan--->vmnet4<---lan--->vm2
    192.168.4.21/24             192.168.4.11/24   172.16.1.10/24                      172.16.1.11/24  192.168.4.10/24                192.168.4.20/24
    gw 192.168.4.11             tap 192.168.4.2                                                                    tap 192.168.4.1                gw 192.168.4.10

    pfs - pfsense boxes
    vm - virtual machines - Win XP
    vmnet - virtual switches

    Firewall > Rules > WAN - ALL to ALL - permit,   LAN - ALL to ALL - permit
    OpenVPN > Client > Edit > Protocol - UDP
                                       Port - 1194
                                       Address Pool - 192.168.4.0/24
                                       Use static IPs - is not checked
                                       local network - empty
                                       remote network - empty
                                       client-to-client VPN - is not checked
                                       Authentication Method - sk
                                       LZO compression - is not checked
                                       Custom Options - dev tap0
    OpenVPN > Server > Edit > same as client
    Diagnostics > Edit File  /conf/config.xml  add the following to both pfsenses SYSTEM section. I'm presuming your LAN interface is em1, use your real LAN interface:

    <earlyshellcmd>ifconfig bridge0 create</earlyshellcmd>
    <earlyshellcmd>ifconfig bridge0 addm em1 up</earlyshellcmd>
    <shellcmd>ifconfig bridge0 addm tap0</shellcmd>

    and some log shit:

    Jul 19 05:04:41 openvpn[332]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.4.0 192.168.4.2', remote='ifconfig 192.168.4.0 192.168.4.1' 
    Jul 19 05:04:34 openvpn[332]: Initialization Sequence Completed 
    Jul 19 05:04:34 openvpn[332]: Peer Connection Initiated with 172.16.1.10:1194 
    Jul 19 05:04:31 openvpn[332]: UDPv4 link remote: [undef] 
    Jul 19 05:04:31 openvpn[332]: UDPv4 link local (bound): [undef]:1194 
    Jul 19 05:04:30 openvpn[325]: /etc/rc.filter_configure tap0 1500 1576 192.168.4.1 192.168.4.2 init 
    Jul 19 05:04:30 openvpn[325]: /sbin/ifconfig tap0 192.168.4.1 netmask 192.168.4.2 mtu 1500 up 
    Jul 19 05:04:30 openvpn[325]: TUN/TAP device /dev/tap0 opened 
    Jul 19 05:04:30 openvpn[325]: WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. (silence this warning with --ifconfig-nowarn) 
    Jul 19 05:04:30 openvpn[325]: WARNING: file '/var/etc/openvpn_server0.secret' is group or others accessible 
    Jul 19 05:04:30 openvpn[325]: OpenVPN 2.0.6 i386-portbld-freebsd7.1 [SSL] [LZO] built on Apr 22 2009
    


  • It seems like it works somehow, strange but works.  ???
    all works on vmware workstation 6.5
                                                          client                                                          server
    vm1<---lan--->vmnet3<---lan--->em1 pfs1 em0<---wan--->vmnet1<---wan--->em0 pfs2 em1<---lan--->vmnet4<---lan--->vm2
    192.168.4.21/24            192.168.4.11/24  172.16.1.10/24                      172.16.1.11/24  192.168.4.10/24                192.168.4.20/24
    gw 192.168.4.11            tap 192.168.4.2                                                                    tap 192.168.4.1                gw 192.168.4.10

    I know that this seems to work on VMware, but I don't think that this would be a standard network configuration. I can see several potential issues: DNS, DHCP. In most wide area networks you would have a core site with a /21 network or larger. Your remotes would have some /24 networks or smaller. It all depends on the size of your company.

    So in that case you would extend your network either with secure VPNs, metnets, or OpenVPN. When I say extend your business network to 10 sites, I would do the following, and let's assume that the connections are IPsec or OpenVPN. We are also using Windows 2003/2008 for servers.

    Our core network has 200 users and each site has 32 users. We will have 510 addresses (23 bit mask) at the core (10.10.10.0 - 10.10.11.254); each site will have 64 addresses.
    Core:10.10.10.0

    Site 1: 10.10.20.1 - 10.10.20.64      GW:10.10.20.1
    Site 2: 10.10.20.65 - 10.10.20.128  GW:10.10.20.66
    Site 3: 10.10.20.129 - 10.10.20.193  GW:10.10.20.130
    Site 4: 10.10.20.194 - 10.10.20.254  GW:10.10.20.195
    Site 5: 10.10.21.1 - 10.10.21.64      GW:10.10.21.1
    Site 6: 10.10.21.65 - 10.10.21.128    GW:10.10.21.66
    Site 7: 10.10.21.129 - 10.10.21.193  GW:10.10.21.130
    Site 8: 10.10.21.194 - 10.10.21.254  GW:10.10.21.195
    Site 9: 10.10.22.1 - 10.10.22.64      GW:10.10.22.1
    Site 10: 10.10.22.65 - 10.10.22.128  GW:10.10.22.65

    So at the core site we would be building a main router, so we would reserve the first 32 addresses for routers and VPN devices. Then we would build out from there through our firewalls and start building out our tunnels (whatever secure method you would use, your choice). So at the core we would then be looking at something like the following:

    Core: 10.10.10.10 core router management
    Core: 10.10.10.1 Default gateway
    Firewall LAN interface: 10.10.10.11
    Firewall VPN interface 1: 10.10.10.12 (5 VPN tunnels per interface)
    Firewall VPN interface 2: 10.10.10.13 (5 VPN tunnels per interface)
    DHCP Server: 10.10.10.14 contains scopes for core site with all VPN sites
    Barracuda: 10.10.10.15 (mail filtering)

    We would build our VPNs with rules in place to allow DHCP and DNS services to extend over the VPN tunnels. Our internet and other services would be provided from the core site. Remote sites would have a file server, and data would be replicated over the VPN tunnels for backup. The local server would also run DNS services for local name resolution. Other services could be provided via Terminal Services or Citrix to conserve bandwidth.

    I hope this helps.  I know it might draw more questions.
    RC

