OpenVPN Site to Site
-
Hello,
I am trying to setup a site to site setup between my home network and a remote network with openvpn. I have read through tons of tutorials, but I can't seem to get it to work. Simply want both networks to talk to each other and be able to dhcp boot a computer on my home network from the remote network.
Remote network currently has the openvpn server setup with TAP protocol and bridging the LAN and OPVN interface. Both pfsense boxes use a shared key. Home network pfsense is in openvpn client mode on TAP and bridging the LAN and OPVN Interface. I am not able to ping either side.
-
@brandon-lizard Post a picture of your openvpn config.
-
-
-
@brandon-lizard This is a good start.
What about your firewall rules?
Firewall logs?
Have you tried packet captures on either side to see if traffic is crossing the OVPN connection? -
The 2 sites are on different subnets. Why aren't you using tun? You use tap when the 2 sites are on the same subnet. It's as though you put a computer with the wrong address/subnet on your LAN. You just can't get there from here.
-
Mmm, unclear what you need here. Are you running the DHCP boot server on the server side pfSense?
-
@rcoleman-netgate Can dhcp work over tun? What's my best option? I am new at this.
-
@stephenw10 Yes, dhcp is running on the server side. I want both sites to be able to route traffic back and force including dhcp requests. I want to be able to boot a computer on my home side.
-
@brandon-lizard Do you have another interface on the remote site? You can bridge that with the vpn and set it with the same network as your home.
-
@jarhead Yes I do. Is it possible to create a vlan on my home side instead of allowing access to all of my network? I just want certain computers to be able to communicate with the remote server and be able to dhcp.
-
@brandon-lizard You can do that. Make the vlan the same subnet as the remote site if you can move those computers to a different vlan.
One thing, I don't have my tap vpn up at the moment but I do remember I had to enable the "Bridge dhcp" option to get it to work. Might wanna try it if it doesn't come up. -
@brandon-lizard It's starting to come back to me now... what I believe I did was, on the server side, enable bridge dhcp, and select the lan as the bridge (you still have to create the bridge, this doesn't do that), then set the range to one ip. The client side vpn interface will receive that address (server side will stay without an IP), and you'll be set.
Just to add, all other clients on my client side were statically assigned. You may have to expand the dhcp range if needed.
-
@jarhead Thank you. Here's what it sounds like I need to do.
- Setup openvpn in tap mode. Both sides need to be on the same subnet.
- Setup bridge mode on openvpn and lan interfaces
- Enable bridge dhcp
Firewall rules - Allow * on openvpn, Allow * on Lan.
Is there a good tutorial on this setup out there?
-
@brandon-lizard https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-bridged.html
-
@jarhead Say I created a VLAN on my home network switch. How would that work with pfsense?
-
@brandon-lizard You would create VLAN tags on pfSense and create interfaces out of those VLANs.
-
@brandon-lizard If this whole project is something you're just doing as a test, my need for a tap also needed 3 different vlans. I was able to trunk the tap and send all 3 (or more, tried 5) vlans over the vpn.
I was surprised it actually worked but I think the stigma around tap vpn's had a lot to do with the actual internet connection. It worked great for me with a 500M fiber connection on both ends and my ping time only increase by 3 -10ms when using the "other" side.
-
@brandon-lizard said in OpenVPN Site to Site:
Yes, dhcp is running on the server side.
But it is actually running on pfSense or on some other server at that site?
You might want to look at running a DHCP relay instead.
Steve
-
@jarhead said in OpenVPN Site to Site:
I was surprised it actually worked but I think the stigma around tap vpn's had a lot to do with the actual internet connection. It worked great for me with a 500M fiber connection on both ends and my ping time only increase by 3 -10ms when using the "other" side.
This is very true. Most of the bad rep TAP gets if from people who set it up over a >100ms link and then hit issues when the broadcast domain includes that.
It's possible to do some interesting combinations of routing over TAP with some manual editing. That can be useful.
Steve
