VPN with DHCP from server LAN
-
Hi everyone,
I need to set up a VPN between two sites like this:

HOME PFSense
1st NIC -> WAN
2nd NIC -> LAN 192.168.1.0/24 with DHCP server
3rd NIC -> not used

REMOTE SITE PFSense
1st NIC -> WAN
2nd NIC -> LAN 10.98.0.0/24 with DHCP server
3rd NIC -> VPN tunnel to HOME LAN (every client connected to this interface has to obtain an IP from home's DHCP server 192.168.1.x)

Is it possible to do that with OpenVPN in TAP mode, or some other way?
Thank you
-
@djdmx why do they need to be on the same network?
-
@johnpoz because there's a hub that can only discover devices on its own network
-
@djdmx Yes, tap mode will work.
-
@jarhead thank you, can you tell me how to configure it and how to assign the tunnel to the 3rd NIC?
-
@djdmx
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-bridged.html
-
@jarhead thank you so much, I'll try and let you know
-
@djdmx
Just to add, if you don't have at least a 500/500 internet at both sites, it's gonna be tough.
Tap VPNs were always frowned upon but it was never the VPN, just because the internet connections weren't fast enough.

I remember I hit a few snags setting it up so any problems you have, just post here. I should be able to remember what I did.
-
@jarhead thank you!
I correctly set up PFSense at home as an OpenVPN server, in tap mode, bridged with the LAN interface.

Now I have to configure the second PFSense as an OpenVPN client and assign it to the 3rd NIC.
Any suggestions?
-
@jarhead I have some problems with tunnel configuration:
I set up the server side in Peer to Peer (Shared Key) mode (in this mode it's not possible to select "Bridge DHCP"), and the same Peer to Peer (Shared Key) mode on the PFSense client.
On the server I created a bridge with OpenVPN and LAN.
The tunnel is working (the client correctly connects to the server), but it doesn't obtain an IP address from the server's LAN DHCP.
-
@djdmx said in VPN with DHCP from server LAN:
Peer to Peer (Shared Key
That is going away anyway - I would suggest from doing any sort of anything with shared key as the setup
https://redmine.pfsense.org/issues/12981
Warn about OpenVPN shared key deprecation
-
@johnpoz Thank you, I know that. It's only for the first test
-
I did it!
This is my configuration:
SERVER
OpenVPN settings:
Peer to Peer (Shared Key)
Tap mode
UDP on IPv4
Interface WAN
Port 1194
Data encryption (default 256-bit)
Tunnel IP4 network 192.178.168.0/30

Interfaces:
OpenVPN interface assigned to OPT1
Bridge with LAN and OPT1

Firewall rules:
WAN -> permit UDP 1194 from any to WAN
OPT1 -> permit any IPv4 from any to any
BRIDGE -> permit any IPv4 from any to any
OPENVPN -> permit any IPv4 from any to any

CLIENT
OpenVPN settings:
Peer to Peer (Shared Key)
Tap mode
UDP on IPv4
Interface WAN
Server host -> my_server_IP
Server Port 1194
Data encryption (default 256-bit)
Tunnel IP4 network 192.178.168.0/30

OpenVPN interface assigned to OPT1
Bridge with LAN2 and OPT1 with DHCP IPv4 address

Firewall rules:
OPT1 -> permit any IPv4 from any to any
LAN2 -> permit any IPv4 from any to any
BRIDGE -> permit any IPv4 from any to any
OPENVPN -> permit any IPv4 from any to any

Now I'll try to move to Peer to Peer (SSL/TLS) ;-)
-
@djdmx Good to hear!!
Sorry I haven't answered any of your posts, just getting over the flu. But you didn't need my help anyway!
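
Added example, not part of the thread and not configuration generated by pfSense: the raw OpenVPN directives for the same bridged tap tunnel (UDP, port 1194, addresses served across the bridge by the home LAN's DHCP server) after moving from the static shared key to SSL/TLS. The certificate and key file names are placeholders, and the use of `tls-crypt` and `AES-256-GCM` is an assumption, not something stated in the thread.

```conf
# ---- Before (both ends): static shared key, as in the working test setup ----
# dev tap
# proto udp4
# secret shared.key          # one symmetric key for both peers:
#                            # no per-peer identity, no forward secrecy

# ---- After, HOME side (server) ----
dev tap                      # layer-2 tunnel, so it can be bridged with LAN
proto udp4
port 1194
mode server                  # TLS server with no address pool of its own;
tls-server                   # bridged peers use the LAN DHCP server instead
ca ca.crt                    # placeholder file names throughout
cert home-server.crt
key home-server.key
dh none                      # ECDHE key exchange only (OpenVPN 2.4+)
tls-crypt tls-crypt.key      # assumption: pre-shared wrap of the control channel
data-ciphers AES-256-GCM     # assumption: AEAD data-channel cipher (OpenVPN 2.5+)
remote-cert-tls client       # accept only certificates issued for client use

# ---- After, REMOTE side (client) ----
client                       # tls-client + pull
dev tap
proto udp4
remote my_server_IP 1194     # same placeholder host as in the post above
ca ca.crt
cert remote-site.crt
key remote-site.key
tls-crypt tls-crypt.key
data-ciphers AES-256-GCM
remote-cert-tls server       # reject a peer that presents a non-server certificate
```

Each site gets its own certificate, so one site's access can be revoked without re-keying the other, which the single shared key cannot do.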