Working on getting OpenVPN server bridging to fly.
-
I know this isn't currently supported, but there is a nice writeup on how to get this working on FreeBSD:
http://www.mired.org/home/mwm/papers/FreeBSD-OpenVPN-Bridging.html
I'm poking around in my pfSense config as we speak to set this up. So far no luck, primarily because openvpn.inc insists on having an ifconfig line regardless of what I put in. I'm trying a manual config file for now to see if I can get it working. Just thought I'd toss it out there.
-
Wow, that was almost TOO easy. The only thing that sucks is that my powerbook won't do Bonjour/Rendezvous/Zeroconf across the tap0 interface. :(
All we need to do is the following:
Get your tunnel working so you can connect from a remote location. Don't bother setting up routing to other networks, just make sure you can get into the vpn, and that traffic flows as exptected.
Now, the IP range you're using on the VPN, by definition, to this point has been different. We are going to take tap0 and make it, for lack of a better term, a switch port, connected to another interface, and thus it is going to assume the IP address identity of that other interface. DO NOT change the IP address settings you've put in, as you'll mess up the rest of your network otherwise (router that can find the same network on two interfaces….doesn't make for a happy router).
Check "Use Static IP's" (if you haven't already)
In "custom options", add the following to whatever you already have:
dev tap0; float; server-bridge 172.16.10.1 255.255.255.0 172.16.10.64 172.16.10.191
Okay, now 172.16.10.1 should be replaced with the IP address that will be used as the server end of the openvpn tunnel. I chose that IP because it matched up well with the rest of my configuration, and of course it should be on the same network as the one you're bridging to. replace 255.255.255.0 with the correct netmask of the network you're bridging to.
That last two IPs are the beginning and end of your OpenVPN IP assignment range. I allowed a 32 host block for this purpose.
Now here's the kicker.
We have to create bridge0. In my original config, I went to Interfaces, tap0, and chose to bridge to my other interface (was an opt interface, sis0). bridge0 gets created, but does not actually add the members tap0 and sis0. ????
On the page I linked above, it suggests creating a script that does this:
ifconfig bridge0 addm sis0 addm tap0 up
For whatever reason pfSense's code doesn't do this. I also tried that document's method of creating the script, giving it execute permissions, and then adding it to my "custom options" line, but when I reboot the firewall, the tap0 interface comes up, but it never adds the two interfaces to bridge0. ???
So right now, I temporarily added that line to /etc/rc, right before "bootup complete". Ta da! Bridged openvpn! My laptop is now on my opt network no matter where I go! :D
Now if we can figure out how to get this to work right using the pfSense interface, I'm a happy man.
-
on the Bonjour/Rendezvous/ZeroConf side of things, per this page I should have a workaround:
http://www.section6.net/wiki/index.php/Setting_up_a_Secure_Bridged_(Wireless)_Network_with_OpenVPN#A_note_on_OS_X_and_Bonjour
echo "pass in quick on sis0 dup-to tap0 inet proto udp from any to 224.0.0.251 port = 5353" | pfctl -mf -
echo "pass in quick on tap0 dup-to sis0 inet proto udp from any to 224.0.0.251 port = 5353" | pfctl -mf -HOWEVER…when I do that, the entire system seems to stop answering any requests at all, and nothing gets put into filter.log for debugging. :\
Anyone with a clue on that one please let me know.
-
Hmm. I've had to resort to turning off bridging in the webui, and create the bridge /etc/rc. So I now have this:
ifconfig bridge0 create
ifconfig bridge0 addm sis0 addm tap0 up
#echo "pass in quick on sis0 dup-to tap0 inet proto udp from any to 224.0.0.251 port = 5353" | pfctl -mf -
#echo "pass in quick on tap0 dup-to sis0 inet proto udp from any to 224.0.0.251 port = 5353" | pfctl -mf -(commented out the dup-to rules until I figure out why they kill things)
-
1 Edit /tmp/rules.debug
2 Add your custom items
3 pfctl -f /tmp/rules.debug -
Hmm.
It appears that bridge0 needs to be an interface that pfSense recognizes for rules creation. The moment I enable the bridge and connect to openvpn, no one on either the openvpn or the opt interface I've bridged to can go anywhere, and I'm getting blocks on bridge0 showing up in the filter logs. Yay.
interfaces.inc looks a lot different from back in December, btw. Can't figure out where to hack in a quick allowance for bridge0 so I can add it as an opt.
-
/etc/inc/filter.inc … Search for "outgoing".
-
Here we go. The problem I have right now appears to be that since I'm running carp on the same interface I'm bridging to, it is causing hiccups. Wonder if I can bridge to teh carp interface instead?
-
It's more than hiccups. It's a packet storm kids.
I think I'm creating a loop on the LAN that causes a storm. As soon as a turn off the bridge, life is well again.
Not sure precisely how it's happening. Someone want to try this on a pfsense box without CARP and tell me what kind of luck you have?
-
If you are briding there is no need for the dup-to portions. Simply allow the traffic.
-
Yeah, I think you're right. The problem is actually that the mDNSResponder and tap driver on OSX need to be patched. In case anyone stumbles onto this later, here's a link:
http://tunnelblick.net/alpha/Tunnelblick-Tiger-3.0a2-bonjour-patched.dmg
Still slowly wading through this mess, as CARP+Bridged OpenVPN don't appear to like one another much.
-
I'd really like to see someone without a carp setup try this to see what kind of success they have. Any volunteers? I just want to narrow down the cause.
-
Some quick observations about all of this:
1. We really need OpenVPN to not assign an IP at all to tap0, and just do an ifconfig tap0 up. Assigning an IP futzes things up, but the current pfSense code insists on an IP address assignment in the webui.
2. Bridging works really really well….for all of about 5 minutes at a time. Then it all goes straight to hell. Routing just utterly and completely dies. If you don't connect to the vpn, things stay up marginally longer, then (at least my system does) the system crashes. The system will attempt to shut down (ACPI) if I do a ctrl-alt-del, but it never does. It has to be hard rebooted. It won't take console input, all interfaces stop answering, etc. ???
3. Despite not setting up bridging from the webui, the interface detection code still picks up bridge0, and "knows" that sis0 and tap0 are on the bridge, as when I look at rules.debug. they are included in those script variables at the top.
4. Finally, per many OpenBSD docs, you really should only filter on one interface on a bridge, not both. That said, I take that to mean we shouldn't have a "block all" rule at all on tap0. Just an allow all statement, and any filter rules place on sis0 would then apply to tap0 as well. Sound correct?
EDIT -
I think I've made a breakthrough here. We need to add this to sysctl.conf:
net.link.bridge.pfil_onlyip=0
Apparently without this set, it doesn't want to pass non-IP packets from interface to interface, and this totally hoses up our bridged environment with a tap interface, given that tap is a layer2 thing, and not a layer3. It looks like carp is now working, and tap works. Bridge works. Life seems to be good. We'll see how it holds up after a reboot though. ;)
Here's where I got a clue about it. Note that this was in regards to a wireless interface and layer-2 traffic, but it seems to have cleared things up here.
http://lists.freebsd.org/pipermail/freebsd-net/2006-April/010375.html
-
Alright, I commited the net.link.bridge.pfil_onlyip=0 change.
What do you mean by CARP works correctly with the bridge?
-
Well….
My config is like this:
Two pfsense boxes, identical hardware. sis0 on each is running carp. So we have 172.16.10.2 on the first, and 172.16.10.3 on the second one. They share 172.16.10.1. This is our internal lan (although it is really an opt interface, I need to change that "someday real soon"), and I want to bridge that to tap0.
Originally when I set this up (and it just happened again...grrr), it would work for about 5 mins, bridge tap0 and sis0, all of a sudden 172.16.10.1 would just stop answering. CARP wouldn't fail over, as sis0 was still up and still had it's IP, but it would stop replying to ICMP's. I get to about icmp_seq=288, then nothing. No mention in tcpdump -i bridge0, sis0, or tap0. Nothing. It was really weird.
What's bizarre is that it's almost EXACTLY 4 minutes. I would get a ping reponse about once per second. It's almost as if there is some sort of scheduled task that is killing the bridge. If I do ifconfig bridge0 deletem sis0, it immediately comes back, then I can do ifconfig bridge0 addm sis0, things work for ~4-5 minutes, then we're back to square 1.
Is there something here that rings a bell that perhaps wouldn't be immediately obvious to me? Something that runs as a background agent? I suppose it's possible that something odd happens in the state table that times out, or maybe a buffer is consistently filling up, but I'm having a hard time placing my finger on what would cause this kind of behavior.
-
Is there something here that rings a bell that perhaps wouldn't be immediately obvious to me? Something that runs as a background agent? I suppose it's possible that something odd happens in the state table that times out, or maybe a buffer is consistently filling up, but I'm having a hard time placing my finger on what would cause this kind of behavior.
Strange, I cannot think of anything that runs in the background that would change anything.
-
I just timed it. 5 minutes on the dot. I can cron an ifconfig bridge0 deletem sis0/addm sis0 once every 4 mins to mitigate the problem, but sorta kill any kind of long-term constant-state communications. :P
Really have to ponder this. Doesn't appear to be a pf thing though.
-
Do a killall cron just to make sure its nothing in there stepping on it.
-
Okay, done. did a addm/deletem sis0 at 4:59:10 central time per my nice little mobile phone here. It's on the clock. We'll see how long it lasts. :D
-
Died at 5:04:20 pm central with no crons. Hmm….
addm/deletem sis0 of course revived it.