Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Working on getting OpenVPN server bridging to fly.

    Scheduled Pinned Locked Moved OpenVPN
    94 Posts 13 Posters 85.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      Numbski
      last edited by

      I know this isn't currently supported, but there is a nice writeup on how to get this working on FreeBSD:

      http://www.mired.org/home/mwm/papers/FreeBSD-OpenVPN-Bridging.html

      I'm poking around in my pfSense config as we speak to set this up.  So far no luck, primarily because openvpn.inc insists on having an ifconfig line regardless of what I put in.  I'm trying a manual config file for now to see if I can get it working.  Just thought I'd toss it out there.

      1 Reply Last reply Reply Quote 0
      • N
        Numbski
        last edited by

        Wow, that was almost TOO easy.  The only thing that sucks is that my powerbook won't do Bonjour/Rendezvous/Zeroconf across the tap0 interface. :(

        All we need to do is the following:

        Get your tunnel working so you can connect from a remote location.  Don't bother setting up routing to other networks, just make sure you can get into the vpn, and that traffic flows as exptected.

        Now, the IP range you're using on the VPN, by definition, to this point has been different.  We are going to take tap0 and make it, for lack of a better term, a switch port, connected to another interface, and thus it is going to assume the IP address identity of that other interface.  DO NOT change the IP address settings you've put in, as you'll mess up the rest of your network otherwise (router that can find the same network on two interfaces….doesn't make for a happy router).

        Check "Use Static IP's" (if you haven't already)

        In "custom options", add the following to whatever you already have:

        dev tap0; float; server-bridge 172.16.10.1 255.255.255.0 172.16.10.64 172.16.10.191

        Okay, now 172.16.10.1 should be replaced with the IP address that will be used as the server end of the openvpn tunnel.  I chose that IP because it matched up well with the rest of my configuration, and of course it should be on the same network as the one you're bridging to.  replace 255.255.255.0 with the correct netmask of the network you're bridging to.

        That last two IPs are the beginning and end of your OpenVPN IP assignment range.  I allowed a 32 host block for this purpose.

        Now here's the kicker.

        We have to create bridge0.  In my original config, I went to Interfaces, tap0, and chose to bridge to my other interface (was an opt interface, sis0).  bridge0 gets created, but does not actually add the members tap0 and sis0.  ????

        On the page I linked above, it suggests creating a script that does this:

        ifconfig bridge0 addm sis0 addm tap0 up

        For whatever reason pfSense's code doesn't do this.  I also tried that document's method of creating the script, giving it execute permissions, and then adding it to my "custom options" line, but when I reboot the firewall, the tap0 interface comes up, but it never adds the two interfaces to bridge0.  ???

        So right now, I temporarily added that line to /etc/rc, right before "bootup complete".  Ta da!  Bridged openvpn!  My laptop is now on my opt network no matter where I go! :D

        Now if we can figure out how to get this to work right using the pfSense interface, I'm a happy man.

        1 Reply Last reply Reply Quote 0
        • N
          Numbski
          last edited by

          on the Bonjour/Rendezvous/ZeroConf side of things, per this page I should have a workaround:

          http://www.section6.net/wiki/index.php/Setting_up_a_Secure_Bridged_(Wireless)_Network_with_OpenVPN#A_note_on_OS_X_and_Bonjour

          echo "pass in quick on sis0 dup-to tap0 inet proto udp from any to 224.0.0.251 port = 5353" | pfctl -mf -
          echo "pass in quick on tap0 dup-to sis0 inet proto udp from any to 224.0.0.251 port = 5353" | pfctl -mf -

          HOWEVER…when  I do that, the entire system seems to stop answering any requests at all, and nothing gets put into filter.log for debugging. :\

          Anyone with a clue on that one please let me know.

          1 Reply Last reply Reply Quote 0
          • N
            Numbski
            last edited by

            Hmm.  I've had to resort to turning off bridging in the webui, and create the bridge /etc/rc.  So I now have this:

            ifconfig bridge0 create
            ifconfig bridge0 addm sis0 addm tap0 up
            #echo "pass in quick on sis0 dup-to tap0 inet proto udp from any to 224.0.0.251 port = 5353" | pfctl -mf -
            #echo "pass in quick on tap0 dup-to sis0 inet proto udp from any to 224.0.0.251 port = 5353" | pfctl -mf -

            (commented out the dup-to rules until I figure out why they kill things)

            1 Reply Last reply Reply Quote 0
            • S
              sullrich
              last edited by

              1 Edit /tmp/rules.debug
              2 Add your custom items
              3 pfctl -f /tmp/rules.debug

              1 Reply Last reply Reply Quote 0
              • N
                Numbski
                last edited by

                Hmm.

                It appears that bridge0 needs to be an interface that pfSense recognizes for rules creation.  The moment I enable the bridge and connect to openvpn, no one on either the openvpn or the opt interface I've bridged to can go anywhere, and I'm getting blocks on bridge0 showing up in the filter logs. Yay.

                interfaces.inc looks a lot different from back in December, btw.  Can't figure out where to hack in a quick allowance for bridge0 so I can add it as an opt.

                1 Reply Last reply Reply Quote 0
                • S
                  sullrich
                  last edited by

                  /etc/inc/filter.inc … Search for "outgoing".

                  1 Reply Last reply Reply Quote 0
                  • N
                    Numbski
                    last edited by

                    Here we go.  The problem I have right now appears to be that since I'm running carp on the same interface I'm bridging to, it is causing hiccups.  Wonder if I can bridge to teh carp interface instead?

                    1 Reply Last reply Reply Quote 0
                    • N
                      Numbski
                      last edited by

                      It's more than hiccups.  It's a packet storm kids.

                      I think I'm creating a loop on the LAN that causes a storm.  As soon as a turn off the bridge, life is well again.

                      Not sure precisely how it's happening.  Someone want to try this on a pfsense box without CARP and tell me what kind of luck you have?

                      1 Reply Last reply Reply Quote 0
                      • S
                        sullrich
                        last edited by

                        If you are briding there is no need for the dup-to portions.  Simply allow the traffic.

                        1 Reply Last reply Reply Quote 0
                        • N
                          Numbski
                          last edited by

                          Yeah, I think you're right.  The problem is actually that the mDNSResponder and tap driver on OSX need to be patched.  In case anyone stumbles onto this later, here's a link:

                          http://tunnelblick.net/alpha/Tunnelblick-Tiger-3.0a2-bonjour-patched.dmg

                          Still slowly wading through this mess, as CARP+Bridged OpenVPN don't appear to like one another much.

                          1 Reply Last reply Reply Quote 0
                          • N
                            Numbski
                            last edited by

                            I'd really like to see someone without a carp setup try this to see what kind of success they have.  Any volunteers?  I just want to narrow down the cause.

                            1 Reply Last reply Reply Quote 0
                            • N
                              Numbski
                              last edited by

                              Some quick observations about all of this:

                              1.  We really need OpenVPN to not assign an IP at all to tap0, and just do an ifconfig tap0 up.  Assigning an IP futzes things up, but the current pfSense code insists on an IP address assignment in the webui.

                              2.  Bridging works really really well….for all of about 5 minutes at a time.  Then it all goes straight to hell.  Routing just utterly and completely dies.  If you don't connect to the vpn, things stay up marginally longer, then (at least my system does) the system crashes.  The system will attempt to shut down (ACPI) if I do a ctrl-alt-del, but it never does.  It has to be hard rebooted.  It won't take console input, all interfaces stop answering, etc.  ???

                              3.  Despite not setting up bridging from the webui, the interface detection code still picks up bridge0, and "knows" that sis0 and tap0 are on the bridge, as when I look at rules.debug. they are included in those script variables at the top.

                              4.  Finally, per many OpenBSD docs, you really should only filter on one interface on a bridge, not both.  That said, I take that to mean we shouldn't have a "block all" rule at all on tap0.  Just an allow all statement, and any filter rules place on sis0 would then apply to tap0 as well.  Sound correct?

                              EDIT -

                              I think I've made a breakthrough here.  We need to add this to sysctl.conf:

                              net.link.bridge.pfil_onlyip=0

                              Apparently without this set, it doesn't want to pass non-IP packets from interface to interface, and this totally hoses up our bridged environment with a tap interface, given that tap is a layer2 thing, and not a layer3.  It looks like carp is now working, and tap works.  Bridge works.  Life seems to be good.  We'll see how it holds up after a reboot though. ;)

                              Here's where I got a clue about it.  Note that this was in regards to a wireless interface and layer-2 traffic, but it seems to have cleared things up here.

                              http://lists.freebsd.org/pipermail/freebsd-net/2006-April/010375.html

                              1 Reply Last reply Reply Quote 0
                              • S
                                sullrich
                                last edited by

                                Alright, I commited the net.link.bridge.pfil_onlyip=0 change.

                                What do you mean by CARP works correctly with the bridge?

                                1 Reply Last reply Reply Quote 0
                                • N
                                  Numbski
                                  last edited by

                                  Well….

                                  My config is like this:

                                  Two pfsense boxes, identical hardware.  sis0 on each is running carp.  So we have 172.16.10.2 on the first, and 172.16.10.3 on the second one.  They share 172.16.10.1.  This is our internal lan (although it is really an opt interface, I need to change that "someday real soon"), and I want to bridge that to tap0.

                                  Originally when I set this up (and it just happened again...grrr), it would work for about 5 mins, bridge tap0 and sis0, all of a sudden 172.16.10.1 would just stop answering.  CARP wouldn't fail over, as sis0 was still up and still had it's IP, but it would stop replying to ICMP's.  I get to about icmp_seq=288, then nothing.  No mention in tcpdump -i bridge0, sis0, or tap0.  Nothing.  It was really weird.

                                  What's bizarre is that it's almost EXACTLY 4 minutes.  I would get a ping reponse about once per second.  It's almost as if there is some sort of scheduled task that is killing the bridge.  If I do ifconfig bridge0 deletem sis0, it immediately comes back, then I can do ifconfig bridge0 addm sis0, things work for ~4-5 minutes, then we're back to square 1.

                                  Is there something here that rings a bell that perhaps wouldn't be immediately obvious to me?  Something that runs as a background agent?  I suppose it's possible that something odd happens in the state table that times out, or maybe a buffer is consistently filling up, but I'm having a hard time placing my finger on what would cause this kind of behavior.

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    sullrich
                                    last edited by

                                    @Numbski:

                                    Is there something here that rings a bell that perhaps wouldn't be immediately obvious to me?  Something that runs as a background agent?  I suppose it's possible that something odd happens in the state table that times out, or maybe a buffer is consistently filling up, but I'm having a hard time placing my finger on what would cause this kind of behavior.

                                    Strange, I cannot think of anything that runs in the background that would change anything.

                                    1 Reply Last reply Reply Quote 0
                                    • N
                                      Numbski
                                      last edited by

                                      I just timed it.  5 minutes on the dot.  I can cron an ifconfig bridge0 deletem sis0/addm sis0 once every 4 mins to mitigate the problem, but sorta kill any kind of long-term constant-state communications. :P

                                      Really have to ponder this.  Doesn't appear to be a pf thing though.

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        sullrich
                                        last edited by

                                        Do a killall cron just to make sure its nothing in there stepping on it.

                                        1 Reply Last reply Reply Quote 0
                                        • N
                                          Numbski
                                          last edited by

                                          Okay, done.  did a addm/deletem sis0 at 4:59:10 central time per my nice little mobile phone here.  It's on the clock.  We'll see how long it lasts. :D

                                          1 Reply Last reply Reply Quote 0
                                          • N
                                            Numbski
                                            last edited by

                                            Died at 5:04:20 pm central with no crons.  Hmm….

                                            addm/deletem sis0 of course revived it.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.