Bridge OpenVPN network to LAN



  • Hi all,

    Running 2.0-BETA4

    I have an OpenVPN user who I need to bridge to the LAN (needs bonjour based services / .local addresses to resolve) - it needs to function as if he were actually in the office. I read the guide for doing this on 1.3 but apparently that has been obsoleted and this should be more automatic than I'm finding it to be.

    My current setup:
    Server Mode: Remote Access (SSL/TLS + User Auth)
    Backend: Local
    Proto: UDP
    Int: WAN
    Port: 1194
    [snip crypto settings, lmk if you need to see them]
    Tunnel Network: 172.31.32.0/27
    Local Network: 172.31.31.0/27
    Inter-client communication: Allowed
    Dynamic IP: Check
    Address Pool: Check
    DNS Default Domain: Check (mydomain.org)
    DNS Servers: Check (172.31.31.1 - the router)
    NetBIOS Options: Check (b-mode)

    Any input would be great,
    Thanks.
    Ben



  • @bwoodruff:

    DNS Servers: Check (172.31.31.1 - the router)

    Try 172.31.32.1 for DNS and check the Redirect Gateway Button, see if that helps.



  • @onhel:

    @bwoodruff:

    DNS Servers: Check (172.31.31.1 - the router)

    Try 172.31.32.1 for DNS and check the Redirect Gateway Button, see if that helps.

    Thanks for the suggestion but that didn't seem to help.



  • Any other suggestions?

    I'm kind of surprised this isn't a more common setup…



  • I assume you're using Advanced Outbound NAT.

    Also 2.0 requires pass rules on the OpenVPN interface under Firewall/Rules/OpenVPN, have you done this?  Do you see any firewall blocks in your System Logs?



  • Advanced Outbound NAT?

    ID  Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
        *      *       *     *            *     *        none             OpenVPN neurospark wizard

    This is the rule setup under the specified tab.

    I don't see anything in the firewall log, but it only has the most recent 50 entries so it is difficult to tell.



  • Advanced Outbound NAT:

    In the web GUI, go to Firewall/NAT/Outbound and Select Manual Outbound NAT rule generation.  It should auto create a nat rule for your LAN.  Select the + symbol where your LAN nat rule is which will create a Nat rule based on your LAN.  Now edit this new rule you created and type 172.31.32.0/27 for the Source Network and change the Description name.  You should now have 2 rules.

    WAN          172.31.31.0/27    *    *    *    *    *    NO    LAN AON
    WAN          172.31.32.0/27    *    *    *    *    *    NO    OVPN AON

    From the Random Knowledge of pfSense Sticky under OpenVPN:

    You cannot access windows shares via the "My network places" because windows shares work with UDP-broadcasts.
    The VPN is routed and will block broadcasts.
    If you want to access a windows share you have to access it directly by IP
    ie: start->run: \\IPofServer



  • @onhel:

    Advanced Outbound NAT:

    In the web GUI, go to Firewall/NAT/Outbound and Select Manual Outbound NAT rule generation.  It should auto create a nat rule for your LAN.  Select the + symbol where your LAN nat rule is which will create a Nat rule based on your LAN.  Now edit this new rule you created and type 172.31.32.0/27 for the Source Network and change the Description name.  You should now have 2 rules.

    WAN           172.31.31.0/27     *     *     *     *     *     NO     LAN AON
    WAN           172.31.32.0/27     *     *     *     *     *     NO     OVPN AON

    From the Random Knowledge of pfSense Sticky under OpenVPN:

    You cannot access windows shares via the "My network places" because windows shares work with UDP-broadcasts.
    The VPN is routed and will block broadcasts.
    If you want to access a windows share you have to access it directly by IP
    ie: start->run: \\IPofServer

    I don't have Windows machines on my network, but I do need Bonjour to work properly, and from everything I'm reading it was possible to do so under older versions; I'm just trying to find out how to do it in 2.0.

    Here is the Firewall/NAT/Outbound screen after making the changes you suggested. Note the last rule is the one you had me create but it seems redundant.

    Mappings:

    Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
    WAN        172.31.31.0/27  *            *            500               *            *         YES          Auto created rule for ISAKMP - LAN to WAN
    WAN        172.31.31.0/27  *            *            *                 *            *         NO           Auto created rule for LAN to WAN
    WAN        172.31.32.0/27  *            *            *                 *            *         NO           Auto created rule for OpenVPN server
    WAN        192.168.1.1/32  *            *            500               *            *         YES          Auto created rule for ISAKMP - HOUSE to WAN
    WAN        192.168.1.1/32  *            *            *                 *            *         NO           Auto created rule for HOUSE to WAN
    WAN        172.31.32.0/27  *            *            *                 *            *         NO           Auto created rule for OpenVPN server
    WAN        172.31.32.0/27  *            *            *                 *            *         NO           Manual created rule for OVPN to WAN
    

  • Rebel Alliance Developer Netgate

    You don't need to bridge to use Bonjour, if you have a router on both ends, just use Avahi on both sides. It's available as a package for pfSense. Not sure if that would work for a remote mobile client though.

    As for bridging OpenVPN, I don't know that anyone has made that work on 2.0 yet to write a howto. I have done an IPsec+GIF bridge (and could even browse windows shares across it) but that was also site-to-site and not a mobile client.
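    For the Avahi route suggested above, this is the reflector configuration the daemon needs on the pfSense side (an added example, not from the thread or the pfSense package; the interface names em0 for LAN and ovpns1 for the OpenVPN server are assumed and must match your box):

    ```ini
    # avahi-daemon.conf (added example; interface names are assumed)
    [server]
    # Reflect only between the LAN and the OpenVPN server interface so
    # mDNS heard on the WAN or any other segment is never repeated.
    allow-interfaces=em0,ovpns1
    use-ipv4=yes
    use-ipv6=no

    [publish]
    # This box only relays; it should not announce services of its own.
    disable-publishing=yes

    [reflector]
    # Re-send mDNS received on one allowed interface out the other one,
    # which is what lets a routed (non-bridged) tunnel carry .local lookups.
    enable-reflector=yes
    ```

    Reflection only makes the names resolve; the clients still need the OpenVPN pass rules and outbound NAT discussed in this thread to reach the resolved LAN addresses.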



  • Yeah, this is for mobile clients (OS X). No router on the other end.



  • @bwoodruff:

    Mappings:

    Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
    WAN        172.31.31.0/27  *            *            500               *            *         YES          Auto created rule for ISAKMP - LAN to WAN
    WAN        172.31.31.0/27  *            *            *                 *            *         NO           Auto created rule for LAN to WAN
    WAN        172.31.32.0/27  *            *            *                 *            *         NO           Auto created rule for OpenVPN server
    WAN        192.168.1.1/32  *            *            500               *            *         YES          Auto created rule for ISAKMP - HOUSE to WAN
    WAN        192.168.1.1/32  *            *            *                 *            *         NO           Auto created rule for HOUSE to WAN
    WAN        172.31.32.0/27  *            *            *                 *            *         NO           Auto created rule for OpenVPN server
    WAN        172.31.32.0/27  *            *            *                 *            *         NO           Manual created rule for OVPN to WAN

    Yes, looks like you do have 3 entries for your OpenVPN AON.  Remove 2 of them, only 1 is necessary.



  • Is manual advanced outbound NAT really necessary? It was automatic before. When I turned it and Avahi on, my internet stopped working (LAN connectivity was still fine). Switching back to automatic and disabling Avahi restored connectivity.



  • I found this post which says the author accomplished exactly what I'm trying to do but unfortunately doesn't go into much detail:
    http://quintinsmits.com/2009/09/14/bonjour-mdns-via-openvpn-on-linux-with-avahi-deamon

    I tried switching from tun to tap but was still unable to view bonjour services.

