Bridge OpenVPN network to LAN
-
Hi all,
Running 2.0-BETA4
I have an OpenVPN user who I need to bridge to the LAN (needs bonjour based services / .local addresses to resolve) - it needs to function as if he were actually in the office. I read the guide for doing this on 1.3 but apparently that has been obsoleted and this should be more automatic than I'm finding it to be.
My current setup:
Server Mode: Remote Access (SSL/TLS + User Auth)
Backend: Local
Proto: UDP
Int: WAN
Port: 1194
[snip crypto settings, lmk if you need to see them]
Tunnel Network: 172.31.32.0/27
Local Network: 172.31.31.0/27
Inter-client communication: Allowed
Dynamic IP: Check
Address Pool: Check
DNS Default Domain: Check (mydomain.org)
DNS Servers: Check (172.31.31.1 - the router)
NetBIOS Options: Check (b-mode)
Any input would be great,
Thanks.
Ben
-
DNS Servers: Check (172.31.31.1 - the router)
Try 172.31.32.1 for DNS and check the Redirect Gateway Button, see if that helps.
-
@onhel:
DNS Servers: Check (172.31.31.1 - the router)
Try 172.31.32.1 for DNS and check the Redirect Gateway Button, see if that helps.
Thanks for the suggestion but that didn't seem to help.
-
Any other suggestions?
I'm kind of surprised this isn't a more common setup…
-
I assume you're using Advanced Outbound NAT.
Also 2.0 requires pass rules on the OpenVPN interface under Firewall/Rules/OpenVPN, have you done this? Do you see any firewall blocks in your System Logs?
-
Advanced Outbound NAT?
ID Proto Source Port Destination Port Gateway Queue Schedule Description
* * * * * * none OpenVPN neurospark wizard
This is the rule setup under the specified tab.
I don't see anything in the firewall log, but it only has the most recent 50 entries so it is difficult to tell.
-
Advanced Outbound NAT:
In the web GUI, go to Firewall/NAT/Outbound and Select Manual Outbound NAT rule generation. It should auto create a nat rule for your LAN. Select the + symbol where your LAN nat rule is which will create a Nat rule based on your LAN. Now edit this new rule you created and type 172.31.32.0/27 for the Source Network and change the Description name. You should now have 2 rules.
WAN 172.31.31.0/27 * * * * * NO LAN AON
WAN 172.31.32.0/27 * * * * * NO OVPN AON
From the Random Knowledge of pfSense Sticky under OpenVPN:
You cannot access windows shares via the "My network places" because windows shares work with UDP-broadcasts.
The VPN is routed and will block broadcasts.
If you want to access a windows share you have to access it directly by IP
ie: start->run: \\IPofServer
-
@onhel:
Advanced Outbound NAT:
In the web GUI, go to Firewall/NAT/Outbound and Select Manual Outbound NAT rule generation. It should auto create a nat rule for your LAN. Select the + symbol where your LAN nat rule is which will create a Nat rule based on your LAN. Now edit this new rule you created and type 172.31.32.0/27 for the Source Network and change the Description name. You should now have 2 rules.
WAN 172.31.31.0/27 * * * * * NO LAN AON
WAN 172.31.32.0/27 * * * * * NO OVPN AON
From the Random Knowledge of pfSense Sticky under OpenVPN:
You cannot access windows shares via the "My network places" because windows shares work with UDP-broadcasts.
The VPN is routed and will block broadcasts.
If you want to access a windows share you have to access it directly by IP
ie: start->run: \\IPofServer
I don't have Windows machines on my network, but I do need Bonjour to work properly, and from everything I'm reading it was possible to do so under older versions. I'm just trying to find out how to do it in 2.0.
Here is the Firewall/NAT/Outbound screen after making the changes you suggested. Note the last rule is the one you had me create but it seems redundant.
Mappings:
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN 172.31.31.0/27 * * 500 * * YES Auto created rule for ISAKMP - LAN to WAN
WAN 172.31.31.0/27 * * * * * NO Auto created rule for LAN to WAN
WAN 172.31.32.0/27 * * * * * NO Auto created rule for OpenVPN server
WAN 192.168.1.1/32 * * 500 * * YES Auto created rule for ISAKMP - HOUSE to WAN
WAN 192.168.1.1/32 * * * * * NO Auto created rule for HOUSE to WAN
WAN 172.31.32.0/27 * * * * * NO Auto created rule for OpenVPN server
WAN 172.31.32.0/27 * * * * * NO Manual created rule for OVPN to WAN
-
You don't need to bridge to use Bonjour, if you have a router on both ends, just use Avahi on both sides. It's available as a package for pfSense. Not sure if that would work for a remote mobile client though.
As for bridging OpenVPN, I don't know that anyone has made that work on 2.0 yet to write a howto. I have done an IPsec+GIF bridge (and could even browse windows shares across it) but that was also site-to-site and not a mobile client.
-
Yeah, this is for mobile clients (OS X). No router on the other end.
-
Mappings:
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN 172.31.31.0/27 * * 500 * * YES Auto created rule for ISAKMP - LAN to WAN
WAN 172.31.31.0/27 * * * * * NO Auto created rule for LAN to WAN
WAN 172.31.32.0/27 * * * * * NO Auto created rule for OpenVPN server
WAN 192.168.1.1/32 * * 500 * * YES Auto created rule for ISAKMP - HOUSE to WAN
WAN 192.168.1.1/32 * * * * * NO Auto created rule for HOUSE to WAN
WAN 172.31.32.0/27 * * * * * NO Auto created rule for OpenVPN server
WAN 172.31.32.0/27 * * * * * NO Manual created rule for OVPN to WAN
Yes, looks like you do have 3 entries for your OpenVPN AON. Remove 2 of them, only 1 is necessary.
-
Is manual advanced outbound NAT really necessary? It was automatic before. When I turned it and Avahi on, my internet stopped working (LAN connectivity was still fine). Switching back to automatic and disabling Avahi restored connectivity.
-
I found this post which says the author accomplished exactly what I'm trying to do but unfortunately doesn't go into much detail:
http://quintinsmits.com/2009/09/14/bonjour-mdns-via-openvpn-on-linux-with-avahi-deamon
I tried switching from tun to tap but was still unable to view bonjour services.
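The thread never pins down where the Bonjour traffic is actually being lost, so here is an added troubleshooting probe (written for this page, not code from the thread, pfSense or OpenVPN). It sends the DNS-SD service-enumeration query that a Bonjour browser sends first, to the link-local mDNS group 224.0.0.251:5353, and parses whatever answers come back. Because the query leaves from an ephemeral port rather than 5353, responders reply by unicast (RFC 6762 section 6.7), so the client hears answers without joining the group. Run it on the office LAN and then on the VPN client with the tunnel address as the argument: answers on the LAN but none through the tunnel confirms the sticky's point that a routed tun link does not carry the link-local multicast, which is what an Avahi reflector on the pfSense side works around. The function names, the `probe` helper and the constructed sample response used by the self-check are my own assumptions.

```python
"""mDNS/DNS-SD reachability probe: do .local service browses get answers from here?"""
import socket
import struct
import sys

MDNS_GROUP = "224.0.0.251"          # link-local multicast group: routers do not forward it
MDNS_PORT = 5353
SERVICES_ENUM = "_services._dns-sd._udp.local"  # meta-query listing advertised service types
TYPE_PTR = 12
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted DNS name into wire-format length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_mdns_query(name: str = SERVICES_ENUM) -> bytes:
    """One-question PTR query: ID 0, no flags, QDCOUNT 1 (the form Bonjour browsers send)."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def decode_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end


def parse_mdns_response(data: bytes):
    """Return (owner, rtype, rdata) for every record in an mDNS response; PTR rdata is decoded."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                                # skip any echoed questions
        _, offset = decode_name(data, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        owner, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = decode_name(data, offset)[0] if rtype == TYPE_PTR else data[offset:offset + rdlen].hex()
        offset += rdlen
        records.append((owner, rtype, rdata))
    return records


def sample_response() -> bytes:
    """Constructed reply (not captured traffic): one PTR answer with a compressed name."""
    owner = encode_name(SERVICES_ENUM)                 # starts at offset 12; its "local" label is at 35
    rdata = b"\x0b_afpovertcp\x04_tcp" + struct.pack("!H", 0xC000 | 35)
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    return header + owner + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, len(rdata)) + rdata


def probe(bind_ip: str = "0.0.0.0", timeout: float = 2.0):
    """Send the enumeration query out of bind_ip and collect (source, owner, rtype, rdata) replies."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)   # TTL mDNS expects
    if bind_ip != "0.0.0.0":
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(bind_ip))
    sock.bind((bind_ip, 0))                            # ephemeral port => unicast replies
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_mdns_query(), (MDNS_GROUP, MDNS_PORT))
        while True:
            data, peer = sock.recvfrom(9000)
            found.extend((peer[0],) + rec for rec in parse_mdns_response(data))
    except socket.timeout:
        pass                                           # silence is the result we are measuring
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    source_ip = sys.argv[1] if len(sys.argv) > 1 else "0.0.0.0"
    for src, _owner, _rtype, rdata in probe(source_ip):
        print(f"{src}: {rdata}")
    # No output after the timeout means no responder is reachable from that interface.
```

`python probe.py 172.31.32.2` (the client's tunnel address) is the interesting run: the query is sent out of the tun interface with a link-local destination, and with a routed tunnel there is nothing on the far side to answer it, whereas the same run from the office LAN lists every advertised service type. The parser deliberately handles compressed names, because real Bonjour responders compress aggressively and a naive parser mis-reads them.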