OpenVPN Bridging config - How To



  • Hi all,

    After scouring the forum and gathering bits and pieces of info on how to get OpenVPN bridging working with 2.0 RC3, I thought I would share my config with those who are struggling to implement a similar setup. First we'll go through the site-to-site OpenVPN bridge, then the road-warrior setup. Note this is shared key, nothing fancy, as this was all done for a home environment.

    Site-to-site bridge:

    Both LAN segments are the same private IP range (in this case 192.168.7.0/24)

    Firewall1 - site1 (server) : 192.168.7.254/24
    Firewall2 - site2 (client)  : 192.168.7.1/24

    Let's start by configuring OpenVPN

    Firewall1:

    Server Mode: Peer to Peer (Shared Key)
    Protocol: UDP
    Device Mode: Tap
    Interface: WAN (or your configured external interface)
    Local Port: 1194
    Shared Key: I let it auto-generate... you can paste your own if you like (if you let it auto-generate, copy it, as we will need to input it on Firewall2)
    Encryption: I left it at the default AES-128-CBC; again, you can change it to suit your environment
    Tunnel Network: choose something NOT in use here; I stuck with the default 10.0.8.0/29 (I made it a /29 as you don't need many IPs for the bridge).

    SAVE (you don't need anything under advanced/remote network etc.... just the above)

    Go to Interfaces > assign > click the + symbol to add an interface and choose the 'ovpns1' from the drop down (this is the openvpn tap interface for the openvpn server we just setup)
    Now go to Interface > OPT1 (or whatever NEW interface it appears as) > check the box for 'enable this interface' > rename to OVPN (for simplicity)
    Now Interfaces > assign > bridges > hit the + > add LAN and OVPN to BRIDGE0

    Navigate to Firewall > Rules
    Create a new rule under WAN Action 'pass' > Interface WAN > protocol UDP > src:any > dst:any > dest port range: OpenVPN (1194)
    Create a rule under OpenVPN to allow ALL traffic: proto * src * dest *
    Create a rule under OVPN to allow ALL traffic: proto * src * dest *
    Create a rule under OVPN to DENY traffic: proto udp src * dest * port 67-68        (this is to deny DHCP from coming from the other side of the bridge)

    Now, in my troubleshooting I had to edit the server conf file (/var/etc/openvpn/server1.conf; use Diagnostics > Edit File > browse to find it) and change the 'ifconfig' option, because it would write it as 'ifconfig 10.0.8.1 10.0.8.2' when instead it should have been 'ifconfig 10.0.8.1 255.255.255.248'. I have since seen it appear to work with this step, but it doesn't hurt (and it cleans up the logs).

    SAVE

    Firewall1 should be all set; let's move on to Firewall2

    This is almost the same config > navigate to OpenVPN > 'Client'

    Server Mode: Peer to Peer: Shared Key
    Protocol: UDP
    Device Mode: tap
    Interface: WAN
    Server Host or address: input the public IP of Firewall1 here
    Server port: 1194
    Shared key: paste key here from Firewall1
    Encryption: match it with Firewall1 in my case AES-128-CBC
    Tunnel Network: 10.0.8.0/29 (same as on Firewall1)

    SAVE

    Edit the client config file /var/etc/openvpn/client1.conf and change the ifconfig to:
    ifconfig 10.0.8.2 255.255.255.248

    SAVE

    Go to Interfaces > assign > click the + symbol to add an interface and choose the 'ovpnc1' from the drop down (this is the openvpn tap interface for the openvpn client we just setup)
    Now go to Interface > OPT1 (or whatever NEW interface it appears as) > check the box for 'enable this interface' > rename to OVPN (for simplicity)
    Now Interfaces > assign > bridges > hit the + > add LAN and OVPN to BRIDGE0

    Navigate to Firewall > Rules
    Create a new rule under WAN Action 'pass' > Interface WAN > protocol UDP > src:any > dst:any > dest port range: OpenVPN (1194)  (I don't think you need this on the client side, but I did it just to be safe)
    Create a rule under OpenVPN to allow ALL traffic: proto * src * dest *
    Create a rule under OVPN to allow ALL traffic: proto * src * dest *
    Create a rule under OVPN to DENY traffic: proto udp src * dest * port 67-68        (this is to deny DHCP from coming from the other side of the bridge)

    At this point you should be able to ping resources across the bridge!

    Below are my server1.conf and client1.conf respectively, in case you would like to reference them (public IPs masked):

    dev ovpns1
    dev-type tap
    dev-node /dev/tap1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 11.x.x.x
    ifconfig 10.0.8.1 255.255.255.248
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    secret /var/etc/openvpn/server1.secret

    and client

    dev ovpnc1
    dev-type tap
    dev-node /dev/tap1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 24.x.x.x
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote 11.x.x.x 1194
    ifconfig 10.0.8.2 255.255.255.248
    secret /var/etc/openvpn/client1.secret

    I'll get my road-warrior setup up here as well. This is probably a pain to read, but hopefully it helps someone.



  • Worked for me too, thanks!



  • Hi.

    Can I use this for VoIP phones? In this case, I would want the phones on the client side to use DHCP across the bridge. Is DHCP OK for this?



  • Couple of comments:

    - When you create a server or client config on either end of the site and you choose the first checkbox that says "disable this client" as you're creating it, then when you go to add the first OPT interface, ovpnc1 won't be listed in the drop-down. The first time you actually run the service itself, via the server/client conf, seems to be when the interface gets created. So do a quick run to officially set up the interface, then enable it. (I disabled the OpenVPN server/client, added the interface properly, then restarted the server/client.)
        -- Not sure if it matters overall.

    - I did a routed setup instead of requiring both ends to be on the same subnet. To do this I filled in the "Remote Network" option under "Tunnel Settings". This is the subnet of the remote network that you want to talk with once the OpenVPN connection is established.
        - With this setup, I didn't need to change the confs manually; the ifconfig command that it runs worked fine. I just needed to set the "Tunnel Network" under "Tunnel Settings" exactly the same on both sides (server and client). In my case I used 10.2.5.0/24 on both ends.

    - Also, I am not sure if by default pfSense and OpenVPN set the "user nobody" and "group nobody" options.
      -- Under "Advanced Configuration" on both the server and client, I added this line:

    user nobody;group nobody

    Both the server and client can talk to each other, no problem. And I can ping hosts on either side from the server and client routers. Clients can also ping each other on either side of the VPN.

    Both sides of my VPN have static public IPs also... to avoid issues with PPPoE, DHCP, and other dumb problems I've seen in the past with certain ISPs.
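    Two points recur in this thread: the tap-mode 'ifconfig' line that the first post edits by hand (tap wants "ifconfig <local-ip> <netmask>", while the generated file carries the tun-style "<local-ip> <remote-ip>" form), and the 'user nobody' / 'group nobody' privilege drop added in the comment above, which the generated confs in the first post ship commented out. The POSIX sh below is an added example written for this page, not code from the thread or from pfSense. The function names, the audit rules and the sample config it writes to a temp file are this example's own construction; it assumes the tunnel network is passed as a CIDR such as 10.0.8.0/29, and that pfSense writes the "user nobody;group nobody" custom option as two separate lines.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): check and fix a
# generated OpenVPN conf for the two points raised in this thread.
# Function names and audit rules are this example's own.

# prefix_to_mask <0-32>: print the dotted-quad netmask for a prefix length
prefix_to_mask() {
    p=$1
    { [ "$p" -ge 0 ] && [ "$p" -le 32 ]; } 2>/dev/null || return 1
    # 32-bit mask with the top p bits set (shell arithmetic is 64-bit)
    m=$(( (4294967295 << (32 - p)) & 4294967295 ))
    printf '%d.%d.%d.%d\n' \
        $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 ))  $(( m & 255 ))
}

# tap_fix_ifconfig <conf> <tunnel-cidr>: rewrite "ifconfig A B" to
# "ifconfig A <netmask>" in place. Only touches files declaring "dev-type tap";
# a tun config keeps its point-to-point form and the function returns 1.
tap_fix_ifconfig() {
    conf=$1 prefix=${2#*/}
    grep -q '^dev-type tap$' "$conf" || return 1
    mask=$(prefix_to_mask "$prefix") || return 1
    ip=$(awk '$1=="ifconfig"{print $2; exit}' "$conf")
    [ -n "$ip" ] || return 1
    # keep every other line untouched, replace only the ifconfig directive
    awk -v ip="$ip" -v mask="$mask" \
        '$1=="ifconfig"{print "ifconfig " ip " " mask; next} {print}' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# ovpn_audit <conf> <tunnel-cidr>: print one FINDING per line and return the
# number of findings as the exit status, so 0 means the file passed.
ovpn_audit() {
    conf=$1 cidr=$2 n=0
    # 1. privilege drop: the generated files ship '#user nobody' commented out,
    #    so the daemon keeps root for its whole lifetime unless this is active
    for d in user group; do
        grep -q "^$d " "$conf" || { echo "FINDING: no active '$d' directive in $conf"; n=$((n+1)); }
    done
    # 2. after dropping to nobody the daemon cannot reopen the key file or the
    #    tap device on a restart, so persist-key/persist-tun must be present
    for d in persist-key persist-tun; do
        grep -q "^$d\$" "$conf" || { echo "FINDING: missing '$d'"; n=$((n+1)); }
    done
    # 3. tap bridge: the second ifconfig argument must be the tunnel netmask
    if grep -q '^dev-type tap$' "$conf"; then
        want=$(prefix_to_mask "${cidr#*/}")
        got=$(awk '$1=="ifconfig"{print $3; exit}' "$conf")
        [ "$got" = "$want" ] || { echo "FINDING: tap ifconfig uses '$got', expected netmask $want"; n=$((n+1)); }
    fi
    return $n
}

# Constructed sample resembling the server1.conf shown in the first post
f=$(mktemp)
cat > "$f" <<'EOF'
dev ovpns1
dev-type tap
#user nobody
#group nobody
persist-tun
persist-key
proto udp
cipher AES-128-CBC
ifconfig 10.0.8.1 10.0.8.2
lport 1194
EOF
ovpn_audit "$f" 10.0.8.0/29 || echo "-> $? finding(s) before fixing"
tap_fix_ifconfig "$f" 10.0.8.0/29
# assumed: pfSense splits "user nobody;group nobody" into these two lines
printf 'user nobody\ngroup nobody\n' >> "$f"
ovpn_audit "$f" 10.0.8.0/29 && echo "-> clean"
rm -f "$f"
```

    Running it from a pfSense shell against /var/etc/openvpn/server1.conf reports three findings for a freshly generated tap config (no active user, no active group, point-to-point ifconfig) and none after the rewrite and the custom options are in place. The netmask check is deliberately limited to files that declare dev-type tap, because the "ifconfig A B" form is correct for tun; a blanket rewrite would break a routed setup like the one described in this comment.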



  • Hey,

    New to pfSense. Trying to get bridging between 2 locations to work as described in the 1st post. The actual connection is made and running. I can ping between the 2 tunnel IPs (10.0.8.1 <=> 10.0.8.2) from the VPN interface, but that's about it. I cannot ping between the 2 LAN networks, which are on the same subnet.

    My server & client .confs look exactly like the 1st post (except the live IPs, of course). Using the exact same latest-updated 2.0 x64 pfSense versions on both servers.

    It's like there is no route from the VPN tunnel to the LAN. The only thing I have noticed is that on rebooting, I have to go back in and edit the .conf files, because they change the ifconfig back to 10.0.8.1 10.0.8.2 from where I changed it to 10.0.8.1 255.255.255.248. I did save the file after making the changes.

    Both pfSense boxes are fresh installs (3 times) with nothing else running on them.  Each location is independently otherwise working as expected.

    I didn't want to jump in and just start adding routes and fiddling with it; not enough experience with pfSense anyway.

    Any help would be appreciated…

    Kevin



  • My only thought is the firewall? Check the firewall status logs for blocks of any kind.

    Personally, I like the routed setup.  :)

    You don't need to worry about the interface(s) changing after reboot.

    @profkp:



  • Hi there,

    Good work... thanks to nooblet for sharing the tutorial with us.

    But I get a problem accessing Zynga Poker on FB on both sides (firewall 1 and 2) while the VPN is enabled; if I disable it, it's OK...

    Please help... ???



  • Kambing…

    So is it just Zynga Poker? (That's weird...)

    With the VPN enabled... it shouldn't affect traffic to the web from either location.  Web traffic should pass through the local router for a client.

    @kambing:



  • Can I trouble you to post your roadwarrior config? I need to get this done for a client and I am struggling with it.

    EDIT:

    Got it working; here is my road-warrior conf. Note I used TLS/SSL instead of Shared Key.

    I also didn't specify a network for clients under OpenVPN server setting as I wanted them to get an address on the local network. I also left out the one deny rule for this same reason.

    dev tap
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    tls-client
    client
    resolve-retry interface
    remote x.x.x.x 1194
    tls-remote xxxxxxxx
    auth-user-pass
    pkcs12 xxxxxxxx.p12
    tls-auth xxxxxxx.key 1


  • Ya, it's true. What I do... enable squid, all firewall rules open on LAN (default) :P

    @wm408:



  • @nooblet:

    Now, in my troubleshooting I had to edit the server conf file (/var/etc/openvpn/server1.conf; use Diagnostics > Edit File > browse to find it) and change the 'ifconfig' option, because it would write it as 'ifconfig 10.0.8.1 10.0.8.2' when instead it should have been 'ifconfig 10.0.8.1 255.255.255.248'. I have since seen it appear to work with this step, but it doesn't hurt (and it cleans up the logs).

    SAVE

    I don't want to edit the file every time I open and save the OpenVPN config, so I made a little change in a PHP file for pfSense version 2.0.1:

    1. On the console, enter 8 - Shell
    2. Invoke the editor to edit the file /etc/inc/openvpn.inc with the command
    ee /etc/inc/openvpn.inc
    3. Go to line 405
    4. Replace line 405

        $conf .= "ifconfig $ip1 $ip2\n";

    with these 4 lines

        if ($settings['dev_mode'] != "tap")
            $conf .= "ifconfig $ip1 $ip2\n";
        else
            $conf .= "ifconfig $ip1 $mask\n";

    5. Go to line 527
    6. Replace line 527

        $conf .= "ifconfig $ip2 $ip1\n";

    with these 4 lines

        if ($settings['dev_mode'] != "tap")
            $conf .= "ifconfig $ip2 $ip1\n";
        else
            $conf .= "ifconfig $ip2 $mask\n";

    That's ALL!

    Now the OpenVPN config will contain the correct line for the ifconfig command.

