Netgate Discussion Forum
    OpenVPN Bridging config - How To

    Category: OpenVPN
    11 Posts 8 Posters 32.0k Views

    nooblet

      Hi all,

      After scouring the forum and gathering bits and pieces of info on how to get OpenVPN bridging working with 2.0 RC3, I thought I would share my config with those who are struggling to implement a similar setup. First we'll go through the site-to-site OpenVPN bridge, secondly road-warrior. Note this is shared key, nothing fancy, as this was all done for a home environment.

      Site-to-site bridge:

      Both LAN segments are the same private IP range (in this case 192.168.7.0/24)

      Firewall1 - site1 (server) : 192.168.7.254/24
      Firewall2 - site2 (client)  : 192.168.7.1/24

      Let's start by configuring OpenVPN.

      Firewall1:

      Server Mode: Peer to Peer (Shared Key)
      Protocol: UDP
      Device Mode: Tap
      Interface: WAN (or your configured external interface)
      Local Port: 1194
      Shared Key: I let it auto-generate… you can paste your own if you like (if you let it auto-generate, copy it, as we will need to input it on Firewall2)
      Encryption: I left it at the default AES-128-CBC; again, you can change this to suit your environment
      Tunnel Network: choose something NOT in use here; I stuck with the default 10.0.8.0/29 (I made it a /29 as you don't need many IPs for the bridge).

      SAVE (you don't need anything under Advanced / Remote Network etc.... just the above)

      Go to Interfaces > Assign > click the + symbol to add an interface and choose 'ovpns1' from the drop-down (this is the OpenVPN tap interface for the OpenVPN server we just set up)
      Now go to Interfaces > OPT1 (or whatever the NEW interface appears as) > check the box for 'Enable this interface' > rename it to OVPN (for simplicity)
      Now Interfaces > Assign > Bridges > hit the + > add LAN and OVPN to BRIDGE0

      Navigate to Firewall > Rules
      Create a new rule under WAN: Action 'pass' > Interface WAN > protocol UDP > src: any > dst: any > dest port range: OpenVPN (1194)
      Create a rule under OpenVPN to allow ALL traffic: proto * src * dest *
      Create a rule under OVPN to allow ALL traffic: proto * src * dest *
      Create a rule under OVPN to DENY traffic: proto udp src * dest * port 67-68 (this is to deny DHCP from coming from the other side of the bridge)

      Now, in my troubleshooting I had to edit the server conf file (/var/etc/openvpn/server1.conf; use Diagnostics > Edit File > browse to find it) and change the 'ifconfig' option,
      because it would input it as ifconfig 10.0.8.1 10.0.8.2 when instead it should have been ifconfig 10.0.8.1 255.255.255.248. I have since seen it appear to work with this step, but it doesn't hurt (and it cleans up the logs).

      SAVE

      Firewall1 should be all set; let's move on to Firewall2.

      This is almost the same config. Navigate to OpenVPN > 'Client':

      Server Mode: Peer to Peer: Shared Key
      Protocol: UDP
      Device Mode: tap
      Interface: WAN
      Server Host or address: input the public IP of Firewall1 here
      Server port: 1194
      Shared key: paste key here from Firewall1
      Encryption: match it with Firewall1 in my case AES-128-CBC
      Tunnel Network: 10.0.8.0/29 (same as on Firewall1)

      SAVE

      Edit the client config file /var/etc/openvpn/client1.conf and change the ifconfig line to:
      ifconfig 10.0.8.2 255.255.255.248

      SAVE

      Go to Interfaces > Assign > click the + symbol to add an interface and choose 'ovpnc1' from the drop-down (this is the OpenVPN tap interface for the OpenVPN client we just set up)
      Now go to Interfaces > OPT1 (or whatever the NEW interface appears as) > check the box for 'Enable this interface' > rename it to OVPN (for simplicity)
      Now Interfaces > Assign > Bridges > hit the + > add LAN and OVPN to BRIDGE0

      Navigate to Firewall > Rules
      Create a new rule under WAN: Action 'pass' > Interface WAN > protocol UDP > src: any > dst: any > dest port range: OpenVPN (1194) (I don't think you need this on the client side, but I did it just to be safe)
      Create a rule under OpenVPN to allow ALL traffic: proto * src * dest *
      Create a rule under OVPN to allow ALL traffic: proto * src * dest *
      Create a rule under OVPN to DENY traffic: proto udp src * dest * port 67-68 (this is to deny DHCP from coming from the other side of the bridge)

      At this point you should be able to ping resources across the bridge!

      Below are my server1.conf and client1.conf respectively, in case you would like to reference them (public IPs masked):

      dev ovpns1
      dev-type tap
      dev-node /dev/tap1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 11.x.x.x
      ifconfig 10.0.8.1 255.255.255.248
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      secret /var/etc/openvpn/server1.secret

      and client

      dev ovpnc1
      dev-type tap
      dev-node /dev/tap1
      writepid /var/run/openvpn_client1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 24.x.x.x
      lport 0
      management /var/etc/openvpn/client1.sock unix
      remote 11.x.x.x 1194
      ifconfig 10.0.8.2 255.255.255.248
      secret /var/etc/openvpn/client1.secret

      I'll get my road-warrior setup up here as well. This is probably a pain to read, but hopefully it helps someone.

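To check a pair of configs like the ones above without reading both files by hand, here is an added Python example (not code from this post or from pfSense). It parses two constructed configs modelled on the server1.conf / client1.conf above, with the public IPs replaced by documentation addresses, and reports the mismatches that typically keep a bridge from passing LAN traffic even when the tunnel itself comes up: cipher/proto/dev-type differences, a client 'remote' that does not match the server's 'local'/'lport', a tap device whose ifconfig still uses the tun peer form (the exact thing the hand edit above fixes), and endpoints that end up in different subnets.

```python
"""Cross-check a pfSense-generated OpenVPN shared-key tap bridge pair.

Added example, not code from the original post or from pfSense. The configs
below are constructed to mirror the thread's server1.conf / client1.conf, with
the public IPs replaced by documentation addresses (192.0.2.10, 198.51.100.20)
and only the options the checks look at.
"""
import ipaddress

SERVER_CONF = """\
dev ovpns1
dev-type tap
proto udp
cipher AES-128-CBC
local 192.0.2.10
ifconfig 10.0.8.1 255.255.255.248
lport 1194
secret /var/etc/openvpn/server1.secret
"""

# Client as pfSense 2.0 wrote it: tun-style 'ifconfig <local> <peer>' on a tap device
CLIENT_CONF_GENERATED = """\
dev ovpnc1
dev-type tap
proto udp
cipher AES-128-CBC
local 198.51.100.20
lport 0
remote 192.0.2.10 1194
ifconfig 10.0.8.2 10.0.8.1
secret /var/etc/openvpn/client1.secret
"""

# The same client after the hand edit the post describes
CLIENT_CONF_FIXED = CLIENT_CONF_GENERATED.replace(
    "ifconfig 10.0.8.2 10.0.8.1", "ifconfig 10.0.8.2 255.255.255.248")


def parse(conf: str) -> dict:
    """Map each 'option arg...' line to {option: [args]}; comments and blanks skipped."""
    out = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            out[key] = args
    return out


def is_netmask(text: str) -> bool:
    """True for a dotted mask with contiguous leading ones (255.255.255.248), False for a host address."""
    try:
        bits = int(ipaddress.IPv4Address(text))
    except ipaddress.AddressValueError:
        return False
    inverted = ~bits & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def check_pair(server: dict, client: dict) -> list:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    for opt in ("dev-type", "proto", "cipher"):
        if server.get(opt) != client.get(opt):
            findings.append(f"{opt} mismatch: server={server.get(opt)} client={client.get(opt)}")
    if ("secret" in server) != ("secret" in client):
        findings.append("one side has a static 'secret' and the other does not")
    remote = client.get("remote", [])
    if remote[:1] != server.get("local") or remote[1:2] != server.get("lport"):
        findings.append(f"client 'remote {' '.join(remote)}' does not match server local/lport")
    nets = {}
    for name, cfg in (("server", server), ("client", client)):
        ifc = cfg.get("ifconfig", [])
        if len(ifc) != 2:
            findings.append(f"{name}: ifconfig needs two arguments, got {ifc}")
            continue
        if cfg.get("dev-type") == ["tap"]:
            if is_netmask(ifc[1]):
                # tap: second argument is the mask, so both ends must land in one subnet
                nets[name] = ipaddress.IPv4Network(f"{ifc[0]}/{ifc[1]}", strict=False)
            else:
                findings.append(f"{name}: tap device but 'ifconfig {ifc[0]} {ifc[1]}' uses the tun "
                                "peer form; second argument must be a netmask")
    if len(nets) == 2 and nets["server"] != nets["client"]:
        findings.append(f"tunnel endpoints in different subnets: {nets['server']} vs {nets['client']}")
    return findings


if __name__ == "__main__":
    for label, text in (("generated", CLIENT_CONF_GENERATED), ("fixed", CLIENT_CONF_FIXED)):
        print(label, check_pair(parse(SERVER_CONF), parse(text)) or "OK")
```

Run as a script it flags the generated client and passes the hand-edited one; to check a live pair, feed parse() the contents of the two /var/etc/openvpn/*.conf files. A clean result only covers OpenVPN's own options: the bridge membership and the firewall rules on the OVPN interface are outside what it can see.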
      nydiow

        Worked for me too, thanks!

        jits

          Hi.

          Can I use this for VoIP phones? In this case, I would want the phones on the client side to use DHCP across the bridge. Is DHCP okay for this?

          wm408

            Couple of comments:

            - When you create a server or client config on either end of the site, and you choose the first checkbox that says "disable this client" as you're creating it… when you go to add the first OPT interface, ovpnc1 won't be listed in the drop-down. The first time you actually run the service itself, via the server/client conf... this seems to be when the interface gets created. So do a quick run to officially set the interface, and enable it. (I disabled the OpenVPN server/client, added the interface properly, then restarted the server/client.)
                - Not sure if it matters overall.

            - I did a routed setup instead of requiring both ends to be on the same subnet. To do this I filled in the "Remote Network" option under "Tunnel Settings". This is the subnet of the remote network that you want to talk with once the OpenVPN connection is established.
                - With this setup, I didn't need to change the confs manually; the ifconfig command that it runs worked fine. I just needed to set the "Tunnel Network" under "Tunnel Settings" exactly the same on both sides (server and client). In my case I used 10.2.5.0/24 on both ends.

            - Also, I am not sure if by default pfSense and OpenVPN set the "user nobody" and "group nobody" options.
                - Under "Advanced Configuration" on both the server and client, I added this line:

            user nobody;group nobody

            Both the server and client can talk to each other, no problem. And I can ping hosts on either side from the server and client routers. Clients can also ping each other on either side of the VPN.

            Both sides of my VPN have static public IPs also... to avoid issues with PPPoE, DHCP, and other dumb problems I've seen in the past with certain ISPs.

            profkp

              Hey,

              New to pfSense. Trying to get bridging between 2 locations to work as described in the 1st post. The actual connection is made and running. I can ping between the 2 tunnel IPs (10.0.8.1 <=> 10.0.8.2) from the VPN interface, but that's about it. I cannot ping between the 2 LAN networks, which are on the same subnet.

              My server & client .confs look exactly like the 1st post (except the live IPs, of course). Using the exact same latest-updated 2.0 x64 pfSense version on both servers.

              It's like there is no route from the VPN tunnel to the LAN. The only thing I have noticed is that on rebooting, I have to go back in and edit the .conf files because they change the
              ifconfig back to 10.0.8.1 10.0.8.2 from where I changed it to 10.0.8.1 255.255.255.248. I did save the file after making the changes.

              Both pfSense boxes are fresh installs (3 times) with nothing else running on them. Each location is independently otherwise working as expected.

              I didn't want to jump in and just start adding routes, fiddling with it; not enough experience with pfSense anyway.

              Any help would be appreciated…

              Kevin

              wm408

                My only thought is the firewall? Check the firewall status logs for blocks of any kind.

                Personally, I like the routed setup.  :)

                You don't need to worry about the interface(s) changing after reboot.

                (replying to @profkp above)

                kambing

                  Hi there,

                  Good work… thanks to nooblet for sharing the tutorial with us.

                  But I get a problem accessing Zynga Poker on FB on both sides (Firewall 1 and 2) while the VPN is enabled; if I disable it, it's OK...

                  Please help... ???

                  wm408

                    Kambing…

                    So is it just Zynga Poker? (That's weird...)

                    With the VPN enabled, it shouldn't affect traffic to the web from either location. Web traffic should pass through the local router for a client.

                    (replying to @kambing above)

                    Ximerian

                      Can I trouble you to post your road-warrior config? I need to get this done for a client and I am struggling with it.

                      EDIT:

                      Got it working; here is my road-warrior conf. Note I used TLS/SSL instead of Shared Key.

                      I also didn't specify a network for clients under the OpenVPN server settings, as I wanted them to get an address on the local network. I also left out the one deny rule for this same reason.

                      
                      dev tap
                      persist-tun
                      persist-key
                      proto udp
                      cipher AES-128-CBC
                      tls-client
                      client
                      resolve-retry interface
                      remote x.x.x.x 1194
                      tls-remote xxxxxxxx
                      auth-user-pass
                      pkcs12 xxxxxxxx.p12
                      tls-auth xxxxxxx.key 1
                      
                      
                        kambing

                          Yes, it's true. What I did… enabled Squid, all firewall rules open on LAN (default) :P

                          (replying to @wm408 above)

                          vicpryl

                          @nooblet:

                          Now, in my troubleshooting I had to edit the server conf file (/var/etc/openvpn/server1.conf; use Diagnostics > Edit File > browse to find it) and change the 'ifconfig' option,
                          because it would input it as ifconfig 10.0.8.1 10.0.8.2 when instead it should have been ifconfig 10.0.8.1 255.255.255.248. I have since seen it appear to work with this step, but it doesn't hurt (and it cleans up the logs).

                          SAVE

                          I don't want to edit the file every time I open and save the OpenVPN config, so I made a little change in a PHP file for pfSense version 2.0.1:

                          1. On the console, enter 8 - Shell
                          2. Invoke the editor to edit the file /etc/inc/openvpn.inc with the command
                             ee /etc/inc/openvpn.inc
                          3. Go to line 405
                          4. Replace line 405

                                  $conf .= "ifconfig $ip1 $ip2\n";

                          with these 4 lines

                                  if ($settings['dev_mode'] != "tap")
                                          $conf .= "ifconfig $ip1 $ip2\n";
                                  else
                                          $conf .= "ifconfig $ip1 $mask\n";

                          5. Go to line 527
                          6. Replace line 527

                                  $conf .= "ifconfig $ip2 $ip1\n";

                          with these 4 lines

                                  if ($settings['dev_mode'] != "tap")
                                          $conf .= "ifconfig $ip2 $ip1\n";
                                  else
                                          $conf .= "ifconfig $ip2 $mask\n";

                          That's all!

                          Now the OpenVPN config will have the correct line for the ifconfig command.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.