HOW TO: OpenVPN TAP Bridging with LAN
For a few days I've been trying to get TAP to work. I finally found this guide last night, and it most definitely works! Source: http://hardforum.com/showthread.php?t=1663797
The first step is to create our Certificate Authority.
1. Log in to the web admin
2. Go to System --> Cert Manager
3. First thing to do is create a CA
4. Hit the Plus button
5. Give it a descriptive name
6. Next you can either import an existing CA you might have or create a new one. If you have an existing cert, paste it into the box. Otherwise choose Create an Internal Certificate Authority and fill in the information below.
Once that's done we need to create our certificates for the OpenVPN server as well as for any users we want to connect.
1. While still in System --> Cert Manager, click the Certificates tab
The process for creating a cert for the server and for users is almost identical.
2. In the Method drop-down box make sure it says "Create an Internal Cert"
3. Give it a descriptive name. It's a good idea to include the server name or username
4. In the Certificate Authority drop-down choose the CA you just created.
5. In the Certificate Type drop-down specify whether this cert is for the server or a user.
6. Fill out the rest of the info for location
7. Repeat the process for other users, keeping in mind the OpenVPN server (pfSense) must have its own cert as well as any users. Create as many certs as you need based off the original CA created earlier.
It's probably a good idea to create a revocation list. This way you can easily keep people from connecting. To create a revocation list:
1. While still in System --> Cert Manager click the Cert Revocation tab
2. Press the plus button next to the CA you created.
3. Method should be "Create an internal Certificate Revocation List". Give it a name and verify the CA is in the drop-down box.
4. Press save.
5. You'll notice a new line with an edit button. This is where you can revoke or restore certificates for users.
Now we have our certs!
I brought this up on the pfSense forums numerous times when it comes to bridging. Their setup GUI always asked for a tunnel network. There is no tunnel network when using TAP/bridging mode, yet the GUI required you to enter one. This essentially wouldn't allow you to do this through the GUI. Thankfully, after I brought this to their attention (as I'm sure many other people did), they released a package to fix this problem.
To install this package:
1. Go to System ---> Packages
2. Click the Available Packages tab
3. Install the OpenVPN tap Bridging Fix package
Time to set up our OpenVPN instance on pfSense.
1. Go to VPN ---> OpenVPN
2. Make sure you're on the Server tab, and click the + button to add a server.
3. Going down the line:
Disabled: leave unchecked (checking it disables the server)
Server Mode: Remote Access (SSL/TLS)
Protocol: UDP
Device Mode: TAP
Interface: WAN
Local port: 1194 (the default port, but you can choose whatever port you like)
Description: *************
Crypto Settings:
TLS Authentication: check both check boxes
Peer Certificate Authority: use the CA we created earlier
Peer Revoke List: use the revoke list created earlier
Server Certificate: this is where you use the server certificate created earlier, NOT any of the user certs
DH Parameters Length: I have mine set to 1024
Encryption Algorithm: I use AES-128-CBC
Hardware Crypto: I use the BSD Cryptodev engine. I have a beefy processor and I THINK it should take advantage of that
Cert Depth: One
Tunnel Settings:
Tunnel Network: leave blank. There is no tunnel network with bridging
Bridge DHCP: check this box
Bridge Interface: your LAN interface (or whatever interface you want remote clients to be on)
Server DHCP Start/Stop: You can specify an IP range here. However, since it's bridging you can leave it blank; your internal DHCP server will take care of it. I leave them blank. One thing to keep in mind is that a client's IP will not be displayed on the Dashboard widget if you leave the range blank. I'll be bringing this up on the pfSense forums.
Redirect Gateway: SEE NOTE AT THE END
Concurrent Connections: self explanatory
Compression: I check this
TOS: I leave unchecked
Inter-client communication: if you want different remote clients to be able to talk to each other, check this box
Duplicate connections: this will allow different people with the same certs you give them to connect. Not recommended, but I'm sure there are instances where it might be required.
Client Settings:
Dynamic IP: checked
Address Pool: unchecked
DNS Default domain: if you have one, enter it here
DNS Servers: specify up to 4
NTP Server: you can specify up to 2
WINS Server: if you have one
Advanced config is left blank.
Press save, and your OpenVPN server is created.
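As an added example (not from the original guide and not pfSense's own config generator), the following Python maps the server settings just listed to the OpenVPN 2.x directives they correspond to, and rejects the tunnel-network-plus-TAP combination the old GUI demanded. The certificate file names, DNS address, domain and client count are constructed placeholders.

```python
from typing import Any, Dict, List

# The choices made in the how-to above, as a constructed input for this example.
# DNS address, domain and client count are placeholders; cert file names are assumed.
PAGE_SETTINGS: Dict[str, Any] = {
    "dev": "tap", "proto": "udp", "port": 1194, "tunnel_network": "",
    "bridge_dhcp": True, "dhcp_range": None,   # blank Start/Stop: LAN DHCP serves clients
    "tls_auth": True, "dh_bits": 1024, "cipher": "AES-128-CBC", "hw_crypto": "cryptodev",
    "compression": True, "tos": False, "client_to_client": False, "duplicate_cn": False,
    "max_clients": 5, "redirect_gateway": False, "dynamic_ip": True,
    "dns": ["192.0.2.53"], "domain": "lan.example", "ntp": [], "wins": [],
}

def render_server_conf(s: Dict[str, Any]) -> List[str]:
    """Map the GUI fields to OpenVPN 2.x server directives, one per list item."""
    if s["dev"] == "tap" and s.get("tunnel_network"):
        # The conflict the OpenVPN tap Bridging Fix package removed from the GUI.
        raise ValueError("TAP bridging has no tunnel network; leave the field blank")
    out = [f"dev {s['dev']}", f"proto {s['proto']}", f"port {s['port']}",
           "ca ca.crt", "cert server.crt", "key server.key",   # server cert, never a user cert
           f"dh dh{s['dh_bits']}.pem", "crl-verify crl.pem",    # Peer Revoke List
           f"cipher {s['cipher']}"]
    if s["tls_auth"]:
        out.append("tls-auth ta.key 0")       # server side uses key direction 0
    if s["bridge_dhcp"]:
        # Bare server-bridge proxies the LAN DHCP server; a range needs (gw, mask, start, end).
        out.append("server-bridge" if not s["dhcp_range"]
                   else "server-bridge " + " ".join(s["dhcp_range"]))
    if s["hw_crypto"]:
        out.append(f"engine {s['hw_crypto']}")
    for flag, directive in (("compression", "comp-lzo"), ("tos", "passtos"),
                            ("client_to_client", "client-to-client"),
                            ("duplicate_cn", "duplicate-cn"), ("dynamic_ip", "float")):
        if s[flag]:
            out.append(directive)
    out.append(f"max-clients {s['max_clients']}")
    if s["redirect_gateway"]:
        out.append('push "redirect-gateway def1"')
    if s["domain"]:
        out.append(f'push "dhcp-option DOMAIN {s["domain"]}"')
    for opt, key in (("DNS", "dns"), ("NTP", "ntp"), ("WINS", "wins")):
        for addr in s[key]:
            out.append(f'push "dhcp-option {opt} {addr}"')
    return out

if __name__ == "__main__":
    print("\n".join(render_server_conf(PAGE_SETTINGS)))
```

Note that the rendered config has a `server-bridge` line and no `server` line: that is what "Tunnel Network: leave blank" means at the directive level.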
The next thing to do is create a Firewall Rule to allow your OpenVPN traffic to pass.
1. Go to Firewall ---> Rules
2. Click the plus button to add a rule
3. Going down the line:
Action: Pass
Disabled: unchecked
Interface: WAN
Protocol: UDP
Source: any
Destination: WAN Address
Destination Port Range: This is the port of your OpenVPN server
Give it a description
SAVE!
The next thing we have to do is create a bridge. When clients connect to the OpenVPN server they are connecting to the OpenVPN interface. We must bridge that interface with the LAN.
To do this:
1. Go to Interfaces ---> Assign
2. Press the + button to add an interface
3. It will probably show up as OPT1; in the drop-down box choose your OpenVPN instance
4. Go to Interfaces ---> OPT1
5. Enable the interface
6. Give it a better description
7. Leave the rest default.
8. Save
9. While still in Interfaces ---> Assign, click the Bridges tab
10. Press the plus button to create a bridge.
11. Choose the TWO interfaces you want to bridge (your LAN, and the interface we just made for your OpenVPN server) by clicking on them while holding the CTRL button, give it a description and SAVE.
Now we need to get clients connected.
The easiest way is to install the OpenVPN Client Export package. Using the same steps outlined above for installing the TAP fix, install the OpenVPN Client Export package.
Once that is finished we can export the config files used by clients.
1. Go back to VPN ---> OpenVPN
2. Click the Client Export tab
3. If you did everything correctly you should see export options for the server and for any user you created.
4. Choose your OpenVPN server in Remote Access Server
5. You can choose to export the config using your WAN IP or a DynDNS hostname if you have that set up
6. Leave everything else default
7. Choose the user you want to export and choose the Configuration Archive.
The next steps are done on the remote PCs.
1. Download OpenVPN: http://swupdate.openvpn.org/communit....2-install.exe
2. Install OpenVPN
3. Navigate to where you just installed OpenVPN. In that folder should be a config folder.
4. The contents of the config archive we just downloaded go in this folder.
5. Load up the OpenVPN GUI
6. It will place an icon in the System Tray
7. Right-click the icon and choose Connect.
8. DONE!
Hope this helps.