PfSense 2.0.1 - OpenVPN tap/bridging mode issues



  • Hello,

    I've been working for a week now on getting a working OpenVPN remote network in tap/bridging mode. I've read several tutorials/HOWTOs, man pages, forum posts and articles on the pfSense Wiki and in the OpenVPN documentation, but it doesn't work yet.

    I've successfully created my keys and put them into the pfSense box. I've installed the "tap bridging fix" on pfSense. I've created a new OpenVPN server on pfSense, created a bridge device, and I've successfully connected via certs from my client (Ubuntu 11.10) to the router. But I can't reach any machine on the internal network.

    Many times I've read that it's not possible to set up OpenVPN in tap/bridging mode with pfSense version 2.0.1 (known issue?!). But I found a tutorial (http://hardforum.com/showthread.php?t=1663797) where someone said it's possible and working. So which is correct?

    So what is the problem with my config? I hope someone has an idea.

    And finally, here is the log from my client connecting to the router via OpenVPN.

    
    # openvpn --config client.conf --script-security 2
    Wed Apr 18 18:36:49 2012 OpenVPN 2.2.0 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jul  4 2011
    Wed Apr 18 18:36:49 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Wed Apr 18 18:36:49 2012 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Enter Private Key Password:
    Wed Apr 18 18:36:53 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed Apr 18 18:36:53 2012 WARNING: file '/etc/openvpn/ta.key' is group or others accessible
    Wed Apr 18 18:36:53 2012 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
    Wed Apr 18 18:36:53 2012 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Apr 18 18:36:53 2012 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Apr 18 18:36:53 2012 LZO compression initialized
    Wed Apr 18 18:36:53 2012 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Wed Apr 18 18:36:53 2012 Socket Buffers: R=[126976->131072] S=[126976->131072]
    Wed Apr 18 18:36:53 2012 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
    Wed Apr 18 18:36:53 2012 Local Options hash (VER=V4): 'a7133b47'
    Wed Apr 18 18:36:53 2012 Expected Remote Options hash (VER=V4): 'c5677ab3'
    Wed Apr 18 18:36:53 2012 UDPv4 link local: [undef]
    Wed Apr 18 18:36:53 2012 UDPv4 link remote: [AF_INET]9.9.9.9:1194
    Wed Apr 18 18:36:53 2012 TLS: Initial packet from [AF_INET]9.9.9.9:1194, sid=e19da0d4 b45b5daf
    Wed Apr 18 18:36:54 2012 VERIFY OK: depth=1, /C=DE/ST=state/L=City/O=Company/CN=pfsense/emailAddress=admin@domain
    Wed Apr 18 18:36:54 2012 VERIFY OK: depth=0, /C=DE/ST=state/L=City/O=Company/CN=pfsense/emailAddress=admin@domain
    Wed Apr 18 18:36:55 2012 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Apr 18 18:36:55 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Apr 18 18:36:55 2012 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Apr 18 18:36:55 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Apr 18 18:36:55 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Wed Apr 18 18:36:55 2012 [pfsense] Peer Connection Initiated with [AF_INET]9.9.9.9:1194
    Wed Apr 18 18:36:57 2012 SENT CONTROL [pfsense]: 'PUSH_REQUEST' (status=1)
    Wed Apr 18 18:36:57 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,dhcp-option DOMAIN local.domain,dhcp-option DNS 10.0.0.1,redirect-gateway def1,redirect-gateway local def1,ping 10,ping-restart 60'
    Wed Apr 18 18:36:57 2012 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Apr 18 18:36:57 2012 OPTIONS IMPORT: route options modified
    Wed Apr 18 18:36:57 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed Apr 18 18:36:57 2012 ROUTE default_gateway=192.168.9.2
    Wed Apr 18 18:36:57 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    Wed Apr 18 18:36:57 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.0.0.0
    Wed Apr 18 18:36:57 2012 TUN/TAP device tap0 opened
    Wed Apr 18 18:36:57 2012 TUN/TAP TX queue length set to 100
    Wed Apr 18 18:36:57 2012 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
    Wed Apr 18 18:36:57 2012 Initialization Sequence Completed
    
    

    After this, there is no tap device set up on my client.

    Thanks for helping
    Greets
    Christoph


  • Rebel Alliance Developer Netgate

    Can you show your client config file?

    Also from the pfSense side, the output of "ifconfig -a" and perhaps the config from /var/etc/openvpn/ for this server.

    The code is better on 2.1 for tap bridging (though bridging in general is broken there at the moment) but I made the tap fix package to backport most of the good bits. I've installed it several times and had it working.

    Also, if you are not giving DHCP from the OpenVPN instance on pfSense (your server bridge start/end boxes are blank) it will try to get DHCP from the DHCP server on your LAN1 interface. Trying to pass DNS servers and a default domain may be conflicting with that. Either fill in a Server Bridge DHCP Start/End box, or clear out the search domain and DNS server.
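    As an added illustration (not part of either post), a small Python checker that reads an OpenVPN client log like the one in the question and reports the two things worth acting on: the security warnings the client printed, and a pushed "route" with no "ifconfig"/"route-gateway" behind it, which is what the log shows when the tap bridge hands out no address pool. The sample lines are copied from the question's log; the finding names and advice text are this example's own.

    ```python
    import re

    # Constructed sample: lines copied from the client log in the question above.
    SAMPLE_LOG = """\
    Wed Apr 18 18:36:49 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Wed Apr 18 18:36:53 2012 WARNING: file '/etc/openvpn/ta.key' is group or others accessible
    Wed Apr 18 18:36:57 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.0.0.0,dhcp-option DOMAIN local.domain,dhcp-option DNS 10.0.0.1,redirect-gateway def1,redirect-gateway local def1,ping 10,ping-restart 60'
    Wed Apr 18 18:36:57 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    Wed Apr 18 18:36:57 2012 Initialization Sequence Completed
    """

    # Leading "Wed Apr 18 18:36:49 2012 " timestamp that OpenVPN prefixes to every line.
    TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} ")


    def pushed_options(log):
        """Return the options the server pushed in PUSH_REPLY, or [] if none was logged."""
        for line in log.splitlines():
            m = re.search(r"PUSH_REPLY,(.*)'", line)
            if m:
                return m.group(1).split(",")
        return []


    def analyse(log):
        """Map each finding name to a short explanation; an empty dict means nothing to report."""
        findings = {}
        pushed = pushed_options(log)
        # A pushed "route" only works if the client also got an address/gateway for the tap.
        has_gateway = any(o.startswith(("ifconfig ", "route-gateway ")) for o in pushed)
        for raw in log.splitlines():
            line = TIMESTAMP.sub("", raw)
            if "No server certificate verification method" in line:
                findings["no-server-cert-check"] = ("client accepts any certificate signed by the CA; "
                                                    "add 'remote-cert-tls server' to client.conf")
            elif "is group or others accessible" in line:
                findings["key-file-perms"] = "tls-auth key readable by other users; restrict it to 0600"
            elif "needs a gateway parameter for a --route option" in line and not has_gateway:
                findings["route-without-gateway"] = ("server pushed 'route' but no ifconfig/route-gateway; "
                                                     "consistent with an empty Server Bridge DHCP Start/End on pfSense")
        return findings


    if __name__ == "__main__":
        for name, why in analyse(SAMPLE_LOG).items():
            print(f"{name}: {why}")
    ```
    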

