Migration from Monowall to PFSense



  • (Sorry about my English!)

    I was a user of Monowall and I have an OpenVPN tunnel between 2 offices.
    I don't know the config of the server office, but my client OpenVPN config looks like this:

      <if>tap1</if>
      <cport>5001</cport>
      <type>tap</type>
      <proto>udp</proto>
      <sport>1194</sport>
      <ver>2</ver>
      <saddr>xxxxxxxxxxxxx</saddr>
      <descr>VPN</descr>
      <ca_cert>XXX</ca_cert>
      <cli_cert>XXX</cli_cert>
      <cli_key>XXX</cli_key>
      <crypto>BF-CBC</crypto>

    That configuration gives me an IP like 192.168.5.4. My LAN IP is 172.16.1.0/24. This, merged with a static route saying that all that want to go to 192.168.2.0/24 (the other office IPs) passes through 192.168.5.1 (the gateway of the subnet where OpenVPN sends me in), works for me.

    pfSense doesn't create a TAP interface, so I cannot create the route. I cannot ping 192.168.5.1 … I cannot do anything.

    If I see the logs ... I understand that I'm connected:

    Can somebody help me?

    Thanks a lot.

    Sebastián

    Jun 3 20:31:48 openvpn[21383]: Initialization Sequence Completed
    Jun 3 20:31:47 openvpn[21383]: /etc/rc.filter_configure tun0 1500 1541 192.168.5.4 255.255.255.0 init
    Jun 3 20:31:47 openvpn[21383]: /sbin/ifconfig tun0 192.168.5.4 255.255.255.0 mtu 1500 netmask 255.255.255.255 up
    Jun 3 20:31:47 openvpn[21383]: TUN/TAP device /dev/tun0 opened
    Jun 3 20:31:47 openvpn[21383]: WARNING: Since you are using --dev tun, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
    Jun 3 20:31:45 openvpn[21383]: [fwarg] Peer Connection Initiated with 200.80.231.196:1194
    Jun 3 20:31:45 openvpn[21383]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
    Jun 3 20:31:45 openvpn[21383]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1573'
    Jun 3 20:31:45 openvpn[21383]: WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
    Jun 3 20:31:42 openvpn[21383]: UDPv4 link remote: 200.80.231.196:1194
    Jun 3 20:31:42 openvpn[21383]: UDPv4 link local (bound): [undef]:1194
    Jun 3 20:31:42 openvpn[21382]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
    Jun 3 20:31:42 openvpn[21382]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jun 3 20:31:42 openvpn[21382]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Jun 3 20:31:42 openvpn[21382]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Jun 3 20:31:42 openvpn[21382]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
    Jun 3 20:31:40 openvpn[293]: SIGTERM[hard,] received, process exiting
    Jun 3 20:31:40 openvpn[293]: /etc/rc.filter_configure tun0 1500 1541 192.168.5.4 255.255.255.0 init
    Jun 3 20:31:40 openvpn[293]: event_wait : Interrupted system call (code=4)



  • The errors you posted show that one end is using TUN and one TAP - from the openvpn man page:

    You cannot mix them, as they represent different underlying protocols.

    If I understand it correctly, TUN devices are for routing and TAP devices for bridging.  As you want to route then you want to use the TUN device at both ends.
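    As an added illustration (not code from the thread or from pfSense), this small Python checker parses the "is used inconsistently" warnings OpenVPN writes when the two peers' options differ and pulls out the local/remote values, so the tun-vs-tap mismatch above stands out from the harmless MTU ones. It also flags the two other warnings in the posted log that a defender should act on: the unverified server certificate and the world-readable key file. The sample lines are copied from the post; treating only dev-type as a fatal mismatch is this example's own assumption.

```python
import re

# OpenVPN's warning when an option differs between the two peers.
INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)

# Other warnings from the posted log worth acting on (substring -> meaning).
SECURITY_WARNINGS = {
    "No server certificate verification method has been enabled":
        "server certificate is not verified (e.g. no 'ns-cert-type server' in OpenVPN 2.0)",
    "is group or others accessible":
        "private key file permissions are too open",
}

# Assumption for this example: a tun/tap mismatch breaks the tunnel outright,
# whereas differing MTU values only degrade it.
FATAL_OPTIONS = {"dev-type"}


def parse_openvpn_log(lines):
    """Return inconsistent options, which of them are fatal, and security findings."""
    mismatches = {}
    findings = []
    for line in lines:
        m = INCONSISTENT_RE.search(line)
        if m:
            mismatches[m.group("opt")] = (m.group("local"), m.group("remote"))
            continue
        for needle, meaning in SECURITY_WARNINGS.items():
            if needle in line:
                findings.append(meaning)
    fatal = sorted(opt for opt in mismatches if opt in FATAL_OPTIONS)
    return {"mismatches": mismatches, "fatal": fatal, "findings": findings}


# Constructed sample: the warning lines quoted in the first post.
SAMPLE_LOG = [
    "Jun 3 20:31:45 openvpn[21383]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'",
    "Jun 3 20:31:45 openvpn[21383]: WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'",
    "Jun 3 20:31:42 openvpn[21382]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible",
    "Jun 3 20:31:42 openvpn[21382]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.",
]

if __name__ == "__main__":
    report = parse_openvpn_log(SAMPLE_LOG)
    for opt, (local, remote) in report["mismatches"].items():
        tag = "FATAL" if opt in report["fatal"] else "warn"
        print(f"[{tag}] {opt}: local={local!r} remote={remote!r}")
    for finding in report["findings"]:
        print(f"[security] {finding}")
```

    Run against a real pfSense OpenVPN log, the same `dev-type` line is the first thing to look for before touching routes.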



  • OK,

    but it seems that pfSense takes TUN as default.
    Monowall had a combobox to select between TUN or TAP … how can I change this in pfSense?



  • Don't know I'm afraid, I'm still fairly new to pfSense myself :)



