Migration from Monowall to PFSense
-
(Sorry about my English!)
I was a user of Monowall and I have an OpenVPN tunnel between 2 offices.
I don't know the config of the server office, but my client OpenVPN config looks like this:

<if>tap1</if>
<cport>5001</cport>
<type>tap</type>
<proto>udp</proto>
<sport>1194</sport>
<ver>2</ver>
<saddr>xxxxxxxxxxxxx</saddr>
<descr>VPN</descr>
<ca_cert>XXX</ca_cert>
<cli_cert>XXX</cli_cert>
<cli_key>XXX</cli_key>
<crypto>BF-CBC</crypto>

That configuration gives me an IP like 192.168.5.4. My LAN IP is 172.16.1.0/24. This, merged with a static route saying that everything that wants to go to 192.168.2.0/24 (the other office's IPs) passes through 192.168.5.1 (the gateway of the subnet where OpenVPN puts me), works for me.
pfSense doesn't create a TAP interface, so I cannot create the route. I cannot ping 192.168.5.1 … I cannot do anything.
If I look at the logs ... I understand that I'm connected:
Can somebody help me?
Thanks a lot.
Sebastián
Jun 3 20:31:48 openvpn[21383]: Initialization Sequence Completed
Jun 3 20:31:47 openvpn[21383]: /etc/rc.filter_configure tun0 1500 1541 192.168.5.4 255.255.255.0 init
Jun 3 20:31:47 openvpn[21383]: /sbin/ifconfig tun0 192.168.5.4 255.255.255.0 mtu 1500 netmask 255.255.255.255 up
Jun 3 20:31:47 openvpn[21383]: TUN/TAP device /dev/tun0 opened
Jun 3 20:31:47 openvpn[21383]: WARNING: Since you are using --dev tun, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
Jun 3 20:31:45 openvpn[21383]: [fwarg] Peer Connection Initiated with 200.80.231.196:1194
Jun 3 20:31:45 openvpn[21383]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Jun 3 20:31:45 openvpn[21383]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1573'
Jun 3 20:31:45 openvpn[21383]: WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Jun 3 20:31:42 openvpn[21383]: UDPv4 link remote: 200.80.231.196:1194
Jun 3 20:31:42 openvpn[21383]: UDPv4 link local (bound): [undef]:1194
Jun 3 20:31:42 openvpn[21382]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
Jun 3 20:31:42 openvpn[21382]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 3 20:31:42 openvpn[21382]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
Jun 3 20:31:42 openvpn[21382]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Jun 3 20:31:42 openvpn[21382]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
Jun 3 20:31:40 openvpn[293]: SIGTERM[hard,] received, process exiting
Jun 3 20:31:40 openvpn[293]: /etc/rc.filter_configure tun0 1500 1541 192.168.5.4 255.255.255.0 init
Jun 3 20:31:40 openvpn[293]: event_wait : Interrupted system call (code=4)
-
The errors you posted show that one end is using TUN and the other TAP. From the OpenVPN man page:
You cannot mix them, as they represent different underlying protocols.
If I understand it correctly, TUN devices are for routing and TAP devices for bridging. As you want to route, you want to use the TUN device at both ends.
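As an added example (not code from this thread or from pfSense/OpenVPN), here is a small Python checker that reads OpenVPN client log lines like the ones posted above and separates the one fatal mismatch (dev-type, i.e. TUN on one side and TAP on the other) from the warnings that only degrade or weaken the tunnel (MTU disagreement, no server certificate verification, world-readable key file). The sample lines are copied from the first post's log; the function names and the severity labels are my own choices.

```python
import re

# Sample OpenVPN client log lines, taken from the log posted in the thread
# (a constructed subset for this example; timestamps and pids are as posted).
SAMPLE_LOG = """\
Jun 3 20:31:48 openvpn[21383]: Initialization Sequence Completed
Jun 3 20:31:45 openvpn[21383]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Jun 3 20:31:45 openvpn[21383]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1573'
Jun 3 20:31:45 openvpn[21383]: WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
Jun 3 20:31:42 openvpn[21382]: WARNING: file '/var/etc/openvpn_client0.key' is group or others accessible
Jun 3 20:31:42 openvpn[21382]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
"""

# OpenVPN prints one line per option that the two peers negotiated differently:
#   WARNING: 'opt' is used inconsistently, local='opt X', remote='opt Y'
MISMATCH_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P=opt) (?P<local>[^']*)', remote='(?P=opt) (?P<remote>[^']*)'"
)
KEYPERM_RE = re.compile(r"WARNING: file '(?P<path>[^']+)' is group or others accessible")
NO_VERIFY = "No server certificate verification method has been enabled"


def parse_mismatches(log_text):
    """Return {option: (local_value, remote_value)} for every mismatch warning."""
    found = {}
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            found[m.group("opt")] = (m.group("local"), m.group("remote"))
    return found


def diagnose(log_text):
    """Summarise a client log: did it connect, and what is wrong with the session?

    'Initialization Sequence Completed' only means the control channel came up;
    a dev-type mismatch still means no usable traffic will pass, which is the
    situation described in the thread.
    """
    mismatches = parse_mismatches(log_text)
    findings = []

    if "dev-type" in mismatches:
        local, remote = mismatches["dev-type"]
        findings.append(
            f"FATAL: this side uses --dev {local} but the server uses --dev {remote}; "
            f"both ends must use the same device type"
        )
    for opt in ("tun-mtu", "link-mtu"):
        if opt in mismatches:
            local, remote = mismatches[opt]
            findings.append(
                f"WARN: {opt} differs (local {local}, remote {remote}); "
                f"expect fragmentation or dropped large packets"
            )
    if NO_VERIFY in log_text:
        findings.append(
            "WARN: server certificate is not verified; the client cannot tell "
            "a real server from an impostor (set ns-cert-type/remote-cert-tls)"
        )
    for line in log_text.splitlines():
        k = KEYPERM_RE.search(line)
        if k:
            findings.append(f"WARN: private key {k.group('path')} is readable by other users")

    return {
        "connected": "Initialization Sequence Completed" in log_text,
        "mismatches": mismatches,
        "findings": findings,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print("connected:", report["connected"])
    for f in report["findings"]:
        print(f)
```

Run it as-is to see the report for the posted log; to check a live system, feed it the output of the OpenVPN client log instead of SAMPLE_LOG. The key point it makes explicit is that a "connected" log can still describe a tunnel that cannot carry traffic.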
-
OK, but it seems that pfSense takes TUN as the default.
Monowall had a combobox to select between TUN or TAP … how can I change this in pfSense?
-
Don't know I'm afraid, I'm still fairly new to pfSense myself :)
-
http://doc.pfsense.org/index.php/Setting_up_OpenVPN_with_pfSense
See the part at the bottom: "advanced hackery".