Netgate Discussion Forum
    Client not getting IP from DHCP server in bridge mode

    1 Posts 1 Posters 5.2k Views
    chicklet427

      I'm using bridge mode because we have a user with a notebook that is connected to the office domain, and routing mode does not give him access to his network shares when connected to the VPN from a remote location.  After researching this for a bit, it seems bridge mode is suggested for this scenario (correct me if I'm wrong, I'm new to this).  I followed the steps from here: http://hardforum.com/showthread.php?t=1663797

      This is how the network is set up:

      Office:
      Internal LAN 192.168.0.1/24
      pfsense box & OpenVPN server internal IP is 192.168.0.220 (DHCP server is off)
      pfsense external static IP is XXX.XXX.XXX.114
      DHCP server IP is 192.168.0.20 (Windows Server 2003)

      Home:
      Internal LAN 192.168.11.1/24
      pfsense box: 192.168.11.1 (DHCP server is on)
      Client IP: 192.168.11.4 (Windows 7 x64 computer)

      DHCP on the office LAN is from the Windows server. I have it set up so that only clients with a DHCP reservation get the default gateway, so that shouldn't be a problem for the VPN clients since I didn't set up reservations for them. When I connect from the client at home, the OpenVPN icon turns green, yet when I do an ipconfig /all on the client, it's not getting an IP from the DHCP server and is using an autoconfiguration address instead:

      Windows IP Configuration
      
         Host Name . . . . . . . . . . . . : MAXIMUS-PC
         Primary Dns Suffix  . . . . . . . : 
         Node Type . . . . . . . . . . . . : Hybrid
         IP Routing Enabled. . . . . . . . : No
         WINS Proxy Enabled. . . . . . . . : No
         DNS Suffix Search List. . . . . . : localdomain
      
      Ethernet adapter Local Area Connection 2:
      
         Connection-specific DNS Suffix  . : 
         Description . . . . . . . . . . . : TAP-Win32 Adapter V9
         Physical Address. . . . . . . . . : 00-FF-F9-7A-7A-BE
         DHCP Enabled. . . . . . . . . . . : Yes
         Autoconfiguration Enabled . . . . : Yes
         Link-local IPv6 Address . . . . . : fe80::24ce:cfd8:c20b:eefe%28(Preferred) 
         Autoconfiguration IPv4 Address. . : 169.254.238.254(Preferred) 
         Subnet Mask . . . . . . . . . . . : 255.255.0.0
         Default Gateway . . . . . . . . . : 
         DHCPv6 IAID . . . . . . . . . . . : 486604793
         DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-4E-6E-D2-84-C9-B2-37-70-09
         DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                             fec0:0:0:ffff::2%1
                                             fec0:0:0:ffff::3%1
         NetBIOS over Tcpip. . . . . . . . : Enabled
      
      Wireless LAN adapter Wireless Network Connection:
      
         Connection-specific DNS Suffix  . : localdomain
         Description . . . . . . . . . . . : D-Link DWA-556 Xtreme N PCIe Desktop Adapter
         Physical Address. . . . . . . . . : 84-C9-B2-37-70-09
         DHCP Enabled. . . . . . . . . . . : Yes
         Autoconfiguration Enabled . . . . : Yes
         Link-local IPv6 Address . . . . . : fe80::e19a:63b5:230e:6e2a%10(Preferred) 
         IPv4 Address. . . . . . . . . . . : 192.168.11.4(Preferred) 
         Subnet Mask . . . . . . . . . . . : 255.255.255.0
         Lease Obtained. . . . . . . . . . : August-24-12 6:37:42 AM
         Lease Expires . . . . . . . . . . : August-24-12 8:37:42 AM
         Default Gateway . . . . . . . . . : 192.168.11.1
         DHCP Server . . . . . . . . . . . : 192.168.11.1
         DHCPv6 IAID . . . . . . . . . . . : 193251762
         DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-4E-6E-D2-84-C9-B2-37-70-09
         DNS Servers . . . . . . . . . . . : 192.168.11.1
         NetBIOS over Tcpip. . . . . . . . : Enabled
      

      Here is the server1.conf from the office pfsense box:

      dev ovpns1
      dev-type tap
      dev-node /dev/tap1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local XXX.XXX.XXX.114
      engine cryptodev
      tls-server
      mode server
      tls-verify /var/etc/openvpn/server1.tls-verify.php
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      max-clients 5
      push "route 192.168.0.1 255.255.255.0"
      push "dhcp-option WINS 192.168.0.20"
      client-to-client
      ca /var/etc/openvpn/server1.ca 
      cert /var/etc/openvpn/server1.cert 
      key /var/etc/openvpn/server1.key 
      dh /etc/dh-parameters.1024
      crl-verify /var/etc/openvpn/server1.crl-verify 
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      comp-lzo
      persist-remote-ip
      float
      server-bridge
      

      Here is the client config:

      dev tap
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      tls-client
      client
      resolv-retry infinite
      remote XXX.XXX.XXX.114 1194
      tls-remote "XXXCert"
      pkcs12 pfsense-udp-1194.p12
      tls-auth pfsense-udp-1194-tls.key 1
      comp-lzo
      

      Here is the log from the client after connecting:

      Fri Aug 24 06:38:02 2012 OpenVPN 2.2.0 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] [IPv6 payload 20110521-1 (2.2.0)] built on May 21 2011
      Enter Management Password:
      Fri Aug 24 06:38:03 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
      Fri Aug 24 06:38:03 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
      Fri Aug 24 06:38:03 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
      Fri Aug 24 06:38:03 2012 Control Channel Authentication: using 'pfsense-udp-1194-tls.key' as a OpenVPN static key file
      Fri Aug 24 06:38:03 2012 LZO compression initialized
      Fri Aug 24 06:38:03 2012 UDPv4 link local (bound): [undef]:1194
      Fri Aug 24 06:38:03 2012 UDPv4 link remote: xxx.xxx.xxx.114:1194
      Fri Aug 24 06:38:05 2012 [NovaCert] Peer Connection Initiated with xxx.xxx.xxx.114:1194
      Fri Aug 24 06:38:07 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
      Fri Aug 24 06:38:07 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.0.1
      Fri Aug 24 06:38:07 2012 open_tun, tt->ipv6=0
      Fri Aug 24 06:38:07 2012 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{F97A7ABE-379F-482B-8A75-4A6832E744D5}.tap
      Fri Aug 24 06:38:07 2012 Successful ARP Flush on interface [28] {F97A7ABE-379F-482B-8A75-4A6832E744D5}
      Fri Aug 24 06:38:12 2012 Initialization Sequence Completed
      Fri Aug 24 06:40:50 2012 SIGTERM[hard,] received, process exiting
      

      And this is the OpenVPN log from the office pfsense box:

      Aug 24 06:38:10 	openvpn[50248]: xxx.xxx.xxx.184:12046 Re-using SSL/TLS context
      Aug 24 06:38:10 	openvpn[50248]: xxx.xxx.xxx.184:12046 LZO compression initialized
      Aug 24 06:38:11 	openvpn: Found certificate /C=CA/ST=xxx/L=xxx/O=xxx/emailAddress=xxx@xxx.com/CN=Certificate_generated_by_Wizard with depth 1
      Aug 24 06:38:11 	openvpn: Found certificate /C=CA/ST=xxx/L=xxx/O=xxx/emailAddress=xxx@xxx.com/CN=xxx.local with depth 0
      Aug 24 06:38:12 	openvpn[50248]: xxx.xxx.xxx.184:12046 [xxx.local] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.184:12046
      Aug 24 06:38:12 	openvpn[50248]: xxx.local/xxx.xxx.xxx.184:12046 MULTI: no dynamic or static remote --ifconfig address is available for xxx.local/xxx.xxx.xxx.184:12046
      Aug 24 06:38:14 	openvpn[50248]: xxx.local/xxx.xxx.xxx.184:12046 send_push_reply(): safe_cap=960
      Aug 24 06:42:57 	openvpn[50248]: xxx.local/xxx.xxx.xxx.184:12046 [xxx.local] Inactivity timeout (--ping-restart), restarting
      Aug 24 08:03:55 	openvpn[50248]: event_wait : Interrupted system call (code=4)
      Aug 24 08:03:55 	openvpn[50248]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1590 init
      Aug 24 08:03:55 	openvpn[50248]: SIGTERM[hard,] received, process exiting
      Aug 24 08:03:56 	openvpn[22218]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
      Aug 24 08:03:56 	openvpn[22218]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
      Aug 24 08:03:56 	openvpn[22218]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Aug 24 08:03:56 	openvpn[22218]: Initializing OpenSSL support for engine 'cryptodev'
      Aug 24 08:03:56 	openvpn[22218]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
      Aug 24 08:03:56 	openvpn[22218]: TUN/TAP device /dev/tap1 opened
      Aug 24 08:03:56 	openvpn[22218]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1590 init
      Aug 24 08:03:56 	openvpn[23338]: UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.114:1194
      Aug 24 08:03:56 	openvpn[23338]: UDPv4 link remote: [undef]
      Aug 24 08:03:56 	openvpn[23338]: Initialization Sequence Completed
      

      The only option I see on the OpenVPN server config page that seems relevant is "Redirect Gateway", but I've tried with this checked and unchecked, and still get the same result both ways.  Should it be checked or not checked?  The How To webpage was unclear on this.  Also, I did manually add "server-bridge" to the "advanced configuration" section in pfsense, which was suggested on another website, but that didn't work either.  So what should the gateway be, and how do I specify that in the configuration?  It seems like the more I research this topic, the more confused I get.
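The following is an added example, not part of the post above and not pfSense or OpenVPN code. It is a small lint script that parses an OpenVPN server config and reports the bridge-mode facts that account for the two log lines in the post: a bare `server-bridge` puts the server in DHCP-proxy mode, where OpenVPN pushes no `ifconfig` (the server log's "no dynamic or static remote --ifconfig address" line is expected in that mode, and the client's TAP adapter then depends on a DHCP lease arriving through the bridge), and a pushed `route` with no gateway source is what produces the client's "needs a gateway parameter" error. It also notes that `192.168.0.1 255.255.255.0` is a host address paired with a network mask. The embedded config is a constructed, abbreviated copy of the poster's server1.conf with the same XXX placeholders; the finding codes are this script's own names, not OpenVPN's.

```python
"""Lint an OpenVPN TAP/bridge server config for the problems seen in the post.

Added example for this thread; not pfSense's or OpenVPN's code.
"""
import ipaddress
import shlex

# Constructed sample input: the relevant lines of the poster's server1.conf,
# with the same XXX placeholders as the post.
SAMPLE_SERVER_CONF = """\
dev ovpns1
dev-type tap
dev-node /dev/tap1
#user nobody
proto udp
cipher AES-128-CBC
local XXX.XXX.XXX.114
tls-server
mode server
push "route 192.168.0.1 255.255.255.0"
push "dhcp-option WINS 192.168.0.20"
client-to-client
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
server-bridge
"""


def parse_config(text):
    """Split an OpenVPN config into (directive, [args]) pairs.

    Lines whose first character is '#' or ';' are comments.  shlex keeps the
    quoted argument of push "route ..." together as one string.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint_bridge_config(text):
    """Return a list of (severity, code, message) findings for a TAP server."""
    entries = parse_config(text)
    directives = {name: args for name, args in entries if name != "push"}
    pushed = [shlex.split(a[0]) for name, a in entries if name == "push" and a]
    findings = []

    dev = directives.get("dev", [""])[0]
    if directives.get("dev-type") != ["tap"] and not dev.startswith("tap"):
        return findings  # bridge checks only apply to TAP servers

    bridge_args = directives.get("server-bridge")
    if bridge_args == []:
        findings.append(("INFO", "DHCP_PROXY",
            "server-bridge has no parameters: DHCP-proxy mode. OpenVPN pushes no "
            "ifconfig; the client's TAP adapter must get its lease from the LAN DHCP "
            "server through the bridge, so the TAP interface must be a bridge member "
            "on the server (configured outside this file)."))

    # A pushed route needs a gateway: on the route itself, from a static
    # route-gateway/ifconfig, or from the gateway parameter of server-bridge.
    gateway_source = (
        "ifconfig" in directives
        or (directives.get("route-gateway") and _is_ip(directives["route-gateway"][0]))
        or (bridge_args and _is_ip(bridge_args[0]))
    )
    for opt in pushed:
        if opt[0] != "route" or len(opt) < 3:
            continue
        net, mask = opt[1], opt[2]
        if len(opt) < 4 and not gateway_source:
            findings.append(("WARN", "ROUTE_NO_GATEWAY",
                f"push route {net} {mask} has no gateway and the server defines no "
                "ifconfig or static route-gateway; this is the client's 'needs a "
                "gateway parameter for a --route option' error."))
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            if ipaddress.ip_address(net) != network.network_address:
                findings.append(("WARN", "ROUTE_HOST_BITS",
                    f"route target {net} has host bits set for mask {mask}; "
                    f"the network address is {network.network_address}."))
        except ValueError:
            findings.append(("WARN", "ROUTE_UNPARSABLE",
                             f"cannot parse route {net} {mask}"))

    dh = directives.get("dh", [""])[0]
    if "1024" in dh:  # filename heuristic only; check with: openssl dhparam -in FILE -text
        findings.append(("INFO", "DH_1024_FILENAME",
            f"dh file {dh} is named as 1024-bit parameters; 2048-bit or larger is the "
            "current recommendation."))
    return findings


if __name__ == "__main__":
    for severity, code, message in lint_bridge_config(SAMPLE_SERVER_CONF):
        print(f"{severity:4} {code:18} {message}")
```

The script can only see the OpenVPN config: whether the TAP interface is actually a member of a bridge with the LAN interface, and whether the LAN DHCP server answers requests arriving over that bridge, has to be checked on the pfSense box itself. The `ROUTE_NO_GATEWAY` finding disappears when `server-bridge` is given its gateway, netmask and pool parameters, because OpenVPN then has a gateway to push alongside the route.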

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.