Client not getting IP from DHCP server in bridge mode
I'm using bridge mode because we have a user with a notebook that is connected to the office domain, and routing mode does not give him access to his network shares when connected to the VPN from a remote location. After researching this for a bit, it seems bridge mode is suggested for this scenario (correct me if I'm wrong, I'm new to this). I followed the steps from here: http://hardforum.com/showthread.php?t=1663797
This is how the network is set up:

Office:
Internal LAN 192.168.0.1/24
pfsense box & OpenVPN server internal IP is 192.168.0.220 (DHCP server is off)
pfsense external static IP is XXX.XXX.XXX.114
DHCP server IP is 192.168.0.20 (Windows Server 2003)

Home:
Internal LAN 192.168.11.1/24
pfsense box: 192.168.11.1 (DHCP server is on)
Client IP: 192.168.11.4 (Windows 7 x64 computer)

DHCP on the office LAN is from the Windows server. I have it set up so that only clients with a DHCP reservation get the default gateway, so that shouldn't be a problem for the VPN clients since I didn't set up reservations for them. When I connect from the client at home the OpenVPN icon turns green, yet when I do an ipconfig /all on the client, it's not getting an IP from the DHCP server and is using an autoconfiguration address instead:
Windows IP Configuration

   Host Name . . . . . . . . . . . . : MAXIMUS-PC
   Primary Dns Suffix . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : localdomain

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   Physical Address. . . . . . . . . : 00-FF-F9-7A-7A-BE
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::24ce:cfd8:c20b:eefe%28(Preferred)
   Autoconfiguration IPv4 Address. . : 169.254.238.254(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 486604793
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-4E-6E-D2-84-C9-B2-37-70-09
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix . : localdomain
   Description . . . . . . . . . . . : D-Link DWA-556 Xtreme N PCIe Desktop Adapter
   Physical Address. . . . . . . . . : 84-C9-B2-37-70-09
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e19a:63b5:230e:6e2a%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.11.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : August-24-12 6:37:42 AM
   Lease Expires . . . . . . . . . . : August-24-12 8:37:42 AM
   Default Gateway . . . . . . . . . : 192.168.11.1
   DHCP Server . . . . . . . . . . . : 192.168.11.1
   DHCPv6 IAID . . . . . . . . . . . : 193251762
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-4E-6E-D2-84-C9-B2-37-70-09
   DNS Servers . . . . . . . . . . . : 192.168.11.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Here is the server1.conf from the office pfsense box:
dev ovpns1
dev-type tap
dev-node /dev/tap1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local XXX.XXX.XXX.114
engine cryptodev
tls-server
mode server
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 5
push "route 192.168.0.1 255.255.255.0"
push "dhcp-option WINS 192.168.0.20"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server1.crl-verify
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
server-bridge
Here is the client config:
dev tap
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote XXX.XXX.XXX.114 1194
tls-remote "XXXCert"
pkcs12 pfsense-udp-1194.p12
tls-auth pfsense-udp-1194-tls.key 1
comp-lzo
Here is the log from the client after connecting:
Fri Aug 24 06:38:02 2012 OpenVPN 2.2.0 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] [IPv6 payload 20110521-1 (2.2.0)] built on May 21 2011
Enter Management Password:
Fri Aug 24 06:38:03 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Aug 24 06:38:03 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Fri Aug 24 06:38:03 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Aug 24 06:38:03 2012 Control Channel Authentication: using 'pfsense-udp-1194-tls.key' as a OpenVPN static key file
Fri Aug 24 06:38:03 2012 LZO compression initialized
Fri Aug 24 06:38:03 2012 UDPv4 link local (bound): [undef]:1194
Fri Aug 24 06:38:03 2012 UDPv4 link remote: xxx.xxx.xxx.114:1194
Fri Aug 24 06:38:05 2012 [NovaCert] Peer Connection Initiated with xxx.xxx.xxx.114:1194
Fri Aug 24 06:38:07 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Fri Aug 24 06:38:07 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.0.1
Fri Aug 24 06:38:07 2012 open_tun, tt->ipv6=0
Fri Aug 24 06:38:07 2012 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{F97A7ABE-379F-482B-8A75-4A6832E744D5}.tap
Fri Aug 24 06:38:07 2012 Successful ARP Flush on interface [28] {F97A7ABE-379F-482B-8A75-4A6832E744D5}
Fri Aug 24 06:38:12 2012 Initialization Sequence Completed
Fri Aug 24 06:40:50 2012 SIGTERM[hard,] received, process exiting
And this is the OpenVPN log from the office pfsense box:
Aug 24 06:38:10 openvpn[50248]: xxx.xxx.xxx.184:12046 Re-using SSL/TLS context
Aug 24 06:38:10 openvpn[50248]: xxx.xxx.xxx.184:12046 LZO compression initialized
Aug 24 06:38:11 openvpn: Found certificate /C=CA/ST=xxx/L=xxx/O=xxx/emailAddress=xxx@xxx.com/CN=Certificate_generated_by_Wizard with depth 1
Aug 24 06:38:11 openvpn: Found certificate /C=CA/ST=xxx/L=xxx/O=xxx/emailAddress=xxx@xxx.com/CN=xxx.local with depth 0
Aug 24 06:38:12 openvpn[50248]: xxx.xxx.xxx.184:12046 [xxx.local] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.184:12046
Aug 24 06:38:12 openvpn[50248]: xxx.local/xxx.xxx.xxx.184:12046 MULTI: no dynamic or static remote --ifconfig address is available for xxx.local/xxx.xxx.xxx.184:12046
Aug 24 06:38:14 openvpn[50248]: xxx.local/xxx.xxx.xxx.184:12046 send_push_reply(): safe_cap=960
Aug 24 06:42:57 openvpn[50248]: xxx.local/xxx.xxx.xxx.184:12046 [xxx.local] Inactivity timeout (--ping-restart), restarting
Aug 24 08:03:55 openvpn[50248]: event_wait : Interrupted system call (code=4)
Aug 24 08:03:55 openvpn[50248]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1590 init
Aug 24 08:03:55 openvpn[50248]: SIGTERM[hard,] received, process exiting
Aug 24 08:03:56 openvpn[22218]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
Aug 24 08:03:56 openvpn[22218]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Aug 24 08:03:56 openvpn[22218]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 24 08:03:56 openvpn[22218]: Initializing OpenSSL support for engine 'cryptodev'
Aug 24 08:03:56 openvpn[22218]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Aug 24 08:03:56 openvpn[22218]: TUN/TAP device /dev/tap1 opened
Aug 24 08:03:56 openvpn[22218]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1590 init
Aug 24 08:03:56 openvpn[23338]: UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.114:1194
Aug 24 08:03:56 openvpn[23338]: UDPv4 link remote: [undef]
Aug 24 08:03:56 openvpn[23338]: Initialization Sequence Completed
The only option I see on the OpenVPN server config page that seems relevant is "Redirect Gateway", but I've tried with it both checked and unchecked and get the same result either way. Should it be checked or not? The how-to webpage was unclear on this. Also, I did manually add "server-bridge" to the "advanced configuration" section in pfsense, which was suggested on another website, but that didn't work either. So what should the gateway be, and how do I specify it in the configuration? It seems like the more I research this topic, the more confused I get.
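As an added triage helper (not part of the question, pfSense or OpenVPN), the script below checks the two things the output above makes visible: an ipconfig /all listing where the TAP adapter has DHCP enabled but holds only a 169.254.x.x autoconfiguration address and reports no DHCP Server, meaning no DHCP offer ever came back across the bridge; and a server config that pushes a "route network netmask" line with no gateway, which OpenVPN can only install if a default gateway is supplied by --route-gateway or --ifconfig, exactly the two sources the client log names. The sample ipconfig text and the cut-down server config are constructed to resemble the question's output, and all function names are my own. Note that in a bridged TAP setup the client sits on the office LAN segment once it has a lease, so a pushed route toward that same LAN is redundant anyway; the gateway check is there because the log complains about it, not because the route is needed.

```python
# Added triage helper: a TAP adapter with no DHCP lease, and a pushed route with no usable gateway.
import ipaddress
import re
import shlex

# Constructed excerpt modelled on the question's 'ipconfig /all' output.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection 2:

   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.238.254(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Wireless LAN adapter Wireless Network Connection:

   Description . . . . . . . . . . . : D-Link DWA-556 Xtreme N PCIe Desktop Adapter
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.11.4(Preferred)
   DHCP Server . . . . . . . . . . . : 192.168.11.1
"""

# Constructed server config reduced to the directives that matter here.
SAMPLE_SERVER_CONF = """\
dev-type tap
#user nobody
push "route 192.168.0.1 255.255.255.0"
push "dhcp-option WINS 192.168.0.20"
server-bridge
"""

FIELD_RE = re.compile(r"^\s+(\S[^:]*?)[ .]*:\s*(.*)$")  # 'Name . . . : value'


def parse_ipconfig(text):
    """Map each column-0 adapter header to a {field: value} dict."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.rstrip(":").strip()
            sections[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def tap_adapters_without_lease(ipconfig_text):
    """TAP adapters with DHCP enabled that hold only an APIPA (169.254/16)
    address and list no 'DHCP Server': no DHCP offer ever reached them."""
    hits = []
    for name, f in parse_ipconfig(ipconfig_text).items():
        if not f.get("Description", "").upper().startswith("TAP"):
            continue
        auto = f.get("Autoconfiguration IPv4 Address", "").split("(")[0]
        if f.get("DHCP Enabled") == "Yes" and auto.startswith("169.254.") \
                and "DHCP Server" not in f:
            hits.append(name)
    return hits


def parse_openvpn_config(text):
    """One (directive, [args]) per non-comment line; shlex handles quotes."""
    out = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if words:
            out.append((words[0], words[1:]))
    return out


def check_pushed_routes(config_text):
    """Findings for pushed 'route' options. A route given as network+netmask only
    needs a default gateway from --route-gateway or --ifconfig. The 4-argument
    'server-bridge gw mask start end' form pushes one, bare 'server-bridge'
    defers to DHCP on the TAP adapter, and 'server-bridge nogw' pushes none."""
    directives = parse_openvpn_config(config_text)
    pushed = [shlex.split(a[0]) for d, a in directives if d == "push" and a]
    bridge = next((a for d, a in directives if d == "server-bridge"), None)
    gateways = [p[1] for p in pushed if p[0] == "route-gateway" and len(p) > 1]
    if bridge is not None and len(bridge) == 4:
        gateways.append(bridge[0])
    elif bridge == []:
        gateways.append("dhcp")
    findings = []
    for p in pushed:
        if p[0] != "route" or len(p) < 3:
            continue
        net, mask = p[1], p[2]
        network = ipaddress.ip_interface(f"{net}/{mask}").network
        if str(network.network_address) != net:
            findings.append(f"route {net}/{mask}: host address given, the network address is {network.network_address}")
        if len(p) >= 4 or any(g != "dhcp" for g in gateways):
            continue  # gateway on the route itself, or an explicit one is pushed
        if gateways:
            findings.append(f"route {net}/{mask}: gateway must come from DHCP on the TAP adapter, so the route fails if the lease does")
        else:
            findings.append(f"route {net}/{mask}: no gateway and nothing pushes route-gateway or ifconfig; the client cannot install it")
    return findings
```

Run against the constructed samples, tap_adapters_without_lease flags the "Local Area Connection 2" TAP adapter only, and check_pushed_routes reports two things about the pushed route: 192.168.0.1 is a host address rather than the 192.168.0.0 network, and with bare server-bridge the route's gateway depends on the very DHCP lease that never arrives. Swapping in the four-argument server-bridge form and the network address clears both findings, which is a quick way to confirm a config edit before reconnecting the client.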