Client not getting IP from DHCP server in bridge mode



  • I'm using bridge mode because we have a user with a notebook that is connected to the office domain, and routing mode does not give him access to his network shares when connected to the VPN from a remote location.  After researching this for a bit it seems bridge mode is suggested for this scenario (correct me if I'm wrong, I'm new to this).  I followed the steps from here: http://hardforum.com/showthread.php?t=1663797

    This is how the network is set up:

    Office:
    Internal LAN 192.168.0.1/24
    pfsense box & OpenVPN server internal IP is 192.168.0.220 (DHCP server is off)
    pfsense external static IP is XXX.XXX.XXX.114
    DHCP server IP is 192.168.0.20 (Windows Server 2003)

    Home:
    Internal LAN 192.168.11.1/24
    pfsense box: 192.168.11.1 (DHCP server is on)
    Client IP: 192.168.11.4 (Windows 7 x64 computer)

    DHCP on the office LAN is from the Windows server. I have it set up so that only clients with a DHCP reservation get the default gateway, so that shouldn't be a problem for the VPN clients since I didn't set up reservations for them. When I connect from the client at home the OpenVPN icon turns green, yet when I do an ipconfig /all on the client, it's not getting an IP from the DHCP server and is using an autoconfiguration address instead:

    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : MAXIMUS-PC
       Primary Dns Suffix  . . . . . . . : 
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : localdomain
    
    Ethernet adapter Local Area Connection 2:
    
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : TAP-Win32 Adapter V9
       Physical Address. . . . . . . . . : 00-FF-F9-7A-7A-BE
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::24ce:cfd8:c20b:eefe%28(Preferred) 
       Autoconfiguration IPv4 Address. . : 169.254.238.254(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . : 
       DHCPv6 IAID . . . . . . . . . . . : 486604793
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-4E-6E-D2-84-C9-B2-37-70-09
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Wireless LAN adapter Wireless Network Connection:
    
       Connection-specific DNS Suffix  . : localdomain
       Description . . . . . . . . . . . : D-Link DWA-556 Xtreme N PCIe Desktop Adapter
       Physical Address. . . . . . . . . : 84-C9-B2-37-70-09
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::e19a:63b5:230e:6e2a%10(Preferred) 
       IPv4 Address. . . . . . . . . . . : 192.168.11.4(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : August-24-12 6:37:42 AM
       Lease Expires . . . . . . . . . . : August-24-12 8:37:42 AM
       Default Gateway . . . . . . . . . : 192.168.11.1
       DHCP Server . . . . . . . . . . . : 192.168.11.1
       DHCPv6 IAID . . . . . . . . . . . : 193251762
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-4E-6E-D2-84-C9-B2-37-70-09
       DNS Servers . . . . . . . . . . . : 192.168.11.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    

    Here is the server1.conf from the office pfsense box:

    dev ovpns1
    dev-type tap
    dev-node /dev/tap1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local XXX.XXX.XXX.114
    engine cryptodev
    tls-server
    mode server
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 5
    push "route 192.168.0.1 255.255.255.0"
    push "dhcp-option WINS 192.168.0.20"
    client-to-client
    ca /var/etc/openvpn/server1.ca 
    cert /var/etc/openvpn/server1.cert 
    key /var/etc/openvpn/server1.key 
    dh /etc/dh-parameters.1024
    crl-verify /var/etc/openvpn/server1.crl-verify 
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo
    persist-remote-ip
    float
    server-bridge
    

    Here is the client config:

    dev tap
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    tls-client
    client
    resolv-retry infinite
    remote XXX.XXX.XXX.114 1194
    tls-remote "XXXCert"
    pkcs12 pfsense-udp-1194.p12
    tls-auth pfsense-udp-1194-tls.key 1
    comp-lzo
    

    Here is the log from the client after connecting:

    Fri Aug 24 06:38:02 2012 OpenVPN 2.2.0 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] [IPv6 payload 20110521-1 (2.2.0)] built on May 21 2011
    Enter Management Password:
    Fri Aug 24 06:38:03 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Fri Aug 24 06:38:03 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    Fri Aug 24 06:38:03 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Fri Aug 24 06:38:03 2012 Control Channel Authentication: using 'pfsense-udp-1194-tls.key' as a OpenVPN static key file
    Fri Aug 24 06:38:03 2012 LZO compression initialized
    Fri Aug 24 06:38:03 2012 UDPv4 link local (bound): [undef]:1194
    Fri Aug 24 06:38:03 2012 UDPv4 link remote: xxx.xxx.xxx.114:1194
    Fri Aug 24 06:38:05 2012 [NovaCert] Peer Connection Initiated with xxx.xxx.xxx.114:1194
    Fri Aug 24 06:38:07 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    Fri Aug 24 06:38:07 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.0.1
    Fri Aug 24 06:38:07 2012 open_tun, tt->ipv6=0
    Fri Aug 24 06:38:07 2012 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{F97A7ABE-379F-482B-8A75-4A6832E744D5}.tap
    Fri Aug 24 06:38:07 2012 Successful ARP Flush on interface [28] {F97A7ABE-379F-482B-8A75-4A6832E744D5}
    Fri Aug 24 06:38:12 2012 Initialization Sequence Completed
    Fri Aug 24 06:40:50 2012 SIGTERM[hard,] received, process exiting
    

    And this is the OpenVPN log from the office pfsense box:

    Aug 24 06:38:10 	openvpn[50248]: xxx.xxx.xxx.184:12046 Re-using SSL/TLS context
    Aug 24 06:38:10 	openvpn[50248]: xxx.xxx.xxx.184:12046 LZO compression initialized
    Aug 24 06:38:11 	openvpn: Found certificate /C=CA/ST=xxx/L=xxx/O=xxx/emailAddress=xxx@xxx.com/CN=Certificate_generated_by_Wizard with depth 1
    Aug 24 06:38:11 	openvpn: Found certificate /C=CA/ST=xxx/L=xxx/O=xxx/emailAddress=xxx@xxx.com/CN=xxx.local with depth 0
    Aug 24 06:38:12 	openvpn[50248]: xxx.xxx.xxx.184:12046 [xxx.local] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.184:12046
    Aug 24 06:38:12 	openvpn[50248]: xxx.local/xxx.xxx.xxx.184:12046 MULTI: no dynamic or static remote --ifconfig address is available for xxx.local/xxx.xxx.xxx.184:12046
    Aug 24 06:38:14 	openvpn[50248]: xxx.local/xxx.xxx.xxx.184:12046 send_push_reply(): safe_cap=960
    Aug 24 06:42:57 	openvpn[50248]: xxx.local/xxx.xxx.xxx.184:12046 [xxx.local] Inactivity timeout (--ping-restart), restarting
    Aug 24 08:03:55 	openvpn[50248]: event_wait : Interrupted system call (code=4)
    Aug 24 08:03:55 	openvpn[50248]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1590 init
    Aug 24 08:03:55 	openvpn[50248]: SIGTERM[hard,] received, process exiting
    Aug 24 08:03:56 	openvpn[22218]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
    Aug 24 08:03:56 	openvpn[22218]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
    Aug 24 08:03:56 	openvpn[22218]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 24 08:03:56 	openvpn[22218]: Initializing OpenSSL support for engine 'cryptodev'
    Aug 24 08:03:56 	openvpn[22218]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Aug 24 08:03:56 	openvpn[22218]: TUN/TAP device /dev/tap1 opened
    Aug 24 08:03:56 	openvpn[22218]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1590 init
    Aug 24 08:03:56 	openvpn[23338]: UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.114:1194
    Aug 24 08:03:56 	openvpn[23338]: UDPv4 link remote: [undef]
    Aug 24 08:03:56 	openvpn[23338]: Initialization Sequence Completed
    

    The only option I see on the OpenVPN server config page that seems relevant is "Redirect Gateway", and I've tried it both checked and unchecked, with the same result both ways.  Should it be checked or not checked?  The how-to web page was unclear on this.  Also, I did manually add "server-bridge" to the "advanced configuration" section in pfsense, which was suggested on another website, but that didn't work either.  So what should the gateway be, and how do I specify that in the configuration?  It seems like the more I research this topic, the more confused I get.
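As an added diagnostic that is not code from the post, from pfSense or from OpenVPN: a small Python lint over a constructed excerpt of the server1.conf above. It encodes what the two logs already show: a bare `server-bridge` is DHCP pass-through, so OpenVPN assigns the client no address and the lease has to come from the Windows DHCP server across the bridge; a pushed `route` with no gateway and no `ifconfig` is rejected by the client ("needs a gateway parameter"); and the 1024-bit DH parameters are below current recommendations. The excerpt and the finding codes are my own construction.

```python
import re

# Constructed excerpt of the server1.conf quoted in the post (assumed input; the
# real file has more directives, which this checker simply ignores).
SERVER_CONF = """\
dev ovpns1
dev-type tap
push "route 192.168.0.1 255.255.255.0"
push "dhcp-option WINS 192.168.0.20"
dh /etc/dh-parameters.1024
server-bridge
"""

def parse_conf(text):
    """Yield (directive, args) pairs, dropping comments and blank lines.
    A pushed option is reported as 'push:<option>' with the quotes stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, args = line.partition(" ")
        args = args.strip().strip('"')
        if name == "push":
            name, _, args = args.partition(" ")
            name = "push:" + name
        yield name, args.strip()

def check_bridge_conf(text):
    """Return a list of finding codes for a tap + server-bridge OpenVPN server config."""
    conf = list(parse_conf(text))
    names = {n for n, _ in conf}
    bridge = [a for n, a in conf if n == "server-bridge"]
    is_tap = any((n == "dev-type" and a == "tap") or (n == "dev" and a.startswith("tap"))
                 for n, a in conf)
    if not bridge or not is_tap:
        return ["not-tap-bridge-mode"]
    findings = []
    if bridge[0] == "":
        # Bare 'server-bridge' = DHCP pass-through: OpenVPN pushes no ifconfig, so the
        # client only gets an address if DHCP broadcasts cross the LAN/tap bridge.
        findings.append("dhcp-proxy:client-address-comes-from-lan-dhcp")
    # With server-bridge arguments the server pushes ifconfig + route-gateway itself.
    gateway_known = bridge[0] != "" or bool(names & {"push:route-gateway", "push:ifconfig"})
    for n, a in conf:
        # 'route net mask' with no explicit gateway and no ifconfig is rejected by the client.
        if n == "push:route" and len(a.split()) < 3 and not gateway_known:
            findings.append("push-route-unusable:" + a)
        if n == "dh":
            m = re.search(r"(\d+)", a.rsplit("/", 1)[-1])   # bit size from the file name
            if m and int(m.group(1)) < 2048:
                findings.append("weak-dh:" + m.group(1))
    return findings
```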

