4. Client not getting IP from DHCP server in bridge mode

Client not getting IP from DHCP server in bridge mode

  • C

    I'm using bridge mode because we have a user with a notebook that is connected to the office domain and routing mode does not give him access to his network shares when connected to the VPN from a remote location.  After researching this for a bit it seem bridge mode is suggested for this scenario (correct me if I'm wrong, I'm new to this).  I followed the steps from here: http://hardforum.com/showthread.php?t=1663797

    This is how the network is set up:

    Office:
    Internal LAN 192.168.0.1/24
    pfsense box & OpenVPN server internal IP is 192.168.0.220 (DHCP server is off)
    pfsense external static IP is XXX.XXX.XXX.114
    DHCP server IP is 192.168.0.20 (Windows Server 2003)

    Home:
    Internal LAN 192.168.11.1/24
    pfsense box: 192.168.11.1 (DHCP server is on)
    Client IP: 192.168.11.4 (Windows 7 x64 computer)

    DHCP on the office LAN is from the Windows server, I have it set up so that only clients with a DHCP reservation get the default gateway, so that shouldn't be a problem for the VPN clients since I didn't set up reservations for them. When I connect from the client at home the OpenVPN icon turns green yet when I do and ipconfig /all on the client, it's not getting an IP from the DHCP server and using an autoconfiguration address instead:

    Windows IP Configuration

   Host Name . . . . . . . . . . . . : MAXIMUS-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : localdomain

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   Physical Address. . . . . . . . . : 00-FF-F9-7A-7A-BE
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::24ce:cfd8:c20b:eefe%28(Preferred) 
   Autoconfiguration IPv4 Address. . : 169.254.238.254(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 
   DHCPv6 IAID . . . . . . . . . . . : 486604793
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-4E-6E-D2-84-C9-B2-37-70-09
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : D-Link DWA-556 Xtreme N PCIe Desktop Adapter
   Physical Address. . . . . . . . . : 84-C9-B2-37-70-09
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e19a:63b5:230e:6e2a%10(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.11.4(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : August-24-12 6:37:42 AM
   Lease Expires . . . . . . . . . . : August-24-12 8:37:42 AM
   Default Gateway . . . . . . . . . : 192.168.11.1
   DHCP Server . . . . . . . . . . . : 192.168.11.1
   DHCPv6 IAID . . . . . . . . . . . : 193251762
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-4E-6E-D2-84-C9-B2-37-70-09
   DNS Servers . . . . . . . . . . . : 192.168.11.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

    Here is the server1.conf from the office pfsense box:

    dev ovpns1
dev-type tap
dev-node /dev/tap1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local XXX.XXX.XXX.114
engine cryptodev
tls-server
mode server
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 5
push "route 192.168.0.1 255.255.255.0"
push "dhcp-option WINS 192.168.0.20"
client-to-client
ca /var/etc/openvpn/server1.ca 
cert /var/etc/openvpn/server1.cert 
key /var/etc/openvpn/server1.key 
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server1.crl-verify 
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
persist-remote-ip
float
server-bridge

    Here is the client config:

    dev tap
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote XXX.XXX.XXX.114 1194
tls-remote "XXXCert"
pkcs12 pfsense-udp-1194.p12
tls-auth pfsense-udp-1194-tls.key 1
comp-lzo

    Here is the log from the client after connecting:

    Fri Aug 24 06:38:02 2012 OpenVPN 2.2.0 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] [IPv6 payload 20110521-1 (2.2.0)] built on May 21 2011
Enter Management Password:
Fri Aug 24 06:38:03 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Aug 24 06:38:03 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Fri Aug 24 06:38:03 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Aug 24 06:38:03 2012 Control Channel Authentication: using 'pfsense-udp-1194-tls.key' as a OpenVPN static key file
Fri Aug 24 06:38:03 2012 LZO compression initialized
Fri Aug 24 06:38:03 2012 UDPv4 link local (bound): [undef]:1194
Fri Aug 24 06:38:03 2012 UDPv4 link remote: xxx.xxx.xxx.114:1194
Fri Aug 24 06:38:05 2012 [NovaCert] Peer Connection Initiated with xxx.xxx.xxx.114:1194
Fri Aug 24 06:38:07 2012 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Fri Aug 24 06:38:07 2012 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.0.1
Fri Aug 24 06:38:07 2012 open_tun, tt->ipv6=0
Fri Aug 24 06:38:07 2012 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{F97A7ABE-379F-482B-8A75-4A6832E744D5}.tap
Fri Aug 24 06:38:07 2012 Successful ARP Flush on interface [28] {F97A7ABE-379F-482B-8A75-4A6832E744D5}
Fri Aug 24 06:38:12 2012 Initialization Sequence Completed
Fri Aug 24 06:40:50 2012 SIGTERM[hard,] received, process exiting

    And this is the OpenVPN log from the office pfsense box:

    Aug 24 06:38:10 	openvpn[50248]: xxx.xxx.xxx.184:12046 Re-using SSL/TLS context
Aug 24 06:38:10 	openvpn[50248]: xxx.xxx.xxx.184:12046 LZO compression initialized
Aug 24 06:38:11 	openvpn: Found certificate /C=CA/ST=xxx/L=xxx/O=xxx/emailAddress=xxx@xxx.com/CN=Certificate_generated_by_Wizard with 

depth 1
Aug 24 06:38:11 	openvpn: Found certificate /C=CA/ST=xxx/L=xxx/O=xxx/emailAddress=xxx@xxx.com/CN=xxx.local with depth 0
Aug 24 06:38:12 	openvpn[50248]: xxx.xxx.xxx.184:12046 [xxx.local] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.184:12046
Aug 24 06:38:12 	openvpn[50248]: xxx.local/xxx.xxx.xxx.184:12046 MULTI: no dynamic or static remote --ifconfig address is available 

for xxx.local/xxx.xxx.xxx.184:12046
Aug 24 06:38:14 	openvpn[50248]: xxx.local/xxx.xxx.xxx.184:12046 send_push_reply(): safe_cap=960
Aug 24 06:42:57 	openvpn[50248]: xxx.local/xxx.xxx.xxx.184:12046 [xxx.local] Inactivity timeout (--ping-restart), restarting
Aug 24 08:03:55 	openvpn[50248]: event_wait : Interrupted system call (code=4)
Aug 24 08:03:55 	openvpn[50248]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1590 init
Aug 24 08:03:55 	openvpn[50248]: SIGTERM[hard,] received, process exiting
Aug 24 08:03:56 	openvpn[22218]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 

20110424-2 (2.2RC2)] built on Aug 11 2011
Aug 24 08:03:56 	openvpn[22218]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will 

often take on its own IP address that is different from what the LAN adapter was previously set to
Aug 24 08:03:56 	openvpn[22218]: NOTE: the current --script-security setting may allow this configuration to call user-defined 

scripts
Aug 24 08:03:56 	openvpn[22218]: Initializing OpenSSL support for engine 'cryptodev'
Aug 24 08:03:56 	openvpn[22218]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key 

file
Aug 24 08:03:56 	openvpn[22218]: TUN/TAP device /dev/tap1 opened
Aug 24 08:03:56 	openvpn[22218]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1590 init
Aug 24 08:03:56 	openvpn[23338]: UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.114:1194
Aug 24 08:03:56 	openvpn[23338]: UDPv4 link remote: [undef]
Aug 24 08:03:56 	openvpn[23338]: Initialization Sequence Completed

    The only option I see on the OpenVPN server config page that seems relevant is "Redirect Gateway", but I've tried with this checked and unchecked but still the same result both ways.  Should it be checked or not checked?  The How To webpage was unclear on this.  Also, I did manually add "server-bridge" to the "advanced configuration" section in pfsense which was suggested on another website but that didn't work either.  So what should the gateway be and how do I specify that in the configuration?  It seems like the more I research this topic, the more confused I get.

    0
Locked
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy