Netgate Discussion Forum

    OpenVPN site-to-site, bridged, SSL certificates, missing some config. [Solved]

    lelik67

      What is working:

      Office 1:
      --------
      LAN: 192.168.1.0/24
      pfSense configured as bridged OpenVPN server with SSL certificates.

      Office 2:
      --------
      LAN: 192.168.2.0/24
      pfSense configured as bridged OpenVPN server with SSL certificates.

      If I am in Office 2, I install client certificates from Office 1 on my laptop, and using the OpenVPN client (Windows/Linux) connect to the pfSense server of Office 1. I have full access to any LAN computer in Office 1.
      The same is true in reverse: if I am in Office 1, I install client certificates from Office 2 on my laptop, and using the OpenVPN client (Windows/Linux) connect to Office 2. I have full access to any LAN computer in Office 2.

      In theory, I can install client certificates from Office 2 and the OpenVPN client on every computer in Office 1, and everybody from Office 1 would have access to Office 2 LAN computers, but obviously it's a lot of work as the same can be accomplished with a site-to-site setup. All guides I saw are either "shared key" or "tunneled" (not "bridged").

      Now, below is my experiment with setting up site-to-site:

      Assuming:
      Office 1  = server
      Office 2  = client

      Office 1:

      Created additional client certificate for Office 2.

      Office 2:

      Imported following certificates:
      - Certificate Authority / Office 1 (Office1-server.crt)
      - User Certificate (client.crt + client.key)

      Client tab:
      Server Mode: Peer to Peer (SSL/TLS)
      Protocol: UDP
      Device mode: tap
      Interface: WAN
      Local port: empty
      Server host or address: Office 1 IP
      Server port: 1194
      Proxy host or address: empty
      Proxy port: empty

      TLS Authentication: Enable authentication of TLS packets.
      Pasted Office 1 TLS shared key
      Peer Certificate Authority: pointed to imported Certificate Authority / Office 1
      Client Certificate: pointed to imported User Certificate

      Everything else is empty

      Save

      Status -> OpenVPN shows "connected", but I cannot ping anything from Office 1.

      Missing something? Not correct altogether? Any suggestions?

      Thanks in advance.

        bardelot

        Which version of pfSense are you using? I believe 'tap' mode is broken in 2.0.x, however there should be a fix in the packages that is called 'OpenVPN tap Bridging Fix'.

        [1] http://forum.pfsense.org/index.php/topic,41065.0.html
        [2] http://hardforum.com/showthread.php?t=1663797

        Btw: If you are trying to bridge the two LANs you should use the same subnet.

          lelik67

          I am using pfSense 2.0.x.
          I am aware that 'tap' mode is broken, and I installed 'OpenVPN tap Bridging Fix' and it's working.

          Could you please elaborate a little bit on why it must be the same subnet on both networks?

          If it's indeed the case, I guess I have to use 'tun' plus build a tunnel between them instead:
          LAN: 192.168.1.0/24 <--> 10.8.0.0/24 <--> 192.168.2.0/24.

            bardelot

            For the differences and advantages / disadvantages between the routing and bridging setup there is a lot of information available. As a starter I suggest the OpenVPN FAQ [1].

            e.g.
            Q: What is Bridging?
            A: Bridging is a technique for creating a virtual, wide-area ethernet LAN, running on a single subnet.

            [1] http://openvpn.net/index.php/open-source/faq.html

              lelik67

              Thanks.
              Will configure routing setup instead.

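The routed (tun) site-to-site that the thread ends on, written out as raw OpenVPN directives for the two subnets and the 10.8.0.0/24 tunnel mentioned above. This is an added example, not the poster's configuration or the file pfSense generates; certificate and key file names, the client certificate's Common Name "office2", and the placeholder server address are assumptions.

```conf
# ---- Office 1 (server side), constructed example ----
dev tun
proto udp
port 1194
topology subnet
server 10.8.0.0 255.255.255.0        # tunnel network from the thread
ca ca.crt                             # assumed file names
cert office1-server.crt
key office1-server.key
dh dh2048.pem
tls-auth ta.key 0                     # the "TLS Authentication" shared key, direction 0 on the server
remote-cert-tls client                # accept only peers whose cert carries the client EKU
# Kernel route: Office 2's LAN is reachable through the tunnel interface.
route 192.168.2.0 255.255.255.0
# Hand the peer a route back to Office 1's LAN.
push "route 192.168.1.0 255.255.255.0"
# Per-client override directory. Without the iroute below OpenVPN knows the
# kernel route but not WHICH connected client owns 192.168.2.0/24, so
# replies to Office 2 hosts are dropped even though the tunnel shows "connected".
client-config-dir ccd

# ---- contents of ccd/office2 (file name = client cert CN, assumed "office2") ----
# iroute 192.168.2.0 255.255.255.0

# ---- Office 2 (client side), constructed example ----
client
dev tun
proto udp
remote OFFICE1_PUBLIC_IP 1194         # placeholder for Office 1's WAN address
ca ca.crt
cert office2.crt
key office2.key
tls-auth ta.key 1                     # same key as the server, direction 1
remote-cert-tls server                # refuse a peer that presents a client cert as the server
# The route to 192.168.1.0/24 arrives via push; no local route line is needed.
```

These directives only establish routing; on pfSense the OpenVPN interface still needs firewall rules permitting the traffic in both directions, and hosts on each LAN must use their pfSense as the gateway for the other office's subnet.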
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.