OpenVPN site-to-site, bridged, SSL certificates, missing some config. [Solved]



  • What is working:

    Office 1:
    --------
    LAN: 192.168.1.0/24
    pfSense configured as bridged OpenVPN server with SSL certificates.

    Office 2:

    LAN: 192.168.2.0/24
    pfSense configured as bridged OpenVPN server with SSL certificates.

    If I am in Office 2, I install client certificates from Office 1 on my laptop, and using the OpenVPN client (windoz/linux) connect to the pfSense server of Office 1. I have full access to any LAN computer in Office 1.
    The same is true in reverse: if I am in Office 1, I install client certificates from Office 2 on my laptop, and using the OpenVPN client (windoz/linux) connect to Office 2. I have full access to any LAN computer in Office 2.

    In theory, I can install client certificates from Office 2 and the OpenVPN client on every computer in Office 1, and everybody from Office 1 would have access to Office 2 LAN computers, but obviously it's a lot of work, as the same can be accomplished with a site-to-site setup. All the guides I saw are either "shared key" or "tunneled" (not "bridged").

    Now, below is my experiment with setting up site-to-site:

    Assuming:
    Office 1 = server
    Office 2 = client

    Office 1:

    Created additional client certificate for Office 2.

    Office 2:

    Imported the following certificates:
    - Certificate Authority / Office 1 (Office1-server.crt)
    - User Certificate (client.crt + client.key)

    Client tab:
    Server Mode: Peer to Peer (SSL/TLS)
    Protocol: UDP
    Device mode: tap
    Interface: WAN
    Local port: empty
    Server host or address: Office 1 ip
    Server port: 1194
    Proxy host or address: empty
    Proxy port: empty

    TLS Authentication: Enable authentication of TLS packets.
    Pasted Office 1 tls shared key
    Peer Certificate Authority: pointed to imported Certificate Authority / Office 1
    Client Certificate: pointed to imported User Certificate

    Everything else is empty

    Save

    Status -> OpenVPN shows "connected", but I cannot ping anything from Office 1.

    Missing something? Not correct altogether? Any suggestions?

    Thanks in advance.



  • Which version of pfSense are you using? I believe 'tap' mode is broken in 2.0.x, however there should be a fix in the packages that is called 'OpenVPN tap Bridging Fix'.

    [1] http://forum.pfsense.org/index.php/topic,41065.0.html
    [2] http://hardforum.com/showthread.php?t=1663797

    Btw: If you are trying to bridge the two LANs you should use the same subnet.



  • I am using pfSense 2.0.x.
    I am aware that 'tap' mode is broken, and I installed 'OpenVPN tap Bridging Fix' and it's working.

    Could you please elaborate a little bit on why it must be the same subnet on both networks?

    If it's indeed the case, I guess I have to use 'tun' plus build a tunnel between them instead:
    LAN: 192.168.1.0/24 <--> 10.8.0.0/24 <--> 192.168.2.0/24.



  • For the differences and advantages / disadvantages between the routing and bridging setup there is lots of information available. As a starter I suggest the OpenVPN FAQ [1].

    e.g.
    Q: What is Bridging?
    A: Bridging is a technique for creating a virtual, wide-area ethernet LAN, running on a single subnet.

    [1] http://openvpn.net/index.php/open-source/faq.html



  • Thanks.
    Will configure a routing setup instead.
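As an added example (not posted by anyone in this thread, and not pfSense's generated config), this is what the routed (tun) site-to-site pair the thread ends up choosing looks like in OpenVPN's own config syntax, using the thread's subnets (192.168.1.0/24 <--> 10.8.0.0/24 <--> 192.168.2.0/24). The file names, the client certificate CN "office2" and the `OFFICE1_PUBLIC_IP` placeholder are assumptions.

```conf
# --- Office 1: OpenVPN server ("Peer to Peer (SSL/TLS)", tun) ---
# Assumed file names. "office2" is assumed to be the CN of the client
# certificate issued to Office 2 (not stated in the thread).
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0        # tunnel network from the thread
topology subnet
ca ca.crt
cert office1-server.crt
key office1-server.key
dh dh2048.pem
tls-auth ta.key 0                    # the "TLS Authentication" shared key
remote-cert-tls client               # only accept certs with the client EKU
client-config-dir ccd                # per-client file below
# Kernel route: send traffic for Office 2's LAN into the tunnel
route 192.168.2.0 255.255.255.0
# Tell Office 2 how to reach Office 1's LAN
push "route 192.168.1.0 255.255.255.0"
keepalive 10 60
persist-key
persist-tun

# --- Office 1: ccd/office2 (file named after the client cert CN) ---
# OpenVPN-internal route: 192.168.2.0/24 sits behind this client
iroute 192.168.2.0 255.255.255.0

# --- Office 2: OpenVPN client ---
client
dev tun
proto udp
remote OFFICE1_PUBLIC_IP 1194        # placeholder for Office 1's WAN address
nobind
ca ca.crt                            # Office 1's CA, as imported on Office 2
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server               # refuse a peer without the server EKU
keepalive 10 60
persist-key
persist-tun
```

In tun mode the `route` and `iroute` pair on the server is what actually lets far-LAN traffic enter the tunnel; without it the status still shows "connected" but nothing on the other LAN is reachable, and both firewalls additionally need rules permitting the traffic on the OpenVPN interface.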

