OpenVPN with Static IP client. HOW ??



  • Hi all and Happy New Year !!  ;D

    I'm trying to configure an OpenVPN connection to connect one client (laptop, Win XP) to my LAN.
    OpenVPN works fine with dynamic IPs (I can get connected),
    but I need my remote client to have a static IP in the same LAN class (172.16.11.0/24)
    due to a lot of routing/gateway limitations in my very-complex-LAN structure.

    I read in the forum that I could solve it with subnetting,
    but I cannot use these techniques because my LAN (172.16.11.0/24) is FULL of machines
    and I can't reserve an address range for OpenVPN.
    In fact I have about 246 machines in 172.16.11.0/24,
    otherwise I could use subnetting in /29.
    (P.S. The address pool can't be /30. It needs more IPs, so it has to be at least /29, right??)

    So the only way is to use static IPs, but I can't get it working.

    Please help me with some example.
    Thanks,
    Alex



  • i don't really understand:
    could you make a diagram of where you intend to put your VPN clients?

    you write that your VPN client has to be in 172.16.11.0/8, but then that you have 246 clients in 172.16.11.0/24

    (btw: 172.16.11.0/8 is not allowed: --> the private range is 172.16.x.x/12)

    couldn't you just assign another 172.16.x.x subnet to your VPN clients?

    if you NEED to have your VPN client within 172.16.11.0/24 you won't be able to achieve that with routing.
    you might need to bridge your VPN to your LAN

    http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN --> at the bottom
    it has been reported stable if you don't use CARP.



  • Hi GruensFroeschli !
    I made a mistake.. In fact, as you supposed, everything is in (172.16.11.0/24).

    I'll try bridging my VPN to my LAN..

    Thanks again,
    Alex



  • @GruensFroeschli:

    if you NEED to have your VPN client within 172.16.11.0/24 you won't be able to achieve that with routing.
    you might need to bridge your VPN to your LAN

    http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN --> at the bottom
    it has been reported stable if you don't use CARP.

    My pfSense box doesn't have a tap0 interface!!  How can I create it??
    Thanks,
    Alex



  • @scarpy:

    My pfSense box doesn't have a tap0 interface!!  How can I create it??
    Thanks,
    Alex

    I tried everything explained at the bottom of
    http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
    but I had no success:

    In conf/config.xml I put these lines:

    <earlyshellcmd>ifconfig bridge0 create</earlyshellcmd>
    <earlyshellcmd>ifconfig bridge0 addm vr0 up</earlyshellcmd>
    <shellcmd>ifconfig bridge0 addm tap0</shellcmd>

    but I got these messages when booting:

    bridge0 eth address XX:xx:XX:XX
    ifconfig: SIOCIFCREATE invalid argument
    ifconfig: BRDGADD tap0: no such file or directory

    I also tried with
    <shellcmd>ifconfig bridge0 addm tap</shellcmd>
    with the same result.

    I also tried from the shell prompt:

    # ifconfig tap0 create
    ifconfig: SIOCIFCREATE: Invalid argument
    # ifconfig tap create
    ifconfig: SIOCIFCREATE: Invalid argument

    but nothing doing!!

    My kldstat output is:

    kldstat

    Id Refs Address    Size    Name
    1    1 0xc0400000 71530c  kernel

    Thanks for your help.
    Alex
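An added example, not code from the thread or from pfSense, that works through the diagnosis the post above is stuck on: `ifconfig tap0 create` answering `SIOCIFCREATE: Invalid argument` and the bridge reporting `BRDGADD tap0: No such file or directory` both point at the tap interface not existing yet. The script reads a FreeBSD `kldstat` listing (the poster's kernel-only listing is reproduced as constructed sample data) to see whether the tap and bridge drivers are present as modules, and prints the `ifconfig` sequence in an order where every member exists before it is added to the bridge. The module names `if_tap` and `if_bridge` and the use of `ifconfig -C` to list available cloners are assumptions about the FreeBSD base pfSense runs on, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. It reads the output of
# FreeBSD `kldstat` to tell whether the tap and bridge drivers are present as modules
# and prints the ifconfig sequence in an order that avoids "BRDGADD tap0: No such file
# or directory" (the member must exist before it is added).
# Assumed module names: if_tap and if_bridge. A driver compiled statically into the
# kernel is not listed by kldstat; `ifconfig -C` on the box lists the cloners that
# actually exist, so treat "missing" here as "check further", not as proof.

# Constructed sample: the listing the poster showed, kernel only.
SAMPLE_KLDSTAT_BARE='Id Refs Address    Size    Name
 1    1 0xc0400000 71530c  kernel'

# Constructed sample: the same box with both modules loaded.
SAMPLE_KLDSTAT_LOADED='Id Refs Address    Size    Name
 1    5 0xc0400000 71530c  kernel
 2    1 0xc0b00000 5b2c    if_tap.ko
 3    1 0xc0b10000 9a40    if_bridge.ko'

# module_loaded NAME LISTING: exit 0 if NAME (or NAME.ko) is a loaded module.
module_loaded() {
    name=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v n="$name" '
        NR > 1 && ($NF == n || $NF == (n ".ko")) { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# missing_modules LISTING: print the names (space separated) that are not loaded.
missing_modules() {
    listing=$1
    out=""
    for m in if_tap if_bridge; do
        module_loaded "$m" "$listing" || out="$out $m"
    done
    printf '%s' "${out# }"
}

# bridge_plan BRIDGE LANIF TAPIF: print the commands in a safe order.
# The tap is normally created by OpenVPN itself when it opens /dev/tapN, so the plan
# only creates it if it is absent, then creates the bridge and adds both members.
bridge_plan() {
    br=$1; lan=$2; tap=$3
    printf 'ifconfig %s >/dev/null 2>&1 || ifconfig %s create\n' "$tap" "$tap"
    printf 'ifconfig %s >/dev/null 2>&1 || ifconfig %s create\n' "$br" "$br"
    printf 'ifconfig %s addm %s addm %s up\n' "$br" "$lan" "$tap"
}

# Stand-alone run against the constructed listings.
missing=$(missing_modules "$SAMPLE_KLDSTAT_BARE")
if [ -n "$missing" ]; then
    echo "kernel-only kldstat: not loaded as modules: $missing"
    echo "try: kldload if_tap; kldload if_bridge (or confirm with: ifconfig -C)"
fi
bridge_plan bridge0 vr0 tap0
```

On the real box, feed it `"$(kldstat)"` instead of the sample strings. The ordering matters for the `<shellcmd>` entries in config.xml too: `earlyshellcmd` runs before OpenVPN has started, so a tap that OpenVPN creates can only be added from a later `shellcmd`, and only once the kernel is able to create tap interfaces at all.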



  • What version of pfSense are you using?  If it's not 1.2 then I suspect you'll need to upgrade.



  • @Cry:

    What version of pfSense are you using?  If it's not 1.2 then I suspect you'll need to upgrade.

    I upgraded to 1.2RC3.. but nothing changed!!!



  • Are those lines still in config.xml, or did the upgrade remove them?



  • @Cry:

    Are those lines still in config.xml, or did the upgrade remove them?

    Still there..

    <earlyshellcmd>ifconfig bridge0 create</earlyshellcmd>
    <earlyshellcmd>ifconfig bridge0 addm vr0 up</earlyshellcmd>

    The 2 lines above work, in fact I have the bridge0 "learning" in Status | Interfaces menu, but can't add the tap0 interface..

    <shellcmd>ifconfig bridge0 addm tap0</shellcmd>
    returns:

    ifconfig: BRDGADD tap0: No such file or directory

    Thanks again.
    Alex



  • After following the instructions in the VPN Capability OpenVPN doc to open a VPN Client Bridge, are there any special settings in the Firewall Rules that need to be made? My problem is when the OpenVPN Tunnel is enabled after configuring it with the bridge settings I no longer can send emails. My email program hangs while trying to send and receive email. If I disable the OpenVPN Tunnel I can send email.

    Other than that, when the OpenVPN tunnel is enabled offsite roadwarriors can connect without issue.

    For anyone who gets the "ifconfig: BRDGADD tap0: No such file or directory" error check your server bridge entry in the OpenVPN custom options field. The tap0 gave me errors until I realized that the LAN setting for the server bridge was wrong and corrected it and rebooted the machine. The other strange thing is the "<shellcmd>ifconfig bridge0 addm tap0</shellcmd>" entry in the config.xml file seems to not stay at the bottom of the three entries that get entered. After entering them it moved up the next time I looked at the file so it was the first of the three entries for this bridging setup.
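The last post traces the `BRDGADD tap0` error to a wrong LAN value in the `server-bridge` custom option, a mistake that only shows up after a reboot. As an added example, not code from the thread, pfSense or OpenVPN, the script below checks an OpenVPN `server-bridge GATEWAY NETMASK POOL-START POOL-END` line against the LAN it is meant to bridge into before the setting is saved: the netmask must match the LAN, the gateway and the whole pool must fall inside it, and the gateway must not sit inside the pool. Only the LAN 172.16.11.0/24 comes from the thread; the gateway and pool addresses are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/OpenVPN. It checks an OpenVPN
# "server-bridge GATEWAY NETMASK POOL-START POOL-END" line against the LAN it is
# supposed to bridge into, so a wrong LAN value is caught before a reboot.
# The addresses below are constructed; only the LAN 172.16.11.0/24 comes from the thread.

# ip2int A.B.C.D: print the address as a plain integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# validate_server_bridge LINE LAN_CIDR: print "ok" and exit 0, or print the first
# problem found and exit 1.
validate_server_bridge() {
    line=$1
    lan=$2
    set -- $line
    if [ "$1" != "server-bridge" ] || [ $# -ne 5 ]; then
        echo "expected: server-bridge GATEWAY NETMASK POOL-START POOL-END"
        return 1
    fi
    gw_s=$2; mask_s=$3; first_s=$4; last_s=$5
    gw=$(ip2int "$gw_s"); mask=$(ip2int "$mask_s")
    first=$(ip2int "$first_s"); last=$(ip2int "$last_s")

    # Derive the LAN network and mask from the CIDR prefix.
    prefix=${lan#*/}
    lanmask=$(( ((1 << prefix) - 1) << (32 - prefix) ))
    net=$(( $(ip2int "${lan%/*}") & lanmask ))

    if [ "$mask" -ne "$lanmask" ]; then
        echo "netmask $mask_s does not match $lan"; return 1
    fi
    if [ $(( gw & lanmask )) -ne "$net" ]; then
        echo "gateway $gw_s is not in $lan"; return 1
    fi
    if [ $(( first & lanmask )) -ne "$net" ] || [ $(( last & lanmask )) -ne "$net" ]; then
        echo "pool $first_s-$last_s is not inside $lan"; return 1
    fi
    if [ "$first" -gt "$last" ]; then
        echo "pool start $first_s is after pool end $last_s"; return 1
    fi
    if [ "$gw" -ge "$first" ] && [ "$gw" -le "$last" ]; then
        echo "gateway $gw_s lies inside the pool $first_s-$last_s"; return 1
    fi
    echo ok
}

# Stand-alone run on a constructed good line and a constructed bad one.
LAN=172.16.11.0/24
validate_server_bridge 'server-bridge 172.16.11.1 255.255.255.0 172.16.11.200 172.16.11.210' "$LAN" || true
validate_server_bridge 'server-bridge 10.0.8.1 255.255.255.0 10.0.8.50 10.0.8.60' "$LAN" || true
```

The pool range still has to be kept free on the LAN by hand (the check cannot know which of the 246 hosts are in use), which is exactly the constraint the original poster describes: with a bridged tap the clients take LAN addresses, so a small reserved range is needed even though no separate subnet is.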

