[solved]pfSense TAP config: can't see LAN clients, no broadcast



  • We are moving from Endian FW to pfSense 2.2.1. Our staff uses OpenVPN to get access to their PCs via remote desktop. We need to use broadcast packets for Wake on LAN, so I learned that we have to use TAP.
    I tried to replicate our working OpenVPN setting from Endian, but on pfSense I can't see other clients when connecting over OpenVPN. Using my network scanner I can see just my own IP.
    I'm reading a lot, but I didn't find any thread which was helpful for me. Most people are using TUN, lots of posts didn't give enough details.
    I compared our pfSense OpenVPN server config to our old working setup, but didn't find any relevant differences. The only real difference is "–multihome": that isn't relevant in our new setup (just one WAN/ one LAN interface).

    I read several OpenVPN docs, googled a lot, did a lot of testing with several different configs, but didn't find a solution.
    I saw a reference to a tutorial using an additional bridge interface, but from my understanding TAP is already bridging, so I shouldn't need that.

    Here is our setting:

    Two NICs: WAN + LAN
    Network 192.168.10.0/24

    There are two VPN servers running: one for TUN (port 1194), one for TAP (port 1196).
    TUN is not of interest at the moment, we are just looking at TAP. (Running or stopping TUN server doesn't seem to affect our TAP connection):

    Server config:

    dev ovpns1
    verb 1
    dev-type tap
    dev-node /dev/tap1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local xx.xx.xx.xx
    engine cryptodev
    tls-server
    server-bridge 192.168.10.1 255.255.255.0 192.168.10.240 192.168.10.250
    client-config-dir /var/etc/openvpn-csc
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPN' 1"
    lport 1196
    management /var/etc/openvpn/server1.sock unix
    max-clients 6
    push "route 192.168.10.0 255.255.255.0"
    push "dhcp-option DOMAIN ourdomain.local"
    push "register-dns"
    client-to-client
    ca /var/etc/openvpn/server1.ca 
    cert /var/etc/openvpn/server1.cert 
    key /var/etc/openvpn/server1.key 
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    passtos
    persist-remote-ip
    float
    

    Our client config:

    
    dev tap
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote ourdyn.domain 1196 udp
    lport 0
    verify-x509-name "our VPN" name
    auth-user-pass
    pkcs12 pfSense-udp-1196.p12
    tls-auth pfSense-udp-tls.key 1
    ns-cert-type server
    passtos
    

    My route shows (client on Win 8.1 - rough translation):

    IPv4-Routentabelle

    active routes:
    target mask gateway interface metric
    0.0.0.0 0.0.0.0 10.156.191.194 10.156.191.196 296
    10.156.191.0 255.255.255.0 Connected 10.156.191.196 296
    10.156.191.196 255.255.255.255 Connected 10.156.191.196 296
    10.156.191.255 255.255.255.255 Connected 10.156.191.196 296
    127.0.0.0 255.0.0.0 Connected 127.0.0.1 306
    127.0.0.1 255.255.255.255 Connected 127.0.0.1 306
    127.255.255.255 255.255.255.255 Connected 127.0.0.1 306
    192.168.10.0 255.255.255.0 Connected 192.168.10.240 276
    192.168.10.0 255.255.255.0 192.168.10.1 192.168.10.240 21
    192.168.10.240 255.255.255.255 Connected 192.168.10.240 276
    192.168.10.255 255.255.255.255 Connected 192.168.10.240 276
    192.168.56.0 255.255.255.0 Connected 192.168.56.1 276
    192.168.56.1 255.255.255.255 Connected 192.168.56.1 276
    192.168.56.255 255.255.255.255 Connected 192.168.56.1 276
    224.0.0.0 240.0.0.0 Connected 127.0.0.1 306
    224.0.0.0 240.0.0.0 Connected 192.168.56.1 276
    224.0.0.0 240.0.0.0 Connected 10.156.191.196 296
    224.0.0.0 240.0.0.0 Connected 192.168.10.240 276
    255.255.255.255 255.255.255.255 Connected 127.0.0.1 306
    255.255.255.255 255.255.255.255 Connected 192.168.56.1 276
    255.255.255.255 255.255.255.255 Connected 10.156.191.196 296
    255.255.255.255 255.255.255.255 Connected 192.168.10.240 276

    static routes:
      no

    See attachments for our FW settings.

    Any one any clue what I'm missing here?









  • Despite what some people told in other threads:
    I seems that we need interface bridging to get our setup working.
    I followed this old howto and now everything works perfect.

    So, to get it short: if your OpenVPN clients should access your whole network, including broadcasting WOL packages, then follow the howto above (and don't listen to guys who tell you TAP doesn't need bridging  ;) )



  • Who was saying that TAP does not need bridging?

    It has always needed bridging.



  • Sorry, I don't remember who it was. I searched a lot here and I don't have time to look for this thread in my browser history.
    Anyway, I found the solution and I don't care for this wrong information any more. That's the nature of forums at the internet. Not all information you find is correct  ;)


Log in to reply