[solved] pfSense TAP config: can't see LAN clients, no broadcast

  • We are moving from Endian FW to pfSense 2.2.1. Our staff uses OpenVPN to get access to their PCs via remote desktop. We need to use broadcast packets for Wake on LAN, so I learned that we have to use TAP.
    I tried to replicate our working OpenVPN setting from Endian, but on pfSense I can't see other clients when connecting over OpenVPN. Using my network scanner I can see just my own IP.
    I'm reading a lot, but I didn't find any thread which was helpful for me. Most people are using TUN, lots of posts didn't give enough details.
    I compared our pfSense OpenVPN server config to our old working setup, but didn't find any relevant differences. The only real difference is "--multihome": that isn't relevant in our new setup (just one WAN / one LAN interface).

    I read several OpenVPN docs, googled a lot, did a lot of testing with several different configs, but didn't find a solution.
    I saw a reference to a tutorial using an additional bridge interface, but from my understanding TAP is already bridging, so I shouldn't need that.

    Here is our setting:

    Two NICs: WAN + LAN

    There are two VPN servers running: one for TUN (port 1194), one for TAP (port 1196).
    TUN is not of interest at the moment; we are just looking at TAP. (Running or stopping the TUN server doesn't seem to affect our TAP connection):

    Server config:

    dev ovpns1
    verb 1
    dev-type tap
    dev-node /dev/tap1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    keepalive 10 60
    proto udp
    cipher AES-256-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local xx.xx.xx.xx
    engine cryptodev
    client-config-dir /var/etc/openvpn-csc
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPN' 1"
    lport 1196
    management /var/etc/openvpn/server1.sock unix
    max-clients 6
    push "route"
    push "dhcp-option DOMAIN ourdomain.local"
    push "register-dns"
    ca /var/etc/openvpn/server1.ca 
    cert /var/etc/openvpn/server1.cert 
    key /var/etc/openvpn/server1.key 
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0

    Our client config:

    dev tap
    cipher AES-256-CBC
    auth SHA256
    resolv-retry infinite
    remote ourdyn.domain 1196 udp
    lport 0
    verify-x509-name "our VPN" name
    pkcs12 pfSense-udp-1196.p12
    tls-auth pfSense-udp-tls.key 1
    ns-cert-type server

    My route shows (client on Win 8.1 - rough translation):

    active routes:
    (table columns: target, mask, gateway, interface, metric; the individual route entries were lost when the post was copied, only the metrics 276/296/306 and the "Connected" gateway column survived)

    static routes:
    See attachments for our FW settings.

    Anyone have any clue what I'm missing here?
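The reason TAP (plus a bridge) is needed at all is that Wake on LAN depends on a layer-2 broadcast frame reaching the target's NIC. The following is an added example, not code from the thread or from pfSense: it builds a WoL magic packet, sends it to a broadcast address, and also parses incoming payloads so you can confirm from a LAN host (or a packet capture) that the broadcast actually crossed the VPN segment. The MAC address and port are constructed sample values.

```python
import socket


def mac_to_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into 6 raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def build_magic_packet(mac: str) -> bytes:
    """A WoL magic packet is 6 bytes of 0xFF followed by the target MAC
    repeated 16 times (102 bytes total). The NIC matches this pattern
    anywhere in the frame, so it only works if the frame reaches the
    target's broadcast domain, which is why a routed (TUN) tunnel is
    not enough."""
    return b"\xff" * 6 + mac_to_bytes(mac) * 16


def parse_magic_packet(payload: bytes):
    """Return the target MAC (lowercase, colon separated) if the payload is a
    well-formed magic packet, otherwise None. Running this on a LAN host
    that listens on the WoL port is a quick check that broadcasts from the
    TAP segment really arrive on the bridged LAN."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    body = payload[6:102]
    mac = body[:6]
    if body != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255",
                      port: int = 9, sock=None) -> int:
    """Send the magic packet as a UDP broadcast. Port 9 (discard) is the
    conventional choice; the payload, not the port, is what the NIC
    looks at. A pre-built socket can be passed in for testing."""
    pkt = build_magic_packet(mac)
    own_socket = sock is None
    if own_socket:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        # SO_BROADCAST is required, otherwise sendto() to a broadcast
        # address is refused by the OS.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    try:
        return sock.sendto(pkt, (broadcast, port))
    finally:
        if own_socket:
            sock.close()


if __name__ == "__main__":
    # Constructed sample MAC; replace with the real target when using this.
    sample_mac = "00:11:22:33:44:55"
    pkt = build_magic_packet(sample_mac)
    print(len(pkt), parse_magic_packet(pkt))
```

When the VPN client's tap interface is bridged to the LAN on the pfSense side, a packet sent to 255.255.255.255 from the client lands on every LAN host's NIC; without the bridge it never leaves the tap segment, which matches the symptom in this thread (the scanner sees only the client's own IP).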

  • Despite what some people said in other threads:
    It seems that we need interface bridging to get our setup working.
    I followed this old howto and now everything works perfectly.

    So, to keep it short: if your OpenVPN clients should access your whole network, including broadcasting WOL packets, then follow the howto above (and don't listen to guys who tell you TAP doesn't need bridging ;) )

  • Who was saying that TAP does not need bridging?

    It has always needed bridging.

  • Sorry, I don't remember who it was. I searched a lot here and I don't have time to look for this thread in my browser history.
    Anyway, I found the solution and I don't care about this wrong information any more. That's the nature of forums on the internet. Not all information you find is correct ;)
