OpenVPN Bridge to VLAN Containing Windows 2012 R2 DHCP/DNS Server - Setup



  • Hey all. First post here.

    I have a recently setup network that looks like this:

    192.168.1.0/24  : VLAN 0  : Management, pfSense DHCP/DNS @ 192.168.1.1
    192.168.10.0/24 : VLAN 10 : Windows Domain, Server 2012 DHCP/DNS @ 192.168.10.2
    192.168.20.0/24 : VLAN 20 : Shared, pfSense DHCP/DNS @ 192.168.20.1
    192.168.30.0/24 : VLAN 30 : Guest, pfSense DHCP/DNS @ 192.168.30.1

    Firewall Rules are set so that:
    VLAN 0  : Complete access to all VLANs, WAN
    VLAN 10 : Access to VLAN 10, WAN
    VLAN 20 : Access to VLAN 10, VLAN 20, VLAN 30
    VLAN 30 : Access to VLAN 20, VLAN 30, WAN

    Everything is NATed properly and everything functions as expected, even a bunch of trunked Unifi UAPs.

    With that out of the way, I am new to both pfSense and OpenVPN, and have followed this somewhat dated guide here: https://www.highlnk.com/2013/12/configuring-openvpn-on-pfsense/

    My goal is to make an OpenVPN connection to VLAN 10 as if you are on the Windows domain network, with support for at least RDP, SMB/CIFS (accessing network shares), and neighborhood discovery. I would guess I have to bridge VPN traffic over to VLAN 10 so as to get everything in the same broadcast domain. It would be ideal if the client PC could be relayed to the Windows Server 2012 DHCP server on VLAN 10 and report an IP address within the DHCP range specified by Server 2012. Furthermore, it would be nice if even WAN traffic were routed through the VPN.

    I have set up self-signed certificates and users, the OpenVPN server, etc., and got as far as being able to ping every instance of pfSense across all VLANs and communicate with all devices outside VLAN 10, including ESXi servers, managed switches, etc. This is with the virtual IP range set as either 192.168.40.0/24 or 10.0.8.0/24. EDIT: I can ping systems within VLAN 10 at this stage as well (Server 2012, PCs).

    Here are my issues:

    1. Despite checking off "Redirect Gateway - Force all client generated traffic through the tunnel," the client machine's Default Gateway is left empty, meaning WAN requests go to another connection. The DNS Server configuration option (192.168.10.2, Server 2012) is present, however.

    2. On attempting to bridge interfaces, the client machine can no longer ping anything in any VLAN. I realize that only one of the bridged connections should have an IP address assigned, but the VPN tunnel interface needs to be assigned virtual IPs. I'm not entirely sure how this is supposed to work. Yes, I have set firewall rules to allow the VPN interface, the bridge interface, and the "OpenVPN" non-interface full access to everything.

    Attached is what my interfaces widget looks like on the dashboard. Also included is the "Interface assignments" section under "Interfaces."

    I'm guessing there is something more that needs to be done to get the bridge to work and that there is client-side configuration to be done to get the "Redirect Gateway" option to work. Maybe there is a way to point OpenVPN to the bridge instead of virtual IPs?

    Any insight is appreciated.

    Putting this away for the day, will respond tomorrow.
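For reference, the following is an added example, not from the original post and not a pfSense-generated configuration, of what a stock OpenVPN 2.x server and client configuration for a TAP (layer 2) bridge looks like, written to match the addresses in the post. It assumes the server-side tap interface is a member of a bridge that also contains the VLAN 10 interface, and that the bridge (or its LAN member), not the tap interface, carries the server's own address. It uses OpenVPN's `server-bridge` directive with no arguments, which puts clients in DHCP-proxy mode: the client's TAP adapter obtains its lease from the DHCP server on the bridged LAN rather than from an OpenVPN address pool. Certificate file names and the hostname are placeholders.

```conf
# --- server.ovpn (added example; OpenVPN tap/bridge server, not pfSense GUI output) ---
# TAP instead of TUN: the tap interface is bridged to the VLAN 10 interface,
# so connecting clients end up in the same broadcast domain as the domain.
dev tap0
proto udp
port 1194

# server-bridge with no arguments enables DHCP-proxy mode. The client's TAP
# adapter runs its own DHCP client over the tunnel and takes its lease from
# the DHCP server on the bridged LAN (here Windows Server 2012 at
# 192.168.10.2). OpenVPN assigns no address of its own to the tap interface,
# which is why the tap member of the bridge does not get a virtual IP range.
server-bridge

# Push a full-tunnel default route. "def1" installs 0.0.0.0/1 and 128.0.0.0/1
# routes that take precedence over the client's existing default route
# without deleting it; the client process must have the privileges needed to
# change its routing table for this to take effect.
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.10.2"
push "dhcp-option DOMAIN example.local"   # placeholder domain suffix

# Placeholder certificate material, not the poster's files.
ca   ca.crt
cert server.crt
key  server.key
dh   dh2048.pem
tls-auth ta.key 0

keepalive 10 120
persist-key
persist-tun
verb 3

# --- client.ovpn (added example) ---
client
dev tap                        # must match the server: a TAP bridge cannot serve TUN clients
proto udp
remote vpn.example.com 1194    # placeholder hostname
nobind
ca   ca.crt
cert client.crt
key  client.key
tls-auth ta.key 1
persist-key
persist-tun
verb 3
```

Two properties of this layout are worth checking against any bridge setup: DHCP-proxy mode only works for clients whose TAP adapter can run a DHCP client (the Windows TAP driver does), and because the tap interface is a bridge member, DHCP discovery and the name-resolution broadcasts that neighborhood discovery depends on cross the tunnel as ordinary layer 2 bridge traffic, so the firewall rules on the bridge and on its member interfaces have to permit that broadcast traffic, which a routed TUN setup never has to allow.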