Instructions on OpenVPN TAP with pfsense (server) and Windows (client)



  • I have a couple of questions that I thought this would be the best place to ask.

    I have a home network. It's on the 192.168.8.0/22 subnet. pfsense is running on a Celeron-based machine; the LAN cable goes out to a 16-port switch that connects a few dd-wrt/UniFi access points and a few wired clients. pfsense is set up to do static DHCP mappings based on MAC addresses.

    I have a Windows 8.1 pro laptop. When travelling, I would like to be able to "get on" the 192.168.8.0/22 subnet and access my LAN machines as though I were at home. Currently, I work around this by SSH with local forwards to my laptop, but it is getting tedious.

    (Note: I do NOT intend to use the VPN connection as a "secure browsing" solution. I already have PIA VPN for that, so that's fine. What I am looking for is a "bridge mode" to my home.)

    So here are my questions ->

    1. Should the OpenVPN "server" be set up on the perimeter pfsense router, or can I set it up "inside" my home LAN? I have a beefy machine serving as a VM host, so I don't mind setting up another pfsense VM to act as an OpenVPN server appliance, or any other VM appliance. If it can be done either way, can someone explain the pros and cons of having the OpenVPN server on the perimeter pfsense vs. port forwarding on the perimeter pfsense to an internal OpenVPN appliance?

    2. Can I get DNS on my local lan? My LAN domain is "hdmhome" and currently, within the LAN, I access my machines as "desktop.hdmhome", "homelab.hdmhome" and so on. Can I do this when connected from my laptop in a coffee shop?

    3. Finally, just about everywhere I search, there are instructions for doing this with a TUN device, which is not what I am looking for. Are there any "pfsense official" instructions for doing this with a TAP connection?

    Again, while I would prefer having an OpenVPN appliance + port forwards, if the recommendation is to go with the OpenVPN server on the perimeter router, I don't mind (I am just not sure if my Celeron 1037U based pfsense router has AES-NI support in the CPU. I know my virtual machine host does). Any guidelines?



  • Why do you want to do it with a TAP device?

    I suggest implementing it in your perimeter firewall and checking how it works; the worst case is that it presents a lower velocity (due to CPU saturation). Of course, it depends on the transfer rate and other services running on the firewall.

    I've read that version 2.2.4 presents a lower VPN velocity (maybe a bug?); pfsense 2.1.5 works better. Check this: https://forum.pfsense.org/index.php?topic=99536.0

    Regards



  • @ega:

    Why do you want to do it with a TAP device?

    I suggest implementing it in your perimeter firewall and checking how it works; the worst case is that it presents a lower velocity (due to CPU saturation). Of course, it depends on the transfer rate and other services running on the firewall.

    I've read that version 2.2.4 presents a lower VPN velocity (maybe a bug?); pfsense 2.1.5 works better. Check this: https://forum.pfsense.org/index.php?topic=99536.0

    Regards

    My understanding was that a TAP device is what lets me bridge to my existing home LAN, and that a TUN device creates a link solely between my Windows 8.1 laptop and the OpenVPN server. That's not what I want; what I want is to "be assigned an IP on my home LAN". Isn't TAP what I need?



  • OK, do you necessarily need the VPN client to be assigned a LAN IP?

    I've implemented an OpenVPN server, TUN device, TCP protocol, and road-warrior clients, so I can access LAN resources (shared directories, mapping hosts by IP address) with no problem, and of course I can ping any device on the LAN.

    Of course, from my client I can access local resources, but it can't be done backwards (a local client can't ping a VPN client).

    If this solves your need, I can help you with your deployment.



  • @ega:

    OK, do you necessarily need the VPN client to be assigned a LAN IP?

    Would be convenient, but not absolutely necessary. The requirements you have mentioned below are more important to me.

    @ega:

    I've implemented an OpenVPN server, TUN device, TCP protocol, and road-warrior clients, so I can access LAN resources (shared directories, mapping hosts by IP address) with no problem, and of course I can ping any device on the LAN.

    Perfect, this is exactly what I am looking for: the ability to access LAN resources (shared directories (typically SAMBA/smbfs), remote desktop (3389) to Windows machines, SSH (22) to Linux machines, and other TCP services such as the Deluge torrent client, Plex, etc.).

    Just out of curiosity, can the LAN machines be accessed by name rather than IP addresses? Meaning, can the VPN server provide DNS services to the VPN clients for the local LAN as well? (This would be ideal, as it makes life very easy).

    @ega:

    Of course, from my client I can access local resources, but it can't be done backwards (a local client can't ping a VPN client).

    yep, that's ok. I want to be able to access my LAN resources with my laptop, I don't care about going the other way.

    @ega:

    If this solves your need, I can help you with your deployment.

    Outside of being able to access LAN machines by name, everything you have said is pretty much what I am looking to do. I would really appreciate any guidelines you have!



  • Yes, the VPN server can provide a DNS server for the remote client.

    Follow these instructions:

    https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server

    Keep me posted if anything goes wrong
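    As an added example (not from this thread, ega's setup, or the pfSense documentation), the plain OpenVPN server directives that correspond to what the thread settles on: a TUN road-warrior server that routes only 192.168.8.0/22 through the tunnel and pushes the LAN resolver and the "hdmhome" search domain, so names resolve from the coffee shop without the VPN becoming the laptop's default gateway. The pfSense LAN/DNS address 192.168.8.1, the tunnel subnet 10.8.0.0/24, and the tls-auth key path are assumptions.

```conf
# Added example, not pfSense-generated config. Assumed: pfSense LAN address and
# resolver at 192.168.8.1, tunnel subnet 10.8.0.0/24 (pick anything unused at home).
dev tun
proto udp            # ega used TCP; UDP avoids TCP-over-TCP stalls for RDP/SSH/Plex
port 1194
server 10.8.0.0 255.255.255.0

# Route only the home LAN (192.168.8.0/22 = mask 255.255.252.0) over the tunnel.
# Deliberately no "redirect-gateway def1": the laptop keeps its normal default
# route, which is what the poster wants since PIA already handles general browsing.
push "route 192.168.8.0 255.255.252.0"

# Question 2 (DNS): hand the client the pfSense resolver and the search domain so
# "desktop.hdmhome" and "homelab.hdmhome" resolve exactly as they do at home.
# Requires the pfSense DNS Resolver/Forwarder to accept queries from 10.8.0.0/24.
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN hdmhome"

# Question 1 (where to run it): with the server on the perimeter pfSense box, which
# is already the LAN's default gateway, LAN hosts reply to 10.8.0.0/24 via pfSense
# with no extra routes or NAT. On an internal VM appliance behind a port forward,
# every LAN host would need a route to 10.8.0.0/24 via that VM (or the VM must
# masquerade), which is the main cost of the appliance option.

# Clients reach the LAN; LAN hosts cannot initiate to clients (same as ega's setup).
# No "client-to-client": road warriors have no need to see each other.

# Control-channel hardening: a static HMAC key drops unauthenticated packets before
# any TLS work is done, which matters on a CPU that may lack AES-NI.
tls-auth /var/etc/openvpn/server1.tls-auth 0   # assumed path to the shared key
tls-version-min 1.2
auth SHA256
cipher AES-128-CBC   # noticeably cheaper than AES-256 on a Celeron without AES-NI

# Per-client certificates plus revocation are the authentication; keep the CRL
# current so a lost laptop can be cut off without reissuing everyone else's certs.
crl-verify /var/etc/openvpn/server1.crl-verify   # assumed path
keepalive 10 60
persist-key
persist-tun
```

    Only the two push "dhcp-option" lines are needed for the name-resolution part; on the Windows client the tap-windows adapter applies them through its DHCP mode, so no client-side DNS configuration is required.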

