
Topic: OpenVPN TAP TCP traffic not passing, ICMP works


Offline shimpa

OpenVPN TAP TCP traffic not passing, ICMP works
« on: February 21, 2017, 06:05:50 am »
hi folks,

Recently I've come across this strange issue with OpenVPN when using it in TAP mode.

It's set up correctly (well obviously it isn't since it's not working but I have no idea what to change).

- It's in Remote access mode (SSL/TLS with auth)
- no tunnel network
- bridged with LAN interface
- DHCP inside the LAN pool
- disabled compression
- TOS IP header checked
- Inter-client comm allowed
- allow duplicate connections
- allow dynamic IP changes
- Provide a virtual adapter IP address to clients
- no custom options

I've bridged the LAN and the TAP OpenVPN interface
- the bridge interface is enabled

On TAP OpenVPN interface and bridge interface as well as LAN interface there is allow any/any rule on top
There is an allow UDP/1199 on WAN (that's the service port, not using the default 1194)

The clients connect just fine, receive the IP address from the pfSense's LAN DHCP service as they should and ping works between the VPN clients and the actual LAN devices both ways (from LAN to OVPN client and vice versa).

Even UDP works (traceroute).

The issue is with TCP connections. I can't access the pfsense web config on LAN side. There's a lot of multicasting devices on the LAN side (Xboxes) and the states are there but can't seem to actually start a TCP session across the VPN.

I've played around with the MTU using the fragment xxxx;mssfix in the advanced options (the xxxx ranging from 1000 to 1400, tried about a dozen of random numbers) but that makes it only worse. No matter what MTU I set there nothing passes anymore, not even ICMP.

If anyone has any ideas I'd greatly appreciate it,

cheers,

Damir
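The OP says the states are there but a TCP session never actually starts. Which phase the TCP states are stuck in tells a lot: pf creates a state as soon as it sees the client's SYN, and that state sits at SYN_SENT:CLOSED until a SYN-ACK comes back through the same firewall. The following is an added example, not code from the thread or from pfSense: a small Python checker that reads `pfctl -ss` style lines and separates a return-path problem (SYN passes, SYN-ACK never traverses pf) from an MTU problem (handshake completes, bulk transfer hangs). The sample lines, the interface names `bridge0` and `lan` and the addresses are constructed; the assumed layout is `iface proto addr dir addr state`, with optional parenthesised NAT addresses after either endpoint.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout of `pfctl -ss` (interface, protocol,
# address, direction arrow, address, state); not captured from the thread.
# It reproduces the reported symptom: ICMP and UDP states progress normally
# while TCP states from the VPN client side never leave SYN_SENT.
SAMPLE_STATES = """\
bridge0 icmp 192.168.1.1:8 <- 192.168.1.150:8       0:0
bridge0 udp 192.168.1.1:53 <- 192.168.1.150:51001       MULTIPLE:MULTIPLE
bridge0 tcp 192.168.1.1:443 <- 192.168.1.150:52310       SYN_SENT:CLOSED
bridge0 tcp 192.168.1.1:22 <- 192.168.1.150:52311       SYN_SENT:CLOSED
lan tcp 192.168.1.20:445 <- 192.168.1.150:52312       ESTABLISHED:ESTABLISHED
"""

# Optional "(addr:port)" groups after either endpoint cover NAT-rewritten states.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)(?:\s+\([^)]*\))?"
    r"\s+(?P<direction><->|<-|->)\s+(?P<right>\S+)(?:\s+\([^)]*\))?"
    r"\s+(?P<state>\S+)\s*$"
)


@dataclass
class PfState:
    iface: str
    proto: str
    left: str
    direction: str
    right: str
    state: str


def parse_states(text: str) -> list[PfState]:
    """Parse `pfctl -ss` style lines; lines that do not match the layout are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.append(PfState(**m.groupdict()))
    return states


def count_by_proto(states: list[PfState]) -> Counter:
    """How many states exist per protocol (icmp / udp / tcp)."""
    return Counter(s.proto for s in states)


def stuck_tcp_handshakes(states: list[PfState]) -> list[PfState]:
    """TCP states where pf saw the SYN but never a SYN-ACK from the other side."""
    return [s for s in states if s.proto == "tcp" and s.state.startswith("SYN_SENT")]


def diagnose(states: list[PfState]) -> tuple[str, str]:
    """Return (verdict, reasoning) for a 'ping works, TCP does not' report."""
    tcp = [s for s in states if s.proto == "tcp"]
    stuck = stuck_tcp_handshakes(states)
    if not tcp:
        return ("no-tcp-states",
                "no TCP state exists: the SYN never reached pf (client-side filter or wrong route)")
    if stuck:
        return ("return-path",
                f"{len(stuck)} of {len(tcp)} TCP states are SYN_SENT: the SYN passed but the SYN-ACK "
                "never came back through pf. A SYN is a tiny packet, so this is not MTU; check the "
                "reply route, outbound NAT and filtering on the bridge members")
    if all(s.state == "ESTABLISHED:ESTABLISHED" for s in tcp):
        return ("mtu-or-application",
                "handshakes complete; if transfers still hang, suspect MTU/MSS, since only "
                "full-size segments would be lost")
    return ("mixed", "TCP states are in mixed phases; inspect them individually")


if __name__ == "__main__":
    parsed = parse_states(SAMPLE_STATES)
    print(dict(count_by_proto(parsed)))
    verdict, why = diagnose(parsed)
    print(f"{verdict}: {why}")
```

Run it against the real output of `pfctl -ss` on the firewall (pipe or paste the text into `parse_states`) while a client attempts a connection; a verdict of `return-path` points at the reply direction (routing, outbound NAT, bridge member filtering) rather than at fragment/mssfix tuning, which is consistent with the OP's observation that MTU changes only made things worse.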

Offline tomtom13

Re: OpenVPN TAP TCP traffic not passing, ICMP works
« Reply #1 on: May 03, 2017, 01:43:11 pm »
I was wondering whether you actually got to fix this issue.

I'm having a similar problem where TCP can't get to the pfSense main GUI over VPN but ping gets there just fine. I also am not able to query DNS that is on pfSense over VPN ... which is mighty bizarre!

Offline coffeecup25

Re: OpenVPN TAP TCP traffic not passing, ICMP works
« Reply #2 on: May 05, 2017, 11:43:45 am »
I was wondering whether you actually got to fix this issue.

I'm having a similar problem where TCP can't get to the pfSense main GUI over VPN but ping gets there just fine. I also am not able to query DNS that is on pfSense over VPN ... which is mighty bizarre!

I can't speak to your problems, but I used this reference for my tap server and it worked perfectly out of the box.

https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/

Hope it helps.

Offline johnpoz

Re: OpenVPN TAP TCP traffic not passing, ICMP works
« Reply #3 on: May 05, 2017, 12:51:46 pm »
I am curious as to why anyone would want to set up a tap vs a tun in the first place. What is the use case that justifies tap?
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline kpa

Re: OpenVPN TAP TCP traffic not passing, ICMP works
« Reply #4 on: May 05, 2017, 02:36:34 pm »
I am curious as to why anyone would want to set up a tap vs a tun in the first place. What is the use case that justifies tap?

Zeroconf/mDNS for the VPN client and similar multicast/broadcast based discovery services is just about the only thing I can think of.

Offline johnpoz

Re: OpenVPN TAP TCP traffic not passing, ICMP works
« Reply #5 on: May 05, 2017, 02:51:10 pm »
All of which makes zero sense for a remote user or site to site.

So I am curious what the OP is using that needs tap?

Offline coffeecup25

Re: OpenVPN TAP TCP traffic not passing, ICMP works
« Reply #6 on: May 06, 2017, 08:15:49 am »
All of which makes zero sense for a remote user or site to site.

So I am curious what the OP is using that needs tap?

OpenVPN offers this explanation: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting and
 https://openvpn.net/index.php/open-source/faq/75-general/309-what-is-the-difference-between-bridging-and-routing.html

For me, originally, I started with OpenVPN on DD-WRT. I could not access my home network using it so I assumed tun was for routing through the internet using your home network and tap was to access your home network. Documentation was and still is generally bad here. A few exceptions apply, but DD-WRT in general is massively more complicated with respect to OpenVPN than pfSense.

The tap/tun belief turned out to be wrong after I converted to pfSense and was encouraged to play around with tun a little more to use tun for both. Tun can easily pass through and access the home resources.

Until I upgraded to Windows 10 Pro Creators, I could access the home resources a little easier using tap than tun. With tap, it was as simple as being at home. With tun, I had to remember network notations and think a little differently. Windows 10 CU appears to force me to use network notation for everything, even at home. Weird.

Anyway, for most people tun is enough.

It would be great if someplace in the pfSense documentation someone said this or something similar.

If the OP insists on tap, this is the documentation I used to set it up. It worked the first time. https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/

Re: site to site: I just set one up using a pfSense instance and a DD-WRT router. The client export worked perfectly for it. I wanted to use the more advanced server with user certificates, but the client export didn't work for it and I couldn't figure out what certificates went where. I'll be testing it out of town later this month. I plan to use / try a TP-Link WR702n in wireless client mode to get past the captive portal and plug the DD-WRT site-to-site router into the travel router. Anecdotal reports say it should work. If it works, I know of a small wireless travel router that supports DD-WRT and OpenVPN client for $25 or so.

« Last Edit: May 06, 2017, 08:24:51 am by coffeecup25 »

Offline AngelG

Re: OpenVPN TAP TCP traffic not passing, ICMP works
« Reply #7 on: May 14, 2017, 03:32:42 am »

[...]

I've bridged the LAN and the TAP OpenVPN interface
- the bridge interface is enabled

On TAP OpenVPN interface and bridge interface as well as LAN interface there is allow any/any rule on top
There is an allow UDP/1199 on WAN (that's the service port, not using the default 1194)

The clients connect just fine, receive the IP address from the pfSense's LAN DHCP service as they should and ping works between the VPN clients and the actual LAN devices both ways (from LAN to OVPN client and vice versa).

Even UDP works (traceroute).

The issue is with TCP connections. I can't access the pfsense web config on LAN side. There's a lot of multicasting devices on the LAN side (Xboxes) and the states are there but can't seem to actually start a TCP session across the VPN.

[...]


I have the same problem with a similar configuration. Two pfSense boxes connected through a tap VPN with bridges to LAN. All traffic from LAN-1 to LAN-2 is ok. I have another LAN (LAN-2B) on one side that is not bridged. Routing is ok because all ICMP packets go fine from LAN-2B to LAN-1 and from LAN-2B to LAN-2, but I don't have TCP traffic from LAN-2B to LAN-2.


Any solution?
----------------------------------

I found the solution: I have configured Hybrid Outbound NAT, and I have created one Outbound NAT rule from my LAN-2B to my LAN-B. All works fine now.  :)
Why does ICMP traffic go but not TCP without NAT? I don't know.   ::)

« Last Edit: May 14, 2017, 10:14:59 am by AngelG »

Offline Rai80

Re: OpenVPN TAP TCP traffic not passing, ICMP works
« Reply #8 on: February 07, 2018, 03:26:26 pm »
Same problem here. Set up remote access VPN with a tap interface. Manually made a bridge with the LAN and ovpns1 interfaces as members.
Connection works ok. I can ping all IP addresses on LAN from VPN. Firewall rules configured as allow any traffic.
With Wireshark I see the LAN broadcast traffic. But I'm unable to connect with TCP to the pfSense box HTTP/SSH.

I could fix it temporarily by recreating the bridge. After that it works for a few hours. After some time it stops....