
Author Topic: [SOLVED] OpenVPN 2.4 tap bridge problem access to LAN


Irbis
[SOLVED] OpenVPN 2.4 tap bridge problem access to LAN
« on: April 06, 2017, 04:50:22 am »
Hi all!
I have the same problem setting up OpenVPN.

remote site 176.10.10.10 ---------- tap tunnel ---------- pfSense 85.10.10.10
            10.70.0.129                                   10.70.0.249


The certificates are issued, the tunnel is configured, the connection is fine, and I get an IP from DHCP (10.1.70.129). From the remote side, through the tunnel, I only see pfSense and nothing else on the pfSense local network.

After configuring the OpenVPN server I created interface OPT1 from ovpns1 and created a bridge of em1 (LAN) and OPT1 (ovpns1).

Server config:
Code:
dev ovpns1
verb 1
# layer-2 (tap) interface: required for bridging onto the LAN
dev-type tap
dev-node /dev/tap1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
# level 3 additionally passes passwords to scripts via environment variables;
# level 2 is enough for the up/down/tls-verify scripts used here
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 85.10.10.10
tls-server
# bridge gateway 10.1.70.249/24; clients are handed 10.1.70.129-10.1.70.135
# by OpenVPN itself, the LAN DHCP server is not involved
server-bridge 10.1.70.249 255.255.255.0 10.1.70.129 10.1.70.135
client-config-dir /var/etc/openvpn-csc/server1
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'PFSense-OpenVPN-cert' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 2
# 10.1.70.0/24 is already on-link on the client's tap interface;
# the second route sends 10.0.0.0/8 via the bridge gateway
push "route 10.1.70.0 255.255.255.0"
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.1.91.250"
push "dhcp-option DNS 10.1.91.251"
push "dhcp-option DNS 10.1.90.102"
push "dhcp-option NTP 10.1.91.100"
# lets tap clients reach each other directly
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server1.crl-verify
# key direction 0 on the server, 1 on the client
tls-auth /var/etc/openvpn/server1.tls-auth 0
# comp-lzo is superseded by --compress in 2.4; compression inside a TLS
# tunnel is a known risk (VORACLE) and is best left off
comp-lzo adaptive
persist-remote-ip
# accept packets from a client whose source address changed after authentication
float
Client config:
Code:
dev tap
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote 85.10.10.10 1194 udp
pkcs12 gateway-udp-1194-irbis-crt-0.p12
# key direction 1 matches the server's 0
tls-auth gateway-udp-1194-irbis-crt-0-tls.key 1
# deprecated in 2.4 (removed in 2.5); the replacement is "remote-cert-tls server"
ns-cert-type server
comp-lzo adaptive

P.S. Just noticed that if I enable ARP proxy, everything works except receiving an IP when connecting.
« Last Edit: May 25, 2017, 02:29:11 pm by Irbis »

Irbis
Re: OpenVPN 2.4 tap bridge problem
« Reply #1 on: April 06, 2017, 01:58:01 pm »
What is wrong?

Client routing table:
Code:
...
Network Destination  Netmask          Gateway      Interface    Metric
10.0.0.0             255.0.0.0        10.1.70.249  10.1.70.129  291
10.1.70.0            255.255.255.0    On-link      10.1.70.129  291
10.1.70.129          255.255.255.255  On-link      10.1.70.129  291
10.1.70.255          255.255.255.255  On-link      10.1.70.129  291
...
But only pfSense is reachable.

Code:
ping 10.1.70.249

Pinging 10.1.70.249 with 32 bytes of data:
Reply from 10.1.70.249: bytes=32 time=51ms TTL=64
Reply from 10.1.70.249: bytes=32 time=25ms TTL=64

Code:
ping 10.1.70.254

Pinging 10.1.70.254 with 32 bytes of data:
Reply from 10.1.70.129: Destination host unreachable.
Request timed out.
Request timed out.


Irbis
Re: OpenVPN 2.4 tap bridge problem access to LAN
« Reply #2 on: April 10, 2017, 02:36:50 am »
Does anyone have an idea why routing does not work on pfSense?

big_D
Re: OpenVPN 2.4 tap bridge problem access to LAN
« Reply #3 on: April 10, 2017, 05:03:32 am »
Have you set up the OpenVPN firewall rules (a rule allowing all traffic should be there)? The WAN interface should also have the default rule. If you used the wizard, the rules should have been set automatically.

If there are rules in place, is ping allowed?

Irbis
Re: OpenVPN 2.4 tap bridge problem access to LAN
« Reply #4 on: April 10, 2017, 06:14:50 am »
Yes, an "any to any" rule was present on the OpenVPN interface.
I tried adding a rule on WAN for any protocol from any to any, but it still does not work. IMHO adding an "all to all" rule on WAN is dangerous.
« Last Edit: April 10, 2017, 07:00:50 am by Irbis »

jtl
Re: OpenVPN 2.4 tap bridge problem access to LAN
« Reply #5 on: April 23, 2017, 11:35:18 am »
Having the same problem with pfSense 2.3.3_1, which is also running the LAN and handling DHCP.

The client is an OS X 10.11 machine with Tunnelblick. The client cannot get an IP from the DHCP server or pass packets, and it self-assigns a 169.254 address.

Irbis
Re: OpenVPN 2.4 tap bridge problem access to LAN
« Reply #6 on: April 24, 2017, 07:40:04 am »
Having the same problem with pfSense 2.3.3_1, which is also running the LAN and handling DHCP.

The client is an OS X 10.11 machine with Tunnelblick. The client cannot get an IP from the DHCP server or pass packets, and it self-assigns a 169.254 address.
Hi. I had this problem when the wrong bridge adapter was set on the OpenVPN tab.
If you configure it as in the screenshots, DHCP works correctly and access to pfSense works too. But there is no access to the LAN.

Irbis
Re: OpenVPN 2.4 tap bridge problem access to LAN
« Reply #7 on: April 27, 2017, 01:28:41 pm »
Forgot to say that pfSense is installed on a virtual machine (VMware ESXi + distributed switch). Searching led me to the need to enable promiscuous mode.
But no...

Irbis
Re: OpenVPN 2.4 tap bridge problem access to LAN
« Reply #8 on: May 02, 2017, 02:12:35 pm »
Can someone tell me how to build the bridge correctly?
IMHO the problem is in the bridge, more precisely in ARP.

Irbis
Re: OpenVPN 2.4 tap bridge problem access to LAN
« Reply #9 on: May 10, 2017, 12:50:08 pm »
WAIDW?
« Last Edit: May 10, 2017, 02:06:33 pm by Irbis »

bk
Re: OpenVPN 2.4 tap bridge problem access to LAN
« Reply #10 on: May 16, 2017, 02:25:15 pm »
Can someone tell me how to build the bridge correctly?
IMHO the problem is in the bridge, more precisely in ARP.

In the past I followed this post (https://forum.pfsense.org/index.php?topic=46984.0) and had the same problem as you, but on another hypervisor (Hyper-V).
The solution was to enable "MAC spoofing" on pfSense's LAN interface, which is a member of the bridge. The other bridge member is the interface assigned to OpenVPN's Remote Access mode (tap) server.

For ESXi the solution is the same:



Irbis
Re: OpenVPN 2.4 tap bridge problem access to LAN
« Reply #11 on: May 17, 2017, 01:41:30 am »
Thanks for the reply.
But what if a VMware distributed switch is used? There is no setting to enable promiscuous mode globally. I can enable it only on a private VLAN. As I understand it, it needs to be set only on the VLAN to which pfSense's LAN adapter belongs.

bk
Re: OpenVPN 2.4 tap bridge problem access to LAN
« Reply #12 on: May 18, 2017, 04:51:11 am »
Thanks for the reply.
But what if a VMware distributed switch is used? There is no setting to enable promiscuous mode globally. I can enable it only on a private VLAN. As I understand it, it needs to be set only on the VLAN to which pfSense's LAN adapter belongs.

See this article: http://wiki.vmug.com/index.php/Configuring_Distributed_Switches_in_vCenter_6
Security

Security settings on a Distributed Switch Portgroup are exactly the same as those found in the properties of the Standard Switch or its portgroups. The following information is a direct copy of the information from the Standard Switch content.

By default Promiscuous Mode is set to Reject, and this prevents packet-capturing software installed on a compromised virtual machine from being used to gather more network traffic to facilitate a hack. Nonetheless it can be modified by a genuine network administrator to capture packets as part of network troubleshooting. Even with this option enabled it would not stop an administrator from receiving packets to the VM. Another reason to change this option to Accept is if you want to run intrusion detection software inside a VM. Such intrusion detection needs to be able to sniff network traffic as part of its process of protecting the network. Finally, a less well-known reason for loosening the security on promiscuous mode is to allow so-called "Nested ESX" configurations. This is where ESX is installed into a VM. This is generally done in homelab and testing environments and is not generally recommended for production use.

Irbis
Re: OpenVPN 2.4 tap bridge problem access to LAN
« Reply #13 on: May 19, 2017, 01:34:12 pm »
I turned on promiscuous mode, but it didn't help.
I noticed the following when working through the tunnel.
Ping a machine behind pfSense (say 10.3.100.250) through the tunnel.
What happens:
1 - the local machine (10.1.70.129) sends an ICMP packet through the tunnel to the address 10.3.100.250
2 - pfSense is not on the same network as the final destination and sends the packet to the default gateway (10.1.70.254)
3 - the next hop in the chain, which is not particularly interesting to us, delivers it to 10.3.100.250
4 - 10.3.100.250 sends a reply, which ends up at 10.1.70.254
5 - 10.1.70.254 asks what MAC 10.1.70.129 has
6 - 10.1.70.129 says: my MAC is xx:xx:xx:xx:xx:xx
7 - this ARP reply never reaches 10.1.70.254!
8 - 10.1.70.254 asks again but receives no reply. As a result the packet with the ping reply is lost.

The question is: why does pfSense reject ARP from the local machine?

jimp (Administrator)
Re: OpenVPN 2.4 tap bridge problem access to LAN
« Reply #14 on: May 22, 2017, 08:09:29 am »
You have to enable all of those. It has to be able to do forged transmits and MAC changes or it can't send out traffic from bridged clients, and it needs promiscuous mode to receive the traffic.
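The two observations above, the ARP reply that vanishes between pfSense and 10.1.70.254 (reply #13) and jimp's answer that all three vSwitch security settings must be set to Accept (reply #14), are the same mechanism seen from two sides. The following is an added example written for this thread, not code from pfSense, OpenVPN or VMware. It parses a constructed capture in the shape of `tcpdump -eni em1` output and applies a simplified model of the documented ESXi vSwitch security policy to each frame, so you can see which frames the hypervisor drops under the default Reject settings and why. The MAC addresses (pfSense em1 00:0c:29:aa:bb:cc, tap client 00:ff:aa:11:22:33, LAN gateway 00:11:22:33:44:55) and the capture lines are assumptions made up for the example.

```python
"""Model why a bridged OpenVPN tap client's frames vanish on an ESXi vSwitch.

Added example for this thread; not pfSense, OpenVPN or VMware code.
All MACs and capture lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

VNIC_MAC = "00:0c:29:aa:bb:cc"    # assumed MAC of pfSense's em1 (bridge member)
CLIENT_MAC = "00:ff:aa:11:22:33"  # assumed MAC of the tap client behind ovpns1

# Constructed capture, imitating `tcpdump -eni em1` output.
# "egress"  = pfSense's bridge hands the frame to the vSwitch,
# "ingress" = the vSwitch would deliver the frame to pfSense's vNIC.
CAPTURE = [
    ("ingress", "13:02:01.100100 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.1.70.129 tell 10.1.70.254, length 46"),
    ("egress",  "13:02:01.100900 00:ff:aa:11:22:33 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 10.1.70.129 is-at 00:ff:aa:11:22:33, length 28"),
    ("ingress", "13:02:01.200000 00:11:22:33:44:55 > 00:ff:aa:11:22:33, ethertype IPv4 (0x0800), length 74: 10.3.100.250 > 10.1.70.129: ICMP echo reply, id 1, seq 1, length 40"),
    ("egress",  "13:02:02.000000 00:0c:29:aa:bb:cc > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 10.1.70.249 > 10.3.100.250: ICMP echo request, id 2, seq 1, length 40"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype \w+ \(0x[0-9a-f]{4}\), "
    r"length \d+: (?P<summary>.+?)(?:, length \d+)?$"
)


@dataclass(frozen=True)
class Frame:
    ts: str
    src: str
    dst: str
    summary: str


@dataclass(frozen=True)
class SecurityPolicy:
    """The three vSwitch / port-group security settings (True = Accept)."""
    promiscuous_mode: bool
    mac_address_changes: bool
    forged_transmits: bool


REJECT_ALL = SecurityPolicy(False, False, False)  # ESXi default
ACCEPT_ALL = SecurityPolicy(True, True, True)     # what the thread ends up needing


def parse_line(line: str) -> Frame:
    """Extract source/destination MAC and the protocol summary from one -e line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised capture line: {line!r}")
    return Frame(m["ts"], m["src"], m["dst"], m["summary"])


def is_multicast(mac: str) -> bool:
    """I/G bit of the first octet; true for broadcast as well."""
    return (int(mac[:2], 16) & 1) == 1


def verdict(frame: Frame, direction: str, policy: SecurityPolicy,
            vnic_mac: str = VNIC_MAC, effective_mac: str = VNIC_MAC) -> Optional[str]:
    """Return None if the vSwitch passes the frame, else the reason it is dropped.

    Simplified model of VMware's documented behaviour:
    - Forged Transmits=Reject drops outbound frames whose source MAC is not the
      vNIC's effective MAC, which is every frame bridged from a tap client.
    - MAC Address Changes=Reject blocks the port when the guest sets an
      effective MAC that differs from the configured one.
    - Promiscuous Mode=Reject delivers only frames addressed to the effective
      MAC, broadcast or multicast, so unicast replies to the client MAC never
      reach the bridge (the ARP *request* is broadcast, so it does arrive).
    """
    if direction == "egress":
        if frame.src != effective_mac and not policy.forged_transmits:
            return f"Forged Transmits=Reject: src {frame.src} is not vNIC {effective_mac}"
        return None
    if direction == "ingress":
        if effective_mac != vnic_mac and not policy.mac_address_changes:
            return f"MAC Address Changes=Reject: effective {effective_mac} != configured {vnic_mac}"
        if frame.dst != effective_mac and not is_multicast(frame.dst) and not policy.promiscuous_mode:
            return f"Promiscuous Mode=Reject: dst {frame.dst} is not vNIC {effective_mac}"
        return None
    raise ValueError(f"direction must be 'egress' or 'ingress', got {direction!r}")


def diagnose(policy: SecurityPolicy, capture=CAPTURE) -> dict:
    """Map each frame's summary to its verdict under the given policy."""
    out = {}
    for direction, line in capture:
        f = parse_line(line)
        out[f.summary] = verdict(f, direction, policy)
    return out


if __name__ == "__main__":
    for name, pol in (("default (all Reject)", REJECT_ALL), ("all Accept", ACCEPT_ALL)):
        print(f"== {name}")
        for summary, v in diagnose(pol).items():
            print(f"  {'DROP' if v else 'pass'}  {summary}" + (f"  [{v}]" if v else ""))
```

Under the default policy the model reproduces the thread exactly: the gateway's broadcast ARP request reaches pfSense, the client's ARP reply is dropped on the way out (source MAC is the client's, not the vNIC's), and even if it got through, the unicast echo reply addressed to the client MAC would not be delivered without promiscuous mode. The trade-off bk's quoted VMware text describes is real: Accept on these three settings lets the pfSense VM emit frames with arbitrary source MACs and see every frame on the segment, so apply it only to the port group that carries pfSense's LAN vNIC, not switch-wide.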