
Author Topic: Openvpn tap 2.4.2_RELEASE-p1 does it work?  (Read 1086 times)


Offline simon.lock

Openvpn tap 2.4.2_RELEASE-p1 does it work?
« on: January 08, 2018, 08:15:53 am »
Openvpn tap 2.4.2_RELEASE-p1

I am just wondering if anybody has had any success setting up openvpn in "tap" mode on pfSense 2.4.2? My feeling is it simply doesn't work on this release.


Connecting is no problem but gaining access to LAN resources and also internet access through the tunnel whilst connected is a very different story. I have been using openvpn, both tap and tun, for a few years now on raspberry pi's without any problems but hoped I could now migrate to pfsense. The "tun" solution was easy to setup using the wizard.

I've looked at the generated tap server configuration file and it doesn't seem to even contain a "server-bridge" statement

e.g. server-bridge [Local IP Address] [Local Netmask] [VPN client address pool start] [VPN client address pool End]

as suggested on the openvpn site https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html


Thanks in advance.

Offline rsloan

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #1 on: January 09, 2018, 04:58:07 am »
Hi

I wanted to use tap on 2.4.2_RELEASE-p1 as well, but had no joy. You seem to be having more luck than me though, as I can't get tun to work properly either. I have a post at:

https://forum.pfsense.org/index.php?topic=142196.0

But no one has managed to help me so far.

Regards,

Robert.

Offline jimp

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #2 on: January 09, 2018, 11:04:15 am »
tap works just fine if you configure it properly and know its limits and how it works.

There is a lot of confusion because people expect it to behave like tun + a bridge and that just isn't how it works, and it can't really work that way without some nudging. Routing through tap to the Internet or other subnets requires a gateway, but with a typical tap setup you don't have that since the tunnel network is empty. In these cases, you must manually push a gateway to clients using advanced options (e.g. push "route-gateway 192.168.1.1"; but substitute your actual LAN IP address.)

The GUI could probably be slightly smarter and guess what route-gateway to push based on the selected bridge interface, but I'm not sure if that should always be on or be its own separate option. You can apply that patch using the system patches package and see if it makes a difference.

server-bridge only appears if you fill in the start/stop dhcp range. If you want DHCP to pass through to the existing LAN DHCP (bridge enabled but the start/stop range is empty), that directive won't be in the config.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!
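The two points jimp makes above (a tap server has no tunnel gateway of its own, so a route-gateway has to be pushed, and server-bridge only appears once a DHCP range is set) are easy to check mechanically against the config pfSense writes out. The following is an added example, not pfSense or OpenVPN code: it parses an OpenVPN server config, reports the tap-specific pitfalls discussed in this thread, and builds a server-bridge line in the form given on the openvpn.net bridging page with sanity checks on the pool. The sample config lines and the assumed LAN subnet of 192.168.148.0/24 are constructed for the example (the subnet is inferred from the addresses the poster pushes); the function names are this example's own.

```python
"""Lint an OpenVPN *tap* server config for the bridging pitfalls discussed in
the thread.  Added example, not pfSense code.  Assumes the plain-text config
format pfSense writes to /var/etc/openvpn/serverN.conf and a LAN subnet of
192.168.148.0/24 (inferred from the addresses the poster pushes)."""
import ipaddress
import shlex

# Constructed sample: the relevant lines of the poster's generated config.
SAMPLE_CONF = """\
dev ovpns2
dev-type tap
proto udp4
push "dhcp-option DNS 192.168.148.1"
push "redirect-gateway def1"
push "route-gateway 192.168.148.1"
"""


def parse_conf(text):
    """Return [(directive, [args])], skipping blanks and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries


def pushed(entries):
    """Yield (directive, args) for every push "..." option, payload unquoted."""
    for directive, args in entries:
        if directive == "push" and args:
            inner = shlex.split(args[0])
            yield inner[0], inner[1:]


def lint_tap_config(text, lan_cidr):
    """Return [(code, message)] for the tap-mode problems this thread discusses."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    entries = parse_conf(text)
    is_tap = any((d == "dev-type" and a[:1] == ["tap"])
                 or (d == "dev" and a and a[0].startswith("tap"))
                 for d, a in entries)
    if not is_tap:
        return [("NOT_TAP", "not a tap server; these checks do not apply")]
    findings = []
    if not any(d == "server-bridge" for d, _ in entries):
        # pfSense only emits server-bridge when a DHCP range is filled in;
        # without it clients must get an address from the LAN DHCP server.
        findings.append(("NO_SERVER_BRIDGE",
                         "no server-bridge: clients depend on LAN DHCP across the bridge"))
    pushes = dict(pushed(entries))  # last push of each directive wins
    gw = pushes.get("route-gateway")
    if gw is None:
        findings.append(("NO_ROUTE_GATEWAY",
                         "no route-gateway pushed: clients have no next hop off the bridge"))
    elif gw[:1] != ["dhcp"]:  # 'route-gateway dhcp' is a valid OpenVPN keyword
        try:
            off_lan = ipaddress.ip_address(gw[0]) not in lan
        except (IndexError, ValueError):
            off_lan = True
        if off_lan:
            findings.append(("ROUTE_GATEWAY_OFF_LAN",
                             f"route-gateway {gw} is not inside {lan}"))
    if "redirect-gateway" in pushes and gw is None:
        findings.append(("REDIRECT_WITHOUT_GATEWAY",
                         "redirect-gateway pushed but no route-gateway to install it via"))
    return findings


def make_server_bridge(lan_ip, lan_mask, pool_start, pool_end):
    """Build 'server-bridge <ip> <mask> <start> <end>' (openvpn.net bridging form),
    refusing pools outside the LAN subnet, reversed, or containing the gateway."""
    net = ipaddress.ip_network(f"{lan_ip}/{lan_mask}", strict=False)
    gw = ipaddress.ip_address(lan_ip)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if start not in net or end not in net:
        raise ValueError("client pool must lie inside the LAN subnet")
    if start > end:
        raise ValueError("pool start must not be above pool end")
    if start <= gw <= end:
        raise ValueError("pool must not include the LAN gateway address")
    return f"server-bridge {lan_ip} {lan_mask} {pool_start} {pool_end}"


if __name__ == "__main__":
    for code, msg in lint_tap_config(SAMPLE_CONF, "192.168.148.0/24"):
        print(code, "-", msg)
    print(make_server_bridge("192.168.148.1", "255.255.255.0",
                             "192.168.148.200", "192.168.148.210"))
```

Run against the poster's config the only finding is NO_SERVER_BRIDGE, which matches jimp's explanation (DHCP range left empty); delete the route-gateway push and the linter reports the missing next hop and the now-unusable redirect-gateway.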

Offline simon.lock

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #3 on: January 09, 2018, 04:02:58 pm »
Thank you Jimp for your reply. You certainly are correct regarding the "server-bridge" directive; I've just checked it out. I already push "route-gateway 192.168.148.1", where the IP specified is that of my LAN interface, as an option. But I still fail to gain access to the internet and to resolve names from the unbound DNS Resolver when connected. Do you specify the LAN interface directly or the created bridge interface ("BR0" in my case, LAN+TAP) as the Bridge Interface in the tap server configuration page?

I've also specified pass any rules for both the TAP interface and the created bridge "BR0" interface without any luck.

Offline simon.lock

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #4 on: January 09, 2018, 04:08:59 pm »
Quote from: rsloan on January 09, 2018, 04:58:07 am
Hi

I wanted to use tap on 2.4.2_RELEASE-p1 as well, but had no joy. You seem to be having more luck than me though, as I can't get tun to work properly either. I have a post at:

https://forum.pfsense.org/index.php?topic=142196.0

But no one has managed to help me so far.

Regards,

Robert.


I was reminded of this YouTube video (https://www.youtube.com/watch?v=xiy52Hn5bTc&ab_channel=ChunkyTech) by seewolf in another post. I found this video useful when setting up the tun server on pfSense. In fact I was the last person to comment on that video 2 weeks ago, suggesting a tap tutorial :-)

Offline jimp

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #5 on: January 09, 2018, 05:53:54 pm »
Quote from: simon.lock on January 09, 2018, 04:02:58 pm
Thank you Jimp for your reply. You certainly are correct regarding the "server-bridge" directive; I've just checked it out. I already push "route-gateway 192.168.148.1", where the IP specified is that of my LAN interface, as an option. But I still fail to gain access to the internet and to resolve names from the unbound DNS Resolver when connected. Do you specify the LAN interface directly or the created bridge interface ("BR0" in my case, LAN+TAP) as the Bridge Interface in the tap server configuration page?

I've also specified pass any rules for both the TAP interface and the created bridge "BR0" interface without any luck.

Must be something in your settings yet. My tap bridge user gets an IP address from the LAN subnet, it can query unbound just fine, and once I push it a route-gateway it can reach the Internet through the bridge. NAT shouldn't be a concern since it's the same subnet as LAN, same with unbound ACLs, the LAN subnet is already allowed. As long as the firewall passes it through it should work.

Offline jimp

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #6 on: January 10, 2018, 11:01:21 am »
I added a GUI option to 2.4.3 which can push a route-gateway based on the selected bridge interface. It should make things easier/more obvious for users hitting that barrier.

https://redmine.pfsense.org/issues/8267
The commit will show up there in a few moments.

Offline simon.lock

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #7 on: January 11, 2018, 02:33:46 pm »

Thank you again for this Jimp. It will certainly prove very valuable to many others in the next version of pfSense. I however had already implemented the route-gateway directive after viewing the initial complaints shown in openvpn GUI client logs.

I have created an interface for the openvpn tap server (ovpns2) and called it TAP
I've created a bridge interface (BRIDGE0) and called it BR0 which combines TAP with LAN

In the openvpn server configuration page which "Bridge Interface" should I select? BR0, TAP or LAN? I've tried all combinations without success.


In PfSense Viewing Status / Interfaces (shown attached)

The TAP Interface always shows "In/Out errors 0/1" might this be the cause of my problems?

Offline jimp

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #8 on: January 11, 2018, 02:37:29 pm »
In OpenVPN you select the local interface that the VPN is bridged to, so LAN is the Bridge Interface.

What settings are on the TAP interface in the GUI? It should really just be the enable checkbox and the name, other settings left at 'none'.

Can you show the rest of your OpenVPN configuration? You can mask any private info, but please try to keep at least the first and last octet of any networks you have filled in, along with their subnet masks.

Offline simon.lock

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #9 on: January 11, 2018, 03:04:17 pm »
Thanks Jimp your feedback is much appreciated. My TAP interface is simply enabled, given a name and a description and nothing more.

The openvpn generated configuration is listed below:

dev ovpns2
verb 1
dev-type tap
dev-node /dev/tap2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 109.xxx.xxx.65
engine rdrand
tls-server
mode server
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user TxxxxU= true server2 1194" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server' 1"
lport 1194
management /var/etc/openvpn/server2.sock unix
max-clients 10
push "dhcp-option DOMAIN simon.lan"
push "dhcp-option DNS 192.168.148.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "block-outside-dns"
push "register-dns"
push "dhcp-option WINS 192.168.148.101"
push "redirect-gateway def1"
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server2.crl-verify
tls-crypt /var/etc/openvpn/server2.tls-crypt
ncp-ciphers AES-256-GCM:AES-128-GCM
compress lz4-v2
push "compress lz4-v2"
passtos
persist-remote-ip
float
push "route-gateway 192.168.148.1"
« Last Edit: January 11, 2018, 03:21:30 pm by simon.lock »

Offline jimp

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #10 on: January 12, 2018, 10:29:06 am »
Nothing stands out there that I can see. The only difference in mine is that I'm using slightly different compression, ciphers/auth, and not pushing as many DNS servers.

Offline simon.lock

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #11 on: January 12, 2018, 12:13:47 pm »
Thanks Jimp. The additional DNS servers were only added in the hope of getting to the internet through the tunnel, and because the pfSense DNS doesn't respond when connected. The compression, ciphers and auth must be correct and valid because I always successfully connect.

Could it be that the openvpn tap interface always shows an error (The TAP Interface always shows "In/Out errors 0/1" might this be the cause of my problems?). That's my only remaining guess.

Offline jimp

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #12 on: January 12, 2018, 12:15:58 pm »
No, a single error wouldn't mean anything, and mine shows the same (one single output error).

Check your firewall rules, logs, and when you're attempting connections, check what the state table looks like when traffic from the client is trying to reach the internet.

Offline simon.lock

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #13 on: January 13, 2018, 08:24:53 am »
Thanks for eliminating the single output error on my TAP interface as the cause of my problems. I have no complicated rules in place whatsoever and will need to bring my laptop from work, so I'll have 2 computers on my home LAN, to do a proper diagnosis of the state table while connecting. I might even try to investigate using Wireshark.

Offline simon.lock

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #14 on: January 14, 2018, 05:21:15 am »
I'm sure the openvpn tap problems are directly related to DNS.

I can connect every time, access mapped drives and even see machines listed in the Windows 10 network, and also access their samba shares. I can also connect to local web services on my LAN by IP address.

The internet access problems and names not resolving when using the openvpn tap server are DNS related, despite the "route-gateway xx.xx.xx.xx" directive.

My network card receives the correct DNS settings etc. but still cannot communicate with the DNS resolver.

In addition to this, almost every time I make a change to the openvpn tap server settings and press the save button, the unbound DNS resolver service stops running and I then need to restart it manually. Might this be a bug?