
Author Topic: Openvpn tap 2.4.2_RELEASE-p1 does it work?  (Read 1085 times)


Offline simon.lock

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #15 on: January 17, 2018, 10:44:37 am »
Hi Jimp

I did as you suggested but unfortunately I'm no nearer to a solution. I hope you might be able to point me closer to the right direction.

When I connect to my OpenVPN TAP server from a laptop tethered to my iPhone for an Internet connection, I can connect every time.

I receive the expected IP address 192.168.148.244, and my network adapter lists 192.168.148.1 as the DNS server, which is the local IP address of my pfSense box.

   Connection-specific DNS Suffix  . : simon.lan
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-62-D8-1A-D2
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.148.244(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 17 January 2018 13:13:22
   Lease Expires . . . . . . . . . . : 17 January 2019 13:13:21
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 192.168.148.0
   DNS Servers . . . . . . . . . . . : 192.168.148.1
   Primary WINS Server . . . . . . . : 192.168.148.101
   NetBIOS over Tcpip. . . . . . . . : Enabled
   
The DHCP Server listed, however, looks somewhat strange, as it lists my subnet as the DHCP Server. I've not seen that before.


This is a "print route - 4" from the connected laptop.
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.20.10.1      172.20.10.2     20
          0.0.0.0        128.0.0.0    192.168.148.1  192.168.148.244    259
   109.154.145.65  255.255.255.255      172.20.10.1      172.20.10.2    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0    192.168.148.1  192.168.148.244    259
      172.20.10.0  255.255.255.240         On-link       172.20.10.2    276
      172.20.10.2  255.255.255.255         On-link       172.20.10.2    276
     172.20.10.15  255.255.255.255         On-link       172.20.10.2    276
    192.168.148.0    255.255.255.0         On-link   192.168.148.244    259
  192.168.148.244  255.255.255.255         On-link   192.168.148.244    259
  192.168.148.255  255.255.255.255         On-link   192.168.148.244    259
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link   192.168.148.244    259
        224.0.0.0        240.0.0.0         On-link       172.20.10.2    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link   192.168.148.244    259
  255.255.255.255  255.255.255.255         On-link       172.20.10.2    276
===========================================================================


Attached below is a screenshot of the Status Page for OpenVPN. All looks completely normal to me. (TAPStatus.JPG)
However, I've noticed that when I disconnect the client from the OpenVPN session, pfSense still shows the session as connected.


I've also attached both the OpenVPN log files (verbosity=6) for my TAP adapter (TAP_Svr_Log.txt) and also the states table when connected. (TAP_Adapter_States.txt)

I've obscured my public IP to show ww.xx.yy.zz and my Common Name to myCN.

I can see that many calls from my adapter to the DNS server are being made (port 53), but I'm not sure what MULTIPLE:MULTIPLE means.

e.g.

TAP   udp   192.168.148.244:61989 -> 192.168.148.1:53   MULTIPLE:MULTIPLE   4/4   332B/552B   
TAP   udp   192.168.148.244:59203 -> 192.168.148.1:53   MULTIPLE:MULTIPLE   4/4   276B/496B   
TAP   udp   192.168.148.244:53117 -> 192.168.148.1:53   MULTIPLE:MULTIPLE   4/4   248B/940B   
TAP   udp   192.168.148.244:63584 -> 192.168.148.1:53   MULTIPLE:MULTIPLE   4/4   248B/312B   

Thanks very much in advance. I'm sure the solution must be something trivial that I'm missing.

Offline simon.lock

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #16 on: February 04, 2018, 02:06:46 pm »
OpenVPN TAP solution

Block Outside DNS
This prevents DNS from working, period, regardless of whether the client is a Win 10 machine or not. Win 7 is also affected. This must NOT be enabled for TAP.

Redirect IPv4 Gateway

Doesn't work properly for either the TUN or the TAP solution. I had to disable this option and add the statement push "redirect-gateway def1" to the custom options. This makes it the last statement in the generated conf files. It's subtle, but without doing this the public IP address used by the connected clients is NOT the public IP address used by pfSense.

TAP now connects, clients use the correct tunnelled public IP address, I have internet access and "some" sort of DNS resolution from the pfSense Resolver.
DNS Resolver works perfectly with TUN.

DNS generally resolves hostnames but not the fully qualified names including the DNS Default Domain name. I shouldn't have to specify DNS Default Domain in the configuration, as the clients connect by DHCP. But even specifying an entry for DNS Default Domain makes no difference.

I think the OpenVPN TAP solution needs some refinement. I hope this helps someone.
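Why the "redirect-gateway def1" line in Reply #16 fixes the public-IP problem is visible in the route table posted in Reply #15: instead of replacing the tethered 0.0.0.0/0 default route, OpenVPN adds two half-routes (0.0.0.0/1 and 128.0.0.0/1) via the VPN gateway, plus a /32 host route for the server endpoint via the original gateway. Longest-prefix matching then prefers the /1 routes for all ordinary traffic while the tunnel itself still leaves via the tether. The following is an added example, not code from the thread or from pfSense/OpenVPN; it replays that lookup over routes transcribed from the posted table. The destination 8.8.8.8 is a constructed test address.

```python
import ipaddress

# Routes transcribed from the "route print -4" output in Reply #15
# (destination, netmask, gateway, interface, metric). Host routes for the
# interfaces' own addresses and multicast/broadcast entries are omitted.
ROUTES = [
    ("0.0.0.0",        "0.0.0.0",         "172.20.10.1",   "172.20.10.2",     20),
    ("0.0.0.0",        "128.0.0.0",       "192.168.148.1", "192.168.148.244", 259),
    ("109.154.145.65", "255.255.255.255", "172.20.10.1",   "172.20.10.2",     276),
    ("127.0.0.0",      "255.0.0.0",       "On-link",       "127.0.0.1",       306),
    ("128.0.0.0",      "128.0.0.0",       "192.168.148.1", "192.168.148.244", 259),
    ("172.20.10.0",    "255.255.255.240", "On-link",       "172.20.10.2",     276),
    ("192.168.148.0",  "255.255.255.0",   "On-link",       "192.168.148.244", 259),
]


def def1_halves():
    """The two half-routes OpenVPN installs for 'redirect-gateway def1'.

    Splitting 0.0.0.0/0 into two /1 prefixes overrides the existing default
    route by being more specific, without deleting it.
    """
    return [str(n) for n in ipaddress.ip_network("0.0.0.0/0").subnets(prefixlen_diff=1)]


def lookup(dest, routes=ROUTES):
    """Longest-prefix match (lowest metric on ties), as a host's IPv4 forwarding does.

    Returns (next_hop, interface). For an On-link route the next hop is the
    destination itself, since it is reachable directly on that interface.
    """
    d = ipaddress.ip_address(dest)
    best = None
    for net, mask, gw, iface, metric in routes:
        n = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if d in n:
            key = (n.prefixlen, -metric)  # longer prefix wins, then lower metric
            if best is None or key > best[0]:
                best = (key, gw, iface)
    if best is None:
        return None
    _, gw, iface = best
    next_hop = dest if gw == "On-link" else gw
    return (next_hop, iface)


def without_def1(routes=ROUTES):
    """The same table with the two /1 half-routes removed, i.e. no redirect at all."""
    return [r for r in routes if r[1] != "128.0.0.0"]


if __name__ == "__main__":
    print("def1 halves:", def1_halves())
    for dst in ("8.8.8.8", "109.154.145.65", "192.168.148.1", "172.20.10.1"):
        print(f"{dst:>16} -> {lookup(dst)}")
    # Without the half-routes, Internet traffic falls back to the tethered gateway,
    # which is the "clients use the wrong public IP" symptom described in Reply #16.
    print("8.8.8.8 without def1 ->", lookup("8.8.8.8", without_def1()))
```

With the half-routes present, Internet destinations are forwarded to 192.168.148.1 over the TAP adapter while the /32 for the server endpoint keeps the encrypted tunnel on the tether; remove the half-routes and the same destinations go straight out via 172.20.10.1, bypassing pfSense and its resolver.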

Offline xel

Re: Openvpn tap 2.4.2_RELEASE-p1 does it work?
« Reply #17 on: March 01, 2018, 01:05:08 am »
Thank you, and good to see you could achieve your TAP bridge, simon.lock.

Can you show us what your final config looks like?

I was trying the custom option
Code:
push "redirect-gateway def1"
but my Tunnelblick client can't deliver me any DHCP information. Without that redirect-gateway option, I can ping any machine on the network, but can't access services like the webGUI on the gateway. My shares on NET are looking there.

Cheers.