OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: epoch on July 26, 2017, 01:43:15 am

Title: [SOLVED] Bridge+OpenVPN: possible? how?
Post by: epoch on July 26, 2017, 01:43:15 am
Hello all.
I have a new APU2C4 running 17.1.11 (very smooth install process) and I am back to looking at the state of OpenVPN in kernel bridged mode.

I start with 3 interfaces activated and assigned: LAN, WAN, OPT1.
I want an OpenVPN server that uses a tap device that gets bridged to the LAN. I don't want any fancy features offered by OVPN, I want my clients to use the regular DHCP, DNS etc. available on the LAN.

I've selected WAN as the value for option "Interface", I understand this is the address OVPN listens on.
I can select "tap" as the OVPN device. But what then?
There is a "bridge interface" option in settings, it is stuck to "none".
I don't understand the help text that comes with it: "The interface to which this tap instance will be bridged. This is not done automatically. You must assign this interface and create the bridge separately. "

I created a bridge, added LAN to it, even added a half-baked ovpns1 interface that got somehow created, that didn't help and overall it doesn't make much sense.

Can I bridge an OpenVPN tap and the LAN interface? How?

Thanks in advance.
Title: Re: Bridge+OpenVPN: possible? how?
Post by: epoch on July 26, 2017, 12:57:27 pm
Ok, sorry for the noise, I spoke too soon.
I have what looks like a working bridge now.
When all is verified to work properly I will post a short recipe.
Title: Re: Bridge+OpenVPN: possible? how?
Post by: epoch on August 08, 2017, 11:36:07 pm
And I am back.
Oh yes, I did set up a routed tunnel with the nice wizard, but then some devices on the network wouldn't reply properly so instead of figuring out why I decided to use a bridged tunnel, because it works.

I've found one little snag yet: in the interfaces list (Firewall) you end up with a spurious "Openvpn" interface, that isn't really an interface (not found with ifconfig), and simply shouldn't be there.

I've seen a panic or core dump, but frankly I can't say what happened. The setup seems to work solidly.
I haven't hooked my tunnel to an OTP system, that's my next move.

Here is a brief how-to:
 - First, how not to: make a backup, and have an optional interface active so that you can keep control of the firewall at all times. I managed to lock myself out, and if it wasn't for the awesome backup restore option on the console, I would have had to factory reset my install...

 - Now for the interfaces: you need to have one interface assigned and enabled, set its IPv4/v6 config to "none". Let's say the interface is "LAN", I have renamed it "_LAN".
Then in "Other Types", create a bridge, choose "_LAN" as its unique member, assign that interface, enable it and give it an IP configuration and a name. I chose to call it "LAN"

 - Now in VPN>OpenVPN create a server, device "tap", set your crypto options, don't specify any tunnel or client settings (unless some are dear to your heart), and in "Advanced" just put: "mode server" (no quotes). Hit Save.
The OpenVPN daemon starts, it looks happy but in fact it is *not* bridged to "LAN".

 - Come back to Interfaces, assign and enable the newly created interface "ovpns1", IP config set to "none". I renamed this interface "_TAP".
Now in Other Types, revisit the definition of Bridge0 (aka "LAN") and add interface "_TAP" as a member.
Now your OpenVPN daemon is bridged.

 - Go back to VPN and restart your server.

 - In Systems>Settings>Tunables I've set net.link.bridge.pfil_member=0 and net.link.bridge.pfil_bridge=1. Otherwise you have to repeat rules to allow traffic between members of the bridge.

I would advise rebooting, and then you should have OpenVPN running in bridged mode. The DHCP server operating on the "LAN" interface will take care of connecting clients.
You can override that and have OpenVPN serve DHCP leases itself. I don't like this faux-DHCP featureset much, and I don't think it is much faster than the DHCP server built into OPNsense.
If the tunnel is too slow for clients to negotiate a DHCP lease, I'd consider a secondary DHCP server on the remote side, or simply a manual IP config for clients' tap interfaces (OpenVPN can "push" these, YMMV according to the OpenVPN client type you're using.)

Besides this spurious "OpenVPN" tab in the interfaces list, I think this works fine.
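The two steps in the recipe above that silently fail when skipped are the bridge membership of the tap interface (the daemon "looks happy but is not bridged") and the pfil tunables (without them, rules have to be repeated per bridge member). The script below is an added example, not from this thread or from OPNsense, that checks both from the text of `ifconfig bridge0` and `sysctl` output. The interface names `ovpns1`, `igb1` and `bridge0` and the sample output are constructed assumptions; on a live box the samples would be replaced by the real command output as noted in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the OpenVPN tap interface is
# really a member of the bridge, and that pf filters on the bridge rather than
# on each member (net.link.bridge.pfil_member=0, net.link.bridge.pfil_bridge=1).
# Names ovpns1 / igb1 / bridge0 are assumptions.

# Constructed sample of `ifconfig bridge0` on FreeBSD/OPNsense (member lines
# are indented; the regex below accepts tabs or spaces).
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:0a:0b:0c:0d:0e
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        member: ovpns1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 2000000
        member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 2000'

# Constructed sample of
# `sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge`.
SAMPLE_SYSCTL='net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1'

# bridge_has_member IFCONFIG_TEXT IFNAME -> exit 0 if IFNAME is listed as a member.
# The trailing [[:space:]] stops "igb1" from matching "igb10".
bridge_has_member() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*member: $2[[:space:]]"
}

# sysctl_value SYSCTL_TEXT OID -> prints the value of OID, nothing if absent.
sysctl_value() {
    printf '%s\n' "$1" | awk -v oid="$2" '$1 == (oid ":") { print $2 }'
}

# pfil_on_bridge_only SYSCTL_TEXT -> exit 0 when rules apply on the bridge
# interface only, which is the setting used in the recipe.
pfil_on_bridge_only() {
    [ "$(sysctl_value "$1" net.link.bridge.pfil_member)" = 0 ] &&
    [ "$(sysctl_value "$1" net.link.bridge.pfil_bridge)" = 1 ]
}

# check_bridged_vpn IFCONFIG_TEXT SYSCTL_TEXT TAP LAN -> exit 0 if every check
# passes; otherwise prints one line per failed check and exits 1.
check_bridged_vpn() {
    _rc=0
    bridge_has_member "$1" "$3" || { echo "tap $3 is not a bridge member: OpenVPN is not bridged"; _rc=1; }
    bridge_has_member "$1" "$4" || { echo "LAN $4 is not a bridge member"; _rc=1; }
    pfil_on_bridge_only "$2" || { echo "pfil_member/pfil_bridge are not 0/1: rules must be repeated per member"; _rc=1; }
    return $_rc
}

# Run against the constructed samples. On a live firewall use
#   check_bridged_vpn "$(ifconfig bridge0)" \
#     "$(sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge)" ovpns1 igb1
if check_bridged_vpn "$SAMPLE_IFCONFIG" "$SAMPLE_SYSCTL" ovpns1 igb1; then
    echo "bridge0: ovpns1 and igb1 are members, pf filters on bridge0 only"
fi
```

Running it after the "restart your server" step, and again after a reboot, catches the case where the ovpns1 interface was assigned but never added to the bridge, which is exactly the state the recipe warns about.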
Title: Re: Bridge+OpenVPN: possible? how?
Post by: epoch on August 09, 2017, 12:04:49 am
TOTP integration is awesome!
And the official doc is excellent, up-to-date, concise and precise.

(now can I have this option to hide that "openvpn" tab :D )
Title: Re: Bridge+OpenVPN: possible? how?
Post by: franco on August 09, 2017, 08:01:12 am
Hi epoch,

The OpenVPN tab is not spurious, it controls inbound connectivity for (all) your OpenVPN tunnels. If you don't set a rule there, users won't be able to connect from the remote.


PS: Glad you like the TOTP. The only thing that's not documented at this point is that the token / password order can now be flipped. Some people have asked for that and so it went into a 17.1.x release not too long ago.
Title: Re: [SOLVED] Bridge+OpenVPN: possible? how?
Post by: franco on August 09, 2017, 08:03:07 am
PPS: There is a tutorial / how-to section in the forums where your helpful steps would fit better as others will find them more easily.