OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: epoch on August 11, 2017, 12:23:20 pm

Title: How-to: OpenVPN in bridged mode - OPNsense 17.1, 17.7
Post by: epoch on August 11, 2017, 12:23:20 pm

(original thread) (https://forum.opnsense.org/index.php?topic=5575.0)
With 17.7, here is how to setup OpenVPN in bridged mode. In this case this is for a "server", but this works for peer-to-peer mode as well.
I've run it lightly for a few days, I see no issue related to the bridge. As you'd expect DHCP comes across.

First, how not to: make a backup, and have an optional interface active so that you can keep control of the firewall at all times. I managed to lock myself out, and if it wasn't for the awesome backup restore option on the console, I would have had to factory reset my install...

Ok, start:

• Interfaces: you need to have one interface assigned and enabled, set its IPv4/v6 config to "none". Lets say the interfaces is "LAN", I have renamed it "_LAN".
  Then in "Other Types", create a bridge, choose "_LAN" as its unique member, assign that interface, enable it and give it an IP configuration and a name. I chose to call that bridge "LAN"
• In VPN>OpenVPN create a server, device "tap", set your crypto options, don't specify any tunnel or client settings (unless some are dear to your heart), and in "Advanced" just put: "mode server" (no quotes). Hit Save.
  The OpenVPN daemon starts, it looks happy but in fact it is *not* bridged to "LAN".
• Come back to Interfaces, assign and enable the newly created interface "ovpns1", IP config set to "none". I renamed this interface "_TAP".
• Now in Other Types, revisit the definition of Bridge0 (aka "LAN") and add interface "_TAP" as a member.
  
• Your OpenVPN daemon is really bridged now. Go back to VPN and restart your server.
• In Systems>Settings>Tunables I've set net.link.bridge.pfil_member=0 and net.link.bridge.pfil_bridge=1. Otherwise you have to repeat rules on each interface members (+the bridge itself?) to allow traffic between members of the bridge.

I would advise rebooting, and then you should have OpenVPN running in bridged mode. The DHCP server operating on the "LAN" interface will take care of connecting clients.
You can override that and have OpenVPN serve DHCP leases himself. I don't like this faux-DHCP featureset much, and I don't think it is faster than the DHCP server built in OPNsense.
If the tunnel is too slow for clients to negotiate a DHCP lease, I'd consider a secondary DHCP server on the remote side, or simply a manual IP config for clients tap interfaces (opnvpn can also "push" these, YMMV according to the OpenVPN client type you're using.)

In the firewall rules you will now have an empty "OPENVPN" tab. If you look at the end of the thread I linked at the top of this post, you'll see admin Franco says the tab is useful. I think it is useless in this case, I just leave it alone empty.

HTH

Title: Re: How-to: OpenVPN in bridged mode - OPNsense 17.1, 17.7
Post by: epoch on April 25, 2018, 02:40:31 pm

FYI, still ok on 18.1.

Title: And now site-to-site static key bridged mode - OPNsense 17.7, 18.1
Post by: epoch on April 25, 2018, 05:09:43 pm

A quick follow-up, here is the recipe for a site-to-site bridged config.
The idea is to let the router on site A manage site B completely, esp. via its DHCP server. This is why none of the special OpenVPN options related to client management are used (IP pool, Bridge settings...)

The motions you'll have to go through will be more accurately described in the FP, but basically this is the workflow for both sites:

• Create a bridge, assign an interface,— NB: not a VLAN it does not work AFAIK
• Create your OVPN client or server config, select tap and your options,
• Activate the created ovpn<s|c><number> interface and assign it to the bridge, (ovpncX = client tap #X, ovpnsY = server tap #Y)
• (Re)Start the OVPN instance,
• Check your filtering rules.

Make sure your IP setup does not conflict across sites, you're on a single network.
In this example you just need to configure the DHCP server on site A, but in general using a 172.16/12 or 10/8 network for your sites can make management easier.

Now the OVPN settings for a site-to-site static key setup.
The following setup should work as-is with net.link.bridge.pfil_member=0 and net.link.bridge.pfil_bridge=1 set in System>Settings>Tunables
If you don't set these, you'll need to define filtering rules per bridge member interface. This was not tested, you're on your own.

• Server side
  On site A router, go to VPN>OpenVPN>Servers, click on "Add server".
  Here are the main options you want to set:
• General info:
  Server Mode: Peer to Peer (Shared Key)
  Device mode: tap
  Interface: <your WAN interface>
  
• Crypto settings:
  Shared Key, select "Automatically generate a shared key."
  Encryption, Auth, Hw crypto: YMMV, I suggest you start with the defaults.
  
• Tunnel Settings:
  Everything empty, except:
  Compression: Select "Enabled w/ Adaptive Compression" (whatever you choose, make sure both sides match)
  Type-of-Service: selected. Both options mildly useful but they don't hurt AFAIK.
  Yes, bridge interface is set to "none". The DHCP server on site A manages the network.
  
• Client settings:
  All empty. Uncheck Address Pool.
  
• Advanced:
  dev tap
  persist-tun
  ifconfig-nowarn
  ping-timer-rem
  
Now Save, assign the ovpnsX interface to the bridge, restart the OVPN server. It should go green.
Check your incoming filtering rule on the WAN interface to allow the client to connect. BTW, prefer udp rather than tcp for the tunnel, tcp-over-tcp can cause more issues than it solves.
Go back to the server configuration and copy the generated key. You'll need to paste it in the client config.

• Client side
  On site B router, make sure the DHCP server is deactivated on the bridged interface.
  Then go to VPN>OpenVPN>Clients, click on "Add client".
  Here are the main options you want to set:
• General info:
  Server Mode: Peer to Peer (Shared Key)
  Device mode: tap
  Interface: <your WAN interface>
  Remote Server: <public IP or name of site A>
  Retry DNS resolution: check "Infinitely resolve remote server"
  
• User Authentication Settings: leave empty
• Crypto settings:
  Uncheck "Automatically generate a shared key.", then paste the key that was generated on the server side. (or your secret won't match)
  Encryption, Auth, Hw crypto: if you changed anything to the default, check you match settings on the other side.
  
• Tunnel Settings:
  Everything empty, except:
  Compression: Select "Enabled w/ Adaptive Compression" (whatever you choose, make sure both sides match)
  Type-of-Service: selected. Both options mildly useful but they don't hurt AFAIK.
  
• Advanced:
  dev tap
  persist-tun
  ifconfig-nowarn
  
Now Save, assign the ovpncX interface to the bridge, restart the OVPN client. It should go green.
Check your filtering rule on the bridged interface. You can open IPv4 any to any and set the gateway for that rule to the automatically generated <ovpncX_name>_VPNV4 gateway.
If you create a schedule (Firewall>Settings>Schedules) you can activate/deactivate the rule according to time-of-day.

You now have a single LAN spanning over 2 sites, congratulations.

Title: Re: How-to: OpenVPN in bridged mode - OPNsense 17.1, 17.7
Post by: klausagnoletti on July 29, 2019, 10:35:49 pm

Hey, I know it's been a while since this post, but I want to do something similar to be able to do dlna across subnets, so to speak. I have a home network with opnsense firewall and a debian linux firewall offsite where my unraid server with plex is. In order for a dlna client on my home network to see the plex server and play media from it, I figured this is exactly what I need.

For my understanding could you please make a network drawing of your setup with network ranges etc? That would really help a lot.

Thanks

/klaus

Title: Re: How-to: OpenVPN in bridged mode - OPNsense 17.1, 17.7
Post by: nalah on September 02, 2020, 06:00:28 pm

still ok on 20.7.1
just add/modifiy on firewall rules (on server side) for _LAN IPv4 any to any because default rules are with : Source _LAN net, and _LAN has no address  ;)

Title: Re: How-to: OpenVPN in bridged mode - OPNsense 17.1, 17.7
Post by: theplum on November 21, 2022, 02:49:22 pm

I tried the steps out but have no luck...please help... using verson 22.7.8

When I try to connect through VPN, the connection can be established but the client cannot obtain an IP address from the DHCP server. The following error is found in DHCP server log

Error   dhcpd   send_packet6: No route to host
Error   dhcpd   dhcpv6: send_packet6() sent -1 of 117 bytes

And the following OpenVPN log

Error   openvpn   remote/118.xxx.xxx.xxx:57797 MULTI: no dynamic or static remote--ifconfig address is available for remote/118.xxx.xxx.xxx:57797
Warning   openvpn   Could not determine IPv4/IPv6 protocol. Using AF_INET6

Title: Re: How-to: OpenVPN in bridged mode - OPNsense 17.1, 17.7
Post by: theplum on November 22, 2022, 06:10:19 am

Update: I tried to assign an IP address through the OpenVPN instead, by using the server bridge option. However, the VPN client can contact servers in the LAN but not vice versa. Have I missed something in the tutorial?  :-\

Title: Re: How-to: OpenVPN in bridged mode - OPNsense 17.1, 17.7
Post by: tuaris on December 05, 2022, 07:51:37 am

I don't know how I got it to work, but it's working... I think.  There are some hosts on the LAN side I can't access.  Not sure if it's due to the sub-class C subnet mask I setup on the bridge, but I can ping hosts outside that sub class C subnet.

Would appreciate some suggestions, especially on the firewall rules part.  Also... it's unclear from the instructions on top (first post) what the state of the LAN interface should be and what the purpose of the _LAN interface is?  I didn't set one up and it worked?

Here is my configuration (screenshots)

My OpenVPN Server Settings:

(http://venus.morante.net/downloads/unibia/screenshots/opnsense/openvpn/opnsense-tap-openvpn-openvpn-server-config-general.png)
(http://venus.morante.net/downloads/unibia/screenshots/opnsense/openvpn/opnsense-tap-openvpn-openvpn-server-config-tunnel.png)

Interface Overview and Assignments:

(http://venus.morante.net/downloads/unibia/screenshots/opnsense/openvpn/opnsense-tap-openvpn-Overview-Interfaces.png)
(http://venus.morante.net/downloads/unibia/screenshots/opnsense/openvpn/opnsense-tap-openvpn-Assignments.png)

Bridge Interface (I called in LAN1):
(http://venus.morante.net/downloads/unibia/screenshots/opnsense/openvpn/opnsense-tap-openvpn-Bridge.png)
(http://venus.morante.net/downloads/unibia/screenshots/opnsense/openvpn/opnsense-tap-openvpn-LAN1.png)

Interface Properties for LAN and OVPN:

(http://venus.morante.net/downloads/unibia/screenshots/opnsense/openvpn/opnsense-tap-openvpn-LAN.png)
(http://venus.morante.net/downloads/unibia/screenshots/opnsense/openvpn/opnsense-tap-openvpn-OVPN.png)

Firewall Rules:

(http://venus.morante.net/downloads/unibia/screenshots/opnsense/openvpn/opnsense-tap-openvpn-OpenVPN-Rules-Firewall.png)
(http://venus.morante.net/downloads/unibia/screenshots/opnsense/openvpn/opnsense-tap-openvpn-OVPN-Rules-Firewall.png)
(http://venus.morante.net/downloads/unibia/screenshots/opnsense/openvpn/opnsense-tap-openvpn-LAN1-Rules-Firewall.png)
(http://venus.morante.net/downloads/unibia/screenshots/opnsense/openvpn/opnsense-tap-openvpn-LAN-Rules-Firewall.png)

Title: Re: How-to: OpenVPN in bridged mode - OPNsense 17.1, 17.7
Post by: epoch on November 22, 2023, 10:23:30 am

Instructions still directionally correct in OPNsense 23.7.8-amd64 :)
Not using the new "Instances" facility to create the openvpn service, though. Perhaps that new GUI changes things?

EDIT. Actually a quick glance at "Interfaces" tells me neither bridged mode nor site-to-site shared key seem to be supported for now. Hoping the new GUI will improve.