OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: FCM on April 18, 2018, 05:23:20 pm

Title: DHCP relay over VPN ?
Post by: FCM on April 18, 2018, 05:23:20 pm
Hello :)

I managed to finally have a functional VPN tunnel between my main site and a distant site.

The problem I have now is with the DHCP:

my phone DHCP is on a VLAN on my network's main site, and I can't edit the address in the phone (Avaya), they want to find their information through DHCP.
So to let my phones on the distant site find the phone server I activated the DHCP relay with the phone server... And I stopped the DHCP on the OPNsense which was used for the LAN addresses...
And I put the address of my main site DHCP inside the DHCP relay so the distant computers get their addresses in the same way as the phones...

but neither the computers nor the phones get an IP address :(

So is there something to do to let the DHCP relay work through the VPN?

thanks

main site :
 - LAN on 192.168.20.0/23, DHCP on 192.168.20.170
 - Phones on 128.42.66.0/24 VLAN 66, Server on 128.42.66.7

Distant site :
 - LAN on 192.168.69.0/24
 - Phones on 128.42.80.0/24 VLAN 66

OpenVPN tunnel on 10.10.0.0/24
OPNsense server on main site interfaces :
 - LAN with 192.168.20.32
 - VOIP with 128.42.66.6
 - WAN through the DMZ
OPNSense server on distant site :
 - LAN with 192.168.69.1
 - VOIP with 128.42.80.1
 - WAN through internet box

thanks a lot
Title: Re: DHCP relay over VPN ?
Post by: FCM on April 19, 2018, 02:19:59 pm
hello again
On my firewall logs on the Opnsense from the main site I have this :

   LAN   Apr 19 14:05:14   10.10.0.2:67   192.168.20.170:67   udp   let out anything from firewall host itself

So, it seems that the DHCP request (port 67?) passes from the VPN tunnel point (10.10.0.2 is on the distant site side) to the LAN in the main site (DHCP server is on 192.168.20.170).

So, perhaps the problem is the way back... I am not sure, but is the DHCP able to give the address to the computer or phone?
LAN DHCP 192.168.20.170 > OPNSense 192.168.20.32 > VPN 10.10.0.1 > VPN 10.10.0.2 > OPNsense LAN 192.168.69.1 > Computer

thanks
Title: Re: DHCP relay over VPN ?
Post by: bartjsmit on April 19, 2018, 03:33:00 pm
Does your tunnel use tun or tap devices? You need the latter for DHCP.

Bart...
Title: Re: DHCP relay over VPN ?
Post by: epoch on April 19, 2018, 03:37:07 pm
DHCP uses 67/udp and 68/udp.
If a server receives a request (on 67/udp) you should see it in its logs.
If the local firewall blocks the server response (on 68/udp) you should see it in OPNsense logs.
Perhaps that traffic is classified as bogon, enable logging on anti-bogons rules.
Title: Re: DHCP relay over VPN ?
Post by: FCM on April 19, 2018, 04:06:22 pm
Thanks for the answers :)

I am on TUN as the wiki said, I will try on TAP

I unchecked the bogon rules at the beginning of my testing to avoid complication

I just put all rules to be open and I see an answer from the DHCP server:
ovpns1   Apr 19 16:04:14   192.168.20.170:67   192.168.69.1:67   udp   let out anything from firewall host itself

this log is on the main site, nothing arrives on the distant site...
I will try TAP and see what happens :)
thanks again

EDIT: I did tap, broke my VPN tunnel.... back to tun.
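An added example, not from the thread: a small Python parser for the live-log lines pasted above that maps each DHCP packet to its leg of the relayed exchange (client to relay, relay to server, server back to the relay's giaddr, relay to client) and reports which legs never showed up, which is where a packet capture on the distant OPNsense would go next. It reuses the two log lines and the 192.168.20.170 server address from the posts; the column layout it assumes is the one pasted above.

```python
import re
from typing import List, Optional, Tuple

DHCP_SERVER = "192.168.20.170"  # main-site DHCP server, from the thread's topology
STAGES = ("client->relay", "relay->server", "server->relay", "relay->client")  # legs, in order

# OPNsense live-log layout as pasted in the thread: iface, timestamp, src:port, dst:port, proto, rule
LOG_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+udp\s+"
)

# The two log lines quoted in the posts above (copied from the thread, not constructed).
SAMPLE_LINES = [
    "   LAN   Apr 19 14:05:14   10.10.0.2:67   192.168.20.170:67   udp   let out anything from firewall host itself",
    "ovpns1   Apr 19 16:04:14   192.168.20.170:67   192.168.69.1:67   udp   let out anything from firewall host itself",
]

def classify(src: str, sport: int, dst: str, dport: int) -> Optional[str]:
    """Map a UDP flow to its leg of the relay exchange, or None if it is not DHCP."""
    if sport == 68 and dport == 67:
        return "client->relay"    # client broadcast DISCOVER/REQUEST on the LAN
    if sport == 67 and dport == 67 and dst == DHCP_SERVER:
        return "relay->server"    # relay unicasts the request with giaddr set
    if sport == 67 and dport == 67 and src == DHCP_SERVER:
        return "server->relay"    # server answers giaddr (192.168.69.1 here), not the client
    if sport == 67 and dport == 68:
        return "relay->client"    # relay hands OFFER/ACK back on the client LAN
    return None

def parse_events(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    events = []  # (iface, src, dst, stage) for every DHCP line matching the layout
    for line in lines:
        m = LOG_RE.match(line)
        stage = m and classify(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if stage:
            events.append((m["iface"], m["src"], m["dst"], stage))
    return events

def missing_stages(events) -> List[str]:
    """Legs never seen in the logs: that is where the next packet capture belongs."""
    seen = {e[3] for e in events}
    return [s for s in STAGES if s not in seen]

def reply_path_differs(events) -> bool:
    """True when the reply goes to a different address than the relayed request came from."""
    req_src = {e[1] for e in events if e[3] == "relay->server"}
    rep_dst = {e[2] for e in events if e[3] == "server->relay"}
    return bool(req_src and rep_dst and not req_src & rep_dst)
```

On the thread's two lines it reports that only the relay-to-server and server-to-relay legs were logged, and that the reply is addressed to 192.168.69.1 while the relayed request left from 10.10.0.2, so the return path to the relay address is the one to verify.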
Title: Re: DHCP relay over VPN ?
Post by: bartjsmit on April 20, 2018, 08:03:45 am
EDIT : i did tap, broke my vpn tunnel.... back to tun.

Did you set the tap device on both ends? You may need to edit the client configuration by hand.

DHCP won't work over a tun device, since it mixes layer 2 and layer 3 traffic.

Bart...
Title: Re: DHCP relay over VPN ?
Post by: FCM on April 20, 2018, 09:44:00 am
thanks for helping.
I did tap on both sides...
So I did it again...
I can't reach distant site anymore, but on the logs of the VPN I have this :
Apr 20 09:35:02    openvpn[71792]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.69.0
Apr 20 09:35:02    openvpn[71792]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options

So it seems that the routes created by the VPN tunnel in tun mode don't work anymore. What can I do?
So I have to add a route gateway with a bridge interface?
I have to find out how to make a bridge interface then :)
Title: Re: DHCP relay over VPN ?
Post by: FCM on April 20, 2018, 01:41:58 pm
Ok, I tried to add routes with a gateway, I tried to add a gateway to the VPN on interfaces... nothing works :(

Where can I put the "gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options"?
thanks
Title: Re: DHCP relay over VPN ?
Post by: bartjsmit on April 20, 2018, 06:12:17 pm
There is no need to route with a TAP device. The tunnel becomes an extension to the Layer-2 network. Both sides of the tunnel share a Layer-3 subnet.

Assign a static IP address to the OPNsense end of the tunnel and create a TAP client with a static IP in the same subnet. Confirm that they can ping each other and run a packet capture if they can't.

Bart...
Title: Re: DHCP relay over VPN ?
Post by: FCM on April 23, 2018, 10:31:31 am
ok
I understand the OSI theory with layer 2 or 3...
but I am lost on the OPNsense side...

my tun configuration was:

Main site addresses:
 - Interface LAN OPNsense on 192.168.20.32 (192.168.20.0/23)
 - Interface VOIP on 128.42.66.6 (128.42.66.0/24 - VLAN 66)
 - VPN tunnel on 10.10.0.1 (10.10.0.0/24)
 - DATA DHCP on 192.168.20.170
 - VOIP DHCP on 128.42.66.7

Distant site addresses:
 - Interface LAN OPNsense on 192.168.69.1 (192.168.69.0/24)
 - Interface VOIP on 128.42.80.1 (128.42.80.0/24 - VLAN 66)
 - VPN tunnel on 10.10.0.2 (10.10.0.0/24)

So when you say "Assign a static IP address to the OPNsense end of the tunnel and create a TAP client with a static IP in the same subnet", I have to change LAN interface on the distant side from 192.168.69.1 to 192.168.20.33 ?
That's where I am lost :(
and do I have to do the same for the VOIP? 128.42.80.1 to 128.42.66.8??

But in that case, all computers and phones from the distant site will have the same address range as the main site computers and phones?

I will try to follow this https://forum.opnsense.org/index.php?topic=5716.0 and come back to say if I am still lost or not ;)

thanks again for helping