Messages

Are you using redirect-gateway?  If not this could be your problem

There is 2 ways to configure the server TAP config

Method 1 (as I've shown)
-Routing>Local Networks> nothing set
-Miscellaneous>Redirect-gateway> default
-On client IP test will show your VPN Server WAN address

Method 1 forwards all client traffic over the tunnel including internet, this is why no local routes are needed as all traffic flows through the tunnel

Method 2
-set all your Routing>Local Networks> ie 10.1.1.0/24 10.2.2.0/24 etc
-Miscellaneous>Redirect-gateway> nothing selected
-On client IP test will show your client WAN address

Method 2 will use your defined routes for local networks and leave all traffic on client outside of those networks will appear from client WAN

Keep at it you'll get it, if you're connecting and getting a local IP it may not be a routing issue, without seeing a client log/client config/vpn settings/firewall rules/interface overview I couldnt say.

This is still a problem. I also need tun-mtu and am therefore currently forced to use the legacy server, with the deprecation notice looming over it.

Are you enabling advanced settings... see screenshots
You cannot view this attachment.You cannot view this attachment.

Your screenshot is incomplete so I can't make out fully how you're configured... is your ovpns2 assigned to an optx device identifier (my example ovpns1 is opt6), I notice your ovpns1 is not assigned so Im curious

All the 'guides' I found relate to PFsense and I could never get them to work as they setup the bridge differently and differing OpenVPN config pages etc, like I said it was hours of experimenting and reading before I came up with my working config.  My feeling of the vibe around here is 'just use tun' because tap can be so troublesome

added a dhcp service on the openvpn interface etc but the best I could reach was to get the openvpn clients assigned the ips from the openvpn subnet.

When your ovpns2 is attached to bridge1 there is no need for this, all thats needed is assigning what 192.168.1.x-192.168.1.x address range on the VPN config page for the IPs you want your clients to use

Ensure the following
-ovpns2 is assigned to an interface device identifier (optx) 'Interface > Assignments'
-ovpns2 interface is a member of bridge1 with NO static IP or DHCP set, should look like attached
You cannot view this attachment.
-your bridge is configured exactly as per the guide, ie. tuneables are set for disabling/enabling filtering on interfaces/bridge 'Interfaces > Devices > Bridge'
-OpenVPN config page has your LAN (bridge1) network under 'Bridge Gateway' ie 192.168.1.1/24 and IP range is set ie. '192.168.1.98-192.168.1.99' (advised to not overlap your LAN pool)

Connect with a client, it should get either 192.168.1.98 or 99 as an IP, if it does and you still can't communicate check the live view of Firewall logs to see if something is being blocked.

And just remember your asking for help from an opnsense newb and my background is not networking ;)

Also I notice that you do not have anything in the "Local Network" under Routing. Here I have the the networks that would be accessible and should be pushed to the client(s). It is somehow counter intuitive since the way I understand it this is the way to push the actual routing to the client (or perhaps I am wrong)?

Nothing is needed here as TAPw/bridge your vpn clients are already a part of the local network

I suggest starting from scratch and setting up as I've explained earlier, your interface overview should show like below (opt1/igc1 opt6/ovpns1 have nothing set) and if your firewall rules allow to other interface networks on your device they are reachable by VPN clients as well

You cannot view this attachment.
And from my VPN client
You cannot view this attachment.

Heres a rough summary of my setup, this is just basic info and can't even be considered a pseudo 'how-to'.  I dont recall the actual sequence of steps at the moment.

Not sure how many physical interfaces you have on your hardware but to save the risk of accidentally getting locked out of your hardware I setup everything from the network that is setup on interface opt2 (port 2)(my LAN2) where port 1 is my main wired network

Interface Legend:
LAN1_eth1_MavNET - ethernet port 1 on my device
LAN1_vpn_tap_MavNET - OpenVPN server interface
LAN1_bridge_MavNET - bridge with above 2 as members

-Follow every step from the bridge creation link earlier in this thread... most importantly the bridge gets assigned to LAN and has your desired LAN network IP assigned and filtering disabled on member interfaces and enabled on the bridge (tuneables).  My LAN network is assigned to the bridge with 10.1.1.1/24. Interfaces LAN1_eth1 and LAN1_vpn_tap should not have a static IP assigned (they are members of the bridge)

-Any and all firewall rules get applied against LAN1_bridge and VPN/eth1 interfaces have no rules
-VPN settings: 'Bridge gateway' is your bridge network ie 10.1.1.1/24.  'Bridge DHCP pool' is the IPs you want clients to be assigned they must be within the subnet of the gateway (your LAN network)

Once connected from a client, the client vpn log should show pushed routes of your LAN/DNS/ifconfig with an IP from your pool

Hopefully this helps, I know I struggled for hours learning my way around Opnsense and setting this up, I came from Asuswrt-Merlin where this is how TAP servers are setup (members of the main bridge).  I can try and help answer any questions and if you get it working maybe one day Ill write up true how-to, unless of course a resident guru can show where this is not correct
You cannot view this attachment.You cannot view this attachment.You cannot view this attachment.You cannot view this attachment.

I came from another platform after the now legacy mode was destined to be removed and don't know anything about it so I setup a working config (for me) by bridging (frowned upon it seems) the TAP interface and my LAN interface to a bridge where the bridge is the host network.  Whether this is the correct way or not it works great for my needs, if you want more details of my config let me know.

The only thing I notice that propably is relevant is that under Interface-->Overview the new ovpns is not getting assigned either an "IPv4" address or any "Route" while the old one from the legacy server does. I am guessing here if it does not get assign the proper data then it will not sent them to client later correct?

This won't show a route/address as the OVPN interface should be a member of your bridge interface along with your LAN interface for a TAP config

Is your bridge correctly setup? https://docs.opnsense.org/manual/how-tos/lan_bridge.html

Hello everyone, newbie around here and looking for advice/guidance.  I understand my setup is not well supported as it is rare, but it was working when I first made the jump to opnsense.

OpenVPN Server Instance TCP/TAP - This vpn interface is bridged to LAN interface - All rules were followed and applied for setting up a bridge interface (tuneables)
Clients are android devices using VPN Client Pro (been using it for TAP for many years) and Windows clients using OpenVPN GUI

EDIT: solved... user error (of course)
I did re-setup this server at some point and incorrectly set the Bridge Gateway to the network address 10.1.1.0/24 instead of the host address 10.1.1.1/24.

Glancing at routing I overlooked this but after experimenting with manually added routes I discovered my error