General Discussion / [SOLVED] OpenVPN TAP all traffic through the tunnel
« on: June 04, 2019, 09:38:07 pm »
Hi everyone, after days of troubleshooting and trial and error I finally decided to ask for your help,
bear in mind that I’m not a network engineer and I don’t have advanced knowledge of networking.
Goal
Set up a TAP OpenVPN connection between my router and my laptop, routing all the traffic (internet included) through it.
Yes, I need TAP for mDNS and Bonjour, and I want to route all the traffic so that one day I can add a VPN service on the server WAN side for secure internet browsing.
Problem
Bonjour, mDNS and "local" networking work flawlessly, and internet browsing outside the VPN also works. But if I check "Redirect Gateway" or put the command push "redirect-gateway def1" in the advanced configuration of the OpenVPN Server and ping 8.8.8.8, I get "Network is unreachable". I tried to tcpdump on the server machine, but I can't find the ICMP traffic on any of the available interfaces.
Configuration
Hardware
OPNsense 19.1.8 on a VM in ESXi with two ports:
vmx0 connected to modem (vSwitch1)
vmx1 connected to switch for LAN (vSwitch0)
Software
ESXi
both vSwitch1 and vSwitch0 have:
Promiscuous mode Accept
MAC address changes Accept
Forged transmits Accept
OPNsense
System > Gateways
WAN_PPPOE 192.168.1.100 (this is automatic from the pppoe connection)
System > Settings > General
I left all the DNS fields blank since I want to use Unbound as my resolver
System > Settings > Tunables
net.link.bridge.pfil_member = 0
net.link.bridge.pfil_bridge = 1
Interfaces
Interface vmx0 assigned to WAN with pppoe enabled (block private networks and block bogon networks unchecked)
Interface vmx1 assigned to LAN with static ip 10.0.1.1/24
Interface ovpns1 (created by OpenVPN Server) assigned to TAP with no IP
Interface bridge0 (bridge created by combining LAN and TAP) assigned to BRIDGE with no ip
Firewall > Rules
BRIDGE: allow ipv4 any to any
LAN: default created by system (anti-lockout etc.)
OpenVPN: allow ipv4 any to any
TAP: none
WAN: allow traffic to WAN address through port 1194 (for OpenVPN)
Firewall > NAT > Outbound
Interface Source NAT address
TAP 10.0.1.0/24 LAN address
Firewall > Settings > Advanced
Disable reply-to: checked
VPN > OpenVPN > Servers
Tunnel Settings
Bridge DHCP: checked
Bridge Interface: LAN
Client Settings
Dynamic IP: checked
Address Pool: unchecked
Advanced: push "redirect-gateway def1"
push "route-gateway 10.0.1.1"
push "dhcp-option DNS 10.0.1.1"
Please, I need your help, I’m going mad.
Thanks
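As an added check that is not part of the post above or of OPNsense/OpenVPN itself: with `redirect-gateway def1` on a bridged TAP tunnel, the client ends up with full-tunnel routing only when (1) the TAP interface holds a connected prefix that contains the pushed `route-gateway`, (2) both def1 halves (0.0.0.0/1 and 128.0.0.0/1) point at that gateway through the TAP interface, and (3) a host route to the VPN server's public address still leaves via the original default gateway, so the tunnel does not try to route its own packets. The script below parses a saved `ip route show` listing from a Linux client and reports which of those three conditions fail. The interface names (`tap0`, `wlan0`), the server address 203.0.113.10, the WAN gateway 192.168.0.1 and both routing-table samples are constructed for the example.

```python
"""
Added example: check whether a Linux OpenVPN client that was pushed
`redirect-gateway def1` and `route-gateway <ip>` on a TAP tunnel really
has the routes it needs. All addresses and interface names are assumed.
"""
import ipaddress
import re

# Matches the prefix, optional next hop and device of one `ip route show` line.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Turn `ip route show` output into a list of {net, via, dev} dicts."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        via = ipaddress.ip_address(m.group("via")) if m.group("via") else None
        routes.append({"net": net, "via": via, "dev": m.group("dev")})
    return routes


def check_full_tunnel(route_text, route_gateway, tap_dev, server_ip, wan_gateway):
    """Return a list of findings; an empty list means all three conditions hold."""
    gw = ipaddress.ip_address(route_gateway)
    routes = parse_routes(route_text)
    findings = []

    # 1. The pushed route-gateway must be on-link through the TAP interface
    #    (a connected route with no next hop whose prefix contains it).
    onlink = [r for r in routes if r["dev"] == tap_dev and r["via"] is None and gw in r["net"]]
    if not onlink:
        findings.append(f"route-gateway {gw} has no connected route on {tap_dev}")

    # 2. Both def1 halves must be installed via that gateway on the TAP interface.
    for half in ("0.0.0.0/1", "128.0.0.0/1"):
        net = ipaddress.ip_network(half)
        if not any(r["net"] == net and r["via"] == gw and r["dev"] == tap_dev for r in routes):
            findings.append(f"missing {half} via {gw} dev {tap_dev}")

    # 3. The VPN server itself must stay reachable via the original gateway,
    #    otherwise the /1 routes would pull the tunnel's own packets into the tunnel.
    srv = ipaddress.ip_network(f"{server_ip}/32")
    wan_gw = ipaddress.ip_address(wan_gateway)
    if not any(r["net"] == srv and r["via"] == wan_gw for r in routes):
        findings.append(f"no host route for {server_ip} via {wan_gateway}; tunnel may route itself")

    return findings


# Constructed sample: TAP interface has a lease and all routes are in place.
SAMPLE_OK = """\
default via 192.168.0.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.0.1.1 dev tap0
128.0.0.0/1 via 10.0.1.1 dev tap0
10.0.1.0/24 dev tap0 proto kernel scope link src 10.0.1.57
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.23
203.0.113.10 via 192.168.0.1 dev wlan0
"""

# Constructed sample: tap0 never got an address, so no connected route and
# no def1 routes exist; only the server bypass route was added.
SAMPLE_BROKEN = """\
default via 192.168.0.1 dev wlan0 proto dhcp metric 600
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.23
203.0.113.10 via 192.168.0.1 dev wlan0
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        result = check_full_tunnel(sample, "10.0.1.1", "tap0", "203.0.113.10", "192.168.0.1")
        print(name, "->", result or "full tunnel looks consistent")
```

To use it against a live client, replace the constructed samples with the output of `ip route show` captured once the tunnel is up and the TAP interface has its address; on a macOS or Windows client the routing-table format differs and `parse_routes` would need its own parser.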