OpenVPN Server - TAP creation help?

[musashi]

Does anyone have a guide, either written or video, that shows how to setup an OpenVPN server, but in TAP mode for OPNSense?  What I'm trying to do is to connect mobile client to my network over OpenVPN, but still be able to access DLNA/uPnP broadcast and access...

[bartjsmit]

Do you have a tunnel set up already? If not, set one up with the many tutorials out there and test with a mobile client. Check that internal DNS works and you can access your servers.

In OPNsense go VPN, Servers, OpenVPN, select your server. Change the tunnel device mode from tun to tap

In the client ovpn file change 'dev tun' to 'dev tap' and test again.

Note that there are many issues with tap devices in Android and IOS. Test with a Windows/Mac/Linux client before you decide that the tunnel is at fault. FWIW, I've been able to avoid a lot of DNLA problems with Emby server https://emby.media/ which streams fine to its (mobile app) clients over tun devices.

Bart...

[musashi]

Thanks Bart, I appreciate the quick response.

DO I just simply clone the server, but change the port and the "local network" address to match that of my network?  My local/private network is 192.168.255.0/24, and my TUN is set to 10.10.10.0/24.  For TAP style, do I just simply modify the port to be say, port 1195, then set the local network to match the local, 192.168.255.0/24?

Is it necessary to setup a "bridge" interface, where I bridge the LAN and OVPNS2 (OVPNS1 is my TUN, OVPNS2 is my TAP interface)?  I saw a field in the VPN server setup where there was a check box for the bridge, so doI just create the bridge and specify it for TAP?  I've attached a screenshot of this bridge option for reference.

[bartjsmit]

A TAP tunnel is a layer 2 device, so the TAP client would pick up a DHCP address from your LAN and you won't need a subnet for the tunnel.

You will need a bridge between OVPNS2 and LAN. I would advise connecting a monitor and keyboard so you can roll back the configuration change (option 13) if you lock yourself out.

The external connection details for the tunnels do need to be different between the two - either different ports or if you have the luxury, different public IP addresses.

Bart...