Unable to route traffic over TAP OpenVPN tunnel after restart

Started by Unimatrix01, February 08, 2025, 08:19:20 PM

Hoping someone can help me figure out what's happening.  I'm setting up an OpenVPN server in TAP mode, so clients share the same subnet as the LAN.  If the firewall is up and running, and I restart the OpenVPN service, it works no problem; clients can connect and access the local network.  But as soon as I restart OPNSense, clients can still connect to the server, but they fail to route any traffic (i.e., can't access anything on the LAN).

Running OPNsense version 25.1-amd64 (latest updates applied).

See attached for VPN configuration.  The VPN interface is bridged to the LAN interface, and LAN is configured with CARP.

Any help would be appreciated!

Bridged VPN connections are fundamentally problematic. Think about switching to routed/tun.

I suspect VPN clients get new MAC addresses when you reboot the firewall. All other systems on the LAN might have the old address in their caches. ARP cache lifetime can be in the order of hours for typical systems.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I'd be willing to buy that reason if it weren't for the fact that a simple restart of the OpenVPN service 2 minutes after the firewall is restarted fixes the issue.  This reeks to me of OpenVPN starting before something it depends on being ready, but that's just an outsider's perspective.

Looking at the OpenVPN logs, I noticed 1 line in the logs that is different between when it starts at startup, and when I restart the service.  When it fails, I see this additional line in the error log:
GDG: problem writting to routing socket: No such process (errno=3)

If I turn up the log level, I also see a bunch of these in the log at firewall startup:
GET INST BY VIRT: 00:00:5e:00:01:0a@0 [failed]
read from TUN/TAP returned 109
Compared to when I restart the service:
read from TUN/TAP returned 86

Also, if you have an article somewhere explaining why bridged VPN is bad, I'd like to read it, and see if the downsides are relevant for my use-case.
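The log lines quoted above can be turned into a small triage check that separates the boot-time failure pattern from a healthy service restart. This is an added example, not code from the thread or from OPNsense; it assumes the routing-socket and "GET INST BY VIRT" lines look exactly as quoted, and that the failed MAC follows the CARP/VRRP virtual MAC convention 00:00:5e:00:01:xx with the VHID in the last octet.

```python
import re

# Signatures taken from the log lines quoted in this thread.
ROUTING_SOCKET_RE = re.compile(
    r"problem writt?ing to routing socket: (?P<err>.+?) \(errno=(?P<errno>\d+)\)")
VIRT_FAIL_RE = re.compile(
    r"GET INST BY VIRT: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})@\d+ \[failed\]", re.I)
TAP_READ_RE = re.compile(r"read from TUN/TAP returned (?P<n>\d+)")

# CARP, like VRRP, uses the IANA virtual MAC range 00:00:5e:00:01:xx,
# where the last octet is the VHID (assumption: the failed MAC is a CARP VIP).
CARP_MAC_PREFIX = "00:00:5e:00:01:"


def carp_vhid(mac):
    """Return the VHID encoded in a CARP virtual MAC, or None if it is not one."""
    mac = mac.lower()
    if not mac.startswith(CARP_MAC_PREFIX):
        return None
    return int(mac[len(CARP_MAC_PREFIX):], 16)


def triage_openvpn_log(text):
    """Scan OpenVPN log text and report the boot-time failure indicators."""
    findings = {"routing_socket_errors": [], "failed_carp_vhids": [], "tap_read_sizes": []}
    for line in text.splitlines():
        if m := ROUTING_SOCKET_RE.search(line):
            findings["routing_socket_errors"].append((m["err"], int(m["errno"])))  # errno 3 = ESRCH
        if m := VIRT_FAIL_RE.search(line):
            vhid = carp_vhid(m["mac"])
            if vhid is not None:
                findings["failed_carp_vhids"].append(vhid)
        if m := TAP_READ_RE.search(line):
            findings["tap_read_sizes"].append(int(m["n"]))
    # Both indicators together are the pattern the thread reports only at firewall boot.
    findings["boot_failure_signature"] = (
        bool(findings["routing_socket_errors"]) and bool(findings["failed_carp_vhids"]))
    return findings


# Constructed samples built from the lines quoted in the thread.
SAMPLE_BOOT_LOG = """\
GDG: problem writting to routing socket: No such process (errno=3)
GET INST BY VIRT: 00:00:5e:00:01:0a@0 [failed]
read from TUN/TAP returned 109
"""
SAMPLE_RESTART_LOG = "read from TUN/TAP returned 86\n"

if __name__ == "__main__":
    for name, log in (("boot", SAMPLE_BOOT_LOG), ("restart", SAMPLE_RESTART_LOG)):
        print(name, triage_openvpn_log(log))
```

Running it over the boot sample reports the routing-socket error together with CARP VHID 10 (the 0a octet), while the restart sample reports neither, which is the distinction the post draws.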

Hi,

We have deployed OVPN in Tap mode for very specific scenarios (L2 discovery required).

We just added the OVPN Server's interface to the LAN bridge.

Hope this helps