[SOLVED] LAN doesn't get DHCP with OpenVPN using TAP, VPN clients do

Started by noremaC1337, March 07, 2022, 10:47:19 PM

Ultimate goal - Set up a VPN for educational purposes with a real world example of running an unreal tournament server on the LAN and allowing others to connect to this server, through the VPN essentially creating the same experience as if they were sitting in the same room connected to my LAN.

Problem - I attempted this with TUN mode. Most things (that weren't related to Unreal, like SMB shares, access to web UIs, etc.) appeared to work; the one exception I found was seeing the server show up in Unreal, and manual attempts to type in the server/port in Unreal failed. The assumption is that Unreal is only broadcasting to the LAN and not accessible to clients outside of that.

Here is the documentation I referenced to create the bridge for a proper TAP configuration:
https://docs.opnsense.org/manual/how-tos/lan_bridge.html
https://forum.opnsense.org/index.php?topic=5716.0
https://forum.opnsense.org/index.php?topic=5575.0

I am able to connect with my VPN client (the VPN client gets an IP of 192.168.0.14/24 with 192.168.0.1 as its default gateway). I can ping the gateway of OPNsense for the LAN (192.168.0.1/24) but nothing else on the 0.0/24 network. Aside from ping, I can also access the web UI for OPNsense on my VPN client. This is what the interfaces look like from an addressing standpoint on the OPNsense console:

LAN (bridge0) -> v4: 192.168.0.1/24
WAN (hn0) -> v4: 192.168.1.2/30
_LAN (hn1) ->
_TAP (ovpns1) ->

My 0.0/24 LAN clients are all connected to _LAN interface, and are now not getting DHCP and are not able to communicate with each other, or the assumed gateway of 192.168.0.1.

Looking for help to understand why the _LAN clients (aside from the VPN client) aren't getting addressing from OPNsense. Thanks for your time in reading, and I hope someone can help me get to the finish line here! Let me know what other information may assist in determining a solution.

Hi there.
I think this semi-recent addition to the old how-to might be of importance (emphasis mine):
Quote from: nalah on September 02, 2020, 06:00:28 PM
still ok on 20.7.1
just add/modify on firewall rules (on server side) for _LAN IPv4 any to any because default rules are with: Source _LAN net, and _LAN has no address ;)
I haven't setup a bridged VPN on OPNsense 21, so perhaps something else needs to be done?

Hey epoch! Thanks for the reply.

I did see that note, and this is a complete list of my firewall rules for _LAN

There is one auto generated rule:

  • Protocol: IPv4+6 TCP
  • Source: *
  • Port: *
  • Destination: (self)
  • Port: 80
  • Gateway: *
  • Schedule: *
  • Description: Anti-lockout rule

One rule that I added:

  • Protocol: IPv4 *
  • Source: *
  • Port: *
  • Destination: *
  • Port: *
  • Gateway: *
  • Schedule: *
  • Description: Allow All IPv4 traffic

As for the other interfaces here are how they are configured currently:
Floating - No floating rules are currently defined

LAN

  • Protocol: IPv4 *
  • Source: *
  • Port: *
  • Destination: *
  • Port: *
  • Gateway: *
  • Schedule: *
  • Description: Allow All IPv4 traffic

Loopback - No Loopback rules are currently defined

OpenVPN

  • Protocol: IPv4+6 *
  • Source: *
  • Port: *
  • Destination: *
  • Port: *
  • Gateway: *
  • Schedule: *
  • Description: OpenVPN Wizard

WAN

  • Protocol: IPv4+6 *
  • Source: *
  • Port: *
  • Destination: WAN address
  • Port: 1194 (OpenVPN)
  • Gateway: *
  • Schedule: *
  • Description: OpenVPN wizard allow client access

  • Protocol: IPv4 ICMP
  • Source: *
  • Port: *
  • Destination: *
  • Port: *
  • Gateway: *
  • Schedule: *
  • Description: Allow Ping

  • Protocol: IPv4+6 *
  • Source: *
  • Port: *
  • Destination: *
  • Port: *
  • Gateway: *
  • Schedule: *
  • Description: Allow All IPv4 traffic

_LAN detailed at start of reply

_TAP

  • Protocol: IPv4 *
  • Source: *
  • Port: *
  • Destination: *
  • Port: *
  • Gateway: *
  • Schedule: *
  • Description:

As you can see, I have made every effort to allow all traffic through to get things working so I can then go back and restrict. So I shouldn't be blocking anything from a firewall perspective from what I can tell.

To add a little more information. If I add 192.168.1.0/24 to the "IPv4 Local Network" field on the OpenVPN server configuration in OPNsense, I am able to successfully navigate around the 1.0/24 network on the VPN client. It's as if the bridge configuration isn't actually supplying my 0.0/24 LAN addressing/access appropriately, but the VPN is getting that.

Currently I have this in the "IPv4 Local Network" field on my VPN server configuration:

192.168.1.0/24,192.168.0.0/24

Thanks for your time and help. Hoping you may be able to assist me further with this information I have supplied.

Adding a bit more information to this, in case someone out there can help me out.

I am able to see firewall traffic from a _LAN device that is on the local LAN. Meaning a client that is trying to connect to the bridge adapter I created locally and not through a VPN connection. The traffic, however, is IPv6 DHCPv6 attempts. They are getting blocked, because as you can see above, I am not allowing IPv6 traffic with any of my firewall rules.

So it appears that my local clients are physically connected via the bridge, but DHCPv4 doesn't have any traffic coming through but DHCPv6 has attempts that are getting blocked...

What would cause DHCPv4 to work on this bridge connection only for VPN clients, and not for LAN clients?

Admittedly, my setup is overly complex due to me treating this as an educational experience and less of a "production" experience. Due to this, I left out certain things in my original description to try to prevent confusion when the reader was reviewing my problem.

One thing that was left out was my use of Hyper-V as the hypervisor that is hosting my OPNsense VM as well as the LAN that I described in my previous post that didn't have addressing getting set to it. I found that if you are using Hyper-V for running OPNsense, and you require a TAP VPN connection from OpenVPN, you need to make sure that you enable MAC spoofing on the OPNsense VM within the settings for that VM in Hyper-V. This allowed the "bridged" interface, that was created in the steps that epoch graciously laid out for us, to communicate out from the _LAN interface that you have your devices connected to in Hyper-V.

Thank you to those that reviewed my problem and took some time out to assist.
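The Hyper-V setting described in the resolution above, as an added example that is not part of the original thread: a PowerShell snippet run on the Hyper-V host that shows the current MAC address spoofing state of each virtual NIC on the OPNsense VM, enables it on the adapter that OPNsense sees as hn1 (the _LAN side), and verifies the change. The VM name "OPNsense" and the adapter name "LAN" are assumptions; substitute whatever your VM and adapter are called. Without MAC address spoofing the virtual switch only passes frames carrying the vNIC's own MAC, so frames that bridge0 forwards on behalf of the TAP clients (and anything sent with bridge0's own MAC) never reach the LAN clients, which matches the symptom of VPN clients getting DHCP while LAN clients do not.

```powershell
# Added example, not from the thread or from the OPNsense project.
# Run in an elevated PowerShell session on the Hyper-V host.
# Assumptions: the VM is named "OPNsense" and the vNIC attached to the
# _LAN (hn1) side of the VM is named "LAN". Adjust both to your environment.

$VmName         = 'OPNsense'   # assumed VM name
$LanAdapterName = 'LAN'        # assumed name of the vNIC OPNsense sees as hn1

# 1. Show the current state of every vNIC on the VM, including whether
#    MAC address spoofing is already allowed.
Get-VMNetworkAdapter -VMName $VmName |
    Select-Object Name, SwitchName, MacAddress, MacAddressSpoofing |
    Format-Table -AutoSize

# 2. Allow MAC address spoofing on the LAN-side adapter only. The WAN
#    adapter (hn0) is not a bridge member, so it does not need it.
Set-VMNetworkAdapter -VMName $VmName -Name $LanAdapterName -MacAddressSpoofing On

# 3. Re-read the adapter and fail loudly if the setting did not take.
$lan = Get-VMNetworkAdapter -VMName $VmName -Name $LanAdapterName
if ("$($lan.MacAddressSpoofing)" -ne 'On') {
    throw "MAC address spoofing is still '$($lan.MacAddressSpoofing)' on $VmName/$LanAdapterName"
}
"MAC address spoofing is On for $VmName/$LanAdapterName"
```

The same switch is exposed in Hyper-V Manager under the VM's network adapter, "Advanced Features", as "Enable MAC address spoofing"; the cmdlet form is useful when you want the change scripted and checked rather than clicked through.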