OpenVPN configuration for BridgeMode (Passthrough)

Started by UserSN, May 29, 2025, 01:15:13 PM

I'm having difficulties getting OpenVPN set up on my OPNsense firewall. I'm able to get to a point where my clients can connect, and I see the client is assigned the correct IP as configured in OPNsense, but the clients constantly disconnect and I cannot ping any machine in the assigned networks, nor can I access the internet. I'm not sure if it has to do with my routing or where my problem is.

My Infrastructure:
Firewall -> Switch -> Various Machines
(All machines are assigned a static IP; I'm not using NAT, which is why I've set up the firewall in transparent mode or bridge mode.)

Firewall Config:
- WAN has an allow-everything rule set up on it, zero filters or blocks, just this one rule to allow everything.
- BRIDGE is where I configure all my FW rules.
- Gateway is set up to my publicly facing network's gateway address, from my ISP's switch, from the IP allotment they've provided me.
- All my machines on this network are assigned a static publicly facing IP, no NAT.

I've set up in OPNsense the Certificate Authority and the certificates themselves for the CA & users.
I've configured under VPN > OpenVPN > Instances: the static key & OpenVPN server instance running on the default port UDP 1194 (also tested with a different random UDP port & port 443 TCP).
Set up the OpenVPN server addresses to 10.2.4.0/24 for VPN clients, under subnet topology.
Static key, auth & certs have all been properly configured.
Under the "Routing" Local Network I've input there the correct static IP network I want my VPN clients to have access to.
Misc Options: client-to-client

Interfaces & F/W Rules:
- Assigned my newly created OpenVPNServer interface & enabled it!
- My WAN interface has from the get-go an allow-all rule for traffic of any type (*), so that's taken care of.
- In my BRIDGE interface I added a rule to allow all variations of the ports listed above (1194, 443, random port, etc.) to my BRIDGE address (not sure if this could be problematic, but BRIDGE is where I'm managing everything as it's transparent mode).
- Created the FW rule to allow everything in on the OpenVPNServer FW rules area.

THEN, post-config tests:
1) I initially set up the DNS servers to the static IPs of the DNS servers I'm using on my network.
2) I then tested by switching to Google and 1.1.1.1, i.e. 8.8.8.8 & 1.1.1.1.
3) I tested "Push Options" initially with (Push block-outside-dns & push-register-dns) and then tested with both those options off (no push options, essentially).

None of these tests changed anything in the client connection dropping behavior.

I've tested on my phone & local PC, connecting by exporting the config from OPNsense, etc., and loading it onto my OpenVPN client software.
- I do initially connect, but after a few seconds it disconnects, then reconnects, and this repeats over and over again.
- Same symptoms on both local PC & phone. The phone was disconnected from WiFi and is running on the cell network, so it's nothing related to my local router/ISP, etc., as I'm running directly from a cell network connection.

The only thing I can think of is something my ISP is doing, filtering UDP connections, but I tested via 443 and I'm experiencing the same behavior, so I don't think that's it; also the cell tower connection is a completely different ISP.

There must be a config I'm doing wrong somewhere?

Once connected to the VPN for those couple of seconds, I run an ipconfig and can see I am assigned the correct IP within the range I've allotted in the config of the OpenVPN server. I can ping the OPNsense firewall's public IP but not any IPs of the network they should have access to (the same network the firewall itself is set up on, in terms of gateway, etc.). Cannot do any DNS lookups; checking nslookup I do see it sets the name server I've configured, and I tested my own DNS, 8.8.8.8 & 1.1.1.1 respectively with different test attempts, but all DNS lookups fail.

Hoping for any shred of advice that could point me in the right direction; happy to do a Zoom call and pay for anyone's time if you could help me troubleshoot this.
Granted, my setup is a bit different from the tutorials out there on the web, as all my machines have static IP configs and I'm not using NAT; that must also be something in the equation.

Weird thing is, I have an OpenVPN virtual machine server running INSIDE this same network and I'm able to connect to it fine, but I'm trying to get rid of it since OPNsense does this already, so I can get rid of that redundant VM.

OpenVPN config tutorial I've basically followed, with minor changes due to my network's layout:
https://sysadmin102.com/2024/03/opnsense-openvpn-instance-remote-access-ssl-tls-user-auth/
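Added example (my own Python, not from the original post, OPNsense or the linked tutorial): the first thing worth doing with a "connects, drops after a few seconds, reconnects" report is to confirm the pattern from the server-side OpenVPN log rather than from the client's tray icon. The parser below groups "Peer Connection Initiated" and "client-instance restarting/exiting" events per client and flags clients whose sessions keep lasting only seconds. The log lines are constructed and only approximate the OpenVPN 2.x daemon format; the client names and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (approximates OpenVPN 2.x server output; names and
# addresses are invented). "laptop" flaps three times, "office" stays up.
SAMPLE_LOG = """\
Thu May 29 13:20:02 2025 203.0.113.55:41000 [laptop] Peer Connection Initiated with [AF_INET]203.0.113.55:41000
Thu May 29 13:20:02 2025 laptop/203.0.113.55:41000 MULTI_sva: pool returned IPv4=10.2.4.6, IPv6=(Not enabled)
Thu May 29 13:20:08 2025 laptop/203.0.113.55:41000 [laptop] Inactivity timeout (--ping-restart), restarting
Thu May 29 13:20:08 2025 laptop/203.0.113.55:41000 SIGUSR1[soft,ping-restart] received, client-instance restarting
Thu May 29 13:20:15 2025 203.0.113.55:41001 [laptop] Peer Connection Initiated with [AF_INET]203.0.113.55:41001
Thu May 29 13:20:15 2025 laptop/203.0.113.55:41001 MULTI_sva: pool returned IPv4=10.2.4.6, IPv6=(Not enabled)
Thu May 29 13:20:21 2025 laptop/203.0.113.55:41001 SIGUSR1[soft,ping-restart] received, client-instance restarting
Thu May 29 13:20:28 2025 203.0.113.55:41002 [laptop] Peer Connection Initiated with [AF_INET]203.0.113.55:41002
Thu May 29 13:20:34 2025 laptop/203.0.113.55:41002 SIGUSR1[soft,ping-restart] received, client-instance restarting
Thu May 29 13:21:00 2025 198.51.100.9:50000 [office] Peer Connection Initiated with [AF_INET]198.51.100.9:50000
Thu May 29 13:59:30 2025 office/198.51.100.9:50000 SIGTERM[soft,remote-exit] received, client-instance exiting
"""

# Timestamp prefix as written by the OpenVPN daemon, then the rest of the line.
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")
# A client finished its TLS handshake; the common name is in square brackets.
CONNECT_RE = re.compile(r"\[([^\]]+)\] Peer Connection Initiated")
# A client instance went away; the common name precedes the "/" of "name/addr:port".
DISCONNECT_RE = re.compile(r"^([^/\s]+)/\S+ .*client-instance (?:restarting|exiting)")


def parse_events(log_text):
    """Yield (timestamp, 'connect' | 'disconnect', client_name) for each relevant line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        rest = m.group(2)
        c = CONNECT_RE.search(rest)
        if c:
            yield ts, "connect", c.group(1)
            continue
        d = DISCONNECT_RE.match(rest)
        if d:
            yield ts, "disconnect", d.group(1)


def session_lengths(log_text):
    """Return {client: [seconds, ...]} for every completed connect/disconnect pair."""
    open_since = {}
    lengths = defaultdict(list)
    for ts, kind, name in parse_events(log_text):
        if kind == "connect":
            open_since[name] = ts  # a fresh connect supersedes any unmatched earlier one
        elif name in open_since:
            lengths[name].append((ts - open_since.pop(name)).total_seconds())
    return dict(lengths)


def find_flapping(log_text, min_sessions=3, max_avg_seconds=30):
    """Clients that reconnected at least min_sessions times with short average sessions."""
    result = {}
    for name, secs in session_lengths(log_text).items():
        avg = sum(secs) / len(secs)
        if len(secs) >= min_sessions and avg <= max_avg_seconds:
            result[name] = {"sessions": len(secs), "avg_seconds": avg}
    return result


if __name__ == "__main__":
    for name, info in find_flapping(SAMPLE_LOG).items():
        print(f"{name}: {info['sessions']} sessions, avg {info['avg_seconds']:.0f}s each")
```

A client that is torn down by ping-restart every few seconds while the TLS handshake itself keeps succeeding points at the data channel (keepalive replies not getting back) rather than at certificates or the listening port, which is a useful thing to know before changing ports or DNS settings again.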

I don't know if I'll be able to help but I'm curious and this use case entices me to do some research and deepen my knowledge...

Couple questions first:
1/ How do you use that VPN given all the machines are already publicly accessible?
2/ You say you have a VM running as a VPN appliance and that you can connect to it.
That in itself isn't particularly useful. I assume you can connect to other machines through it.
When connected to such machine, what is the source of the connection?
I'm trying to understand how the appliance is configured, so maybe you can answer this directly...

Hi Eric,

Thanks for the reply and sorry for the delay in coming back to you, I swore I replied but I must have never posted it.

1) I need VPN for employees and sometimes, when I'm traveling, to access the network remotely in a secure way, and I cannot always be adding e.g. my hotel's IP address to enable me to RDP or SSH to my machines.

2) Yes, I've installed the OpenVPN installation that's basically a stand-alone installation from OpenVPN as a VM in my NOC that I can OpenVPN into and then have access to the network. Something in its setup out of the box makes it work, compared to me trying to replicate this on OPNsense; also I had tried on a different firewall software that gave me the same connecting/disconnecting behavior.

I'm connecting from 1 city to my NOC in a different city, sometimes from different countries.

I also considered doing IPsec, but from my research I think that's more suitable for network-to-network tunneling, e.g. Microsoft Offices NY to Microsoft Offices LA, etc.

My use case is only a select few users who should be able to connect to my NOC and access my servers, and the simplest way to do this in a secure way seemed OpenVPN, but I've also noticed some ISPs (e.g. Orange.fr, a big ISP in France) do some kind of packet filtering on certain ports that may be contributing to my strange connect/disconnect issues.

Then again, one of my team members in the US running on their ISP Spectrum didn't have this issue when connecting to the out-of-the-box OpenVPN installation:
https://openvpn.net/as-docs/installation.html

But I did from France; I know this because Orange.fr also blocks e.g. port 25 for email.

I also tried switching from UDP to TCP 443 to avoid strange ISP issues, but I'm getting the same behavior.

I had lost context on this thread and it's a long read...

I'm still confused about the topology.
Are you saying OPN was set up as a transparent filtering bridge (essentially a switch with 2 ports allowing filtering)?
The "various machines" behind the physical switch have public IPs because they are directly on the network of your ISP. Correct?

Then you add a VPN interface to the mix, with a transfer network that has a private IP range, and you expect to be able to manage the "various machines" from that transfer network.
Your VPN endpoint is accepting connections from many places, and your "various machines" should only be manageable from the VPN network.
That's the idea?

ISP -> Firewall -> Switch -> Servers

Because servers have static IP configs on NICs and I'm not NATing, OPN blocks all traffic except e.g. 80, 443, 25, etc. to www.

I connect currently via RDP/SSH to X (servers) via a few specific locations with static IPs, so that's easy enough: just add a FW rule in OPN to allow RDP/SSH traffic ONLY from those specific IPs.

To accomplish the same as above from "random" locations, it becomes more tricky, hence the usage of a VPN; once connected, I can then RDP/SSH to any server on the network.

That's what i'm trying to do.

OPN blocks whatever you tell it to block.
The default anti-lockout rules actually prevent redirection of 80, 443 and 22 on one interface (various ways to tweak that).
I don't recall how these rules end up looking on a transparent bridge...

But I don't see how the VPN could work.
Even if the decapsulated traffic was "routed" to the bridge, the source address would be a 10/8. The replies would not make it back IMO.
I suspect your VPN appliance has an IP within the target network.

Are you sure you can't use OPN as a router without NAT?
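To make the return-path point above concrete, here is an added example (my own Python, not from the thread or from OPNsense) that models a server's route lookup. The only value taken from the thread is the VPN pool 10.2.4.0/24; the public block 203.0.113.0/24, the ISP gateway 203.0.113.1 and OPNsense's bridge address 203.0.113.2 are constructed. It also models two ways the reply path could be repaired (a static route for 10.2.4.0/24 on each server, or outbound NAT of tunnel traffic to the firewall's own address); both are assumptions of the example, not something the thread confirms.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses; the thread only gives the VPN client pool 10.2.4.0/24.
ISP_GATEWAY = ip_address("203.0.113.1")    # assumed: ISP router, the servers' default gateway
FIREWALL_IP = ip_address("203.0.113.2")    # assumed: OPNsense's own address on the BRIDGE interface
SERVER_LAN = ip_network("203.0.113.0/24")  # assumed: the public block the servers sit in
VPN_POOL = ip_network("10.2.4.0/24")       # from the thread
VPN_CLIENT = ip_address("10.2.4.6")        # constructed client address from that pool

# RFC 1918 space, which the ISP's router will never carry back to this network.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A server's routing table as (network, next hop); next hop None means on-link.
BASELINE_ROUTES = [
    (SERVER_LAN, None),
    (ip_network("0.0.0.0/0"), ISP_GATEWAY),
]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def next_hop(routes, dst):
    """Longest-prefix-match lookup: the gateway, the destination itself for an
    on-link route, or None when nothing matches."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return dst if best[1] is None else best[1]


def reply_fate(routes, reply_dst):
    """Where a server's reply packet ends up, given that server's routing table."""
    hop = next_hop(routes, reply_dst)
    if hop is None:
        return "no route"
    if hop == FIREWALL_IP:
        return "firewall"  # OPNsense holds the tunnel and can send it back to the client
    if hop == ISP_GATEWAY:
        # The ISP forwards public destinations as usual but has no path back to a
        # private destination, so the reply to a 10.2.4.x client is simply lost.
        return "isp gateway (dropped)" if is_rfc1918(reply_dst) else "internet"
    return "on-link"


def scenarios():
    """The thread's setup next to two assumed repairs."""
    with_route = BASELINE_ROUTES + [(VPN_POOL, FIREWALL_IP)]
    return {
        # 1. As described in the thread: the VPN client's packet reaches the server,
        #    but the server's reply follows its default route to the ISP.
        "baseline, reply to VPN client": reply_fate(BASELINE_ROUTES, VPN_CLIENT),
        # 2. Assumed fix: each server carries a static route for 10.2.4.0/24 via OPNsense.
        "static route on server": reply_fate(with_route, VPN_CLIENT),
        # 3. Assumed alternative: OPNsense source-NATs tunnel traffic to its bridge
        #    address, so the server only ever replies to 203.0.113.2, which is on-link.
        "outbound NAT to firewall IP": reply_fate(BASELINE_ROUTES, FIREWALL_IP),
        # 4. An ordinary reply to a public address, for comparison.
        "reply to public address": reply_fate(BASELINE_ROUTES, ip_address("198.51.100.7")),
    }


if __name__ == "__main__":
    for name, fate in scenarios().items():
        print(f"{name:32s} -> {fate}")
```

The model is deliberately only about the servers' routing tables: the firewall rules described earlier in the thread all allow the traffic, and the VPN client can still reach OPNsense's own address, which matches the symptom that only the firewall answers pings. Option 3 keeps every server untouched but means the servers see all VPN users as the firewall's address, so per-user auditing on the servers is lost; option 2 keeps the client addresses visible but has to be configured on every server.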