OpenVPN Tap tunnel, how to ?

[FCM]

Hello
this is following my last post on DHCP through VPN (https://forum.opnsense.org/index.php?topic=7950.0)...
I understood that to make my (Avaya) phones from a distant site to work I have to activate a tap tunnel to let DHCP work.

So is there somewhere or someone who made this kind of configuration and can say how to configure the OPNSense servers on the main and distant site to let the phones on the distant site connect to the server on the main site ?

The wiki for the TUN part was great, I need something similar for TAP... For a beginner like me, at first I assumed that you only have to pass the TUN option to TAP, but there is a lot more to do (remove tunnel informations, create bridged interfaces, no need to route,... ?...)
I tried this one https://forum.opnsense.org/index.php?topic=5716.0 but it lacks details, and it doesn't work...

I need informations on the fact that you have to put "mode server" in the advanced part of the VPN server, because doing that I can't use shared keys anymore.

I am reading PF Sense forum too, and will try what they said, but I don't know if everything working on PFSense will work on OPNSense...

I am trying to make this work, but I am on it for the last 10 days, and my brain is hurting.

So please, if someone use an OpenVPN TAP tunnel to let phones or computers from a distant site connect to a local network to have DHCP lease and network, help me.
My boss doesn't understand why I take so much time to do this, we have other distant sites working with MPLS and doing fine and other TUN vpn were quickly in place... I can't say to him that I lack the knowledge to do this, he already knows that i suppose
Thanks

[namezero111111]

What part of the linked tutorial is unclear?

What exactly is your problem (aka what does "doesn't work" mean?)

It you created the tunnel in TAP, there is no need to setup routing.
In order for the tunnel to be useful, you'll have to bridge to some other interface as the linked post suggests.

That said, openvpn server can be also configured to assign an address to a connecting client in a TUN.routing setup; which is much more advisable than sending broadcast across tunnels.
TAP is for very specific problems; and connection a phone via VPN frankly isn't one of them.

[mimugmail]

Do you really need TAP? IMHO you need DHCP relay to point to a DHCP server in a different subnet.

[FCM]

hello
about the need of tap, it seems that DHCP relay requests don't work well with VPN, tap is the way if you want your dhcp broadcast to pass from the distant network to the dhcp server network. If someone has a tun vpn active with dhcp relay working, let me know, i will continue to try to make it work.
I need DHCP request for my distant sites phones network to let everyone contact everyone within the phone network (not enough static phone lines and cant put ipbx on each site)

On the "not working" for the link, if I put the "mode server" option as written, I can't use shared keys anymore, and if i use the TLS pairing with certificats, i get errors during connexion and searching internet I found I have to use other options like TLS-server or TLS client, but that part is unclear... so I wanted to know it is mandatory to put that option.
And on the bridge part, I have doubts : if I use my lan in the bridge, so I can't use it anymore for another tap vpn ? so I can only connect one distant site with that part, or I have to add one more network card for each new tunnel ?

The phones thoerically have a vpn option to connect them on ipsec, if I don't manage to have working openvpn tunnel, I will try this, but we will have to configure each phone by hand on each site, something I prefer to avoid...
thanks for you answers !

[mimugmail]

hello
about the need of tap, it seems that DHCP relay requests don't work well with VPN, tap is the way if you want your dhcp broadcast to pass from the distant network to the dhcp server network. If someone has a tun vpn active with dhcp relay working, let me know, i will continue to try to make it work.

How did you verify it? You set a DHCP relay with the IP of DHCP in remote network and this has to be tunneled via VPN. I'm not sure why this shouldn't work?

[FCM]

How did you verify it? You set a DHCP relay with the IP of DHCP in remote network and this has to be tunneled via VPN. I'm not sure why this shouldn't work?

I tried with everything open on the firewalls, the networking is good (DNS, HTTP, RDP....) but no DHCP lease came back to the VPN tunnel... then Bart on my other post said that TAP is needed for the DHCP, and searching on the internet I found that for DHCP, tap is needed...

What part of the linked tutorial is unclear?

About the post in the how-to section about tap, at the beginning it is written that "this works for peer-to-peer mode as well" So in that case, I have to do the same bridge on the distant server no ? And the mode server is useless ?

EDIT :
When i said it doesn't work, my briged interface don't ping each other, and don't ping into the network.
If I look at the packets I see the phone asking lease on the bridge of the distant site :

10:55:49.808611 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 300
10:55:53.808592 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 300
10:56:02.808568 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 300
10:56:10.808539 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 300
10:56:14.808534 IP 0.0.0.0.68 > 255.255.255.255.67: UDP, length 300

...

and the bridged interface with an IP of the local phone network cant ping the network, the distant site and the packet tracer see this :

11:28:36.391142 IP 128.42.66.111 > 224.0.0.18: VRRPv2, Advertisement, vrid 11, prio 100, authtype none, intvl 1s, length 20
11:28:37.232701 ARP, Request who-has 128.42.66.160 (ff:ff:ff:ff:ff:ff) tell 0.0.0.0, length 46
11:28:37.391080 IP 128.42.66.111 > 224.0.0.18: VRRPv2, Advertisement, vrid 11, prio 100, authtype none, intvl 1s, length 20
11:28:38.109487 ARP, Request who-has 128.42.66.1 (ff:ff:ff:ff:ff:ff) tell 128.42.66.7, length 46
11:28:38.391132 IP 128.42.66.111 > 224.0.0.18: VRRPv2, Advertisement, vrid 11, prio 100, authtype none, intvl 1s, length 20

[FCM]

Ok, I change a thing : I put the IP address on the interface connected to the network card and not on the bridged interface. The bridged interface is made with this interface and the one created by the vpn.

After that :
I still cant ping between the 2 opnsense (firewall rules are open) but the interface of the main site can be pinged from the main network... but not the distant site...

On packet tracer I see the DHCP server answering on the mainsite opnsense :

Code: [Select]

14:48:31.338352 IP (tos 0x0, ttl 64, id 46583, offset 0, flags [none], proto ICMP (1), length 80)
    128.42.66.6 > 128.42.66.7: ICMP echo request, id 19786, seq 35854, length 60
14:48:31.339646 IP (tos 0x0, ttl 99, id 46583, offset 0, flags [none], proto ICMP (1), length 80)
    128.42.66.7 > 128.42.66.6: ICMP echo reply, id 19786, seq 35854, length 60128.42.66.6 is the interface on the OPNSense, 128.42.66.7 is the DHCP server.

So, the request is passing from the distant site and on the FW :

Code: [Select]

BridgeVOIP1 Apr 25 14:49:51 128.42.66.7:67 255.255.255.255:68 udp let out anything from firewall host itself
but nothing on the distant site.... nor on live view or on packet tracer...

So what can block between the 2 Opnsense ? FW rules are open on everything....

[epoch]

What part of the linked tutorial is unclear?

About the post in the how-to section about tap, at the beginning it is written that "this works for peer-to-peer mode as well" So in that case, I have to do the same bridge on the distant server no ? And the mode server is useless ?

I suggest you stick to the how-to and then derive your own config. "server mode" is fine even for site-to-site.
EDIT: I've  added a recipe for site-to-site in the howto thread.

The other day I used a pair of 17.7 (also works on 18.1) to setup a bridged site-to-site link. This one uses a shared static key, no problem with expiry dates and time-of-day. There is a server bridged as in the howto, there is a client bridged in the same way on the other side. (in ovpn parlance this is p2p mode, "server" is the side that listens passively, "client" is the side that actively calls)
In the "Advanced" field, choosing the right options is a little bit tricky, because your GUI settings generate options/values, and what you want to add in Advanced is options that complement or override, but not clash with the generated ones. OTOH you want to have "dev tap" and "preserve-tun" in the Advanced field on both sides.

BTW If not said before: I don't see the need for a DHCP relay since with bridging you're on a single subnet... If the link is too poor for DHCP leases req/offers to reach the intended targets, filter out the eventual incoming responses from the remote server (you can't filter out outgoing queries I think) and start another authoritative server on the local router. Make sure your IP lease pool does not clash with the one on the other side. It's all the same network.

And no, bridge member interfaces do not have an IP config. Only the bridge has an IP config (or none if you want a transparent bridge.)

[FCM]

Hello
and many thanks for your answer and the expended how-to !
DHCP works now trough the tunnel !
great work

My problem now is that computers get their IP lease... the phones don't... I explain how i found that :
My phones don't get their lease, but on both interfaces (local and distant) i saw requests for the mac address of the phone...
So I suspected the phone to have a problem and connected a laptop...
and the laptop get the lease from the phone server !!
So it works
but not for the phones
Since you wrote

NB: not a VLAN it does not work AFAIK

and my phone network is on VLAN 66, I supposed that the problem comes from the fact that the interfaces can't be put in VLAN then in Bridge...

But if the VLAN was the problem, the computer would not have get its ip address wouldn't it ?...,  after all it's plugged the same way than the phone (and I switched phones in case of problem, phone works well when plugged on local site)
So I wonder why the phone is not getting a lease when computer gets one...

anyway, thanks for the help

[epoch]

I can't say much, I don't understand what's going on.
I have raised a topic on this, Franco had a look and it has gone quiet. I hope the OPNsense guys have an interest in testing such a config and will sometime confirm/infirm the bug.

What does not work:
 - assign a vlan, say igb0.66
 - assign any other interface, say tap0
 - assign a bridge with igb0.66 and tap0
What happens: machines on igb.66 get an IP address and then cannot communicate with tap0 and beyond. They can communicate with each other IIRC.

What does work:
 - Replace igb0.66 with a native interface, say igb2
What happens: machines on igb2 get an IP address and can communicate with tap0 and beyond.

If you have a leftover physical interface on the router, try to dedicate it to the telephone network.
Otherwise, let me know how to make a VLAN work in this configuration!

Cheers

[FCM]

hello
thanks for the details...
in fact i put one interface card for the LAN, another for the phones. Each has its own VPN : LAN in tun, Phones in tap... so VLAN would not be a problem...

But I am still fighting with the fact that I can't ping phone/computers through the tap...
and the phone server gives lease to computer and not to the phone... even the guy from the phone server don't know why but put the blame on my vpn configuration... I checked on the phone server : phone server saw the discovery from the distant phone, and made an IP offer, the offer never reach the distant phone... since with tap there is no routing, I don't know where the lease is lost... i am lost too