Member of VLAN - OpenVPN

[verasense]

This should be an easy one, but I can't make it work.

I am trying to connect as a client to the OpenVPN server. What I want is to connect as if I was in one of my VLANs, transparently, let's say 192.168.3.0/24, and get an IP address from there as everyone else in the network.

So I use:
IPv4 Tunnel Network = 192.168.100.0/24
IPv4 Local Network = 192.168.3.0/24
Dynamic IP   unchecked
Address Pool   checked
Topology   unchecked

However I always get a 192.168.100.0 IP address and I am not able to access the VLAN. How can I configure this?

[Greelan]

Create a firewall rule on the tunnel interface to allow hosts in the tunnel network to access the VLAN network

[verasense]

Mmm.. But this does not give me an address in the VLAN as if I was another member of the VLAN...

And this then I suppose is not relevant: IPv4 Local Network = 192.168.3.0/24

Another point that makes this solution not valid for me is that there are some devices broadcasting their service, and even though the VPN client is allowed to access the 192.168.3.0 network and ping the device, it does not get the needed broadcast packets.

[Greelan]

No, because the VPN host is not part of the VLAN network, it is part of the tunnel network

Maybe I have been missing something fundamental for years, but I have never run a VPN (OpenVPN or WireGuard) that achieved what you are asking

[Greelan]

Actually, digging in to this a little more, it seems theoretically it is possible if you implement bridging in OpenVPN: https://www.grc.com/vpn/routing.htm. As to whether this is possible in OPNsense, idk

Edit: more info: https://openvpn.net/community-resources/ethernet-bridging/

[Greelan]

Looking at the OpenVPN settings in OPNsense, it you select tap as the device mode rather than tun, you do get bridging options... I have only ever run OpenVPN as tun. TIL

[verasense]

Is there no other way than tap? I suppose many people run IoT devices on a different VLAN, and many devices don't use mDNS but only simple broadcasting... There must be a way.

I always thought VPN could make you part of the internal network, using the same DHCP and policies as if you were connecting via a LAN cable.

[Greelan]

Well, a broadcast domain is layer 2, so you need a layer 2 solution. There are other options such as gretap that could be used over OpenVPN tun, but that would be wasteful compared to just OpenVPN tap

[verasense]

I will check tap and get back here.

By the way, does it make sense that when I use as source "VPN net" the rule is not triggered at the firewall but when I use the VPN net explicity (192.168.100.0/24) it does?

PASS IPv4 VPN net   *   *   IOT net   *   *   *   --> Not triggered, so next rule blocks access
Log:
ovpns1      Apr 2 15:58:16   192.168.100.6   192.168.3.200   icmp   Block VLAN

PASS IPv4 192.168.100.0/24   *   *   IOT net   *   *   *  --> Triggered
Log:
ovpns1      Apr 2 15:58:41   192.168.100.6   192.168.3.200   icmp   

I thought "net" means every host in the VPN network

[verasense]

Unfortunately, TAP mode is not supported on Android OpenVPN.... : (  So not a solution for me.

I wonder how people do this... to check IoT devices away from home via VPN. Many of them don't use mDNS so there must be a way.

[lfirewall1243]

Unfortunately, TAP mode is not supported on Android OpenVPN.... : (  So not a solution for me.

I wonder how people do this... to check IoT devices away from home via VPN. Many of them don't use mDNS so there must be a way.

Maybe they are using a central smart home server which is accessible over L3/IP

[Greelan]

By the way, does it make sense that when I use as source "VPN net" the rule is not triggered at the firewall but when I use the VPN net explicity (192.168.100.0/24) it does?

There is a similar issue with “WireGuard net” when OPNsense has multiple WG local peers or endpoints. The “alias” does not behave as expected. Best to define your own as you have found

[Greelan]

BTW, this is probably a long shot, but have you looked into whether the udpbroadcastrelay plugin works across VPN interfaces?

[verasense]

BTW, this is probably a long shot, but have you looked into whether the udpbroadcastrelay plugin works across VPN interfaces?

I was exactly looking into this before reading your post.

I came along to this post:
https://forum.opnsense.org/index.php?topic=15721.0

And I installed the plugin. It seems to do what is expected, but the device is not answering me back...

[Greelan]

Afaik you need a fw rule back from the device to the tunnel. See the comments that the plugin author makes in that thread. Also here at the bottom: https://github.com/marjohn56/udpbroadcastrelay