Member of VLAN - OpenVPN

Started by verasense, April 02, 2021, 02:29:01 PM

This should be an easy one, but I can't make it work.

I am trying to connect as a client to the OpenVPN server. What I want is to connect as if I was in one of my VLANs, transparently, let's say 192.168.3.0/24, and get an IP address from there as everyone else in the network.

So I use:
IPv4 Tunnel Network = 192.168.100.0/24
IPv4 Local Network = 192.168.3.0/24
Dynamic IP   unchecked
Address Pool   checked
Topology   unchecked

However I always get a 192.168.100.0 IP address and I am not able to access the VLAN. How can I configure this?

Create a firewall rule on the tunnel interface to allow hosts in the tunnel network to access the VLAN network.

April 02, 2021, 02:42:51 PM #2 Last Edit: April 02, 2021, 02:47:56 PM by verasense
Mmm... But this does not give me an address in the VLAN as if I was another member of the VLAN...

And this then I suppose is not relevant: IPv4 Local Network = 192.168.3.0/24

Another point that makes this solution not valid for me is that there are some devices broadcasting their service, and even though the VPN client is allowed to access the 192.168.3.0 network and ping the device, it does not get the needed broadcast packets.

No, because the VPN host is not part of the VLAN network, it is part of the tunnel network.

Maybe I have been missing something fundamental for years, but I have never run a VPN (OpenVPN or WireGuard) that achieved what you are asking :)

April 02, 2021, 03:02:09 PM #4 Last Edit: April 02, 2021, 03:08:54 PM by Greelan
Actually, digging into this a little more, it seems theoretically it is possible if you implement bridging in OpenVPN: https://www.grc.com/vpn/routing.htm. As to whether this is possible in OPNsense, idk

Edit: more info: https://openvpn.net/community-resources/ethernet-bridging/

April 02, 2021, 03:13:45 PM #5 Last Edit: April 02, 2021, 03:34:48 PM by Greelan
Looking at the OpenVPN settings in OPNsense, if you select tap as the device mode rather than tun, you do get bridging options... I have only ever run OpenVPN as tun. TIL

Is there no other way than tap? I suppose many people run IoT devices on a different VLAN, and many devices don't use mDNS but only simple broadcasting... There must be a way.

I always thought VPN could make you part of the internal network, using the same DHCP and policies as if you were connecting via a LAN cable.

Well, a broadcast domain is layer 2, so you need a layer 2 solution. There are other options such as gretap that could be used over OpenVPN tun, but that would be wasteful compared to just OpenVPN tap.

April 02, 2021, 06:02:10 PM #8 Last Edit: April 02, 2021, 06:03:49 PM by verasense
I will check tap and get back here.

By the way, does it make sense that when I use "VPN net" as source the rule is not triggered at the firewall, but when I use the VPN net explicitly (192.168.100.0/24) it does?

PASS IPv4 VPN net   *   *   IOT net   *   *   *   --> Not triggered, so next rule blocks access
Log:
ovpns1      Apr 2 15:58:16   192.168.100.6   192.168.3.200   icmp   Block VLAN

PASS IPv4 192.168.100.0/24   *   *   IOT net   *   *   *  --> Triggered
Log:
ovpns1      Apr 2 15:58:41   192.168.100.6   192.168.3.200   icmp   

I thought "net" means every host in the VPN network

Unfortunately, TAP mode is not supported on Android OpenVPN.... : (  So not a solution for me.

I wonder how people do this... to check IoT devices away from home via VPN. Many of them don't use mDNS so there must be a way.

Quote from: verasense on April 02, 2021, 06:15:58 PM
Unfortunately, TAP mode is not supported on Android OpenVPN.... : (  So not a solution for me.

I wonder how people do this... to check IoT devices away from home via VPN. Many of them don't use mDNS so there must be a way.
Maybe they are using a central smart home server which is accessible over L3/IP

Quote from: verasense on April 02, 2021, 06:02:10 PM
By the way, does it make sense that when I use as source "VPN net" the rule is not triggered at the firewall but when I use the VPN net explicity (192.168.100.0/24) it does?
There is a similar issue with "WireGuard net" when OPNsense has multiple WG local peers or endpoints. The "alias" does not behave as expected. Best to define your own as you have found

BTW, this is probably a long shot, but have you looked into whether the udpbroadcastrelay plugin works across VPN interfaces?

Quote from: Greelan on April 03, 2021, 01:08:04 AM
BTW, this is probably a long shot, but have you looked into whether the udpbroadcastrelay plugin works across VPN interfaces?

I was exactly looking into this before reading your post.

I came along to this post:
https://forum.opnsense.org/index.php?topic=15721.0

And I installed the plugin. It seems to do what is expected, but the device is not answering me back...

Afaik you need a fw rule back from the device to the tunnel. See the comments that the plugin author makes in that thread. Also here at the bottom: https://github.com/marjohn56/udpbroadcastrelay
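To make the last two posts concrete, here is an added Python model of what a UDP broadcast relay does at the packet level and why the device's answer needs a rule of its own. It is not code from the thread or from the udpbroadcastrelay project. It uses the thread's two networks (192.168.100.0/24 tunnel, 192.168.3.0/24 IoT VLAN) and assumes a discovery port of 1900 and that the relay preserves the original sender's address when it copies a broadcast into the other network; both are assumptions chosen for the illustration, and the sample packets are constructed inline.

```python
"""Packet-level model of a UDP broadcast relay between a VPN tunnel net and an IoT VLAN.

Added example; not the udpbroadcastrelay implementation. The two networks come from the
forum thread, the port (1900) and the 'source address preserved' behaviour are assumptions.
"""
import ipaddress
import struct

VPN_NET = ipaddress.ip_network("192.168.100.0/24")  # OpenVPN tunnel network (from the thread)
IOT_NET = ipaddress.ip_network("192.168.3.0/24")    # IoT VLAN (from the thread)
RELAY_PORT = 1900                                   # assumed discovery port; the thread names none
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement checksum; returns 0 when run over a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(src, dst, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4/UDP packet (no IP options; UDP checksum 0 = 'none', legal for IPv4)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src.packed, dst.packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def parse_udp_packet(pkt: bytes) -> dict:
    """Parse and validate the packet shape produced by build_udp_packet."""
    if len(pkt) < 28 or pkt[0] != 0x45:
        raise ValueError("only IPv4 without options is modelled")
    if ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if pkt[9] != 17:
        raise ValueError("not UDP")
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[20:28])
    return {
        "src": ipaddress.IPv4Address(pkt[12:16]),
        "dst": ipaddress.IPv4Address(pkt[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": pkt[28:20 + ulen],
    }


def relay(pkt: bytes, arrived_on: ipaddress.IPv4Network) -> list:
    """Copy a broadcast received on `arrived_on` into every other attached network.

    Only broadcasts to the relay port are copied; the destination is rewritten to the other
    network's broadcast address, the source is left as the original sender (assumption).
    Returns a list of (network, packet) pairs, empty when nothing should be relayed.
    """
    p = parse_udp_packet(pkt)
    if p["dport"] != RELAY_PORT:
        return []
    if p["dst"] not in (arrived_on.broadcast_address, LIMITED_BROADCAST):
        return []  # unicast traffic is routed normally, the relay never touches it
    out = []
    for net in (VPN_NET, IOT_NET):
        if net == arrived_on:
            continue  # never echo a broadcast back onto the interface it came from
        out.append((net, build_udp_packet(p["src"], net.broadcast_address, p["sport"], p["dport"], p["payload"])))
    return out


def reply_ingress(reply: bytes) -> tuple:
    """Which interface the firewall sees a unicast reply enter on, and whether it crosses networks.

    Because the relayed broadcast kept the client's tunnel address as source, the IoT device
    answers 192.168.100.x directly. That reply enters OPNsense on the IoT interface, so the
    IoT interface (not the tunnel interface) needs a pass rule towards the tunnel network.
    """
    p = parse_udp_packet(reply)
    ingress = next(net for net in (VPN_NET, IOT_NET) if p["src"] in net)
    return ingress, p["dst"] not in ingress


if __name__ == "__main__":
    probe = build_udp_packet("192.168.100.6", VPN_NET.broadcast_address, 50000, RELAY_PORT, b"DISCOVER")
    for net, copy in relay(probe, VPN_NET):
        print("relayed to", net, "->", parse_udp_packet(copy)["dst"])
    answer = build_udp_packet("192.168.3.200", "192.168.100.6", RELAY_PORT, 50000, b"HERE")
    print("reply enters on", *reply_ingress(answer))
```

Run as a script it shows the probe from 192.168.100.6 being rewritten to 192.168.3.255 while keeping its source, and the device's unicast answer entering on the IoT network bound for the tunnel network; that second hop is the one the plugin author's return rule covers.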