OpenVPN TAP Instance fails if server address not defined

Started by mkerost, February 24, 2024, 07:20:25 PM

I see that the old client/server OpenVPN configuration is deprecated in 24.1.2_1, so I tested out migrating my existing OpenVPN servers to the new Instance configuration. I run TAP connections between sites.

When converting over my old settings, the server would not start. It complained: "Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified."

This seems to be due to leaving the "Server (IPv4)" setting blank. When I provide a value (e.g., 10.0.47.0/24) it works.

My understanding is a Server IP is not required for TAP connections. My old configuration did not use a Server IP and worked. Perhaps my understanding is wrong here, and if so, perhaps Server IP should be a required setting so others don't get flummoxed.

On a side note, when I created the new OpenVPN instance, I went into Interface -> Assignments and attempted to change the old OpenVPN interface to the new one by changing the device in the drop-down and pressing the save button. This gave me the following error: "You cannot set device bridge0 to interface opt5 because it cannot be a member of itself." Is this related to the fact that in my bridge settings, I have the bridge device as a member of the bridge? Is this not a good thing to do?
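The options error quoted above comes from an OpenVPN consistency check: certificate options are only accepted in TLS mode, which is enabled explicitly by tls-server/tls-client or implicitly by the server, server-bridge and client helper directives. The following is an added example, not code from OPNsense or OpenVPN, that applies the same rule to two constructed config fragments, one lacking the implied tls-server and one with it stated:

```python
# Constructed example: a pre-flight check mirroring the OpenVPN rule behind the
# quoted error. Certificate options are only legal in TLS mode, which is enabled
# explicitly (tls-server / tls-client) or implicitly by the helper directives
# server, server-bridge and client. Not OPNsense or OpenVPN code.

# Directive -> field name OpenVPN prints (subset of its MUST_BE_UNDEF list).
TLS_ONLY = {"ca": "ca_file", "cert": "cert_file", "key": "priv_key_file",
            "dh": "dh_file", "pkcs12": "pkcs12_file"}
# Directives that put the config into TLS mode.
IMPLIES_TLS = {"tls-server", "tls-client", "server", "server-bridge", "client"}
ERR = ("Parameter {} can only be specified in TLS-mode, "
       "i.e. where --tls-server or --tls-client is also specified.")

def parse(config_text):
    """Return [(directive, [args])], dropping blanks and '#'/';' comments."""
    opts = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            words = line.split()
            opts.append((words[0], words[1:]))
    return opts

def check_tls_mode(config_text):
    """Return [] if consistent, else OpenVPN-style error strings in file order."""
    opts = parse(config_text)
    if any(d in IMPLIES_TLS for d, _ in opts):
        return []
    return [ERR.format(TLS_ONLY[d]) for d, _ in opts if d in TLS_ONLY]

# Constructed: a TAP server with the "Server (IPv4)" field left blank, so no
# 'server' line (and thus no implied tls-server) but certificates present.
BROKEN_TAP = """
dev tap
ca /placeholder/ca.crt
cert /placeholder/server.crt
key /placeholder/server.key
"""
# Constructed: same profile with tls-server stated explicitly; the legacy
# server-bridge helper would satisfy the check in the same way.
FIXED_TAP = BROKEN_TAP + "tls-server\n"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_TAP), ("fixed", FIXED_TAP)):
        print(name, check_tls_mode(cfg) or "OK")
```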

Hi mkerost, I'm facing the same problem since yesterday.
I was trying to migrate my legacy OpenVPN switched VPN to the new instance definition, but it seems that something is missing on the web configuration because, in addition to needing Server (IPv4), it doesn't allow you to select the bridge interface nor the DHCP range to assign IP addresses to clients, as you can configure in the legacy page.
If you complete the Server (IPv4) network, it creates a tunnel VPN as if you were using a TUN VPN. I already tested it.

March 06, 2024, 04:52:50 PM #2 Last Edit: March 07, 2024, 10:14:04 PM by muchacha_grande
I dug deeper into the issue and compared the configurations generated in both the legacy and new definitions, and I think there are a couple of misconfigurations in the new instance approach. I'll open a ticket on GitHub.

EDIT:
I opened a ticket on GitHub and AdSchellevis is working on the issue.

Thank you so much for posting this on GitHub. You were able to dig much deeper into this than I was. I'll follow the thread there and post any feedback if the updates don't fix things.


Hi @mkerost, this issue has been solved. If you would like to test it, you may apply the patches "opnsense-patch 3d09a2c 59ce2706 46354f48 ac4bbb", assuming you are on OPNsense 24.1.3_1.

I've tested it and it worked perfectly.

Cheers...

I'll try it out this weekend when our traffic is low. Crossing fingers



Great... it's possible that the fix is included in the next update.

Correct, out later this week. Watch out for 24.1.4.


Cheers,
Franco

Just for the record... With the 24.1.4 update I was able to successfully migrate the VPNs (TUN and TAP) of one of my routers.
The resulting configuration was almost identical to the legacy one and worked perfectly in terms of functionality.
I'm now migrating the other routers.


Can you post a screenshot of an OpenVPN TAP (bridge mode) configuration in the new "Instances" configuration menu?
I'm moving my OpenVPN configuration from OpenWRT to OPNsense and I can't understand it in the GUI :(

I need to connect 2 sites via VPN using "Bridge Mode" and only client certificate authorization, so that Site B gets DHCP and broadcast from Site A; devices in both sites must see each other as if on the same network.

Thanks.