OpenVPN configuration for BridgeMode (Passthrough)

Started by UserSN, May 29, 2025, 01:15:13 PM

I'm having difficulties getting OpenVPN set up on my OPNsense firewall. I'm able to get to a point where my clients can connect, and I see the client is assigned the correct IP as configured in OPNsense, but the clients constantly disconnect and I cannot ping any machine in the assigned networks, nor can I access the internet. I'm not sure if it has to do with my routing or where my problem is.

My Infrastructure:
Firewall -> Switch -> Various Machines
(All machines are assigned a static IP; I'm not using NAT, which is why I've set up the firewall in transparent mode or bridge mode.)

Firewall Config:
- WAN has an allow-everything rule set up on it: zero filters or blocks, just this one rule to allow everything.
- BRIDGE is where I configure all my FW rules.
- The gateway is set to my publicly facing network's gateway address on my ISP's switch, from the IP allotment they've provided me.
- All my machines on this network are assigned a static publicly facing IP, no NAT.

I've set up in OPNsense the Certificate Authority and the certificates themselves for the CA & users.
I've configured under VPN > OpenVPN > Instances: the Static Key & the OpenVPN Server Instance running on the default port UDP 1194 (also tested with a different random UDP port & port 443 TCP).
Set the OpenVPN Server Addresses to 10.2.4.0/24 for VPN clients, under subnet topology.
Static Key, Auth & Certs have all been properly configured.
Under "Routing" > Local Network I've entered the correct static IP network I want my VPN clients to have access to.
Misc Options: client-to-client

Interfaces & F/W Rules:
- Assigned my newly created OpenVPNServer interface & enabled it!
- My WAN interface has from the get-go an allow-all rule for traffic of any type (*), so that's taken care of.
- In my BRIDGE interface I added a rule to allow all variations of the ports listed above (1194, 443, random port, etc.) to my BRIDGE address. (Not sure if this could be problematic, but BRIDGE is where I'm managing everything as it's transparent mode.)
- Created the FW rule to allow everything in on the OpenVPNServer FW rules area.

THEN, post-config tests:
1) I initially set the DNS servers to the static IPs of the DNS servers on my network.
2) I then tested by switching to Google's & Cloudflare's, i.e. 8.8.8.8 & 1.1.1.1.
3) I tested "Push Options" initially with push block-outside-dns & push register-dns, and then with both those options off (no Push Options, essentially).

None of these tests changed anything in the client connection dropping behavior.

I've tested on my phone & local PC by exporting the config from OPNsense, etc., and loading it into my OpenVPN client software.
- I do initially connect, but after a few seconds it disconnects, then reconnects, and this over and over again.
- Same symptoms on both the local PC & phone. The phone was disconnected from Wi-Fi and running on the cell network, so it's nothing related to my local router/ISP, etc., as I'm running direct from the cell network connection.

The only thing I can think of is something my ISP is doing, filtering UDP connections, but I tested via 443 and I'm experiencing the same behavior, so I don't think that's it; also, the cell tower connection is a completely different ISP.

There must be a config I'm doing wrong somewhere?

Once connected to the VPN for those couple of seconds, I run an ipconfig and can see I am assigned the correct IP within the range I've allotted in the config of the OpenVPN server. I can ping the OPNsense firewall's public IP but not any IPs of the network they should have access to (the same network the firewall itself is set up on, in terms of gateway, etc.). I cannot do any DNS lookups; checking nslookup I do see it sets the name server I've configured, and I tested my own DNS, 8.8.8.8 & 1.1.1.1 respectively with different test attempts, but all DNS lookups fail.

Hoping for any shred of advice that could point me in the right direction; happy to do a Zoom call and pay for anyone's time if you could help me troubleshoot this.
Granted, my setup is a bit different from the tutorials out there on the web, as all my machines have static IP configs and I'm not using NAT; that must also be something in the equation.

Weird thing is, I have an OpenVPN virtual machine server running INSIDE this same network and I'm able to connect to it fine, but I'm trying to get rid of it since OPNsense does this already, so I can get rid of that redundant VM.

OpenVPN config tutorial I've basically followed, with minor changes due to my network's layout:
https://sysadmin102.com/2024/03/opnsense-openvpn-instance-remote-access-ssl-tls-user-auth/
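One thing worth checking in a setup like the one described above, added here as an editor's example and not part of the original post: in a transparent bridge the static-IP machines keep the ISP's router as their default gateway, while the 10.2.4.0/24 tunnel pool is a routed subnet that only the firewall knows about. A reply from a machine on the public block to a 10.2.4.x address therefore follows the host's default route to the ISP instead of coming back through the firewall, which would match "can ping the firewall's own IP, but nothing behind it". The model below carries that reply-path reasoning through with longest-prefix-match routing tables and shows the two usual fixes, an outbound NAT rule on the bridge interface for the tunnel subnet, or a static route for 10.2.4.0/24 on each host. The tunnel subnet is the post's; the public block (203.0.113.0/28), the ISP gateway (.1), the firewall's bridge address (.2), the LAN host (.10) and the client's home gateway are assumed values, since the post does not give them. This is one candidate cause, not a confirmed diagnosis: the connect/disconnect loop the post also describes may be a separate issue (for example keepalive or MTU) that this model does not cover.

```python
import ipaddress

# From the post: the OpenVPN client pool, topology subnet.
TUN_NET = ipaddress.ip_network("10.2.4.0/24")
VPN_SERVER_TUN_IP = ipaddress.ip_address("10.2.4.1")  # assumed: first address of the pool
VPN_CLIENT = ipaddress.ip_address("10.2.4.2")         # assumed: one connected client

# Assumed values (not in the post): a /28 from the documentation range,
# ISP gateway .1, OPNsense bridge address .2, one static-IP machine .10.
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/28")
ISP_GW = ipaddress.ip_address("203.0.113.1")
FW_BRIDGE_IP = ipaddress.ip_address("203.0.113.2")
LAN_HOST = ipaddress.ip_address("203.0.113.10")
CLIENT_HOME_GW = ipaddress.ip_address("192.168.1.1")  # assumed: the client's local gateway
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) tuples.

    Returns 'onlink' when the best route has no gateway (directly connected),
    the gateway address as a string otherwise, or 'unreachable' with no match.
    """
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return "unreachable"
    return "onlink" if best[1] is None else str(best[1])


# A static-IP machine behind the transparent bridge: its own subnet is
# on-link, everything else goes to the ISP's router.  It has no idea that
# 10.2.4.0/24 lives behind the firewall's bridge address.
HOST_ROUTES_AS_POSTED = [(PUBLIC_NET, None), (DEFAULT, ISP_GW)]

# The firewall itself: bridge interface plus the tun interface of the server.
FW_ROUTES = [(PUBLIC_NET, None), (TUN_NET, None), (DEFAULT, ISP_GW)]

# The VPN client: tun0, the route pushed from "Local Network", and its own
# default route via the home / cellular gateway.
CLIENT_ROUTES = [(TUN_NET, None), (PUBLIC_NET, VPN_SERVER_TUN_IP), (DEFAULT, CLIENT_HOME_GW)]


def client_path(dst):
    """How the VPN client reaches a destination (request direction)."""
    return next_hop(CLIENT_ROUTES, dst)


def firewall_reply_path():
    """Firewall replying to the client: it owns the tun interface, so this works."""
    return next_hop(FW_ROUTES, VPN_CLIENT)


def host_reply_as_posted():
    """LAN host replying to 10.2.4.2 with no NAT and no route: goes to the ISP."""
    return next_hop(HOST_ROUTES_AS_POSTED, VPN_CLIENT)


def host_reply_with_outbound_nat():
    """Outbound NAT on the bridge (source 10.2.4.0/24 -> bridge IP): the host
    sees the firewall as the source, replies on-link, the firewall un-NATs."""
    seen_src = FW_BRIDGE_IP if VPN_CLIENT in TUN_NET else VPN_CLIENT
    return next_hop(HOST_ROUTES_AS_POSTED, seen_src)


def host_reply_with_static_route():
    """No NAT, but every static-IP machine gets 10.2.4.0/24 via the bridge IP."""
    return next_hop(HOST_ROUTES_AS_POSTED + [(TUN_NET, FW_BRIDGE_IP)], VPN_CLIENT)


if __name__ == "__main__":
    print("client -> LAN host goes via        :", client_path(LAN_HOST))
    print("firewall -> client reply           :", firewall_reply_path())
    print("LAN host -> client reply, as posted:", host_reply_as_posted())
    print("LAN host -> client, outbound NAT   :", host_reply_with_outbound_nat())
    print("LAN host -> client, static route   :", host_reply_with_static_route())
```

The same asymmetry applies to internet-bound traffic from the tunnel: without an outbound NAT rule, a packet from 10.2.4.x to 8.8.8.8 leaves the bridge with a private source address that the ISP will not route back, so DNS to public resolvers fails for the same reason as the LAN pings. On OPNsense the NAT variant is an Outbound NAT rule on the bridge interface with source 10.2.4.0/24 translated to the interface address; the static-route variant avoids NAT but has to be repeated on every machine.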

I don't know if I'll be able to help but I'm curious and this use case entices me to do some research and deepen my knowledge...

A couple of questions first:
1/ How do you use that VPN given all the machines are already publicly accessible?
2/ You say you have a VM running as a VPN appliance and that you can connect to it.
That in itself isn't particularly useful; I assume you can connect to other machines through it.
When connected to such a machine, what is the source of the connection?
I'm trying to understand how the appliance is configured, so maybe you can answer this directly...