OpenVPN migration to new Instance from legacy not working in tap mode

Started by phanos, August 20, 2025, 02:12:12 PM

I have been running openvpn (legacy now) for the past 2+ years on opnsense with no issues to mention. I have configured it in TAP mode and had two clients connected to my home network remotely. 

After noticing that OpenVPN is being migrated to the new OpenVPN Instances version, I decided to try and migrate everything to the new version, but unfortunately I am unable to make it work as expected. My clients do get connected to the server, but after that I cannot ping anything on my home LAN network. If I try a traceroute to any of my LAN IP(s) from a client, it shows that it cannot find the home LAN. It would seem to me that there is no routing info being sent from the OpenVPN server to the clients.

I believe I have copied all the settings, certificates etc. correctly to the new OpenVPN instance, and I can see the service is coming up just fine. I have set up the same firewall rules and exported the clients again from the OPNsense interface to be sure everything is up to date. I tried numerous different scenarios, such as assigning the new ovpns to an interface, enabling that interface and setting firewall rules on that one too, creating a bridge and adding the ovpns interface to it, but still nothing.

The only thing I notice that is probably relevant is that under Interfaces-->Overview the new ovpns is not getting assigned either an "IPv4" address or any "Route", while the old one from the legacy server does. I am guessing here: if it does not get assigned the proper data, then it will not send them to the client later, correct?

Does anyone have any clue what is going on here and why the new OpenVPN Instance is working as expected? Did I miss a step somewhere, and should I add something to the interface and/or route in order to make it work?

Thanks

Quote from: phanos on August 20, 2025, 02:12:12 PM
The only thing I notice that is probably relevant is that under Interfaces-->Overview the new ovpns is not getting assigned either an "IPv4" address or any "Route", while the old one from the legacy server does. I am guessing here: if it does not get assigned the proper data, then it will not send them to the client later, correct?

This won't show a route/address, as the OVPN interface should be a member of your bridge interface along with your LAN interface for a TAP config.

Is your bridge correctly setup? https://docs.opnsense.org/manual/how-tos/lan_bridge.html
opnsense newb - migrating from AsusWRT-Merlin
General DIY'er - N150 6LAN

Quote from: maverickcdn on August 25, 2025, 06:43:33 PM
Quote from: phanos on August 20, 2025, 02:12:12 PM
The only thing I notice that is probably relevant is that under Interfaces-->Overview the new ovpns is not getting assigned either an "IPv4" address or any "Route", while the old one from the legacy server does. I am guessing here: if it does not get assigned the proper data, then it will not send them to the client later, correct?

This won't show a route/address, as the OVPN interface should be a member of your bridge interface along with your LAN interface for a TAP config.

Is your bridge correctly setup? https://docs.opnsense.org/manual/how-tos/lan_bridge.html

You mean add the OpenVPN interface as a member of the bridge LAN? No, I did not do that. In the old VPN it did not have to, and I never noticed anywhere that in the new OpenVPN it needs to do that?

I came from another platform after the now-legacy mode was destined to be removed and don't know anything about it, so I set up a working config (for me) by bridging (frowned upon, it seems) the TAP interface and my LAN interface to a bridge, where the bridge is the host network. Whether this is the correct way or not, it works great for my needs; if you want more details of my config let me know.
opnsense newb - migrating from AsusWRT-Merlin
General DIY'er - N150 6LAN

Quote from: maverickcdn on August 31, 2025, 05:05:47 AM
I came from another platform after the now-legacy mode was destined to be removed and don't know anything about it, so I set up a working config (for me) by bridging (frowned upon, it seems) the TAP interface and my LAN interface to a bridge, where the bridge is the host network. Whether this is the correct way or not, it works great for my needs; if you want more details of my config let me know.

Thanks, I will try it and let you know.

Quote from: maverickcdn on August 31, 2025, 05:05:47 AM
I came from another platform after the now-legacy mode was destined to be removed and don't know anything about it, so I set up a working config (for me) by bridging (frowned upon, it seems) the TAP interface and my LAN interface to a bridge, where the bridge is the host network. Whether this is the correct way or not, it works great for my needs; if you want more details of my config let me know.

Just finished testing OpenVPN by adding it to the bridge of my LAN. I also tried all the options that I did last time (firewall rules, TCP instead of UDP, etc.), but the result is the same.

Here's a rough summary of my setup; this is just basic info and can't even be considered a pseudo 'how-to'. I don't recall the actual sequence of steps at the moment.

Not sure how many physical interfaces you have on your hardware, but to avoid the risk of accidentally getting locked out of your hardware, I set up everything from the network that is configured on interface opt2 (port 2) (my LAN2), where port 1 is my main wired network.

Interface Legend:
LAN1_eth1_MavNET - ethernet port 1 on my device
LAN1_vpn_tap_MavNET - OpenVPN server interface
LAN1_bridge_MavNET - bridge with above 2 as members

-Follow every step from the bridge creation link earlier in this thread... most importantly, the bridge gets assigned to LAN and has your desired LAN network IP assigned, and filtering is disabled on member interfaces and enabled on the bridge (tunables). My LAN network is assigned to the bridge with 10.1.1.1/24. Interfaces LAN1_eth1 and LAN1_vpn_tap should not have a static IP assigned (they are members of the bridge).

-Any and all firewall rules get applied against LAN1_bridge; the VPN/eth1 interfaces have no rules.
-VPN settings: 'Bridge gateway' is your bridge network, i.e. 10.1.1.1/24. 'Bridge DHCP pool' is the IPs you want clients to be assigned; they must be within the subnet of the gateway (your LAN network).

Once connected from a client, the client VPN log should show pushed routes of your LAN/DNS/ifconfig with an IP from your pool.

Hopefully this helps. I know I struggled for hours learning my way around OPNsense and setting this up; I came from Asuswrt-Merlin, where this is how TAP servers are set up (members of the main bridge). I can try and help answer any questions, and if you get it working maybe one day I'll write up a true how-to, unless of course a resident guru can show where this is not correct.
opnsense newb - migrating from AsusWRT-Merlin
General DIY'er - N150 6LAN
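As an added check for the last step above (verifying the client log shows an ifconfig address from the bridge DHCP pool and the bridge IP as route-gateway), here is a small Python script that is not part of any post in this thread. It parses the PUSH_REPLY line from a constructed OpenVPN client log; the bridge network 10.1.1.1/24 follows the post, while the pool range and the log lines themselves are assumed sample values.

```python
import ipaddress
import re

# Constructed sample client log lines (not from the thread); values assumed.
SAMPLE_LOG = [
    "2025-08-31 10:00:01 TLS: Initial packet from [AF_INET]203.0.113.10:1194",
    "2025-08-31 10:00:02 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.1.1.1,"
    "dhcp-option DNS 10.1.1.1,ping 10,ping-restart 120,ifconfig 10.1.1.200 255.255.255.0,"
    "peer-id 0,cipher AES-256-GCM'",
    "2025-08-31 10:00:02 Initialization Sequence Completed",
]


def parse_push_reply(lines):
    """Return the pushed options as a list of token lists, or None if no PUSH_REPLY was logged."""
    for line in lines:
        m = re.search(r"PUSH_REPLY,(.*)'", line)
        if m:
            return [opt.split() for opt in m.group(1).split(",") if opt]
    return None


def check_bridge_push(lines, bridge_gateway, pool_start, pool_end):
    """Compare the pushed ifconfig/route-gateway against the OPNsense bridge settings.

    bridge_gateway: the 'Bridge gateway' value, e.g. '10.1.1.1/24'
    pool_start/pool_end: the 'Bridge DHCP pool' range (assumed sample range in the test)
    Returns a dict of named checks -> bool, so a failing item points at the misconfigured field.
    """
    gw = ipaddress.ip_interface(bridge_gateway)
    pool = (ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end))
    opts = parse_push_reply(lines)
    result = {
        "push_reply_seen": opts is not None,
        "ifconfig_in_pool": False,          # client got an address from the pool
        "netmask_matches_bridge": False,    # pushed mask equals the bridge subnet mask
        "route_gateway_is_bridge_ip": False,  # default route points at the bridge IP
        "dns_pushed": False,                # a DNS server was pushed via dhcp-option
    }
    if opts is None:
        return result
    for opt in opts:
        if opt[0] == "ifconfig" and len(opt) == 3:
            ip = ipaddress.ip_address(opt[1])
            result["ifconfig_in_pool"] = pool[0] <= ip <= pool[1]
            result["netmask_matches_bridge"] = opt[2] == str(gw.network.netmask)
        elif opt[0] == "route-gateway" and len(opt) == 2:
            result["route_gateway_is_bridge_ip"] = opt[1] == str(gw.ip)
        elif opt[:2] == ["dhcp-option", "DNS"]:
            result["dns_pushed"] = True
    return result
```

Feed it the lines of a real client log and the values from the instance's Bridge gateway / Bridge DHCP pool fields; any False entry names the field to re-check.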