Topic: DHCP relay over VPN ? (Read 9881 times)
FCM (Newbie, Posts: 40, Karma: 1)
DHCP relay over VPN ? « on: April 18, 2018, 05:23:20 pm »
Hello
I managed to finally have a functional VPN tunnel between my main site and a distant site.
The problem I have now is with the DHCP :
My phone DHCP is on a VLAN on my network's main site, and I can't edit the address in the phone (Avaya), they want to find their information through DHCP.
So to let my phones on the distant site find the phone server, I activated the DHCP relay with the phone server... And I stopped the DHCP on the OPNsense which was used for the LAN addresses...
And I put the address of my main site DHCP inside the DHCP relay so the distant computers get their addresses the same way as the phones...
but neither computers nor phones get an IP address.
So is there something to do to let the DHCP relay work through the VPN ?
thanks
main site :
- LAN on 192.168.20.0/23, DHCP on 192.168.20.170
- Phones on 128.42.66.0/24 VLAN 66, Server on 128.42.66.7
Distant site :
- LAN on 192.168.69.0/24
- Phones on 128.42.80.0/24 VLAN 66
OpenVPN tunnel on 10.10.0.0/24
OPNsense server on main site interfaces :
- LAN with 192.168.20.32
- VOIP with 128.42.66.6
- WAN through the DMZ
OPNsense server on distant site :
- LAN with 192.168.69.1
- VOIP with 128.42.80.1
- WAN through internet box
thanks a lot
Logged
FCM (Newbie, Posts: 40, Karma: 1)
Re: DHCP relay over VPN ? « Reply #1 on: April 19, 2018, 02:19:59 pm »
hello again
In my firewall logs on the OPNsense at the main site I have this :
LAN Apr 19 14:05:14 10.10.0.2:67 192.168.20.170:67 udp let out anything from firewall host itself
So, it seems that the DHCP request (port 67 ?) passes from the VPN tunnel point (10.10.0.2 is on the distant site side) to the LAN in the main site (DHCP server is on 192.168.20.170).
So, perhaps the problem is the way back.. I am not sure but is the DHCP able to give the address to the computer or phone ?
LAN DHCP 192.168.20.170 > OPNSense 192.168.20.32 > VPN 10.10.0.1 > VPN 10.10.0.2 > OPNsense LAN 192.168.69.1 > Computer
thanks
Logged
bartjsmit (Hero Member, Posts: 2016, Karma: 194)
Re: DHCP relay over VPN ? « Reply #2 on: April 19, 2018, 03:33:00 pm »
Does your tunnel use tun or tap devices? You need the latter for DHCP.
Bart...
Logged
epoch (Newbie, Posts: 35, Karma: 3)
Re: DHCP relay over VPN ? « Reply #3 on: April 19, 2018, 03:37:07 pm »
DHCP uses 67/udp and 68/udp.
If a server receives a request (on 67/udp) you should see it in its logs.
If the local firewall blocks the server response (on 68/udp) you should see it in OPNsense logs.
Perhaps that traffic is classified as bogon, enable logging on anti-bogons rules.
Logged
FCM (Newbie, Posts: 40, Karma: 1)
Re: DHCP relay over VPN ? « Reply #4 on: April 19, 2018, 04:06:22 pm »
Thanks for the answers
I am on TUN as the wiki said, I will try on TAP
I unchecked the bogon rules at the beginning of my testing to avoid complication
I just put all rules to be open and I see an answer from the DHCP server :
ovpns1 Apr 19 16:04:14 192.168.20.170:67 192.168.69.1:67 udp let out anything from firewall host itself
this log is on the main site, nothing arrives on the distant site...
I will try TAP and see what happens
thanks again
EDIT : i did tap, broke my vpn tunnel.... back to tun.
« Last Edit: April 19, 2018, 04:44:48 pm by FCM »
Logged
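Why the reply in the second log line is addressed to 192.168.69.1:67 and not to the tunnel address 10.10.0.2 that the first log line came from: under RFC 2131 a server answers a relayed request at the relay's giaddr, on the server port. This is an added example, not code from any poster or from OPNsense; the MAC and lease address are constructed and the function names are illustrative.

```python
import socket
import struct

# Fixed BOOTP/DHCP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr[16], sname[64], file[128]
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
ZERO = b"\x00" * 4
BROADCAST_FLAG = 0x8000


def client_discover(mac: bytes, xid: int) -> bytes:
    """BOOTREQUEST header as broadcast by a client that has no address yet."""
    return BOOTP.pack(1, 1, 6, 0, xid, 0, BROADCAST_FLAG,
                      ZERO, ZERO, ZERO, ZERO, mac, b"", b"")


def relay(packet: bytes, lan_ip: str) -> bytes:
    """Relay-agent step: set giaddr to the address of the receiving interface."""
    f = list(BOOTP.unpack(packet[:BOOTP.size]))
    f[3] += 1                                # hops
    if f[10] == ZERO:                        # only the first relay sets giaddr
        f[10] = socket.inet_aton(lan_ip)
    return BOOTP.pack(*f) + packet[BOOTP.size:]


def reply_destination(request: bytes, yiaddr: str) -> tuple:
    """Where a server addresses its OFFER/ACK (RFC 2131 section 4.1)."""
    f = BOOTP.unpack(request[:BOOTP.size])
    flags, ciaddr, giaddr = f[6], f[7], f[10]
    if giaddr != ZERO:
        return socket.inet_ntoa(giaddr), 67  # relayed: back to giaddr, server port
    if ciaddr != ZERO:
        return socket.inet_ntoa(ciaddr), 68  # renewing client, unicast
    if flags & BROADCAST_FLAG:
        return "255.255.255.255", 68         # local client asking for broadcast
    return yiaddr, 68                        # local client, unicast to new lease


def thread_scenario() -> tuple:
    # Constructed MAC and lease; 192.168.69.1 is the distant-site LAN address.
    # The relay's IP source (10.10.0.2 in the log) plays no part in the reply.
    discover = client_discover(bytes.fromhex("020000000001"), 0x1234)
    relayed = relay(discover, "192.168.69.1")
    return (reply_destination(discover, "192.168.69.50"),
            reply_destination(relayed, "192.168.69.50"))


if __name__ == "__main__":
    print(thread_scenario())
```

On the distant site, the leg to look for in a packet capture on the OpenVPN interface is therefore udp from 192.168.20.170:67 to 192.168.69.1:67.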
bartjsmit (Hero Member, Posts: 2016, Karma: 194)
Re: DHCP relay over VPN ? « Reply #5 on: April 20, 2018, 08:03:45 am »
Quote from: FCM on April 19, 2018, 04:06:22 pm
EDIT : i did tap, broke my vpn tunnel.... back to tun.
Did you set the tap device on both ends? You may need to edit the client configuration by hand.
DHCP won't work over a tun device, since it mixes layer 2 and layer 3 traffic.
Bart...
Logged
FCM (Newbie, Posts: 40, Karma: 1)
Re: DHCP relay over VPN ? « Reply #6 on: April 20, 2018, 09:44:00 am »
Thanks for helping.
I did tap on both sides...
So I did it again...
I can't reach the distant site anymore, but in the logs of the VPN I have this :
Apr 20 09:35:02 openvpn[71792]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.69.0
Apr 20 09:35:02 openvpn[71792]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
So it seems that the routes created by the VPN tunnel in tun mode don't work anymore. What can I do ?
So I have to add a route gateway with a bridge interface ?
I have to find out how to make a bridge interface, then
« Last Edit: April 20, 2018, 10:30:45 am by FCM »
Logged
FCM (Newbie, Posts: 40, Karma: 1)
Re: DHCP relay over VPN ? « Reply #7 on: April 20, 2018, 01:41:58 pm »
Ok, I tried to add routes with a gateway, I tried to add a gateway to the VPN on interfaces... nothing works
Where can I put the "gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options" ?
thanks
Logged
bartjsmit (Hero Member, Posts: 2016, Karma: 194)
Re: DHCP relay over VPN ? « Reply #8 on: April 20, 2018, 06:12:17 pm »
There is no need to route with a TAP device. The tunnel becomes an extension to the Layer-2 network. Both sides of the tunnel share a Layer-3 subnet.
Assign a static IP address to the OPNsense end of the tunnel and create a TAP client with a static IP in the same subnet. Confirm that they can ping each other and run a packet capture if they can't.
Bart...
Logged
FCM (Newbie, Posts: 40, Karma: 1)
Re: DHCP relay over VPN ? « Reply #9 on: April 23, 2018, 10:31:31 am »
ok
I understand the OSI theory with layer 2 or 3...
but I am lost on the OPNsense side...
my tun configuration was :
Main Site addresses :
- Interface LAN Opnsense on 192.168.20.32 (192.168.20.0/23)
- Interface VOIP on 128.42.66.6 (128.42.66.0/24-VLAN 66)
- VPN tunnel on 10.10.0.1 (10.10.0.0 /24)
- DATA DHCP on 192.168.20.170
- VOIP DHCP on 128.42.66.7
Distant Site addresses :
- Interf. LAN Opnsense on 192.168.69.1 (192.168.69.0/24)
- Interf. VOIP on 128.42.80.1 (128.42.80.0/24-VLAN 66)
- VPN tunnel on 10.10.0.2 (10.10.0.0 /24)
So when you say "Assign a static IP address to the OPNsense end of the tunnel and create a TAP client with a static IP in the same subnet", I have to change LAN interface on the distant side from 192.168.69.1 to 192.168.20.33 ?
That's where I am lost
and I have to do the same for the VOIP ? 128.42.80.1 to 128.42.66.8 ??
But in that case, all computers and phones from the distant site will have the main site computers and phones range address ?
I will try to follow this
https://forum.opnsense.org/index.php?topic=5716.0
and come back to say if i am still lost or not
thanks again for helping
« Last Edit: April 23, 2018, 12:29:49 pm by FCM »
Logged