pfSense

Can someone explain this bug fix to me? It seems like it may have been driven by a change in OpenVPN itself, but this actually prevents setting up a P2P VPN in tap/bridge mode. Consider the following simple scenario:
- tap mode on client and server
- peer-to-peer mode
- bridge interface successfully created in "Interfaces", bridging the LAN and the OpenVPN interfaces together, as required

In this case, the error requests either a "bridge interface" to be set, or an IPv4/6 tunnel network to be set, but here is the problem with that:
- I do not want to set an IPv4 tunnel network, because this is a bridged VPN, so these should theoretically be blank
- I can not select a bridge interface, because "Allow clients on the bridge to obtain DHCP" is required for the bridge interface drop down to function and it's disabled in P2P mode (which, btw, makes sense, since only 2 peers are talking)

The only workaround is to select "Client-Server" mode rather than P2P mode, which allows you to choose "Allow clients on the bridge to obtain DHCP" but this isn't even behavior that I want. I shouldn't be required to send DHCP over the bridge, what if I want to statically assign IPs on the LAN on both sides?

Conclusion: "TAP server mode requires an IPv4/IPv6 Tunnel Network or Bridge Interface to work" is in and of itself contradictory, because TAP mode should not really use IPv4/6 tunnel networks, even according to Netgate docs! So basically, the upshot of this change is that bridging two site-to-site VPNs is not possible. I recognize it is "deprecated" or not recommended, but it should be possible.

Is this not possible in OpenVPN anymore?

I shouldn't be required to send DHCP over the bridge

From what I understand, if no DHCP range is set, then there won't be DHCP. Hence, enable Bridge DHCP and leave the other options blank. The text could be clarified, though that would be a separate request.

Marcos M wrote in #note-7:

I shouldn't be required to send DHCP over the bridge

From what I understand, if no DHCP range is set, then there won't be DHCP. Hence, enable Bridge DHCP and leave the other options blank. The text could be clarified, though that would be a separate request.

Thank you for the response. That is indeed what I am going to try to do. However, the additional step that is going to be required is for me to change the VPN type from "Peer to Peer" into "Client/Server" so that the checkbox to "Allow clients on the bridge to obtain DHCP" is even selectable.

I find this to be an unnecessary step / change. After all, I don't want a client-side topology dictated by OpenVPN - I just want to bridge two LANs together. What would be the problem with allowing the previous behavior when the VPN server is set to "Peer to Peer" mode, and one wants to use bridging?

Thanks again for your attention. :)