Bug #15151

closed

OpenVPN TAP & BRIDGE

Added by Łukasz Rojczyk 6 months ago. Updated 6 months ago.

Status: Rejected
Priority: Very Low
Assignee: -
Category: OpenVPN
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Default
Affected Plus Version: 23.09.1
Affected Architecture: All

Description

When configuring OpenVPN TAP with a static address pool, there is a problem when configuring the TAP bridge with another interface such as LAN.

Before adding the bridge:
Jan 10 17:39:43 openvpn 95161 /usr/local/sbin/ovpn-linkup ovpns3 1500 0 172.20.2.1 255.255.255.0 init
Jan 10 17:39:43 openvpn 95161 /sbin/ifconfig ovpns3 172.20.2.1/24 mtu 1500 up
Jan 10 17:39:43 openvpn 95161 do_ifconfig, ipv4=1, ipv6=0
Jan 10 17:39:43 openvpn 95161 TUN/TAP device /dev/tap3 opened

After adding the bridge:
Dec 18 10:10:00 openvpn 80880 Exiting due to fatal error
Dec 18 10:10:00 openvpn 80880 FreeBSD ifconfig failed: external program exited with error status: 1
Dec 18 10:10:00 openvpn 80880 /sbin/ifconfig ovpns3 172.20.2.1/24 mtu 1500 up

Currently, there is no way to bridge to another interface (it worked fine in version 23.05).

Actions #1

Updated by Jim Pingle 6 months ago

  • Status changed from New to Feedback
  • Priority changed from Very High to Very Low

Normally with a tap bridge you don't have an interface address / tunnel network on the member interfaces, only on the bridge interface itself. Or at least only have an address on one bridge member (e.g. LAN has the IP address, OpenVPN has no tunnel network).

https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-bridged.html

It's possible what you are attempting really shouldn't have ever worked, and may only have worked by luck in the past.

Actions #2

Updated by Łukasz Rojczyk 6 months ago

You remain in error.

Somehow it was able to work well for 6 years and I think it was used by many people who use TAP in a different way than you assume.

https://www.youtube.com/watch?v=zt3EYV9mlnQ (see 15:06)

So write how we should configure it now, especially since several devices died after the update and to this day we still have problems with restoring the configuration.

We want to add through "Client Specific Overrides" specific IP addresses for clients, manually set routing and add gateways.

Since you've already negated something that worked well several times, write what your idea is now.

Actions #3

Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Rejected

I provided a link with the "official" way to bridge OpenVPN to a LAN.

Third party guides/videos are not good references.

OpenVPN changes over time, the operating system changes over time, and many of these things are outside of our control. OpenVPN in particular has been removing things that worked in the past as they clean up and remove what they consider outdated code (like all of Shared Key: https://forum.netgate.com/topic/170071/heads-up-openvpn-deprecating-shared-key-mode-requires-tls-deprecating-cipher-selection )

So it does not matter at all if this used to work in the past, it matters if it's a proper configuration. This does not appear to be a proper configuration as stated, since more than one interface on a bridge has an address, which has never been valid even if it may have worked in certain cases.

Based on how you describe you want to configure the VPN, you need to take this discussion to the forum and talk about it there in more detail to see if there is a viable alternative.

If there is a bug here, which there doesn't appear to be from what you've said so far, we can reopen this with more accurate details.

Actions #4

Updated by Łukasz Rojczyk 6 months ago

I checked what you suggested but from the client side it is also no longer possible to make a bridge with the OpenVPN TAP client with its own LAN.

That is to say, we have a TAP between pfsense that doesn't do anything because it is impossible to see the MAC on the LAN from the client side.

Previously you could link any number of networks, TAP servers and see all networks on each side.

How to assign a permanent address from the DHCP pool to a specific client in this solution?

Can you restore the ability to do a bridge from the client side with its LAN?

Actions #5

Updated by Jim Pingle 6 months ago

A tap bridge is only useful for linking L2 which would see MAC addresses, so you reserve hosts in DHCP by MAC address as you do any other device on the LAN. OpenVPN clients themselves on a tap bridge also do not have any interface address, they link directly to the bridge at L2 so there is no routing or intermediate network. Otherwise there is no point in bridging and you can just use routed networking without bridging. There is no separate network for a bridge client/server. There is no routing across a bridge. It's all L2 so it's linked at L2 and systems use ARP to find their way to various hosts as they need to since they're all in one large shared network with the same IP addressing/subnet.

If none of that applies it sounds like maybe you don't even need a bridge, but a traditional routed VPN.

Please take the discussion to the forum.

Actions #6

Updated by Łukasz Rojczyk 6 months ago

Jim,

We don't need a forum; we need a contact to people who have real influence on the pfSense code - you don't have it, you are busy quoting the official manual.

Here's the configuration we're looking for:

https://icr.advantech.com/support/faq/detail/how-to-create-openvpn-tap-interface-bridge-mode

Question: can you restore unrestricted configuration of bridges for users?

We use pfSense so that we do not have to write scripts, and now we are back to the situation that, to have what we want, we have to write a script.

Reading your statements, you are unable to respond otherwise; in our opinion you contribute to blocking the development of good software.

Is there any contact with people higher up than you?
