The following guides are based on pfsense v2.1 BETA-1
OpenVPN TAP/Bridging Guide for pfsense v2.1 BETA-1
The first guide will involve an OpenVPN Server that individual PC clients will connect to:
First some considerations. What is bridging/tap mode? Tap/bridging mode removes the requirement for a tunnel network. When a remote client connects to the OpenVPN server it will receive an IP address from the local LAN. Why would you want to do this? Mostly broadcasts come to mind. I first started this guide in an effort to set up OpenVPN tap so that I could utilize my HDHomeRun TV tuner when away. After installing the drivers it sends out a broadcast to find the tuners. I also hosted a plethora of game servers at another location. I also host LANs at my house. In order for people to see the servers in their in-game LAN server browser, OpenVPN in bridge mode is needed. Your game will send a broadcast out and the game server will reply. If you have any DLNA servers that you want to access remotely you would more than likely need tap mode as well. There are other uses; the ones I mentioned are just the reasons I needed this setup.
There are some other network considerations when you get down to the IP address settings. Keep in mind that remote clients will be on your local LAN, so you must set aside a range of IP addresses for them to use. If a remote client gets assigned an IP address that is already in use on your network it can cause quite a few problems. There are two ways to manage this: setting aside a range of IP addresses and entering those into the OpenVPN configuration, or allowing your internal DHCP server to assign IP addresses automatically. The latter is not addressed in this guide as of right now, though I want to try it out.
First Install the OpenVPN Client Export Utility Package
1) Go to System ---> Packages
2) Choose the "Available Packages" tab
http://i.imgur.com/GZpNwDc.jpg
3) Locate the OpenVPN Client Export Utility package and install it by pressing the "+" on the right
http://i.imgur.com/Hk2Gdkz.jpg
Setup your Certs
1) Go to System ---> Cert Manager
http://i.imgur.com/eF7AdAa.jpg
2) Go to the CA tab and create a CA by pressing the "+" button
http://i.imgur.com/TIBRPIG.jpg
3) Fill in the boxes with the appropriate information, making sure to change Method to "Create Internal Certificate Authority". Alternatively, you can import your own (outside the scope of this guide).
http://i.imgur.com/pFQNJx2.jpg
4) Create the server certificate by clicking the "Certificates" tab and pressing the "+" button
5) Change "Method" to "Create an internal Certificate" and "Certificate Type" to "Server Certificate". Fill in the appropriate information and make sure to change the Certificate Authority to the CA you just created in step 3.
6) Create user certificates in the same way, but instead of choosing "Server Certificate" for Certificate Type, make sure to choose "User Certificate"
*It is recommended that each individual PC that connects to the VPN has its own certificate created, so a single lost or compromised machine can be revoked without touching the others.
**It is not necessary, but it is recommended, to create a revocation list. Click the Certificate Revocation tab, then the "+" to add one. Choose the CA you made in step 3.
Setup the OpenVPN server
1) Go to VPN ---> OpenVPN
2) On the Server tab press the "+" button to create an OpenVPN server
3) Fill in the following settings
Disabled - Unchecked (Obviously!)
Server Mode - Remote Access (SSL/TLS)
Protocol - UDP
Device Mode - tap
Interface - WAN
Port - 1194
Description - *description of your server*
TLS Authentication - Check both boxes... this also creates your authentication key
Peer Certificate Authority - *choose the CA you created earlier*
Peer Certificate Revocation List - if you made one while setting up the certs specify it here
Server Certificate - *choose the server certificate you created earlier*
DH Parameters - 1024
Encryption Algorithm - AES-128-CBC (128-bit)
Hardware Crypto - options here may differ, but choose a hardware crypto engine if you have one
Certificate Depth - One (Client+Server)
************
IP settings
************
IPv4 Tunnel Network - Leave blank, not used in tap/bridge mode
IPv6 Tunnel Network - Leave blank, not used in tap/bridge mode
Bridge DHCP - check
Bridge Interface - LAN
Server Bridge DHCP Start - start of your ip address range for remote clients
Server Bridge DHCP End - end of your ip address range for remote clients
*The DHCP address range should be a range of IP addresses within the IP address range of your LAN network.
Redirect Gateway - uncheck
IPv4 Local Network - this is the address of your LAN network expressed as a CIDR range, most likely 192.168.1.0/24
IPv6 Local Network - Leave blank
Concurrent connections - 2
Compression - for bandwidth reduction check this box
Type-of-Service - uncheck
Inter-client communication - check this box if you want remote clients to be able to access each other
Duplicate Connections - allows multiple connections from the same client, not recommended but may possibly be needed
Dynamic IP - if your router's WAN IP changes you should check this
Address Pool - check
DNS Default Domain - fill this in if you have one
DNS Servers - set to your local DNS server
Press Save and your OpenVPN server is created.
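The address-range warning in the network considerations above (a remote client landing on an IP that a LAN host already uses) is worth checking before you type the Bridge DHCP Start/End values. The following Python is an added example, not part of the original guide and not pfsense code: it takes the LAN subnet, the pfsense LAN address, the LAN's own DHCP pool, any statically addressed hosts you know about, and the proposed remote-client range, then reports overlaps, out-of-subnet addresses and a pool smaller than the Concurrent connections setting. It also produces the OpenVPN `server-bridge` directive that corresponds to those GUI fields; the directive syntax is standard OpenVPN, while the function name and the sample addresses are mine.

```python
import ipaddress


def plan_bridge_pool(lan_cidr, lan_gateway, lan_dhcp_start, lan_dhcp_end,
                     vpn_start, vpn_end, concurrent, static_hosts=()):
    """Check a remote-client address range for a tap/bridge OpenVPN server.

    Hypothetical helper (not pfsense code). Returns a dict with 'ok', the
    list of 'errors', the 'pool_size', and the OpenVPN 'server-bridge'
    directive equivalent to the Bridge DHCP Start/End GUI fields.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    gw = ipaddress.ip_address(lan_gateway)
    dhcp_lo = ipaddress.ip_address(lan_dhcp_start)
    dhcp_hi = ipaddress.ip_address(lan_dhcp_end)
    vpn_lo = ipaddress.ip_address(vpn_start)
    vpn_hi = ipaddress.ip_address(vpn_end)
    errors = []

    if vpn_lo > vpn_hi:
        errors.append("remote-client range start is after its end")

    # Every address handed to a remote client must be a usable host in the LAN subnet
    for label, addr in (("start", vpn_lo), ("end", vpn_hi)):
        if addr not in lan:
            errors.append(f"remote-client {label} {addr} is outside LAN {lan}")
        elif addr in (lan.network_address, lan.broadcast_address):
            errors.append(f"remote-client {label} {addr} is the network or broadcast address")

    # Two hosts sharing one IP is the failure the guide warns about, so the
    # remote-client range must not touch the LAN DHCP pool, the gateway, or
    # any statically addressed host you know about
    if vpn_lo <= dhcp_hi and dhcp_lo <= vpn_hi:
        errors.append(f"range {vpn_lo}-{vpn_hi} overlaps LAN DHCP pool {dhcp_lo}-{dhcp_hi}")
    if vpn_lo <= gw <= vpn_hi:
        errors.append(f"range contains the LAN gateway {gw}")
    for host in static_hosts:
        h = ipaddress.ip_address(host)
        if vpn_lo <= h <= vpn_hi:
            errors.append(f"range contains statically addressed host {h}")

    # The Concurrent connections setting cannot exceed the number of addresses
    size = max(0, int(vpn_hi) - int(vpn_lo) + 1)
    if size < concurrent:
        errors.append(f"pool of {size} addresses is smaller than {concurrent} concurrent connections")

    return {
        "ok": not errors,
        "errors": errors,
        "pool_size": size,
        "server_bridge": f"server-bridge {gw} {lan.netmask} {vpn_lo} {vpn_hi}",
    }


if __name__ == "__main__":
    # Constructed sample values for a 192.168.1.0/24 LAN like the one in the guide
    report = plan_bridge_pool("192.168.1.0/24", "192.168.1.1",
                              "192.168.1.100", "192.168.1.199",
                              "192.168.1.200", "192.168.1.209", concurrent=2,
                              static_hosts=["192.168.1.50"])
    for line in report["errors"] or ["OK: " + report["server_bridge"]]:
        print(line)
```

The check only knows about the ranges and hosts you pass in, so list every printer, NAS or server with a fixed address in `static_hosts`; the pfsense DHCP lease table and static mappings are the place to collect them.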
Create your Interface and Bridge:
1) Go to Interfaces ---> (assign)
2) Add an interface by pressing the "+" button
3) In the drop-down box next to the OPT1 interface that was created, choose the OpenVPN server instance we just created
4) Go to Interfaces ---> OPT1
5) Enable the interface and give it a description
6) Go to Interfaces ---> (assign)
7) Choose the Bridges tab and then click the "+" button to add a bridge
8) Hold the CTRL key and highlight both your LAN interface and the renamed OPT1 interface we just created.
Create a firewall rule allowing traffic on your OpenVPN port for the WAN interface.
1) Go to Firewall ---> Rules
2) Choose the WAN tab
3) Press the "+" near the top right to add a rule and enter the following information:
Action: Pass
Disabled: uncheck
Interface: WAN
TCP/IP Version: IPv4
Protocol: The protocol you chose in the OpenVPN server settings, probably UDP
Source:
not: unchecked
Type: any
Address: leave blank
Destination:
not: unchecked
Type: WAN address
Address: blank
Destination port range: Port your OpenVPN server runs on, probably 1194
Log: up to you
Description: optional, give the rule a description
You're done. The last thing to do is export the client configs. Luckily, with v2.1 pfsense has made this stupid easy to do.
1) Go to VPN ---> OpenVPN
2) Choose the Client Export tab
3) You should see an option to export a config for each certificate you created earlier. Hopefully you named your certs something easily identifiable.
4) It's recommended that for Windows you choose the Windows Installer. This will download and install OpenVPN and the config files.
You're done. Ping the LAN interface to confirm the client is on the bridge.