pfsense 2.0.1 OpenVPN Configuration Guide

jadams (2[H]4U, joined Mar 14, 2010, 4,086 messages)
The following guides are based on pfsense v2.1 BETA-1


OpenVPN TAP/Bridging Guide for pfsense v2.1 BETA-1
The first guide will involve an OpenVPN Server that individual PC clients will connect to:

First some considerations. What is bridging/tap mode? Tap/Bridging mode takes out the requirement of a tunnel network. When a remote client connects to the OpenVPN server it will receive an IP address from the local LAN. Why would you want to do this? Mostly broadcasts come to mind. I first started this guide in an effort to set up OpenVPN tap so that I could utilize my HDHomeRun TV tuner when away. After installing the drivers it sends out a broadcast to find the tuners. I also hosted a plethora of game servers at another location. I also host LANs at my house. In order for people to see the servers in their in-game LAN server browser, OpenVPN in bridge mode is needed. Your game will send a broadcast out and the game server will reply. If you have any DLNA servers that you want to access remotely you would more than likely need tap mode as well. There are other uses; the ones I mentioned are just the reasons I needed this setup.

There are some other network considerations when you get down to the IP address settings. Keeping in mind that any remote clients will be on your local LAN you must make sure you set aside a range of IP addresses for the remote client to use. If a remote client gets assigned an ip address that is already in use on your network then it can cause quite a few problems. There are two ways to manage this. Setting aside a range of IP addresses and entering those into the OpenVPN configuration, or allowing your internal DHCP server to assign ip addresses automatically. The latter is not addressed in this guide as of right now, though I want to try it out.

First Install the OpenVPN Client Export Utility Package
1) Go to System ---> Packages
2) Choose "Available Packages Tab"
http://i.imgur.com/GZpNwDc.jpg

3) Locate the OpenVPN Client Export Utility Package and install it by pressing the "+" on the right
http://i.imgur.com/Hk2Gdkz.jpg

Setup your Certs
1) Go to System ---> Cert Manager
http://i.imgur.com/eF7AdAa.jpg

2) Go to the CA Tab and create a CA by pressing the "+" button
http://i.imgur.com/TIBRPIG.jpg


3) Fill in the boxes with the appropriate information, making sure to change method to "Create Internal Certificate Authority". Alternatively you can also import your own. (outside the scope of this guide)
http://i.imgur.com/pFQNJx2.jpg

4) Create the server certificate by clicking the "Certificates" tab and pressing the "+" button
5) Change "Method" to "Create an internal Certificate", and "Certificate Type" to "Server Certificate". Fill in the appropriate information and make sure to change the Certificate Authority to that of the CA you just created in step 3.
6) Create User Certificates in the same way but instead of choosing "Server Certificate" for Certificate type, make sure to choose "User Certificate"
*It is recommended that each individual PC that connects to the VPN have their own certificates created.
**It is also not necessary, but recommended, to create a revocation list. Click the Client Revocation tab, then the "+" to add one. Choose the CA you made in step 3.

Setup the OpenVPN server
1) Go to VPN ---> OpenVPN
2) On the Server tab press the "+" button to create an OpenVPN server
3) Fill in the following settings
Disabled - Unchecked (Obviously!)
Server Mode - Remote Access (SSL/TLS)
Protocol - UDP
Device Mode - tap
Interface - WAN
Port - 1194
Description - *description of your server*
TLS Authentication - Check both boxes... this also creates your authentication key
Peer Certificate Authority - *choose the CA you created earlier*
Peer Certificate Revocation List - if you made one while setting up the certs specify it here
Server Certificate - *choose the server certificate you created earlier*
DH Parameters - 1024
Encryption algorithm: AES-128-CBC (128-bit)
Hardware Crypto - options here may differ, but choose a hardware crypto engine if you have one
Certificate Depth - One (Client+Server)

************
IP settings
************
Ipv4 Tunnel Network - Leave blank, not used in tap/bridge mode
Ipv6 Tunnel Network - Leave blank, not used in tap/bridge mode
Bridge DHCP - check
Bridge Interface - LAN
Server Bridge DHCP Start - start of your ip address range for remote clients
Server Bridge DHCP End - end of your ip address range for remote clients
*DHCP address range should be a range of IP addresses that are within the ip address range of your LAN network.
Redirect Gateway - uncheck
IPv4 Local Network - this is the address of your LAN network expressed as a CIDR range, most likely 192.168.1.0/24
IPv6 Local Network - Leave blank
Concurrent connections - 2
Compression - for bandwidth reduction check this box
Type-of-Service - uncheck
Inter-client communication - check this box if you want remote clients to be able to access each other
Duplicate Connections - allows multiple connections from the same client, not recommended but may possibly be needed

Dynamic IP - if your router's WAN IP changes you should check this
Address Pool - check
DNS Default Domain - fill this in if you have one
DNS Servers - set to your local DNS server

Press save and your OpenVPN server is created

Create your Interface and Bridge:
1) Interfaces ---> (assign)
2) add an interface by pressing the "+" button
3) in the drop down box next to the OPT1 interface that was created choose the open vpn server instance we just created
4) Go to Interfaces ---> OPT1
5) Enable the interface and give it a Description
6) Go to Interfaces ---> (assign)
7) choose the Bridges tab and then click the "+" button to add a bridge
8) Hold the CTRL button and highlight both your LAN interface and the renamed OPT1 interface we just created.

Create a firewall rule allowing traffic on your OpenVPN port for the WAN interface.
1) Go to Firewall ---> Rules
2) Choose the WAN tab
3) Press the "+" on near the top right to add a rule and enter the following information:
Action: Pass
Disabled: uncheck
Interface: WAN
TCP/IP Version: IPv4
Protocol: The protocol you chose in the OpenVPN server settings, probably UDP
Source
not: unchecked
Type: any
Address: leave blank
Destination:
not: unchecked
type: WAN address
Address: blank
Destination port range: Port your OpenVPN server runs on, probably 1194
Log: up to you
Description: optional, give the rule a description

You're done. The last thing to do is export the client configs. Luckily with v2.1 pfsense has made this stupid easy to do.
1) VPN ---> OpenVPN
2) Choose the client Export Tab
3) You should see an option to export a config for each certificate you created earlier. Hopefully you named your certs something easily identifiable.
4) It's recommended that for Windows you choose the Windows Installer. This will download and install OpenVPN and the config files.

You're done. Ping the LAN interface
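As an added example (not part of jadams' guide), here is a small Python check for the address plan the guide asks for in its IP settings: the Server Bridge DHCP range handed to remote clients must sit inside the LAN subnet and must not collide with addresses already in use (the pfSense LAN gateway, the internal DHCP server's pool, any statically assigned hosts), since a duplicate address is the failure mode the guide warns about. It also prints the OpenVPN server-bridge directive that the GUI's Bridge DHCP fields translate to. All network values and function names below are constructed for the example.

```python
# Added example: validate a pfSense OpenVPN tap/bridge address plan.
# Not part of the guide; every network value below is constructed.
from ipaddress import ip_address, ip_network


def addr_range(start, end):
    """Return (first, last) as address objects, rejecting reversed ranges."""
    first, last = ip_address(start), ip_address(end)
    if last < first:
        raise ValueError(f"range end {last} precedes start {first}")
    return first, last


def ranges_overlap(a, b):
    """True if two (first, last) ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_bridge_plan(lan_cidr, lan_gateway, lan_dhcp_pool, bridge_range, reserved=()):
    """Check the range given to remote clients against the rest of the LAN plan.

    lan_cidr      -- the LAN subnet (the guide's 'IPv4 Local Network')
    lan_gateway   -- the pfSense LAN interface address
    lan_dhcp_pool -- (start, end) of the internal DHCP server's pool
    bridge_range  -- (start, end) of 'Server Bridge DHCP Start/End'
    reserved      -- statically assigned hosts that must not be handed out
    Returns (ok, list_of_problems).
    """
    lan = ip_network(lan_cidr, strict=True)
    gateway = ip_address(lan_gateway)
    pool = addr_range(*lan_dhcp_pool)
    bridge = addr_range(*bridge_range)
    problems = []

    # Remote clients live on the LAN, so both ends of the range must be in it.
    for addr in bridge:
        if addr not in lan:
            problems.append(f"{addr} is outside the LAN subnet {lan}")
    if not problems:
        if bridge[0] == lan.network_address or bridge[1] == lan.broadcast_address:
            problems.append("range includes the network or broadcast address")
        # A remote client must never be handed an address that is already in use.
        if bridge[0] <= gateway <= bridge[1]:
            problems.append(f"range includes the LAN gateway {gateway}")
        if ranges_overlap(bridge, pool):
            problems.append(f"range overlaps the LAN DHCP pool {pool[0]}-{pool[1]}")
        for host in reserved:
            host_addr = ip_address(host)
            if bridge[0] <= host_addr <= bridge[1]:
                problems.append(f"range includes reserved host {host_addr}")
    return (not problems), problems


def server_bridge_directive(lan_cidr, lan_gateway, bridge_range):
    """The OpenVPN directive behind the GUI's Bridge DHCP fields: gateway, netmask, pool."""
    lan = ip_network(lan_cidr, strict=True)
    first, last = addr_range(*bridge_range)
    return f"server-bridge {ip_address(lan_gateway)} {lan.netmask} {first} {last}"


if __name__ == "__main__":
    # Constructed plan: /24 LAN, gateway .1, internal DHCP .100-.199, VPN clients .200-.220
    plan = dict(lan_cidr="192.168.1.0/24", lan_gateway="192.168.1.1",
                lan_dhcp_pool=("192.168.1.100", "192.168.1.199"))
    for rng in [("192.168.1.200", "192.168.1.220"), ("192.168.1.150", "192.168.1.210")]:
        ok, problems = check_bridge_plan(bridge_range=rng, reserved=["192.168.1.10"], **plan)
        print(rng, "OK" if ok else problems)
    print(server_bridge_directive("192.168.1.0/24", "192.168.1.1",
                                  ("192.168.1.200", "192.168.1.220")))
```

Run it before filling in the Server Bridge DHCP Start/End fields; the second constructed range is rejected because it overlaps the internal DHCP pool, which is exactly the duplicate-address situation the guide's IP settings section warns about. One caveat on the guide's crypto settings, from the editor rather than the guide: 1024-bit DH parameters are below what current guidance recommends, and later pfSense releases offer 2048-bit and larger.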
 
After installing the OpenVPN tap Bridging Fix package, the openvpn setup screen is the same. However if I go through your instructions up to the point where you say to check the bridge dhcp (which I can't do because I don't have that option) and then save the server config, and go back into it, the bridge dhcp box is there, however it can't be changed. Is this something that you ran into at all, or do you have any suggestions on what I can do about it?

Thanks Much
Adam
 
awwww someone found my guide and took the time to register to ask a question. I'll respond to this after work.
 
Yes it is something I ran into. What do you have selected for SERVER MODE?

Do you have REMOTE ACCESS or PEER TO PEER?
 
Thanks for your post, it works perfectly :)

More info: add a rule to the OpenVPN interface to allow traffic and it's OK.

thank you man ;)
 
Thanks. :)
I was trying to figure out why my firewall was blocking my openvpn traffic in 2.0.1. This could probably work.
 
Followed this guide and hit a brick wall.

My clients connect to the oVPN server without any problems.
I don't understand why my clients cannot communicate with my LAN network. I can successfully talk to pfSense's LAN interface but nothing else.

Funny thing on the client I can see hosts in the ARP table.

Also client routing table looks good:

192.168.3.0 255.255.255.0 192.168.3.22 192.168.3.200 30
where 192.168.3.22 is the GW (address assigned on pfSense LAN interface) and 192.168.3.200 is the address the client gets from OpenVPN

I've checked firewall: both OpenVPN and OPT1 interface have the following rule:
permit any any, so wide open.

From the pfSense itself I can access my LAN from LAN and OPT1 interfaces.

Any help would be appreciated.

Thanks,
Naz
 
hmm interesting. I'm currently working through something similar in my troubles to set up a site-to-site pfsense OpenVPN guide. I can see the client connect and it grabs an IP. I however cannot get traffic to cross.

I'll update if I find anything. Make sure to subscribe to this thread.
 
Glad to see someone picked up on the work I did back in 2006 and is getting it supportable under the latest pfSense.

http://forum.pfsense.org/index.php/topic,1990.0.html

In truth, I've put off upgrading for-freaking-ever because I saw that my way of doing it apparently no longer worked.

I'm going to attempt to build myself a new firewall this weekend. I'll give your instructions a go then.
 
Thanks for joining and letting us know. Please report back with your findings.

Also if you run across anything to answer nsnidanko's question above please share.

I'm also currently trying to get a site 2 site setup and am having a similar problem to his. The client site connects and gets an IP from the pool, but no traffic goes across. My firewall rules are wide open.

Glad people keep bumping this thread, makes me feel like I did something worthwhile :D
 
On the site-to-site, if you're bridged then I would think neither side should get an IP. It's like running a cross-cable between two switches at that point, isn't it?

So I understand what you're doing - bridging tapX to LAN on both sides? Basically make each side's LAN network a single layer 2 network. Only thing I can think of is to make sure client-to-client is enabled if that's applicable.

From the command line while this failure's happening, could you run an ifconfig bridge0 and paste it up here? Make sure neither is in a BLOCKING state, and make sure that STP is enabled for safety's sake, but not on the tap interface itself.
 
So I reinstalled my firewall, and more-or-less followed these instructions.

The way I'm set up is I have an allow any from LAN to world. I have allow ANY/ANY set on my bridge, on the OpenVPN interface that pfSense generates, *and* on the interface these instructions generate. So far, traffic is flowing just fine.

About the only flaw I see is that ideally, the LAN interface shouldn't have an IP address assigned, and the bridge interface should. The LAN and pfSense interfaces should be set allow any/any, and the filter rules should be set on the bridge. Right now I'm set to where actual rules are set on the LAN interface. Doesn't appear to be hurting anything, but "real soon" I should go back and make that right.
 
Thanks. I need to look into this. I just tried to set up site-to-site VPN again over the weekend and struggled.

Ended up going with Shared Key method instead and it was magnitudes easier. I may have to recreate this in a lab instead.
 
Great write-up! A bit of an issue on my end though... none of my boxes get a DHCP address :(

Any ideas?
 
Thank you for this great guide! I have been trying to get this to work for some days now, but when I found this guide it only took me minutes to succeed with my VPN-connection! Now at last I get it to connect and authenticate the key etc etc. It's been a learning experience for me to say the least :)

The connection is working finally but I have problems!

I want to direct ALL traffic through the VPN. I've added 'push "redirect-gateway def1";push "dhcp-option DNS 192.168.0.1"' to the advanced configuration of the OpenVPN-server and Firewall rules to allow all on all interfaces except WAN, witch have port 1194 directed to WAN.
On the cIient I get ip on the vpn-interface (192.168.0.151) but the status of DHCP is 192.168.0.0, the DNS is correct at 192.168.0.1 though. I can't ping any other machine on the real LAN.

Regards
Daniel
 
I wish i could help with that. Unfortunately that exceeds my pfsense knowledge without digging into it deeply myself.


On a side note, I just built a new pfsense and due to hardware had to use the v2.1 beta. I'll soon be testing this site-to-site setup to make sure it's still functional.
 
I'm looking to do the same thing. I came across instructions for 1.2 here:

To use IPsec without split tunneling, you just use remote subnet 0.0.0.0/0 with local subnet of the LAN subnet at the remote end, and local subnet 0.0.0.0/0 with remote subnet of the remote end's LAN on the main end. That describes the entire solution to the initial question.

What we spent far more time on is discussing the network in general and designing an appropriate solution to fit the company's needs, which he can't detail here nor can I. That's always specific to each individual environment, and this company is in a regulated sector where disclosure of this type is against his company's policy to comply with regulations.

I haven't had a chance to try it yet, maybe this weekend.
 
I just wanted to say thanks for this writeup. I had been trying to get OpenVPN to run in TAP mode for a couple of days now. After getting close with some ifconfig-noexec options (so that the ifconfig command wouldn't fail) and a tunnel network inside of my LAN network, etc, etc, I stumbled upon this guide and got it to work the 2nd time.

I noticed that you forgot to mention the Local Network field in the tunnel network section. Initially it didn't work because I was putting my local network into this field, however once I left this blank, then it worked fine.
 
Hey guys:

I have setup two pfsense firewalls from scratch using this guide for OpenVPN bridging. I am having the same issue at the end of the day as another user in this thread, namely the TAP interface is created on my test linux host and I can ping the LAN interface address however I cannot access other servers on the same subnet. I just built pfsense and carefully followed the howto guide, however only being able to see the pfsense firewall is pretty useless. I need to get this going as soon as possible, I will actually end up having 10 pfsense OpenVPN endpoints eventually but need to get the first one working. I can post configs, let me know what you need.

There is one slight deviation from the guide, my WAN IP is on a private network 10.11.105.x/24 and has a 1-TO-1 mapping to a public IP address on our main datacenter firewall. I cannot grant access to the public network on the pfsense firewall, but all any->any firewall rules have been added and "block private networks" has been turned off everywhere. Please let me know what more information you need to help troubleshoot this, I feel I am very close!

Thanks in advance.

/Chris
 
Ok, word to the wise, if you are running pfsense in VMWare you MUST change the vSwitch "Promiscuous Mode" associated with your pfsense networks from reject to accept. If you do not do this then the only host the OpenVPN bridged client will see is the pfsense server itself. My google-god coworker found this for reference:

http://www.jeremycole.com/blog/2010/03/11/openvpn-bridge-under-vmware-esxi/

This howto guide works perfectly otherwise, thanks!!!

/Chris
 
Thanks to all who have contributed to my guide. I do understand that there is a slight flaw in the original guide so I'm updating the OP to direct everyone to read through the thread. Unfortunately I've been extremely busy with moving to try to test out all the suggestions and I don't see having the time to sit down and try it any time soon. I also upgraded my main pfsense box to 2.1 beta so I'm not sure if the guide will work word for word anymore.
 
Just installed pfsense 2.1 and will be going through this guide to correct any mistakes.
 
Thank you for the thread. I look forward to trying this soon. Are you happy with 2.1 so far?

thanks,

chris
 
2.1 is OK so far. I was forced to use it because my hardware is too new for 2.0.2. I'm not overly thrilled about having to use a beta. I've never had good luck with their in-place updates for nightly builds, so I try to stick with one that seems stable.

I should be updating this guide as well as expanding on it this weekend.
 
is openvpn bridging supposed to just be the simple/easy way of using OpenVPN in pfsense? I have tried setting up OpenVPN a few times but always gave up since it seemed to get too complicated. I want a simple setup so I can use OpenVPN for laptops, tablets, and phones.
 
There are two modes, tap (bridging) and tun (tunneling).

In bridge mode both sites are on the same subnets and broadcasts are able to traverse the connection.

In tunnel mode it's all routed. There is another network between both devices.

My main purpose for doing bridging was so that my HDHomeRun TV tuner could stream video over it, but I've moved on to other things.

I want to change this overall to a pfsense OVPN guide that discusses many configurations... bridge, tunnel, multi-site, etc....
 
It looks like Android only supports tunneling mode at this point. I have to try and get that set up one of these days so I can use wifi in public if needed. I may have to use your new updated guide once it's completed. ;)
 
I'm working on the guide as we speak actually. But then this Broncos/Ravens game got my attention.

The new guide is going to include screenshots as well as giving you information to connect to my lab pfsense for testing purposes. Of course once connected you won't be able to do anything other than ping the LAN interface. But it will be good for connection testing.
 
Followed this guide, and all seemed to go well. However trying to connect comes up with this error:

2013-01-28 00:46:35 EVENT: ASSIGN_IP
2013-01-28 00:46:35 TUN Error: tun_builder_error: one of ifconfig or
ifconfig-ipv6 must be specified
2013-01-28 00:46:35 EVENT: TUN_SETUP_FAILED tun_builder_error: one of
ifconfig or ifconfig-ipv6 must be specified [ERR]
2013-01-28 00:46:35 EVENT: DISCONNECTED
2013-01-28 00:46:35 Raw stats on disconnect:
BYTES_IN : 9895
BYTES_OUT : 4288
PACKETS_IN : 51
PACKETS_OUT : 43
TUN_SETUP_FAILED : 1
2013-01-28 00:46:35 Performance stats on disconnect:
CPU usage (microseconds): 143615
Network bytes per CPU second: 98757
Tunnel bytes per CPU second: 0
2013-01-28 00:46:35 ----- OpenVPN Stop -----
2013-01-28 00:46:35 EVENT: DISCONNECT_PENDING



Any ideas?

I should mention that I am connecting through iOS. When I change it to tun instead of tap, and fill in the tunnel network as needed, it connects but I cannot see any network resources (specifically an AirVideo server).
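As an added example (not from the thread), here is a small Python parser for an OpenVPN Connect client log like the one posted above. It pulls out the timestamped EVENT lines and the disconnect stats and returns a short verdict: in this log the session gets as far as ASSIGN_IP, so the WAN firewall rule and the certificates did their job, and then dies in TUN_SETUP_FAILED because the client received no ifconfig/ifconfig-ipv6 push; the thread reports the same client connects once the device mode is tun. The sample log is a copy of the one above with the wrapped lines rejoined; the function names and verdict strings are mine.

```python
# Added example: triage an OpenVPN Connect client log for a failed tap session.
# Not from the thread; the log below is a copy of the posted one with wrapped
# lines rejoined, and the field/verdict names are constructed.
import re

SAMPLE_LOG = """\
2013-01-28 00:46:35 EVENT: ASSIGN_IP
2013-01-28 00:46:35 TUN Error: tun_builder_error: one of ifconfig or ifconfig-ipv6 must be specified
2013-01-28 00:46:35 EVENT: TUN_SETUP_FAILED tun_builder_error: one of ifconfig or ifconfig-ipv6 must be specified [ERR]
2013-01-28 00:46:35 EVENT: DISCONNECTED
2013-01-28 00:46:35 Raw stats on disconnect:
BYTES_IN : 9895
BYTES_OUT : 4288
PACKETS_IN : 51
PACKETS_OUT : 43
TUN_SETUP_FAILED : 1
2013-01-28 00:46:35 Performance stats on disconnect:
CPU usage (microseconds): 143615
Network bytes per CPU second: 98757
Tunnel bytes per CPU second: 0
2013-01-28 00:46:35 ----- OpenVPN Stop -----
2013-01-28 00:46:35 EVENT: DISCONNECT_PENDING
"""

# "<timestamp> EVENT: <NAME> [detail]" lines emitted by the OpenVPN Connect client
EVENT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EVENT: (\S+)(?: (.*))?$")
# "<COUNTER> : <value>" lines from the "Raw stats on disconnect" block
STAT_RE = re.compile(r"^(\w+) : (\d+)$")


def parse_client_log(text):
    """Return ([(timestamp, event_name, detail), ...], {counter: value})."""
    events, stats = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = EVENT_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3) or ""))
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return events, stats


def diagnose(events, stats):
    """Explain why the session ended, using only what the log shows."""
    names = [name for _, name, _ in events]
    report = {
        # ASSIGN_IP is reached only after the control channel is up, so the
        # firewall rule on WAN and the certificate setup are not the problem.
        "reached_assign_ip": "ASSIGN_IP" in names,
        "failure": None,
        "cause": "none",
        "tun_setup_failures": stats.get("TUN_SETUP_FAILED", 0),
    }
    for _, name, detail in events:
        if name == "TUN_SETUP_FAILED":
            report["failure"] = name
            if "ifconfig" in detail and "must be specified" in detail:
                # Server pushed no interface address; this client will not
                # bring up the tap device without one.
                report["cause"] = "no-ifconfig-pushed"
            else:
                report["cause"] = "tun-setup-other"
            break
    return report


if __name__ == "__main__":
    events, stats = parse_client_log(SAMPLE_LOG)
    for ts, name, detail in events:
        print(ts, name, detail)
    print(diagnose(events, stats))
```

When the verdict is `no-ifconfig-pushed` after `reached_assign_ip` is true, the place to look is the device mode and tunnel network on the server, not the WAN rule or the certificates; the poster's own next step (tun with a tunnel network filled in) is what that verdict points at.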
 
@jadams So why TAP and not TUN?

When using tap, I can think of a few downsides over tun:
1. You add extra overhead of the frame being sent down the link, wasted bandwidth
2. You suddenly have a broadcast domain over the link shared with your entire network, usually more wasted bandwidth unless you have a damn good reason to need it.
3. Static routes in pfSense do not play well with tap links
4. Quagga OSPF does not play well with tap links, if one goes down, good luck having it re-establish reliably without a complete restart of pfSense.

If there is some real advantage to using TAP that I am overlooking, I'd like to know. From all of the reading and testing I have done, TUN is preferable in 99% of situations.
 
Simply preference. I had some things that I wanted to be on the same subnet at different locations which would respond to broadcasts just as you said. My main intention was trying to stream live tv from my hdhomerun but I never did get around to testing that.

For what it's worth I am currently using tun.

Eventually... Probably starting in March I'll turn this thread into more of an overall OpenVPN pfsense guide encompassing many different configurations.
 