OpenVPN Bridging
From PFSenseDocs
OpenVPN Client Bridging
Caveat - There are some problems with the setup described here; it is currently being refactored.
If you want layer 2 and broadcast traffic from your clients to be bridged into your LAN (or one of your OPT interfaces) so that remote clients function as though they are on the local network, you will need to create a bridge for that traffic to pass through.
First, you should follow the instructions above to get a normal OpenVPN client/server system going where your clients are on a different subnet. Once you have that working, make the following changes to your OpenVPN server page:
- Check "Use Static IPs". This seems like a misnomer, but we're working around the way pfSense is currently coded. Don't worry, you'll still assign IPs from the server.
- If you want layer 2 traffic to be bridged, add "dev tapx" to your Custom Options, where x is a known and available tap interface that you are certain you won't use elsewhere. For the rest of these instructions, I presume you are using tap0.
- Add the following to Custom Options: server-bridge (LAN IP) (LAN netmask) (openvpn vpn client range start) (openvpn client range end)
So in my setup, since my pfSense box's LAN IP is 172.16.11.1/24 and my clients will get .128-.150, I have the following:
server-bridge 172.16.11.1 255.255.255.0 172.16.11.128 172.16.11.150
If you wish, you can use CARP IPs, i.e. duplicate this setup, and if your LAN CARP IP is 172.16.11.1, use that. If you want to make sure you connect to whichever box currently holds your WAN CARP IP, add "local (WAN CARP IP)" to your custom options.
Save the changes to this page, and then edit /conf/config.xml. Add the following to your system section. I'm presuming your LAN interface is em2; substitute your real LAN interface:
<earlyshellcmd>ifconfig bridge0 create</earlyshellcmd>
<earlyshellcmd>ifconfig bridge0 addm em2 up</earlyshellcmd>
<shellcmd>ifconfig bridge0 addm tap0</shellcmd>
What you are doing is creating your bridge interface early in the boot process. You have to wait for OpenVPN to be launched before you can add tap0 to the bridge, so you use a normal shellcmd to bring that interface into the bridge.
Now, you'll probably want to reboot to make sure your changes take effect. After the system comes back up, you should be able to do "ifconfig bridge0" and see both em2 and tap0 status. If you go to Status -> Interfaces in the web interface, your bridge status should read "Learning" on your LAN interface.
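As an added example (not part of the pfSense docs), the script below sanity-checks the four server-bridge arguments before you paste them into Custom Options, then checks a captured "ifconfig bridge0" listing for the expected members. It uses the page's own example values (172.16.11.1/24, pool .128-.150, em2, tap0); the ifconfig output is a constructed sample, not real captured output.

```sh
#!/bin/sh
# Convert a dotted-quad address to a 32-bit integer using POSIX sh arithmetic.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# server_bridge_ok GATEWAY NETMASK POOL_START POOL_END
# Succeeds when the gateway and the whole client pool lie inside the LAN
# subnet given by GATEWAY/NETMASK, the pool is ordered, and the pool does
# not contain the gateway address itself.
server_bridge_ok() {
    gw=$(ip2int "$1"); mask=$(ip2int "$2")
    lo=$(ip2int "$3"); hi=$(ip2int "$4")
    net=$(( gw & mask ))
    [ $(( lo & mask )) -eq "$net" ] || return 1          # pool start outside LAN
    [ $(( hi & mask )) -eq "$net" ] || return 1          # pool end outside LAN
    [ "$lo" -le "$hi" ] || return 1                      # start after end
    [ "$gw" -lt "$lo" ] || [ "$gw" -gt "$hi" ] || return 1  # gateway inside pool
    return 0
}

# bridge_has_members IFCONFIG_OUTPUT IFACE...
# Succeeds when every named interface appears as a "member:" line.
bridge_has_members() {
    out=$1; shift
    for m in "$@"; do
        printf '%s\n' "$out" | grep -q "^[[:space:]]*member: $m " || return 1
    done
    return 0
}

# Constructed sample of what "ifconfig bridge0" prints once both the
# earlyshellcmd and shellcmd entries have run (shape only, not real output).
SAMPLE_BRIDGE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

server_bridge_ok 172.16.11.1 255.255.255.0 172.16.11.128 172.16.11.150 \
    && echo "server-bridge line OK"
bridge_has_members "$SAMPLE_BRIDGE" em2 tap0 && echo "bridge0 has em2 and tap0"
```

Run it on the box after the reboot with `bridge_has_members "$(ifconfig bridge0)" em2 tap0` to confirm both members joined.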
