Solved Bridge Problem with OpenVPN

Hi all,

So, this is my first time using FreeBSD, and I am building a router/firewall with additional services. So far there is a ton of documentation, so everything has been going well. Working with OpenVPN on FreeBSD has been the biggest challenge, especially learning certificates and building a CA and signing certificates (keyusage, argh!) for other services. Anyway, as for the issue I am having, I have searched and can't find a solution.

I am at the point where my client (a Windows PC) can successfully connect to the OpenVPN service, so authentication, PAM, SSL, and all of that is working exactly how it should. I should mention here that the system is running FreeBSD 10.1 as a virtual machine in ESXi 5.5 (using supported e1000 network interfaces) and has one interface that is on a public IP and the other on a private network. I am doing a bridged VPN, so I am using TAP interfaces on both sides. The documentation was a little unclear about whether (on the server) the tap0 interface should have the IP or the bridge0 interface should have the IP, so I provided a unique one to each, but either way I don't think that it is related to my problem, which I think I have correctly identified as a layer 2 bridging issue. I also have my client firewall disabled and the server firewall disabled (for testing). After I get this up, I was going to set up the firewall, because then I would know that the base system works as expected.

So, my client can ping 172.20.10.1 (the LAN em1 interface of the server), 172.20.10.2 (the bridge0 interface of the server), and 172.20.10.3 (the tap0 interface of the server). My client gets the 172.20.10.241 IP from the pool that OpenVPN provides, which again is all expected behavior. The problem is that I cannot ping or otherwise connect to 172.20.10.11 (the ESXi management interface) from my VPN client; however, I can from the VPN server. I also added a static ARP entry in my client, and still FreeBSD is either not sending it out to the device or not allowing the response back to me.

So my client has connectivity to the server through the VPN, but not to anything beyond it. I first disabled the firewall (running PF) to ensure it wasn't that, but it doesn't seem to be. I will post (in order) the OpenVPN configuration, rc.conf, and ifconfig. I am hoping someone can shed some light on this issue, as it has been driving me mad. My hypothesis is either that I misconfigured the bridge interface or that there are some ESXi security settings that I need to modify, which I will be checking tomorrow.

Thank you everyone,

-GNS

-----

*I X'd out some of the IP and domain info


server openvpn.conf:
Code:
# OpenVPN server configuration file - gns20150816

daemon
port 443
proto tcp
script-security 2
dev tap0

ca      /rssl/vpn-ssl/cacert.pem
cert    /rssl/vpn-ssl/nodes/labvpn/labvpn-cert.pem
key     /rssl/vpn-ssl/nodes/labvpn/labvpn-key.pem
dh      /rssl/vpn-ssl/private/dh1024.pem

plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login
client-cert-not-required
username-as-common-name

server-bridge 172.20.10.2 255.255.255.0 172.20.10.241 172.20.10.250

client-to-client
keepalive 10 120
duplicate-cn
max-clients 8

user vpn
group vpn

persist-key
persist-tun

status                  /var/openvpn/openvpn-status.log
log-append              /var/log/openvpn.log
verb 4
crl-verify              /rssl/vpn-ssl/crl.pem

server rc.conf:
Code:
hostname="hyp"
ifconfig_em0="inet XXX.XXX.XXX.243 netmask 255.255.255.224"
defaultrouter="XXX.XXX.XXX.225"
cloned_interfaces="bridge0 tap0"
ifconfig_bridge0="inet 172.20.10.2 netmask 255.255.255.0 addm tap0 addm em1 up"
ifconfig_tap0="inet 172.20.10.3 netmask 255.255.255.0 up"
ifconfig_em1="inet 172.20.10.1 netmask 255.255.255.0 up"

sshd_enable="YES"
ntpd_enable="YES"

# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

# Gateway and Packet Filter - gns20150812
gateway_enable="YES"
# pf_enable="YES"
# pflog_enable="YES"

# OpenVPN - gns20150812
openvpn_enable="YES"
openvpn_configfile="/etc/openvpn/openvpn.conf"
openvpn_if="tap bridge"
openvpn_dir="/usr/local/etc/rc.d"

# DHCP - gns20150812
dhcpd_enable="YES"
dhcpd_ifaces="em1"

server ifconfig:
Code:
gns@hyp:/usr/home/gns$ ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:81:56:4d
        inet XXX.XXX.XXX.243 netmask 0xffffffe0 broadcast XXX.XXX.XXX.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:0c:29:81:56:57
        inet 172.20.10.1 netmask 0xffffff00 broadcast 172.20.10.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:8c:87:90:af:00
        inet 172.20.10.2 netmask 0xffffff00 broadcast 172.20.10.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000000
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:fa:00:00:00
        inet 172.20.10.3 netmask 0xffffff00 broadcast 172.20.10.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active
        Opened by PID 657
gns@hyp:/usr/home/gns$
 
Update:

Everything is fixed. It wasn't a BSD issue at all. I finally did a tcpdump on the em1 interface and I saw that the ARP request packets were being sent out, but I wasn't getting anything returned. When pinging from the system I got the requests and replies, but not from the VPN client. I was looking at the security settings in ESXi and found that promiscuous mode was disabled. I enabled it to see if that would permit the ESXi mgmt interface to receive the ARPs and reply back to them. Now everything works as expected.

-GNS
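The tcpdump check in the update (ARP requests leaving em1 from the VPN client with no reply coming back, while the server's own requests are answered) can be automated. The following is an added example, not code from the original post: it pairs ARP requests with replies in `tcpdump -ni em1 arp` output and reports requester/target pairs that never get an answer. The sample capture and MAC addresses are constructed to mirror the post's addresses.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -ni em1 arp` output, modelled on the symptom in
# the post: the server (172.20.10.1) gets a reply from the ESXi host (172.20.10.11),
# the bridged VPN client (172.20.10.241) does not. MAC addresses are made up.
SAMPLE = """\
10:01:00.100001 ARP, Request who-has 172.20.10.11 tell 172.20.10.1, length 28
10:01:00.100402 ARP, Reply 172.20.10.11 is-at 00:50:56:aa:bb:cc, length 46
10:01:05.200001 ARP, Request who-has 172.20.10.11 tell 172.20.10.241, length 28
10:01:06.200001 ARP, Request who-has 172.20.10.11 tell 172.20.10.241, length 28
10:01:07.200001 ARP, Request who-has 172.20.10.11 tell 172.20.10.241, length 28
10:01:09.000001 ARP, Request who-has 172.20.10.1 tell 172.20.10.11, length 46
10:01:09.000300 ARP, Reply 172.20.10.1 is-at 00:0c:29:81:56:57, length 28
"""

REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
REP = re.compile(r"ARP, Reply (\S+) is-at (\S+),")


def arp_summary(lines):
    """Map (requester_ip, target_ip) -> (requests_sent, replies_seen).

    tcpdump without -e does not print the reply's destination MAC, so a reply
    for target X is credited to the oldest still-unanswered request for X,
    which is the order ARP replies normally arrive in.
    """
    pending = defaultdict(list)            # target ip -> requester ips awaiting a reply
    stats = defaultdict(lambda: [0, 0])    # (requester, target) -> [requests, answered]
    for line in lines:
        m = REQ.search(line)
        if m:
            target, requester = m.groups()
            pending[target].append(requester)
            stats[(requester, target)][0] += 1
            continue
        m = REP.search(line)
        if m:
            target = m.group(1)
            if pending[target]:
                requester = pending[target].pop(0)
                stats[(requester, target)][1] += 1
    return {k: tuple(v) for k, v in stats.items()}


def unanswered(lines):
    """Requester/target pairs with requests that never got a reply, i.e. the
    frames the hypervisor's port group silently dropped in the post."""
    return {k: req - ans for k, (req, ans) in arp_summary(lines).items() if req > ans}


if __name__ == "__main__":
    for (requester, target), n in unanswered(SAMPLE.splitlines()).items():
        print(f"{requester} -> {target}: {n} ARP request(s) without reply")
```

On a live box, feed it with `tcpdump -ni em1 -l arp | python3 arpcheck.py` (reading lines from stdin instead of `SAMPLE`). Because promiscuous mode on a vSwitch port group lets every VM on it see all frames, it is worth scoping that setting to a port group dedicated to the VPN server rather than the whole vSwitch.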