[Solved] Bridging OpenConnect VPN server client tunnels to a central site


I've got a FreeBSD VM in a DC running net/ocserv that allows clients to access my network over SSL. It dutifully creates tunnel interfaces as each client connects, and clients route back to the central site via the VM (as it happens, over an IPsec tunnel).

Rather than routing the client traffic normally via the VM, I want to bridge the tunnels to a DMZ at the central site and pop the traffic out there (similar to mobility anchoring in Cisco's WiFi universe).

I can easily use VXLAN to set up a tunnel between the VM and the central site, and can also easily add these to a bridge interface at each end. However, the tricky part is that I can't bridge the tunnel interfaces (for obvious reasons: they're not Ethernet or Ethernet-like).

Ignoring the why, can anyone think of how I can bridge these tunnel interfaces back to the central site? Or perhaps there's a way to stitch/force the tunnels into another tunnel at layer 3 (here I'm thinking policy routing - yuck).

If you want a why: say, for example, users in the central site are subjected to a transparent proxy using WCCP on a switch. I want the SSL VPN users to be dropped into the same VLAN so they too are subject to WCCP (and various other security measures).
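As an added example (not code from the thread, from ocserv or from FreeBSD's own documentation), here is the VXLAN-plus-bridge leg the post says is easy, written as a FreeBSD sh script: a point-to-point vxlan(4) interface to the far end, bridged with if_bridge(4) to the NIC on the DMZ VLAN. The VNI, endpoint addresses and interface names are placeholders; run the same script at the central site with the endpoints swapped. It has a dry-run mode so the planned ifconfig commands can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread. Brings up a unicast VXLAN segment between
# the DC VM and the central site and bridges it to the local DMZ NIC.
# All addresses, interface names and the VNI are hypothetical placeholders.
set -eu

: "${VXLAN_ID:=108}"              # VNI; must match at both ends (assumed)
: "${LOCAL_IP:=192.0.2.10}"       # this host's underlay address inside the IPsec tunnel (assumed)
: "${REMOTE_IP:=198.51.100.10}"   # far-end VXLAN endpoint (assumed)
: "${DMZ_IF:=em1}"                # local NIC on the DMZ VLAN to be bridged (assumed)
: "${VXLAN_IF:=vxlan0}"
: "${BRIDGE_IF:=bridge0}"
: "${DRY_RUN:=0}"                 # DRY_RUN=1 prints the commands instead of running them

# Execute a command, or print it when DRY_RUN=1 so the plan can be reviewed
# (and tested) on a box that is not the FreeBSD VM.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the VXLAN interface and bridge it to the DMZ NIC.
vxlan_bridge_up() {
    # vxlan(4) in unicast mode: a single remote endpoint, UDP/4789 by default.
    # VXLAN itself has no authentication or encryption, so the underlay
    # addresses should be ones that only exist inside the IPsec tunnel, and
    # the underlay firewall must pass udp/4789 between the two endpoints.
    run ifconfig "$VXLAN_IF" create vxlanid "$VXLAN_ID" \
        vxlanlocal "$LOCAL_IP" vxlanremote "$REMOTE_IP" up

    # if_bridge(4) members must be Ethernet-like, which is exactly why the
    # ocserv tun interfaces cannot be added alongside vxlan0 here.
    run ifconfig "$BRIDGE_IF" create
    run ifconfig "$BRIDGE_IF" addm "$VXLAN_IF" addm "$DMZ_IF" up
}

# Tear it down in reverse order.
vxlan_bridge_down() {
    run ifconfig "$BRIDGE_IF" destroy
    run ifconfig "$VXLAN_IF" destroy
}

# Only dispatch when invoked with an action, so the functions can also be
# sourced for review or testing.
if [ $# -gt 0 ]; then
    case "$1" in
        up)   vxlan_bridge_up ;;
        down) vxlan_bridge_down ;;
        *)    echo "usage: $0 up|down" >&2; exit 2 ;;
    esac
fi
```

Run it as `DRY_RUN=1 sh vxlan-bridge.sh up` first to see the three ifconfig commands, then as root without DRY_RUN. The persistent equivalent in /etc/rc.conf would be `cloned_interfaces="vxlan0 bridge0"`, `ifconfig_vxlan0="vxlanid 108 vxlanlocal 192.0.2.10 vxlanremote 198.51.100.10 up"` and `ifconfig_bridge0="addm vxlan0 addm em1 up"` (same placeholder values). Two caveats a practitioner will hit: the VXLAN header adds roughly 50 bytes on top of the IPsec overhead, so check the effective MTU on the path before trusting the bridge with large frames, and clients landing on the central-site VLAN this way receive that VLAN's broadcast traffic and DHCP offers, so the DMZ side needs the same filtering you would apply to any untrusted Ethernet segment.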

Cool. I’m AFK at the moment: how do I configure ocserv to create tap interfaces rather than tun?

Use OpenVPN with a tap interface; it's a much cleaner solution than using encapsulation inside the tunnel.

I just re-read and saw you're suggesting I change software. At this point I'd rather stick with ocserv as it's an SSL VPN head-end and works perfectly with Cisco's AnyConnect Client (which my many clients use, often behind corporate firewalls).

If you want to use a bridge then you have to switch from tun to tap. The TAP driver is not supported in Cisco's AnyConnect client. There's an implementation in the OpenConnect GUI client for Windows using TAP (the OpenVPN tap driver), but you'd have to change all users' VPN clients anyway. So it would be better to switch to OpenVPN.

For Cisco AnyConnect you can check the solution guide, Architecture Scenario 4, where it is explained how you can implement WCCP with the VPN. It all depends on how your WCCP is configured: is it only for a single subnet, or is it with GRE encapsulation? Anyway, it's not related to FreeBSD and you will have more luck on the Cisco forum regarding this.

Check here for Architecture Scenario 4:

Thanks for that. If FreeBSD could run as a WCCP head-end that would solve my problem, but I can find neither a port nor a netgraph module. Thanks for the link to the Cisco architecture, but in my scenario my FreeBSD VM running ocserv is taking the place of the ASA, so no joy there.

I will investigate OpenVPN, which will have to support Windows/macOS/iOS, all behind corporate proxies over 443/tcp, which might be tricky.
FYI, I fired up OpenVPN and successfully got layer 3 VPN interfaces working (tun), but when I began testing L2 interfaces (tap) I discovered that iOS devices do not support them. Back to the drawing board...