# OpenVPN tap: redirect gateway



## driesm (Mar 30, 2017)

Hello guys,

I have been struggling quite some time to get a TAP bridge working on FreeBSD. Authentication is no problem with certificates and keys. When I'm connected to the VPN I cannot reach any device behind my firewall and thus my LAN (pinging, browsing SMB shares, nothing works). I have also tried to configure OpenVPN to receive a DHCP lease from my LAN's DHCP server, but that didn't work either. Right now I have configured my DHCP server to assign IP addresses up to 192.168.1.199; from 192.168.1.200 the VPN takes over. But the issue remains: I can't reach any device behind my server (I can't even ping my server when connected), although I see packets getting matched by IPFW over bridge0 and tap0 with `ipfw show`.

I test client connections from my laptop, which is connected to a mobile hotspot over wifi, thus simulating external connections to my server. I'm thinking the problem is routing related, however I'm not capable enough to know what I should add to my server's routing table with this configuration. Maybe it's even a NAT problem? Although I've always thought of TAP bridged setups as if the clients were true LAN clients and everything was configured from the start without much hassle with routing tables, because the VPN is passing Ethernet frames and not IP packets. Also, when connected to my VPN and I visit a site to pinpoint my IP address, it doesn't change to the external IP of my server.

I'll post the relevant sections of my configuration and the client output below. Brace yourselves, it will be a lengthy one... If you need any more information to solve my problem I'm happy to provide it.

Thank you guys!

rc.conf

```
ifconfig_em0="DHCP"
ifconfig_igb0="inet 192.168.1.1 netmask 255.255.255.0"
cloned_interfaces="tap0 bridge0"
ifconfig_bridge0="addm igb0 addm tap0"
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/usr/local/etc/firewall.rules"
openvpn_enable="YES"
```

openvpn.conf

```
port 1194
proto udp
dev tap0
ca /usr/local/share/easy-rsa/pki/ca.crt
cert /usr/local/share/easy-rsa/pki/issued/server.crt
key /usr/local/share/easy-rsa/pki/private/server.key
dh /usr/local/share/easy-rsa/pki/dh.pem
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.250
push "redirect-gateway def1"
client-to-client
tls-auth /usr/local/share/easy-rsa/pki/ta.key
cipher AES-256-CBC
```

output of `ifconfig`

```
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
        ether a0:36:9f:cd:7d:e7
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
        ether 4c:cc:6a:28:3e:a3
        inet 94.225.134.109 netmask 0xfffff000 broadcast 94.225.143.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tap0: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:c1:0e:00:00
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active
        Opened by PID 30864
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:d8:b6:58:51:00
        nd6 options=9<PERFORMNUD,IFDISABLED>
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000000
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 2000000
```

client output when connecting to the VPN

```
Thu Mar 30 16:11:52 2017 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jan 31 2017
Thu Mar 30 16:11:52 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Mar 30 16:11:52 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Thu Mar 30 16:11:52 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Mar 30 16:11:52 2017 Need hold release from management interface, waiting...
Thu Mar 30 16:11:53 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Mar 30 16:11:53 2017 MANAGEMENT: CMD 'state on'
Thu Mar 30 16:11:53 2017 MANAGEMENT: CMD 'log all on'
Thu Mar 30 16:11:53 2017 MANAGEMENT: CMD 'hold off'
Thu Mar 30 16:11:53 2017 MANAGEMENT: CMD 'hold release'
Thu Mar 30 16:11:54 2017 MANAGEMENT: CMD 'password [...]'
Thu Mar 30 16:11:54 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Mar 30 16:11:54 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 30 16:11:54 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 30 16:11:54 2017 MANAGEMENT: >STATE:1490883114,RESOLVE,,,,,,
Thu Mar 30 16:11:54 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]94.225.134.109:1194
Thu Mar 30 16:11:54 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Mar 30 16:11:54 2017 UDP link local: (not bound)
Thu Mar 30 16:11:54 2017 UDP link remote: [AF_INET]94.225.134.109:1194
Thu Mar 30 16:11:54 2017 MANAGEMENT: >STATE:1490883114,WAIT,,,,,,
Thu Mar 30 16:11:54 2017 MANAGEMENT: >STATE:1490883114,AUTH,,,,,,
Thu Mar 30 16:11:54 2017 TLS: Initial packet from [AF_INET]94.225.134.109:1194, sid=e2d3a383 d077326f
Thu Mar 30 16:11:55 2017 Validating certificate key usage
Thu Mar 30 16:11:55 2017 ++ Certificate has key usage  00a0, expects 00a0
Thu Mar 30 16:11:55 2017 VERIFY KU OK
Thu Mar 30 16:11:55 2017 Validating certificate extended key usage
Thu Mar 30 16:11:55 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Mar 30 16:11:55 2017 VERIFY EKU OK
Thu Mar 30 16:11:55 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Mar 30 16:11:55 2017 [server] Peer Connection Initiated with [AF_INET]94.225.134.109:1194
Thu Mar 30 16:11:56 2017 MANAGEMENT: >STATE:1490883116,GET_CONFIG,,,,,,
Thu Mar 30 16:11:56 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Mar 30 16:11:56 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-gateway 192.168.1.1,ping 10,ping-restart 120,ifconfig 192.168.1.200 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Thu Mar 30 16:11:56 2017 OPTIONS IMPORT: timers and/or timeouts modified
Thu Mar 30 16:11:56 2017 OPTIONS IMPORT: --ifconfig/up options modified
Thu Mar 30 16:11:56 2017 OPTIONS IMPORT: route options modified
Thu Mar 30 16:11:56 2017 OPTIONS IMPORT: route-related options modified
Thu Mar 30 16:11:56 2017 OPTIONS IMPORT: peer-id set
Thu Mar 30 16:11:56 2017 OPTIONS IMPORT: adjusting link_mtu to 1656
Thu Mar 30 16:11:56 2017 OPTIONS IMPORT: data channel crypto options modified
Thu Mar 30 16:11:56 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Mar 30 16:11:56 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Mar 30 16:11:56 2017 interactive service msg_channel=0
Thu Mar 30 16:11:56 2017 ROUTE_GATEWAY 172.20.10.1/255.255.255.240 I=14 HWADDR=4c:80:93:07:46:9e
Thu Mar 30 16:11:56 2017 open_tun
Thu Mar 30 16:11:56 2017 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{E725A71C-E003-4560-8A45-AD9E555D322A}.tap
Thu Mar 30 16:11:56 2017 TAP-Windows Driver Version 9.21
Thu Mar 30 16:11:56 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.1.200/255.255.255.0 on interface {E725A71C-E003-4560-8A45-AD9E555D322A} [DHCP-serv: 192.168.1.0, lease-time: 31536000]
Thu Mar 30 16:11:56 2017 Successful ARP Flush on interface [19] {E725A71C-E003-4560-8A45-AD9E555D322A}
Thu Mar 30 16:11:56 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Mar 30 16:11:56 2017 MANAGEMENT: >STATE:1490883116,ASSIGN_IP,,192.168.1.200,,,,
Thu Mar 30 16:12:01 2017 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Thu Mar 30 16:12:01 2017 C:\WINDOWS\system32\route.exe ADD 94.225.134.109 MASK 255.255.255.255 172.20.10.1
Thu Mar 30 16:12:01 2017 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=14]
Thu Mar 30 16:12:01 2017 Route addition via IPAPI failed [adaptive]
Thu Mar 30 16:12:01 2017 Route addition fallback to route.exe
Thu Mar 30 16:12:01 2017 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Mar 30 16:12:01 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.1.1
Thu Mar 30 16:12:01 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Thu Mar 30 16:12:01 2017 Route addition via IPAPI succeeded [adaptive]
Thu Mar 30 16:12:01 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.1.1
Thu Mar 30 16:12:01 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Thu Mar 30 16:12:01 2017 Route addition via IPAPI succeeded [adaptive]
Thu Mar 30 16:12:01 2017 Initialization Sequence Completed
Thu Mar 30 16:12:01 2017 MANAGEMENT: >STATE:1490883121,CONNECTED,SUCCESS,192.168.1.200,94.225.134.109,1194,,
```


----------



## SirDice (Mar 30, 2017)

Try reloading the firewall _after_ the tunnel has been brought up. If that works, you need to reload the firewall when the connection comes up. The "problem" is that the firewall ignores rules for a non-existing tap(4) interface. This interface only exists when the VPN is up.


----------



## driesm (Mar 30, 2017)

I restarted my firewall after a client connection was established; the issue remains. Any other thoughts?


----------



## SirDice (Mar 30, 2017)

I would suggest using a routed VPN instead of a bridged one. But if you must use a bridged VPN, try moving the IP address of igb0 to the bridge0 interface.


----------



## driesm (Mar 30, 2017)

Although I do admit I don't need a bridged VPN for my purposes, I would be just a tiny bit happier if someone could figure out this problem!


----------



## SirDice (Mar 30, 2017)

If I read this correctly, you don't need to set an IP address on igb0 or bridge0: http://www.mired.org/writing/bridged-openvpn-on-freebsd

So, remove the address from igb0 and let OpenVPN do it automatically.
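The two suggestions in this thread (reload the firewall once the tap device exists, and keep the LAN address off the member NIC igb0) can be checked and applied from an OpenVPN `up` hook. The script below is an added example written for this thread; it is not code from the thread, from OpenVPN or from FreeBSD. It assumes a hypothetical path `/usr/local/etc/openvpn/up.sh`, the interface names `bridge0`/`igb0` from the poster's rc.conf, and a `selftest` function fed with constructed ifconfig text trimmed from the output posted above. `script-security 2` and `up` are real OpenVPN options, and `service ipfw restart` is the FreeBSD rc way of re-running `firewall_script`. Be aware that the restart flushes and rebuilds the ruleset, so there is a brief window with the default policy in effect.

```shell
#!/bin/sh
# Added example, not from the thread: an OpenVPN --up hook for a FreeBSD
# tap/bridge server. Assumed (hypothetical) install path:
#   /usr/local/etc/openvpn/up.sh
# enabled in openvpn.conf with the real OpenVPN options
#   script-security 2
#   up /usr/local/etc/openvpn/up.sh
# OpenVPN passes the tap device name (e.g. tap0) as the first argument.

BRIDGE="${BRIDGE:-bridge0}"   # assumed bridge name, as in the thread's rc.conf
LAN_IF="${LAN_IF:-igb0}"      # assumed LAN member NIC, as in the thread

# is_bridge_member IFACE IFCONFIG_OUTPUT
# Succeeds when IFCONFIG_OUTPUT (text of `ifconfig $BRIDGE`) lists IFACE as a member.
is_bridge_member() {
    printf '%s\n' "$2" | grep -q "^[[:space:]]*member: $1 "
}

# has_inet IFCONFIG_OUTPUT
# Succeeds when the ifconfig text carries an IPv4 ("inet ", not "inet6") address.
has_inet() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# check_layout BRIDGE_OUTPUT LAN_OUTPUT
# The LAN address belongs on the bridge, not on the member NIC; warn otherwise.
# Succeeds only when the bridge has the address and the NIC does not.
check_layout() {
    layout_ok=0
    if has_inet "$2"; then
        echo "warning: $LAN_IF still carries an inet address; move it to $BRIDGE"
        layout_ok=1
    fi
    if ! has_inet "$1"; then
        echo "warning: $BRIDGE has no inet address"
        layout_ok=1
    fi
    return $layout_ok
}

# main TAPDEV: what runs on a real FreeBSD host when OpenVPN calls the hook.
main() {
    dev="$1"
    [ -n "$dev" ] || { echo "usage: $0 <tapdev>" >&2; exit 64; }
    bridge_out=$(ifconfig "$BRIDGE")
    # addm fails with "File exists" if the member is already present, so check first.
    if ! is_bridge_member "$dev" "$bridge_out"; then
        ifconfig "$BRIDGE" addm "$dev"
    fi
    check_layout "$(ifconfig "$BRIDGE")" "$(ifconfig "$LAN_IF")" || true
    # Rules naming the tap device were skipped when ipfw loaded at boot (the device
    # did not exist yet); re-running firewall_script now that it is up picks them up.
    service ipfw restart
}

# selftest: runs the parsing logic offline against constructed ifconfig text
# (trimmed from the thread's output). Succeeds when every check behaves as expected.
selftest() {
    bridge_thread='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:d8:b6:58:51:00
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'
    igb0_thread='igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255'
    # Constructed "fixed" layout: the address moved from igb0 to bridge0.
    bridge_fixed="$bridge_thread
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255"
    igb0_fixed='igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether a0:36:9f:cd:7d:e7'
    is_bridge_member tap0 "$bridge_thread" || return 1
    if is_bridge_member tap1 "$bridge_thread"; then return 1; fi
    if check_layout "$bridge_thread" "$igb0_thread" >/dev/null; then return 1; fi
    check_layout "$bridge_fixed" "$igb0_fixed" >/dev/null || return 1
    return 0
}

# Run the hook only when OpenVPN hands us a device name; running without
# arguments just defines the functions (useful for `sh -c '. ./up.sh; selftest'`).
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

On the poster's current layout (address on igb0, none on bridge0) `check_layout` prints both warnings and the hook still reloads ipfw; once the address is moved to bridge0 as suggested, it stays quiet.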


----------

