In search of VPN server with specific requirements

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › In search of VPN server with specific requirements

pomtom44

128 posts

Master Geek

#255598 20-Aug-2019 09:19

Hi all

Im having issues with finding a solution which ticks all my boxes.

Im looking for a VPN server I can install on a linux box, which does bridging mode rather than routing mode.
(Get a proper internal IP address on my network, not routed though the servers internal IP. as I have filtering and such based in IP and it doesn't work if all traffic is coming from the VPN servers IP)

But also works on andriod phones.

Iv tried OpenVPN and WireGuard but neither seem to support bridge & Andriod
Iv also tried SoftEther, but setting it up properly has me a little confused so not to keen on that one.

Id also like it if I can run it on UDP 443 to bypass some public WiFi restrictions, but thats not a requirement rather a nice to have.

1 | 2 | 3

474 posts

Ultimate Geek

#2302445 20-Aug-2019 17:14

OpenVPN supports bridge mode using a TAP interface.

Sharesies kids

Free kids accounts - trade shares and funds (NZ, US) with Sharesies (affiliate link).

rscole86

4968 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

#2302446 20-Aug-2019 17:20

I run pivpn on a pihole, which is just openvpn. Works fine. I use the openvpn for android app to connect to it.

fe31nz

1207 posts

Uber Geek

#2302651 20-Aug-2019 22:33

I run OpenVPN in bridging mode on my MythTV box (Ubuntu 18.04). I have also in the past had to have it on port 22 so I could connect to it from work. PM me if you would like help configuring it. I have yet to change my setup from IP addresses assigned by OpenVPN to using DHCP to get the addresses directly from my router, but that should be possible. When you use bridging, you can also get IPv6 to work without having to actually set up OpenVPN to support IPv6 as all the broadcast packets needed are automatically transferred in bridging mode.

pomtom44

128 posts

Master Geek

#2302696 21-Aug-2019 07:34

Everyone here says OpenVPN
But when I run the android app it says "Tap mode is not supported"

So if someone could explain how to get around that?

Resnick

238 posts

Master Geek

Lifetime subscriber

#2302752 21-Aug-2019 09:43

pomtom44:

Everyone here says OpenVPN
But when I run the android app it says "Tap mode is not supported"

So if someone could explain how to get around that?

This app supports openvpn TAP on Android without root. It's not open source if that's important to you.

pomtom44

128 posts

Master Geek

#2302756 21-Aug-2019 09:50

Resnick:

pomtom44:

Everyone here says OpenVPN
But when I run the android app it says "Tap mode is not supported"

So if someone could explain how to get around that?

This app supports openvpn TAP on Android without root. It's not open source if that's important to you.

I found that app, and if need be ill use it
Just not a fan of the subscription model thats attached to it, as Ill be setting it up on a few family members phones, and dont want to have to say "Hey, pay for this thing for something that im offering for free"

Resnick

238 posts

Master Geek

Lifetime subscriber

#2302772 21-Aug-2019 09:54

Fair enough. As @rscole86 suggested, pivpn is easy to setup and will achieve what you want without any problems. I also use it, no problems with android clients.

pomtom44

128 posts

Master Geek

#2302785 21-Aug-2019 10:07

Resnick:

Fair enough. As @rscole86 suggested, pivpn is easy to setup and will achieve what you want without any problems. I also use it, no problems with android clients.

Doesnt that still run into the OpenVPN TAP Andriod issue though?

Im now thinking I may just have to do my firewalling on the VPN server rather than my main firewall

BarTender

3602 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#2302789 21-Aug-2019 10:16

I'm not sure why TUN isn't an option, as I find issues with bridging over VPN and broadcast traffic.

I run OpenVPN at home and hand out DHCP addresses for the mobile clients.

It's routed traffic and each IP is unique and unless you need broadcast / Bonjour / mDNS then you use the Avahi in relay mode.

http://chrisreinking.com/need-bonjour-across-vlans-set-up-an-avahi-gateway/

Or the myriad of other articles talking about how to route Bonjour / mDNS traffic between two networks.

Resnick

238 posts

Master Geek

Lifetime subscriber

#2302792 21-Aug-2019 10:20

I'm using an exported pivpn ovpn profile on openvpn connect (android) client and it works. I can access home network shares, rdp etc without issue on my android phone and chromebook. I set it up some time ago but I don't recall any issues with bridging configurations.

pomtom44

128 posts

Master Geek

#2302808 21-Aug-2019 10:23

Resnick:

I'm using an exported pivpn ovpn profile on openvpn connect (android) client and it works. I can access home network shares, rdp etc without issue on my android phone and chromebook. I set it up some time ago but I don't recall any issues with bridging configurations.

Its less about access network services, as that would work though either bridge or routed mode (as far as im aware)
Its more about the traffic on the network having the clients IP or the servers IP

If you run in TUN mode / routing, then any traffic on the LAN side uses the LAN ip of the VPN server.
Where if you run in TAP mode / bridge, then it uses the cleints IP

And I can't do my firewalling based on client IP if all traffic is using the VPN servers IP

BarTender

3602 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#2302811 21-Aug-2019 10:29

pomtom44:

Resnick:

I'm using an exported pivpn ovpn profile on openvpn connect (android) client and it works. I can access home network shares, rdp etc without issue on my android phone and chromebook. I set it up some time ago but I don't recall any issues with bridging configurations.

Its less about access network services, as that would work though either bridge or routed mode (as far as im aware)
Its more about the traffic on the network having the clients IP or the servers IP

If you run in TUN mode / routing, then any traffic on the LAN side uses the LAN ip of the VPN server.
Where if you run in TAP mode / bridge, then it uses the cleints IP

And I can't do my firewalling based on client IP if all traffic is using the VPN servers IP

This isn't correct.

In TUN mode then there is a separate "OpenVPN" network on the internal side that all clients get a unique IP address and traffic is routed between the OpenVPN network and your internet LAN. Unless you put in a iptables firewall then there isn't anything blocking traffic in either direction when you are on the OpenVPN.

In TAP mode you get an IP address on the LAN network as your OpenVPN client is Layer 2 (L2) bridged to the LAN network so you get an IP Address from your LAN. This requires a lot of routing / L2 bridge trickery to work and thus typically requires more access on the client device.

The only thing that TUN mode has issues with is if you are using Broadcast / Multicast services such as Bonjour / mDNS for service discovery as they are in different subnets. That's where services like Avahi get around the issue. As this is no different to running two subnets on your internal LAN.

pomtom44

128 posts

Master Geek

#2302818 21-Aug-2019 10:35

BarTender:

pomtom44:

Resnick:

I'm using an exported pivpn ovpn profile on openvpn connect (android) client and it works. I can access home network shares, rdp etc without issue on my android phone and chromebook. I set it up some time ago but I don't recall any issues with bridging configurations.

Its less about access network services, as that would work though either bridge or routed mode (as far as im aware)
Its more about the traffic on the network having the clients IP or the servers IP

If you run in TUN mode / routing, then any traffic on the LAN side uses the LAN ip of the VPN server.
Where if you run in TAP mode / bridge, then it uses the cleints IP

And I can't do my firewalling based on client IP if all traffic is using the VPN servers IP

This isn't correct.

In TUN mode then there is a separate "OpenVPN" network on the internal side that all clients get a unique IP address and traffic is routed between the OpenVPN network and your internet LAN. Unless you put in a iptables firewall then there isn't anything blocking traffic in either direction when you are on the OpenVPN.

In TAP mode you get an IP address on the LAN network as your OpenVPN client is Layer 2 (L2) bridged to the LAN network so you get an IP Address from your LAN. This requires a lot of routing / L2 bridge trickery to work and thus typically requires more access on the client device.

The only thing that TUN mode has issues with is if you are using Broadcast / Multicast services such as Bonjour / mDNS for service discovery as they are in different subnets. That's where services like Avahi get around the issue. As this is no different to running two subnets on your internal LAN.

Thats exactly what I said isnt it?

I want to run in TAP mode so the traffic on the LAN uses the Clients IP, so then I can use my current firewall to do my traffic management
Like I do for my current vlans and devices.

I can't do that on TUN mode as my firewall only sees the internal IP of my VPN server and not the client IP thats connecting.

Spyware

3729 posts

Uber Geek

Lifetime subscriber

#2302820 21-Aug-2019 10:39

Nope.

BarTender

3602 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#2302823 21-Aug-2019 10:45

pomtom44: Thats exactly what I said isnt it?

I want to run in TAP mode so the traffic on the LAN uses the Clients IP, so then I can use my current firewall to do my traffic management
Like I do for my current vlans and devices.

I can't do that on TUN mode as my firewall only sees the internal IP of my VPN server and not the client IP thats connecting.

The firewall will see the IP addresses allocated in TUN mode so you can apply traffic management. It is just that the traffic will come from a different subnet rather than your current LAN subnet.

So in TAP mode you would have

Firewall 192.168.1.1 + Subnet 192.168.1.0/24 + OpenVPN Server on 192.168.1.2 and LAN IP addresses of 192.168.1.10-50 and VPN IP addresses 192.168.1.200-192.168.1.210

Or something like that. The issue is the client to dish out the IPs is a lot more complicated

In TUN mode you would have:

Firewall 192.168.1.1 + Subnet 192.168.1.0/24 + OpenVPN Server on 192.168.1.2 and LAN IP addresses of 192.168.1.10-50

Then you would also have a network route on the Firewall for 192.168.2.0/24 via 192.168.1.2

OpenVPN would have the TUN interface on 192.168.2.1 and hand out IP Addresses on 192.168.2.10-50 or whatever and you would run Avahi on the OpenVPN Server as it would be a router.

Then the firewall would need to apply policy to 192.168.1.0/24 and 192.168.2.0/24 based on the traffic management you require.

1 | 2 | 3