OpenVPN Support Forum

So I have an OpenVPN remote access server setup and the clients connect just fine. The only problem is that Upnp does not work because the client -> server multicast traffic is not being received by the server. On the other hand, the server -> client multicast traffic is received by the client perfectly. I've been reading and realized that multicast traffic is not sent through the tunnel network natively. If that's the case, what do I do to make this work? I don't believe I need an IGMP proxy because I'm not trying to make multicast traffic in between networks. I only need it within the OpenVPN tunnel network. I'm currently using tun instead of tap.

As for the packet capture files, here you go:

1. Without OpenVPN:

Packet capture from pfsense LAN interface: https://www.dropbox.com/s/f92vxyd6muuec ... .pcap?dl=0
Packet capture from client LAN interface: https://www.dropbox.com/s/cxl4esvxr1kzf ... capng?dl=0

* Server (192.168.10.1) sends multicast packet (NOTIFY method) to 239.255.255.250 and client receives it
* Client (192.168.10.13) sends multicast packet (M-SEARCH method) to 239.255.255.250 and server receives it

2. With OpenVPN:

Packet capture from pfsense OpenVPN interface: https://www.dropbox.com/s/u8mh6vg24hw77 ... .pcap?dl=0
Packet capture from client OpenVPN interface: https://www.dropbox.com/s/025ctzhr2ghll ... capng?dl=0

* Server (10.0.1.1) sends multicast packet (NOTIFY method) to 239.255.255.250 and client receives it
* Client (10.0.1.101) sends multicast packet (M-SEARCH method) to 239.255.255.250 and server DOES NOT RECEIVE it

If it helps, my OpenVPN remote access server settings are posted here: https://forum.netgate.com/post/911141

You may have to experiment with --dev-type tap

Can you do tap without any bridging?

kevindd992002 wrote: ↑

Wed May 13, 2020 12:20 am

Can you do tap without any bridging?

Inside the tunnel only possibly, I have never tried..

multicast is nonrouting protocol so forget working over vpn or over difference ip subnet , if you want you can make it tap connection . tap connection will send full of broadcast so the more device the more traffic . it will slow down everything . if you want play game or stream over vpn that is you need tap connection .

Yeah but that's the thing, I'm not routing multicast packets. I just need multicast to work on the same subnet (the VPN tunnel network). I don't need the openvpn server to route it to another subnet. The openvpn client has IP addresses in the 10.0.1.0/24 subnet and the openvpn server has an interface IP of 10.0.1.1.

SSDP packets from the server to client -> successfully received by the client
SSDP packets from the client to the server -> generated by client on the openvpn interface but not received by the server interface

Which part is the routing happening there? I'm confused.

kevindd992002 wrote: ↑

Wed May 20, 2020 2:32 am

SSDP packets from the server to client -> successfully received by the client
SSDP packets from the client to the server -> generated by client on the openvpn interface but not received by the server interface

tcpdump those packets and log them here.

TinCanTech wrote: ↑

Wed May 20, 2020 11:57 am

kevindd992002 wrote: ↑

Wed May 20, 2020 2:32 am

SSDP packets from the server to client -> successfully received by the client
SSDP packets from the client to the server -> generated by client on the openvpn interface but not received by the server interface

tcpdump those packets and log them here.

I already have packet capture logs in my first post. What difference does a tcpdump (also a packet capture CLI tool) result do for this case? I'm not sure I understand.

@TinCanTech, did you anything else to get this going?

TinCanTech wrote: ↑

Tue May 12, 2020 5:08 pm

You may have to experiment with --dev-type tap

As for your packet captures, I don't use dropbox ...

Are you saying that you don't trust dropbox so you won't download the files from those links? If so, which file sharing site do you want me to upload the files to?

Also, before I try the tap device, I would really want to understand first why I'm having this issue with the tun device because basic networking principles indicate that there shouldn't be any issues with tun for my use case.

kevindd992002 wrote: ↑

Sat May 23, 2020 12:50 pm

basic networking principles indicate that there shouldn't be any issues with tun for my use case

Openvpn in server mode with multiple clients is not basic networking.

On top of that, you are using pfSense which I don't support for free.

And as I said before,
I have never tried to configure openvpn the way you are
and I do not know if it will work as you expect, if at all.

I don't even have multiple clients. I only have two clients. By basic networking, I specifically mean that the packets I'm trying to analyze don't even need to traverse through different subnets. I'm only talking about a single subnet, the openvpn tunnel network.

What would be the purpose of asking for the packet capture logs then? Sorry, but I'm still confused.

kevindd992002 wrote: ↑

Sat May 23, 2020 3:32 pm

What would be the purpose of asking for the packet capture logs then?

Because we cannot see them on dropbox.

Anyway, I have given you all the help I can, now you must try it for yourself.

If you want me to do this for you then you will need to financially incentivise me.

Ok, so the packet capture files are in this post here:

https://forum.netgate.com/post/911438

I wouldn't mind paying you a fee if this was for work or something but since, like I said, this is for merely two clients I'd rather post in forums and ask for free advice.

Did you manage to get it working ?