• 10 Votes
    23 Posts
    31k Views
    GertjanG
    @Bambos said in HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection: for the remote access VPN, if is SSL/TLS + User auth, does this working with freeradius as well ? I'm using FreeRadius myself for the captive portal. Never tried to do this ... You probably want also see this one also : FreeRadius on pfSense software for Two Factor Authentication although I presume that article was written for those who wanted to "why do things the easy way if much harder is so much better ?" @Bambos said in HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection: i have many 2.6 versions clients to upgrade Keep in mind that 2.6.0 uses the "old" (now completly ditched because of security) OpenVPN (and now also old OpenSSL !!) libaries. The recent pfSense uses the more modern OpenVPN and OpenSSL. All this means that some options won't work anymore. Some more options will work, but will be depreciated soon (as usual). I Use OpenVPN myself, so I always have a look at the "source" : web pages like this and the classic openvpn support forum. The OpenVPN client also changed to support the newer OpenVPN server. And yes, I agree, syncing the entire openvpn user fleet can be a hassle.
  • Scaling OpenVPN (and VPNs in general)

    Pinned
    12
    6 Votes
    12 Posts
    19k Views
    M
    I have discovered that OpenVPN implementation in PFsense is slow even without ciphering data, look at my post: link text
  • OpenVPN Documentation

    Pinned Locked
    1
    0 Votes
    1 Posts
    38k Views
    No one has replied
  • Always-on VPN not working with Protectli and Slate AP

    7
    0 Votes
    7 Posts
    44 Views
    H
    @Gertjan I have allowed pfSense's DHCP to dole out the IP for the AP. I tried assigning an IP as you recommend but it didn't help. I've also ordered another AP to see if there is something about the software there that's causing the issue.
  • Portforword through a VPN client

    4
    6
    0 Votes
    4 Posts
    66 Views
    V
    Well, if this is correct as far, you should be close to get it working. @Udbytossen said in Portforword through a VPN client: And under the firewall rule advanced setting I'm changing the gateway to Torguard instead of default But already mentioned, that this makes no sense at all. So edit the rule and set the gateway to default. Then go to the OpenVPN rule tab and remove or disable each pass rule. Done.
  • Cannot connect to OpenVPN Server via ipv6 endpoint

    4
    0 Votes
    4 Posts
    58 Views
    JKnottJ
    Is your pfSense configured to work over both IPv4 and IPv6? I assume you have IPv6 on your WAN. 4G & 5G phones are IPv6 and Android phones use 464XLAT to access IPv4 sites. This is effectively double NAT, which can mess things up. I don't know what iPhones use, but they'd have something similar. By sticking with IPv4, you are already breaking things. IPv6 is the future, so you'd better get used to it.
  • 0 Votes
    9 Posts
    108 Views
    T
    Certificates for authentication are fine being self-signed with whatever validity you assess is good for you. The VPN-endpoint (the public address) should have a real public certificate. The CA-chain for this ertificate is part of the profile, so there is a caveat that you must check the CA-chain for changes when you renew the public endpoint cert. This however can be considered a rare event in a sense, and usually you get heads up when roots (very rare) and/or intermediates (more likely but still rare) change. If the chain changes, you must provide new profiles to all users, which can be a PITA of not prepared.
  • 0 Votes
    4 Posts
    950 Views
    M
    Hello, I have the same problem on a pfsense box. I performed a fresh install on a VM on the same site with exactly the same configuration, and... no errors at all For your information, the log line refers to a return from a "write" call. write is the name of a function; it's a system call. https://man.freebsd.org/cgi/man.cgi?write(2) " The write() system call attempts to write nbytes of data to the object referenced by the descriptor fd from the buffer pointed to by buf. " https://man.freebsd.org/cgi/man.cgi?write(2) So, for the following, fd=6 is the file descriptor where we're trying to write, and code=13 is the error code retrieved just after the write call, which returned -1. " Upon successful completion, the number of bytes which were written is returned. Otherwise, a -1 is returned, and the global variable errno is Set to indicate the error. We learn that code 13 matches the description EACCES 13 Permission denied Either the process is not authorized to write to the file not helfull but : It's a permission issue; we're not supposed to be able to touch that from the web interface, I presume. Either it's a bug, or a third-party package is putting the problem in, etc. Contrary to what Google says, this has nothing to do with firewall rules.
  • Activating IPsec-MB Crypto

    10
    2
    0 Votes
    10 Posts
    907 Views
    Z
    @McMurphy Do you have an external BSD compatible cryptodev accelerator card or device outside of your AES-NI CPU? (These devices are extremely hard to find) If not why are you telling pfSense that you do? If you don't you should only use AES-NI CPU-based Acceleration only.
  • Discrepancy Between OpenVPN routing table and genaral routing table

    2
    2
    0 Votes
    2 Posts
    42 Views
    V
    @ThaBozz No. OpenVPN just adds a route for the first client IP in the tunnel network to the system routing table. This just routes the traffic to the OpenVPN insctance. But the correct routing to the respective client IP is done inside OpenVPN. pfSense doesn't know at all, what happens there.
  • Dual-WAN access configuration

    9
    3
    0 Votes
    9 Posts
    1k Views
    P
    @chitchat Assuming the two VPN servers use all the same certs then it should be ok. In my case the single VPN server listens on Localhost. Then there's two port-forwards (one for each WAN) to the same VPN server. [image: 1759479867156-eed1a7f9-d88e-4da3-bb46-e723e73ed01e-image.png] [image: 1759479896297-6d8d4837-2ea9-43eb-95c0-08358cd644b3-image.png]
  • OpenVPN(pureVPN) on version 2.7.2

    4
    0 Votes
    4 Posts
    1k Views
    R
    I figured it out...Used PureVPN pfSense 2.5.2 instructions and loosely https://vpnalert.com/guides/nordvpn-pfsense/ I changed the PureVPN pfSense 2.5.2 instructions in this manner: '17. Client Certificate: None' to 'Client Certificate: webConfigurator default (XXXXXXXX) (Server: Yes, In Use) Added after '23. Under Advanced Configuration:' Custom options: (from ovpn file downloaded from PureVPN) dev tun auth-user-pass persist-key persist-tun nobind compress With these changes it connected after 2 retries and has been connected for the last couple hours...Now to make rules to sent traffic to my newly added pfSense based always connected VPN. Hooyah!!!! Rudder2
  • Get OpenVPN clients to recognize hardcoded hostnames in DHCP server

    1
    2
    0 Votes
    1 Posts
    431 Views
    No one has replied
  • remote printing while connected to vpn

    3
    0 Votes
    3 Posts
    1k Views
    GertjanG
    @adrianp918 If your VPN client (on the remote device) uses the pfSense resolver as its DNS source, you could create a host name on pfSense for this printer. from then on you can use (example) : "printer.your-pfsense-domain.tld" as that will resolve to the LAN IP of the printer.
  • Windows 11 connectivity issue with OpenVPN in pfSense 2.8.1

    2
    0 Votes
    2 Posts
    4k Views
    G
    Just replying to my original post. The issue seemed to be something to do with Proxmox. I brought another PVE host into my cluster this weekend. As part of that work, I had to go to the Proxmox Datacenter view and go to "SDN > Apply" to push my Proxmox SDN "Zones" and "VNets" to the new host. When I did that, it went ahead and refreshed the Zones and VNets (and anything else that is SDN-related) on the existing PVE hosts - one of which was hosting my virtual firewall. To my surprise and utter delight, the previous issues of some internal websites not always working, and RDP often timing out and coming back - all that went away. I have no idea what was going on in the virtual bridges but at least now if I see those issues again, I'll know where to look for troubleshooting, and what should fix it. Hope this helps someone down the line. Hope I've put in enough keywords for web crawlers and AI. :) Cheers.
  • calling-station-id attribute question

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • VPN Site to Site + OpenVPN

    9
    0 Votes
    9 Posts
    6k Views
    M
    @marcelobeckmann Obrigado pelo contato em diagnostico/rotas existem varias rotas inclusive para 192.168.10.0/24 Meu conhecimento com PFSense é basico e fiz as congurações baseados em videos e tutoriais encontrados na internet para fechar esta VPN Site to Site Poderia me auxiliar como criar estas rotas e onde verifico se elas existem? Para adiantar vamos a estrutura DATACENTER - PFSENSE WAN: 201.46.121.XXX LAN_BLO:192.168.100.1/24 LAN_EFT:172.11.1.254/24 LAN_HPK:192.168.120.1/24 LAN_GTR:192.168.130.1/24 VPNSITETOSITE VPN_EFT - LAN_EFT DATACENTER X LAN_EFT CLIENT TUNEL IP: 10.0.11.0/24 LAN LOCAL: 172.11.1.0/24 LAN REMOTA 192.168.10.0/24 STATUS: FUNCIONANDO EM PRODUÇÃO PINGANDO NORMAL DA LAN REMOTA PARA LAN LOCAL DATACENTER. VPN_GTR TUNEL IP: 10.0.15.0/24 LAN LOCAL: 192.168.130.0/24 LAN REMOTA 192.168.10.0/24 STATUS: CONECTADA PINGANDO SO DE DENTRO DO PFSENSE LAN REMOTA NAS ESTACOES DA LAN REMOTA (192.168.10.0/24) NAO ALCANCAM NEM O SERVIDOR DE DADOS (192.168.130.242) E NEM O PFSENSE (192.168.130.1) AMBOS SAO ALCANCADOS DE DENTRO DO PFSENSE LAN REMOTA. JA USEI COMO BASE A VPN_EFT E NAO ENCONTREI NADA DE DIFERENTE QUE JUSTIFICASSE A VPN_GTR NAO FUNCIONAR|-left aligned paragraph
  • 0 Votes
    15 Posts
    6k Views
    N
    @viragomann Can you possibly elaborate on this? A floating rule on the client pf? both instances? (active and stby?)
  • Installing Openvpn package

    6
    0 Votes
    6 Posts
    5k Views
    GertjanG
    @hossazaw said in Installing Openvpn package: I found the url on gpt and also searched for the package in the website but with no luck pfSense has its own 'package servers url' build in. Like Windows : no need to specify where to look for updates, Windows knows how to call home. be ware : if if you found that url, you can't use it with a web browser. It's a package server, not a web server. @hossazaw said in Installing Openvpn package: Whenever I tried to install the package from Webgui, it says "Please wait while the update system initializes" and nothing happens. A possible reason : and by far the most obvious one : DNS is broken. The code (script) used to request the package list is somewhat resilient, and won't take no for an answer that quickly, and will stay in memory for some time, trying many times. It could be a non local temporary DNS issue after all. All this time, only one instance of this script is allowed, subsequent requests from your (GUI) side will get "Please wait while the update system initializes" as an answer. If DNS couldn't be used by the update script, because it (for pfSense itself) doesn't work, it can take quiet a while before it times out. Subsequent request will also fail. To see better what actually happens : Use the SSH or console access, option 8. Start by reading this one : Troubleshooting Upgrades.
  • Openvpn traffic not counted in interface statistics

    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.