OK, so deep diving, this does not function as expected in pfSense if you try and chain CA certificates. It just doesn't and hard-fails.

The only way to do this is to use a single-tier OpenVPN Certificate Authority and then things just work. Unfortunate, but this is a solution we can work with (everything's stored in a X.509 cert management utility so nothing is lost and everything is equally secure).

Just annoying I can't use the intermediate chains...

@bartkowski Try removing WireGuard and then going again.

@wspence
Yeah, it's not expected to see any route for an IPSec P2P with traditional phase 2.
The IPSec Status page shows if the connection is established properly. And if you can reach the other site everything should be fine.

To give the OpenVPN users access to the remote sites you have to add two P2 to each site:

On location 1:
P2-2:
local network: 10.10.10.0/24
remote: 192.168.11.0/24 (I guess)
P2-3:
local network: 192.168.1.0/24
remote: 10.10.50.0/24

loc 2:
P2-2:
local network: 192.168.11.0/24
remote: 10.10.10.0/24
P2-3:
local network: 10.10.50.0/24
remote: 192.168.1.0/24

Also to the OpenVPN access Servers you have to add the remote network to the "IPv4 Local Network/s" on both sites:

loc 1 / 2:
IPv4 Local Network/s: 192.168.1.0/24,192.168.11.0/24

Found the problem, sort of, and it's not with pfSense (never really thought it was to be honest).
In the GUI version of NetworkManager it shows the VPN connection as down every time I connect, but if I connect manually in the terminal with the exact same credentials the connection is up, and I think I know the reason why.
I use an external dongle to get ethernet on my utrabook. NetworkManager does not see the card, not in the GUI or in "nmtui". Still it has a driver and is working obviously. So because the Ethernet interface is not present in NetworkManager, then it seems it cannot use that interface to establish the connection, which seem logical.
Before I set up pfSense I always used the Wireless interface to connect to NordVPN, and that is present both in the GUI and in nmtui.
The strange thing is that it is NetworkManager that manages my network connections, and when NetworkManager stars in boot up and the dongle is connected the interface works and gets a name if you look it up in the terminal with "ip a", yet the interface does not show up in "nmtui" or the GUI version of NetworkManager. Oh well, as long as it works.

I’m no longer receiving the route from the server, log output above. I can mainly add the route manually on the client side and get it to work. Also - Radius logins is broken in this release.

Jul 11 19:53:39 openvpn 55807 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options

Jul 11 19:53:39 openvpn 55807 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.20.0

ok i got it working i did have that the "SSL/TLS + User Auth"
what i noticed i didnt notice before

for both site to site and remote access

the description is "openvpn remote access" i had for both..

i did not know that under Client Export under "Remote Access Server" it goes by description

and when i read it saying "openvpn remote access" thought i was fine.. when i clicked it i had 2 "openvpn remote access" i never knew that was "Description" and not name of the certificate...

i know if i used openvpn alot i wouldnt make mistakes like that....

too bad for newbs they didnt offer a little note under Client Export
under Remote Access Server.. Server name is from Description Name from Server Tab... or under the Servers.. when you write Description.. like it say "This will be Remote Access Server Name"

i never clued in at all till i found i had both desc same and that made the difference... didnt even know

@blasterspike Thank you for updating the bug. Since Jim Pingle took ownership and rejected it, I'm hoping he'll get update notifications, review it, and consider reopening it. If not, I'll look for other ways to reach out. I suppose you could open a bug of your own, too, if you thought that was a good idea. You could just refer to 13327 and report you're having the same experience on the current release. I'm not sure which approach will be the most effective. We know it's a real bug - it's just that the developers don't.

@heper Thank you

@ddbnj

If I packet capture on the remote side, I can see ping packets coming over after I turned off the cloud NAT (SNAT) function.

However, when using BGP, if I capture packets on the cloud interface on the local side, BGP is not sending any requests out.

BGP is sending out requests on my other openvpn client interfaces as appropriate.
localBGP-working.JPG

closter neighbors.JPG

But not on the openvpn client connected to OpenVPN cloud.

@gertjan

Will do so. @gertjan, thank you very much for all your help.
Take care.

@johnpoz I found somewhere on the web that it is useful to install the 'openresolv' package. This helped :)

Thank you for your activity on the forum and quick support on any issue :)

The way I see it I have two choices. I can get a second external IP address and link the client IP address as a second policy condition, although I doubt my ISP will want to hand out IPv4 hens teeth and I am not keen on trail blazing IPv6. My other option is to set up a second RADIUS server which is a bit clunky as well. Fortunately at this stage I only need two different types of VPN's
I forgot to mention this is Windows Server RADIUS (NPS). Maybe I need to set up FreeRADIUS and use the rules from the man pages, or use LDAP?

@vbianconi88 I'm not following what you're saying in number 1 so I'll skip that. Number 2, select "other" then enter your DDNS in the box it gives you.

@m229m
Either set up the OpenVPN server on the router (default gateway) or set up a transit network on the router and move the VPN server into it.

Your setup ends up in asymmetric routing issues.

@jimp Sorry, you were right, it was my config error, now it works correctly (pear to pear SSL / TLS) no bugs.

Thanks

@nogbadthebad said in Problem with Virtual Address:

I'm at a loss why Surfshark said talk to Netgate ...

Because that’s an easy way for the first level support to get rid of an onerous customer.

Attributed this to Windows Update KB5013887. Once removed, OpenVPN performance is back to normal.

@rolster said in Multi-Hop OpenVPN:

I have an OpenVPN installation running between my head office for Business "A" and the Head Office for Business "B".
It works really well and does what I want it to do.

In both businesses, I have multiple sites that also need to connect across the OVPN tunnel, but we don't the necessay L3 routing in place to get their traffic to each of the head offices.

In my head, I believe that this should be possible, by installing a PFS OVPN client at each site.
The local traffic can be forwarded into the LAN interface without issue.
I want the traffic to travel via the WAN interface to the LAN interface of the successfully connected installation, then travel through the working inter-site tunnel to the partner business.

I think it should be "do-able", but haven't got it working yet.

Any tips or advice?

So you have a site to site tunnel between A and B?
How are the "multiple sites" connected? Just to A, just to B, between both?
I don't know what PFS is, do you mean pfSense? If so, yes, that would work, but not necessary. Any OpenVPN client would work.

What JKnott means is you just need the correct static routes between sites. The OpenVPN config will add them if done right.