• Port Forwarding Via Site to Site VPN (OPEN VPN)

    2
    0 Votes
    2 Posts
    424 Views
    V

    @emtechsg

    The trick to route the packets correctly is on the pfSense at the web server's site (83.82.88.1).
    If it is on version 2.5.1 update it to 2.5.2.

    If you didn't already, assign an interface to the OpenVPN instance and activate it.
    This gives you a new tab in the firewall rules. Add a rule to this allowing the incoming traffic from the remote site.

    Ensure that there is no rule on the OpenVPN tab matching this traffic. If possible, remove all rules if you don't need them for other OpenVPN instances.
    Also ensure that no floating rule is matching that traffic.

    On the other side simply port forward the traffic to the web server.

  • No traffic on UDP tunnel

    2
    0 Votes
    2 Posts
    558 Views
    B

    I've found that if I redirect all traffic through the VPN, traffic works normally across the VPN.

    I used the following in the server config.
    push "redirect-gateway def1"

    So is this a client issue?

    Route print on the client shows the local networks correctly in the clients routing table when I push "route x.x.x.x x.x.x.x"

    But no traffic will traverse when I push route. It only works when I push "redirect-gateway def1"

  • How to split openvpn config file

    4
    0 Votes
    4 Posts
    1k Views
    DaddyGoD

    @shetu said in How to split openvpn config file:

    When Grand stream connect openvpn, I can not browse GS web gui.

    I have seen many GrandStream devices, for example my ATA stuff is GS HT802.
    (I don't know yours specifically, but I guess the philosophy is the same)

    There is a separate MGMT interface configuration option, maybe to use when OVPN is configured.


  • bypass vpn not working

    1
    0 Votes
    1 Posts
    324 Views
    No one has replied
  • [noob question] pfSense as a OpenVPN client for selected devices

    28
    0 Votes
    28 Posts
    3k Views
    DraghmarD

    @viragomann Yup, that was it! Thanks! Now everything seems to work as it should. :D

  • OpenVPN IPv6 Local Network

    6
    0 Votes
    6 Posts
    739 Views
    JKnottJ

    @chrisjmuk

    I get the impression you're heading in the wrong direction. With IPv6, most ISPs provide multiple /64s. I get /56, which contains 256 /64s from mine. I then assign a /64 to wherever I have a network. For example, I have 1 each for my main LAN, guest WiFi, test LAN, Cisco router and OpenVPN. I suspect you're still thinking in terms of IPv4, where it was necessary to use a hack, NAT, to make up for the address shortage. No need for that nonsense on IPv6.

  • 0 Votes
    1 Posts
    221 Views
    No one has replied
  • OpenVPN site-to-site setup

    3
    0 Votes
    3 Posts
    460 Views
    V

    @mmarco
    If you set up a site2site OpenVPN select "peer to peer" server mode and use a /30 tunnel subnet.
    So there is no need for a CSO.

  • pfsense as openvpn client & port forwarding

    1
    0 Votes
    1 Posts
    236 Views
    No one has replied
  • High ping time when others connect

    2
    0 Votes
    2 Posts
    392 Views
    K

    I changed the option "Certificate Depth" from
    "One (Client+Server)"
    to
    "Do not check"
    and now I do not experience the issue anymore.

    My question stays the same though:
    Why is this happening on the SG-2100 and not on a virtual pfSense?

  • OpenVPN tunnel established, one side's traffic gets lost

    39
    0 Votes
    39 Posts
    4k Views
    V

    @issuehaver
    Thanks for the feedback. Glad that you got it working at last.

  • After restoring configuration OpenVPN certificates missing

    Moved
    5
    0 Votes
    5 Posts
    1k Views
    bingo600B

    @apara

    From the URL above, it seems that your vendor needs to sign with SHA instead of MD5.
    Getting new updated certificates would be the correct solution.

    But with some vendors ... "Good luck w that" 👎

    /Bingo

  • OpenVPN connects, can ping LAN hosts but no web pages load

    14
    0 Votes
    14 Posts
    981 Views
    C

    Can anyone offer any help debugging this please - I am not making any progress.

  • I am unable to connect to OpenVPN Server

    12
    0 Votes
    12 Posts
    4k Views
    J

    @viragomann
    Thank you so much for your reply. I have managed to do some magic by following this forum discussion:

    www.truenas.com/community/threads/truenas-12-openvpn-service-testing.85461/page-2
  • pfsense openvpn tunnelling issue

    2
    0 Votes
    2 Posts
    473 Views
    V

    @hardikpfsense said in pfsense openvpn tunnelling issue:

    Now from documentation we read that to do what we want to do we tried to set IPV4 to : 192.168.1.0/24 and forced
    Redirect IPv4 Gateway using checkbox in tunnel settings.

    Where did you read this?

    It is sufficient to add the subnets where your internal services reside to the "Local networks" in the OpenVPN server settings.

    "Redirect gateway" forces the whole clients upstream traffic over the VPN. Is that what you really want?
    Can the clients access your services with that option?

  • OpenVPN client computer names

    7
    0 Votes
    7 Posts
    779 Views
    W

    @viragomann said in OpenVPN client computer names:

    So you will have to request the responsible admin to do this.
    Can't think of any you can do on the OpenVPN server, since the clients use equal user accounts on the terminal server.

    Maybe you got me wrong. Both our employees and subcontractors have their own individual OpenVPN accounts. However, they have one user account for the customer's system (another company). We connect to this client's network (another company) through the IPsec tunnel. When our employee tries to log into this system and the subcontractor is already logged in, a message appears that this user is already logged in to the computer (and the computer name appears here). If I could link an OpenVPN account with an unknown computer name of the subcontractor, I would know who to turn to, e.g. to log out.
    Currently, subcontractors get static IP addresses from OpenVPN. So I am able to bind the user - ip account, but I am not able to bind the ip address - computer name.

  • OpenVPN Windows Client Slow Performance

    1
    1 Votes
    1 Posts
    415 Views
    No one has replied
  • VPN not passing traffic to client specific override, but can get to pfsense

    10
    0 Votes
    10 Posts
    1k Views
    J

    @viragomann Makes sense - I put that into the Local Networks box and now it's all set. I kept the CSO setup because it makes for easier export of the installers or config files with the certificates embedded for the specific 'user' or cert - but since this was my use case - it's working perfectly now.

    Thank you for all your help today - I learned a lot.

  • 2 OpenVPN servers - but all clients are shown on one export client list

    4
    0 Votes
    4 Posts
    501 Views
    gbooneG

    @viragomann Thanks, this was very helpful. I looked again at the certs and found that the Peer Certificate Authority for the one in question was actually a server cert instead. Changed it back to the Intermediate CA it should have been and the list is populating.

  • Why is GCM unavailable when using a shared key?

    3
    0 Votes
    3 Posts
    476 Views
    jimpJ

    That is more of a question for OpenVPN than pfSense. If OpenVPN supported it, pfSense could use it.

    IIRC it had something to do with the HMAC being a part of the shared key in that mode, and AEAD ciphers like AES-GCM and CHACHA20-POLY1305 want to do hashing themselves. I could be misremembering that, though.

    I'm not sure what will change here but something is going to have to change in OpenVPN since 3.0 hardcodes the ciphers and only uses AES-GCM and CHACHA20-POLY1305. Maybe they find a way to make it work, or maybe they drop shared key mode.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.