@stellir said in OpenVPN is setup and connecting but no access to local shares.:

@viragomann said in OpenVPN is setup and connecting but no access to local shares.:

add a pass rule to the Windows firewall for the VPN tunnel network

Any direction to accomplish this would be appreciated. The wizard created a Pass rule for the OpenVPN on port 1194 so what else is needed.

You need to do the on your Windows 10. This one:

Ok I disabled the firewall on the Windows 10 computer hosting the files

That's not the topic of this forum and I'm not sitting on a Windows currently. But there is an option to add firewall rules to it, something like "firewall advanced settings". Add an allow rule for the source of the VPN tunnel network, maybe you want restrict ports or simply allow any.

@viragomann Thanks for your help, sir! I really appreciate it. I am unsure as to how or why, but changing the connection to UDP seems to have fixed it. I don't know why or whether this alone was the issue, but the rules are the same and it now just works. It has also been re-booted a few times.

All the best, Richard.

@heliocoeur said in PfSense (2.3.3) Hangs on boot with invalid OpenVPN password:

vpn > openvpn > client

and put a password to the user.

if needed put a password to the same user in system > user manager

that is the solution ..many thanks to heliocoeur

@bob-dig said in Port forwarding on OpenVPN interfaces is broken on 2.5.1:

Probably this: https://redmine.pfsense.org/issues/11805

Yeah that's probably the same bug :)

@shamsali222

When you use DHCP to provide an address, you can go into Status / DHCP Leases to find the assigned address. You can then convert that MAC address to a static lease with whatever address you choose, provided it is not within the DHCP pool.

@ddbnj
Basically it doesn't matter, where you add the rules, however if you have already assigned an interface, I'd prefere the interface tab. It's quite simpler.
For instance, if you add a block rule you can use any at source without affecting the other VPN instances.

Furthermore if there is an incoming traffic from a public source on an OpenVPN interface (forwarded from the remote site) you have to care, that there is no rule on the OpenVPN tab mathing it. Otherwise responses are not routed back properly.

@viragomann the 192 address is my local LAN making the requests.

"So again, my assumption is that the remote site is missing the route back to this LAN IP and so its not possible to direct its packets correctly into the VPN, instead it will send them out to its default gateway."

I agree that if the server side was missing the route back, it wouldn't know what to do with the traffic and how to send it back, but the key bit I'm not getting is that shouldn't I see that traffic emerging from the tunnel on the VPN side, the bottom tcpdump on the second screenshot. I fully get why I don't see any traffic coming back into pfSense from the VPN side, because no traffic is sent back, but I don't get why I don't see the ICMP requests that go in on the top of the screenshot come out on the bottom. Where does that traffic go?

I'm sure you are right with what you are saying, I just want to know where the packets go missing. I thought that if they went into a tunnel they would come out the other side, even if they then got lost and the next hop sent them the wrong direction and out the wrong gateway.

The router from my ISP is setup in 'modem only' mode, it does not perform any routing or wi-fi functions, its only connection is t othe WAN port of my pfSense unit.

I run Unifi switches and access points all of which sit behind the pfSense unit.

I am guessing that since I only have the one WAN IP, once the VPN tunnel is opened from the pfSense firewall, the VPN IP is now perceived by all clients to be their external IP, whereas previously when I ran a VPN on an individual device, the VPN IP only applied to that single device.

In effect running a PIA VPN tunnel from the pfsense firewall can only act as a 'whole house' VPN, regardless of what firewall rules I may use.

I have also noticed a severe drop in bandwidth when using the PIA OpenVPN tunnel on the pfSense firewall.

All tests were performed from my iMac desktop:

Test Case down/up No VPN 386/20.8 pfSense + London 152/19.8 pfSense + Southampton 205/19.4 VPN app + London 303/19.5 VPN app + Southampton 293/19.6

The PIA app based firewall is using wireguard, although until recently it was using OpenVPN, the results using the app are usually within 50-60Mb/s of the figures with no VPN (they are a bit down today), but never as bad as those shown for OpenVPN on pfSense.

Looks like I may be sticking with local VPNs for now.

For comparison, I ran a speedtest from my media server using a wireguard based PIA tunnel to the same London server and recorded speeds of 317/19.6 with the VPN tunnel and 322/21.1 without. The media server is connected to the same switch as my iMac, both with 1m cables.

@tunge2

According to the above referenced post , and the redmine inside that post.
It seems that the issue was introduced in 2.5

/Bingo

Show as the outbound NAT rules and check, that every client got a different private IP address from your VPN provider. If they share an address, it will not work.

@viragomann Thanks I'll try this tomorrow and post the screenshots.

I just wanted to follow up on this, in case anyone else runs into the same problem.

The way I was doing it is for a 1:1 VPN. I solved it by following these instructions: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html

A bit more complicated setup, but it's now working.

@jagradang
Hi, I am not at my machine at the moment, but I found out what this issue was.
In the 'General DNS Resolver Options' , Outgoing Network Interfaces
is set to nordVPN (as per the instructions). However if you set this to WAN, it appears to work.
To be honest I am not sure what the 'real' exposure is.

Also a more advanced question, is it possible to enable UPNP at Site A such that they're applied at Site B?

I fixed it! Sort of...

There was a OpenVPN client override. The address wasn't complete, I guess I must've missed it. I don't remember setting it at all though, maybe somebody else did.

Upon restoring some areas from the old firewall the outbound NAT was restored without matching the gateway, so that was another problem.

The finally the gateways were correct, the routes were correct but pings would only work one way.. I kept resetting things until neither could ping. I have frequent backups for both firewalls going back for almost a year, I always took them at the same time so settings would match but none seem to work.

Even after adding allow-everything rules on the tunnel I cannot get it to ping, it just stopped. Installed FRR, didn't help.

wrong-openvpn-gateway11.png

wrong-openvpn-gateway12.png

Then I tried playing with the ciphers with some interesting effects, like tanking all connectivity despite the tunnel is no set as the default gateway in either side to the one sided thing.

However, it was when I switched to shared key that I got connectivity back. It had always been as a TLS tunnel, I don't know what's different now.

wrong-openvpn-gateway14.png

wrong-openvpn-gateway13.png

But the tunnel is merely a conduit to have a static public IP disposable at any moment; it's considered as a WAN interfaced and policed as so thus I could care less about encryption security or anything else, I'm just soo grateful it works again. :D

Now I have to close it up 'cause it's still wide-open-firewall as I speak.

I tried IPsec BTW, but it had mismatching numbers, then I tried to "play its game" so to speak so I duplicated one of the P1s so the interface numbers would match. They did, but it still never connected. Since this is heavily dependent on encryption as well as the TLS OpenVPN, I think there might be something wrong with OpenSSL or whatever's behind the scenes there--that's just my highly uneducated guess though. Anyway, maybe this helps somebody else.

@griffo said in Help diagnosing 2.5x OpenVPN Issues:

@griffo A new day, a bigger cup of coffee and I worked it out.

Two issues

a) the NordVPN guides say to add the option tls-client to the custom config. With this option left in, it will connect but not pass traffic. There's obviously a TLS mismatch going on but it works without it.

b) with the option "Don't pull routes" NOT selected in the client, the pfsense box does not seem to give the gateway the addresses correctly. Bizarrely when I was doing a packet trace I could see the ICMP packets for the gateway monitor flying around, but in the system -> routing -> gateway screen no gateway or monitor IP was listed.

Changed those two settings and it works. Not sure if either are bugs or just a change in behavior of the new OpenVPN client version?

@Griffo Thank you sooooooooo much for writing back the solution here !
I was experiencing the exact same problem after upgrading from 2.4 to 2.5 and a tunnel interface to NordVPN.
Removing tls-client; in custom config is working fine for me too.
Wow ! Merci beaucoup !