@sepp_huber said in OpenVPN 2.4.4: Cannot connect with external CRL: default_crl_days One pitfall for me was, that "default_crl_days" must be set in the environment where the CRL is generated and NOT on the pfSense instance. Which is just logical ;-)

It has no concept of "prioritization". It will keep trying the next server in the list if it gets disconnected or times out. Assuming it respects multiple duplicate entries, that may help, but ultimately it means that it will try the first one twice and then the second if the first two tries timeout.

@calvinsteel said in OpenVPN can't connect on Windows 8: I have read too many guides. https://www.vpngate.net/en/howto_l2tp.aspx https://www.expressvpn.com/what-is-vpn/protocols/l2tp https://www.purevpn.com/what-is-vpn/protocols/l2tp But still nothing. All wrong. The sites you mentioned are companies that offer VPN services. They have a VPN server that you can access with a "client", like your Windows 8 PC. I advise you to start with https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/openvpn-remote-access-server.html Then, stop reading, and look at these https://www.youtube.com/channel/UC3Cq2kjCWM8odzoIzftS04A/videos - take the 2, 3 VPN "server" videos. Btw : install this package : [image: 1562157156171-599a7906-c802-49af-a0af-27aa8ba0a649-image.png] When you finished setup your OpenVPN? server, and added at least one "client" (the visitor), you go to " OpenVPNClient Export Utility" and select : [image: 1562157249903-939d1fa5-8058-4e0e-ac41-b489c424730e-image.png] Take that zip file, bring it to you Windows 8 PC, install and go.

thx

@Rico Clients connected to the WAN_VPN get directed to Site B as desired but the other clients lose WAN. If I disable interface, WAN returns. I worked around it by setting applicable firewall rules on LAN to use the Advanced->Gateway->WAN but there must be a different solution. Why would the default gateway WAN not be used?

Hi @jimp I have the same issue and updated the redmine: https://redmine.pfsense.org/issues/8142 As you can see I have full control over the VPN server (and options) so I can do whatever test/log is needed in order to sort out the issue.

On the client, are the needed 'cert' file present and found and loaded by the OpenVPN client ? From what I make of it, it can't find the needed cert info. Also : use the Netgate official videos (Youtube) to check you config with what you see in the videos.

Well, finally I could manage to do what I want. Due to a missing gateway entry in /etc/network/interfaces (Ubuntu) I was not able to connect properly.

No, that's not the case. They are bound to the individual WAN gateways. I've attached a few pictures. You can see in the OpenVPN clients list that they are each bound to separate WAN interfaces. The gateway list shows that one of the WANs is down but both VPN tunnels are up. The VPN status page shows that both are up but doesn't show the local IP address for the one with the gateway that is down. (I can see on the server end that both connections come from the same IP) EDIT to add: Each connection has a separate client cert so when I look on the server status I can also tell both are connected because both common names are used. [image: Pw6a9ah.jpg] [image: F2TZLBd.png] [image: 3Fc6jIC.png]

@Derelict I've looked in the firewall, but see no denied connections. If i had to create such a rule, how would you do that? Edit: You've got to be kidding me, all these headaches for this. All you have to do is add the vpn subnet to "smb-in". I'm so dumb.

So you want so use pfSense just as OpenVPN server behind the comcast and nothing else? That would be a waste. ;-) And you have to mess around with manual adding routes to the comcast and so on. Why not use pfSense as full Firewall/Router? -Rico

No idea about this old howto, better follow the latest official documentation: https://docs.netgate.com/pfsense/en/latest/book/openvpn/bridged-openvpn-connections.html -Rico

So what I discovered is that the no protocols are being set (checked) for the TAP-Windows Adapter during installation of the OpenVPN client. Why would that all of a sudden change when nothing else changed from the OpenVPN end? Still using same process. Still using same version of client, etc.

At the moment all you can do is make new ones. Since the old ones have expired and are invalid, you can safely delete them.

Maybe this one gives the basic setup (use FRR instead) or ? https://help.pureport.com/support/solutions/articles/43000485827-vpn-config-guide-pfsense-route-based-vpn-with-bgp On further thought (& reading) , i think i'll skip VTI for now. It seems to be quite a new feature, and i'll get trouble if i loose a site halfway around the world. Maybe i should just stick with OpenVPN & Static routes. I have an L2L openvpn @home -> Summerhouse , using Certificates & the full monty. Would there be any significant disadvantage in using a Loooong shared key for this setup ?? Or should i go for a CA on the central site & distribute the certs from there. /Bingo

@jogofus said in Issues with OpenVPN: @JKnott first subnet is in 192.168.5.0/24 and the second in the 192.168.0.0/24 Look at both sides of either router: Router 1 - 192.168.5.57 (WAN) pfSense (LAN) 192.168.5.200 - Client computers Router 2 - 192.168.0.200 (WAN) pfSense (LAN 192.168.0.2 - Client Devices. Router 1, both WAN & LAN are in the same subnet. Same with router 2, assuming the LAN subnet mask is /24. It may work if the mask is /25 or longer. Please post the subnet mask for all interfaces.