• 0 Votes
    10 Posts
    3k Views
    mgiM
    @johnsheridan Thanks for the info and testing. That makes sense. I’ll have a look at those files and patch. This will probably be fixed in one of the next releases then.
  • How to make local networks of OpenVPN clients available to other clients?

    3
    0 Votes
    3 Posts
    600 Views
    R
    @viragomann Thank you very much for your suggestions. I prefer to use the proposed structure as I do not have many users, low amounts of traffic and I do not need to administrate multiple pfSense servers. Regarding the CA, I use self-signed certificates. The routing issue with overlapping local subnets is something I am now aware of. I will use 10.x.x.x networks for the LANs of the routers. In this case, it is unlikely that a connecting user is in an identical subnet. I found this explanation regarding OpenVPN routing: https://community.openvpn.net/openvpn/wiki/RoutedLans This seems to be exactly what I would like to do. I will try it tomorrow. Thanks!
  • Route traffic through multiple site2site VPNs

    3
    0 Votes
    3 Posts
    758 Views
    J
    @viragomann Thanks a lot! For the IPSec tunnel I configured the OpenVPN tunnel network address and not the local network of the site (192.168.44.1). Thanks a lot!
  • OpenVPN blocking problem and need to restart the server.

    1
    0 Votes
    1 Posts
    319 Views
    No one has replied
  • OpenVPN connection stops working after changing default gateway

    5
    0 Votes
    5 Posts
    766 Views
    Z
    @viragomann Thank you! I kept searching for the setting to keep dead routes up. I had no idea it was in the miscellaneous settings area. With that change, I am having all traffic route properly only on the VPN interface now. When the VPN link goes down, internet stops as desired for clients connected to this pfsense gateway. I did have to tweak DNS Resolver settings for Outgoing Network Interfaces to only use the VPN interface for DNS queries. By default external DNS lookups were going through the WAN port even though there were no traffic rules set for the LAN to WAN. With your hints I am up and finally running this VM on a newer version of pfSense. Thank you again! Have a great day.
  • 0 Votes
    3 Posts
    2k Views
    blasterspikeB
    Still following the thread I mentioned above, I saw that the eval previously was right before RESULT=. I have tried to comment the if statement block and move eval, so this way

        # eval serial="\$tls_serial_${check_depth}"
        # if [ -n "$serial" ]; then
        eval serial="\$tls_serial_${check_depth}"
        RESULT=$(/usr/local/bin/php-cgi -q /etc/inc/openvpn.tls-verify.php "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")
        if [ "${RESULT}" = "FAILED" ]; then
            exit 1
        fi
        # fi

    and I don't get the error on the certificate anymore! I don't know if I need to open an issue about this. However, now I get the error about the user authentication SENT CONTROL [spike]: 'AUTH_FAILED' (status=1) like I was getting when I set "Certificate Depth = Do Not Check". It looks like I'm not the only one having this issue.
  • Pfsense 2.5.2 - Bridge TAP Server - Bridge DHCP is greyed out

    1
    0 Votes
    1 Posts
    283 Views
    No one has replied
  • Firewall Rules are getting ignored - What am I missing?

    4
    0 Votes
    4 Posts
    702 Views
    Gamienator 0G
    Heyho, after a lot of digging in my states I found the solution. Just an update: The VPN transfer network is 192.168.2.0/24 and the virtual NIC on the server got 192.168.10.2/24. After letting a ping happen I saw the state: 192.168.2.1 -> 192.168.0.1 and then it clicked! In this case it sees the connection from the transfer net, not the virtual IP. Building the correct Floating rules made everything happen like I want it. But thanks again for the hint with RFC1918! I was so deep in the subnetting that I overlooked that :(
  • Openvpn client not route traffic from other interface

    7
    0 Votes
    7 Posts
    961 Views
    Z
    @viragomann Hello, I finally found the error. The NAT of the local interface on the VPN interface was missing!
  • Change display name of VPN connection

    2
    0 Votes
    2 Posts
    745 Views
    N
    @frog Just rename the ovpn file you have at the clients. There is no "central" way of doing this.
  • 0 Votes
    18 Posts
    2k Views
    adamwA
    Still an issue in 22.01 (pfSense+). The same workaround applies i.e. turning off "Extended Query" in LDAP authentication. Still not ideal since it doesn't allow fine grain control over which AD users are allowed to use OpenVPN service. Has anybody come up with a better workaround? Would it make sense to use Client Specific Overrides option for access restriction?
  • DNS via VPN connection

    3
    0 Votes
    3 Posts
    689 Views
    ?
    @viragomann You are absolutely correct. I'm an idiot. I accidentally configured pfsense to only use 127.0.0.1 as DNS resolver and not as first with fallback to the ISP DNS.
  • OpenVPN with Azure MFA

    1
    0 Votes
    1 Posts
    421 Views
    No one has replied
  • Site2Site OpenVPN only works with /30 IPv4 Tunnel Network?

    Moved
    18
    0 Votes
    18 Posts
    2k Views
    U
    @stephenw10 Orz
  • 0 Votes
    6 Posts
    803 Views
    mucipM
    Dear @viragomann I checked the two connections while "Duplicate Connection" was checked. But unfortunately I still cannot connect with the second user. Regards, Mucip:)
  • pfsense constantly losing connectivity to NordVPN

    18
    0 Votes
    18 Posts
    4k Views
    P
    @thenarc said in pfsense constantly losing connectivity to NordVPN: So it's not something that would be transparent for sure, but you're saying it just doesn't happen at all no matter how long you wait? Yes, at least when it happened yesterday I waited about 5 minutes or so but the status of the gateways stayed the same, and the connection was still down. After I force restarted the OpenVPN service, the gateways went back up (albeit 2 of them still screwed up as per screenshot I posted above). @thenarc said in pfsense constantly losing connectivity to NordVPN: making them reestablish as well. But maybe worth trying to see if it improves your observed behavior. I agree with you, that makes sense, it has pretty much the same effect as issuing a force restart on the underlying services (without of course restarting them for real)... But I wonder, can it cause data corruption or other issues with services that are actively communicating, etc? I have in mind, for example, if I am on a VOIP call, will my call be dropped or will I only see a small "hiccup" and nothing else? This is more of a general networking question than a VPN question..... EDIT: I just realised that my VOIP ATA has been offline for many hours, if not for more than a day hence causing me to miss several phone calls... The ATA couldn't, for some esoteric reasons, establish a connection to the VOIP server even if the FW rules are all in order (and worked for many years before implementing this disaster of vpn). Rebooting pfsense solved it but I don't trust this for long. Will give myself a few days then I'm reverting everything and cancelling nordvpn.
  • Access my home server through my phone hotspot.

    20
    0 Votes
    20 Posts
    2k Views
    D
    @gertjan said in Access my home server through my phone hotspot.: @viragomann said in Access my home server through my phone hotspot.: I started an OpenVPN connection on the iPhone and connected my laptop with its hotspot. But I was not able to connect to a remote resource with this. So obviously that's not possible with a recent iOS as well. I tried just that several days ago. I use the OpenVPN OpenConnect app on my iPhone When you use it, and check log files on both sides, you'll see that your iPhone gets one IPv4 - and one IPv6 if you asked for it / set up IPv6. That's one IP for one device, the iPhone. If the hotspot would use the OpenVPN connection, would it use the same attributed IP for the hotspot connected device ? No, of course not, that would be an error. If the phone behaves as a NAT home router and successfully masquerades hotspot connected devices over the WAN based VPN tunnel, then I believe you would still only see one VPN client on the pfsense side. Is this not what many higher end home routers (pfsense included) do? They masquerade LAN connected devices via a VPN client connection. The limitation seems imposed by android's design rather than the underlying Linux kernel/network stack. It appears neither Android nor iOS permits NAT of hotspot network over the vpn client 'interface'. The project I linked to above appears to offer a UI to manipulate iptables to achieve this but requires root. This means that the iPhone VPN App should behave as a router ? Can't be, as the app (my words) has been created to connect 'a device' to a OpenVPN server, not multiple devices. I'm pretty sure that what you want, exist. It will be a dedicated small box, a router, with an AP built in, a 3/4/5G connections, thus a SIM card, and it should have a special case of OpenVPN Client usage so every device connected to the AP will get tunneled to the OpenVPN server. Yes, and I bet it's quite expensive.
  • OpenVPN client and site to site

    14
    0 Votes
    14 Posts
    1k Views
    M
    @viragomann Perfect, now with your directions it works great. I THANK YOU
  • Remote access and site-to-site (shared key)

    6
    0 Votes
    6 Posts
    795 Views
    E
    @viragomann To be honest, you lost me at BTW. I will try to understand your invaluable advice. Thank you so much.
  • Problem with IP server is reachable on

    3
    0 Votes
    3 Posts
    431 Views
    TheCableGuy96T
    @netblues Thank you.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.