@sam721 said in OpenVPN between pfSense and Ubiquiti EdgeRouter X: the Ubiquiti? Are you familiar with firewall rules on the EdgeRouter? I don't know which rule is needed. I'm not familiar with how to set firewall rules on an ubiquiti edge router. The rule youre going to need though is to allow the pfsense lan subnet to talk to the ubiquiti subnet. I'd also ensure NAT is NOT enabled for either side, so you can see the subnet IP's. This isnt a need as much as its a nice to have in case you ever need to figure out which specific client on one of those is misbehaving.

Glad you have it working now. -Rico

Yes this could be the problem. Years ago we had some SHDSL line as spare with cisco router from the ISP. The cisco was totally managed by the ISP with no access for us. For any changes like port forwadings we need to open a ticket... -Rico

Best practices here would recommend implementing as strict a rule as is necessary. Perhaps a deny all to those vpn networks, and place rules above this for the protocols/services/destinations you need?

well i see that, but i set it up according to the settings. I will look into it sorry.

@johnpoz said in remote OpenVPN-client LAN not reachable: @sgw said in remote OpenVPN-client LAN not reachable: redirect-gateway def1 Why are you redirecting gateway? That is normally not done in a site to site setup. A leftover from my desparate debugging. Thanks for spotting, disabled it now (was in the CSO).

On closer inspection, it appears that the problem is certain assets dropping any request coming from outside their assigned address range. This appears to be a crude and problematic security "feature" and has been brought up with the manufacturer. If I can verify, I'll mark this is solved. it may be necessary to configure as peer-peer and put each connecting client in the address range of the LAN, which, given we're using a class A as a classification system, there's plenty of class C ranges not internally assigned. Will update with any progress.

UDP should be better yeah - unless you can not get to it, then is useless ;) Takes nothing more than some simple setup to run both. And if you configure the client settings correctly - it will first try your UDP connection, and if can not connect it will then try TCP.

https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html -Rico

@emammadov thanks

Share your OpenVPN Client settings (screenshots). -Rico

In Diagnostics -> DNS Lookup you can resolve this express vpn host or not? -Rico

@abadonna your link is down can you send me your tutorial. I'm trying to setup Secuirtykiss

i had it on authentication only in the open vpn server, now users are showing up for export, you nailed it thank you so much!

@jimp Ok, Thanks Rico and Jimp ! / br, pete

SOLVED Do NOT use the character "¤" &curren; in the password field. This makes pfsense create a config.xml.bad and revert to a previous version of the config. OpenVPN files under /var/etc/OpenVPN are created and active until reboot of pfsense. Newly created entry not shown in Services or Status, but still connecting in the background. My config.xml.bad, Under OpenVPN client section: <auth_pass>zYdfrJn&curren;bE</auth_pass> Using a password not containing "¤" does work, entry is created and functional. Anywhere said that password shouldn't contain strange characters? If not, this looks like a bug to me. Brgs,

@yash said in OpenVpn:TLS Error: TLS handshake failed: read UDP: Unknown error (code=10054) You need to validate that port is open from your client to the server.. It could be blocked at your client side, etc.. Or sure you could be blocking it on pfsense, or some nat router between. Is that IP your public IP that you xxxxx out? Lets see your firewall rules on your wan to validate 1199 is open.. Also your pfsense is not behind a nat right? And has public IP on its wan? Simple sniff on the wan for UDP traffic 1199 and then try to connect with your client will tell you for sure if the traffic is getting to pfsense or not.