• OpenVPN Remote Access | pfSense Access | LAN not Connecting

    6
    0 Votes
    6 Posts
    823 Views
    D
    @viragomann It's just for me and about 3 other people. I think the long-term plan (this is replacing a Cisco VPN) will be to add an IP on the other firewall (or a secondary IP at least), since it is still bridged on that VLAN. Then I can just add it to the firewall as a secondary IP, and add that subnet to the same policies and address book entries allowed to get to everything. Depending on how many static routes there are elsewhere, however, the masq/NAT option works easier, at least for now.
  • openvpn unable to connect to anything on lan but pfsense itself

    4
    0 Votes
    4 Posts
    773 Views
    D
    @darrenh I figured it out; it wasn't related to tun or tap mode at all, nor the VMware. I found one other person had done it, buried in another forum from 5 years ago. You have to set up a NAT outbound rule by changing to hybrid mode, and set up the LAN interface, network being your VPN user subnet, and set the destination to either just the local LAN, or in my case I set it to any, and use the fw interface as the masquerade. That way the traffic from the VPN users gets masq'd as the local LAN and not the 192.168.55.1 it auto-assigned for the tunnel subnet. As soon as I did that, I can get to everything fine :)
  • OpenVPN errors

    6
    0 Votes
    6 Posts
    1k Views
    S
    Seems to be all working. Think I got confused on what the "OpenVPN clients" are. Kept seeing the services being stopped, so thought it was an error. Am I correct in saying it's... for either connecting to another VPN server elsewhere (aka p2p router connection) and generally for exporting the config files for win/linux clients, instead of doing it manually? The client instance doesn't actually get used for incoming OpenVPN connections from, say, a Windows client.
  • 0 Votes
    8 Posts
    509 Views
    L
    Bad news: after I set up a new phone system, one of the changes I made must have fixed it; the issue stopped right then and there! Sorry, no solution here!
  • CRL openvpn doesnt work

    1
    0 Votes
    1 Posts
    212 Views
    No one has replied
  • Peer to Peer without Tunnel Network?

    24
    0 Votes
    24 Posts
    1k Views
    J
    @Derelict Alright, fair enough. Thanks for looking into this. In this case we will just keep the VPNs on the old EdgeRouter for now and migrate them to pfSense whenever a remote office router needs to be replaced. Migrating everything else to pfSense worked like a charm and even though I might not have sounded like it, I really like pfSense and the Netgate products.
  • OpenVPN routing issue?

    15
    0 Votes
    15 Posts
    2k Views
    S
    I got a new problem: VPN can connect no matter what, even if I revoke a user cert. VPN server is set to SSL/TLS + User Auth. Edit: forget that, fixed. Didn't have the revocation list selected in the server, just clients. Think I'm good now. Thanks for the help.
  • Openvpn client with Aircard 815s for WAN

    6
    0 Votes
    6 Posts
    794 Views
    C
    Once I logged into the Aircard I found that VPN Passthrough was already enabled. I disabled it and enabled the DMZ option. Now works. Been using it for a few days now for a mobile IP phone, and it works fairly well. Unfortunately, it is a bit cumbersome. I'm going to see if I can find an old laptop with a 4g card that I can run pfSense on. This will put everything in one package and will have battery on board.
  • Connected as OpenVPN client, can ping but no internet

    1
    0 Votes
    1 Posts
    208 Views
    No one has replied
  • Capturing packets but not making connection

    18
    0 Votes
    18 Posts
    1k Views
    KOMK
    Hmm. All I can think of at this point is to try it with a different client just to rule that out.
  • OpenVPN client frequently change tunnel IP address

    7
    0 Votes
    7 Posts
    4k Views
    PippinP
    @Gertjan said in OpenVPN client frequently change tunnel IP address:
    > Normally, the internal DHCP server built into the VPN server will give the same IP to the same device when it comes back.
    If the client tries to reconnect within the default --keepalive 10 60 setting, then the server gives a different tunnel IP. This is because the server doesn't know the client has lost its connection. It can take up to 120 seconds before the server realizes/assumes that the client is gone.
    Even if the client is assigned a static tunnel IP based on its certificate CommonName through Client Specific Overrides, it is no guarantee the client gets the same IP. Not even with --ifconfig-pool-persist ips.txt.
    The following is the only way to assure the client gets the same IP:
        server 10.0.8.0 255.255.255.0 'nopool'
        ifconfig-pool 10.0.8.101 10.0.8.253
    In this example 10.0.8.2 till 10.0.8.100 can be used for static assignment, 10.0.8.101 till 10.0.8.253 for dynamic assignment.
    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
  • Multi hop OpenVPN and wrong interface. Issue or bad configuration?

    1
    0 Votes
    1 Posts
    273 Views
    No one has replied
  • openvpn shall use local network

    22
    0 Votes
    22 Posts
    2k Views
    KOMK
    OK, he's fixed up. Let's call it a day.
  • Allow (or not) AD client to connect to OpenVPN

    2
    0 Votes
    2 Posts
    268 Views
    KOMK
    https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/authenticating-openvpn-users-with-radius-via-active-directory.html
  • Export Logging Access

    2
    0 Votes
    2 Posts
    206 Views
    NogBadTheBadN
    Set up syslog and view the logs there.
  • Pid openvpn client

    7
    0 Votes
    7 Posts
    2k Views
    JeGrJ
    @tronix said in Pid openvpn client:
    > client description
    Those would be dependent on either using the ovpns/ovpnc interface - which wouldn't be any more specific than using the PID like now - or showing the description the user enters while configuring the client or server setup. So if nothing is entered as description, what should be shown? You see, it's not that hard showing something but hard to show the right thing ;) Also, having to dig out the ovpn interface and description belonging to the specific PID (the log that is shown is the system log from OpenVPN itself) would require multiple calls to parse config.xml or ovpn config files to read the information, so would probably slow down log parsing/showing, too.
  • Firewall Rules don't work with Gateways

    4
    0 Votes
    4 Posts
    1k Views
    KOMK
    @chorong761 This post is from 2017 and the last time this user was online was May 2018. Start a new thread.
  • Trying to connect pfsense to openvpn as a client

    7
    0 Votes
    7 Posts
    596 Views
    J
    key-direction 1; Needed to be in custom options under advanced configuration; thanks @Pippin !!!
  • OpenVPN client not connecting: Connection reset, restarting

    13
    0 Votes
    13 Posts
    110k Views
    KOMK
    I had a case once where nothing worked until you changed the compression on both sides from No compression to Adaptive LZO. That makes no sense to me whatsoever, but it worked one way but not the other.
  • bridges issue

    5
    0 Votes
    5 Posts
    625 Views
    stephenw10S
    Is either bridge assigned itself as an interface? Any other difference between them? This is certainly odd.... Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.