• [SOLVED] How to use VIP's for OpenVPN

    16
    0 Votes
    16 Posts
    2k Views
    G
    Thanks a lot for all of the answers. I'll try out the port forwarding thing, as well as tls-crypt and stunnel. @rico said in How to use VIP's for OpenVPN: Well you don't have unlimited VIPs to cycle them over and over again right? No, but in the past the banned IPs have been unbanned after a month or so. Best Regards Esben
  • Port forward to other site over OpenVPN Client

    9
    0 Votes
    9 Posts
    903 Views
    J
    @derelict I got it working. Idd the Interface needed to have the traffic defined on which the gateway was defined. Thx for the response.
  • OpenVPN (Not quite so) Newb anymore Part 2

    4
    0 Votes
    4 Posts
    561 Views
    Derelict
    Then pcap a hop at a time until you see where the traffic is stopping I guess.
  • unsupported certificate purpose

    11
    0 Votes
    11 Posts
    10k Views
    jimp
    @peter808 said in unsupported certificate purpose: When did that change? Although I usually try to read the changelogs completely, I do not remember having read about that. That would be a change in OpenVPN itself, not pfSense. Most likely when that changed to OpenVPN 2.4 (which by coincidence was new in pfSense 2.4.0 and later)
  • kill openvpn_client after n seconds

    8
    0 Votes
    8 Posts
    960 Views
    Gertjan
    @alivdel said in kill openvpn_client after n seconds: for my Information can you tell me please what's the problem to put a file in rc.d directory? None. If you know how to write startup (stop) scripts for FreeBSD (pfSense), then it should work just fine.
  • OPENVPN INTERSITE MULTI GATEWAY

    4
    0 Votes
    4 Posts
    687 Views
    M
    Thank you very much, you saved my day ;) I worked on it for a few hours now and the solution was in fact very simple.
  • Everything but pfsense web gui works when connected via OVPN

    4
    0 Votes
    4 Posts
    817 Views
    Rico
    Note from the pfSense Book: Not all clients support tap mode, using tun is more stable and more widely supported. Specifically, clients such as those found on Android and iOS only support tun mode in the Apps most people can use. Some Android and iOS OpenVPN apps that require rooting or jailbreaking a device do support tap, but the consequences of doing so can be a bit too high for most users. Can you see any activity in your Firewall Logs when trying to access the pfSense via WebIF or SSH? I would follow the guide again and try exactly as described with a very basic setup: https://www.netgate.com/docs/pfsense/book/openvpn/bridged-openvpn-connections.html e.g. don't push any routes, don't use redirect gateway and so on, just basic. Disable the Rule in your OpenVPN tab to make your Interface Rule active (which should not make any difference for this problem tho). -Rico
  • Traffic logging site-to-site

    1
    0 Votes
    1 Posts
    179 Views
    No one has replied
  • Multiple OpenVPN clients leaks DNS between them

    4
    0 Votes
    4 Posts
    570 Views
    N
    @thenarc Ok, I will try that. Thanks!
  • OpenVPN Client can not traverse site 2 site vpn

    6
    0 Votes
    6 Posts
    663 Views
    JKnott
    @gareigle said in OpenVPN Client can not traverse site 2 site vpn: I've tried different fw rules, and the redirect options on the vpn and no changes. I don't think it's a rules issue. I'd say routing. Since this is site to site, the firewall has to route the traffic from its local network to the other end. Devices connected to the network should have a default route pointing to the pfSense router/firewall. Each pfSense router needs to know a route to the local network at the other end. Do you have that configured? Please note, I've only configured pfSense for a "road warrior" mode, where it runs on a computer to connect back to my home network, not site to site, so I can't advise based on my config.
  • [Solved] Can't ping OpenVPN gateway server from LAN

    2
    0 Votes
    2 Posts
    409 Views
    F
    I found the issue, it turns out that the OpenVPN server didn't know where to reply to the LAN traffic coming in so I had to add the LAN's route to the OpenVPN server.
  • Route OpenVPN Client to Other Client

    1
    0 Votes
    1 Posts
    174 Views
    No one has replied
  • ExpressVPN gateway monitoring

    1
    0 Votes
    1 Posts
    789 Views
    No one has replied
  • ExpressVpn configuration

    3
    0 Votes
    3 Posts
    802 Views
    S
    Yes, they have a guide there online, but they also told me that it is tested on 2.3.3 version.
  • OpenVPN client preauth check

    1
    0 Votes
    1 Posts
    216 Views
    No one has replied
  • VPN site to site between ZeroShell and PFSense

    2
    0 Votes
    2 Posts
    837 Views
    P
    Hey. I don't understand the problem, why he won't go out with the ping over the vpn tunnel.
    My settings for OvpnServer: [image: 1540368232065-2018-10-24_095723-resized.png] [image: 1540368266943-2018-10-24_095758-resized.png] [image: 1540368275037-2018-10-24_095816-resized.png]
    My Firewallrules: [image: 1540368289820-2018-10-24_095837-resized.png]
    My Interfaces: [image: 1540368310210-2018-10-24_095911-resized.png]
    My Interface setting OPT6: [image: 1540368336437-2018-10-24_095928-resized.png]
    My Gateway OPT6: [image: 1540368371948-2018-10-24_095959-resized.png]
    My static route: [image: 1540368404891-2018-10-24_100028-resized.png]
    I take a traceroute to destination 192.168.3.32 over my local LAN Interface: [image: 1540368588241-2018-10-24_100905-resized.png]
    I only see this:
     1 10.2.28.1 0.240 ms 3.165 ms 0.200 ms
     2 10.2.28.1 3.687 ms 3.664 ms 0.228 ms
     3 10.2.28.1 3.593 ms 3.703 ms 0.244 ms
     4 10.2.28.1 3.639 ms 3.698 ms 0.241 ms
     5 10.2.28.1 3.650 ms 3.765 ms 0.254 ms
     6 10.2.28.1 0.260 ms 0.238 ms 3.648 ms
     7 10.2.28.1 3.676 ms 0.257 ms 3.640 ms
     8 10.2.28.1 3.711 ms 0.270 ms 0.270 ms
     9 10.2.28.1 0.286 ms 0.277 ms 0.286 ms
    10 10.2.28.1 0.288 ms 0.248 ms 3.631 ms
    11 10.2.28.1 3.826 ms 0.283 ms 3.729 ms
    12 10.2.28.1 3.736 ms 0.289 ms 3.544 ms
    13 10.2.28.1 3.830 ms 0.314 ms 0.297 ms
    14 10.2.28.1 0.309 ms 0.365 ms 0.311 ms
    15 10.2.28.1 0.318 ms 0.315 ms 0.316 ms
    16 10.2.28.1 0.328 ms 0.323 ms 0.321 ms
    17 10.2.28.1 0.319 ms 0.325 ms 0.339 ms
    18 10.2.28.1 0.326 ms 0.331 ms 0.333 ms
    But, I can ping the virtual ip 10.2.28.1 (pfsense) to my zeroshell (foo 10.2.28.2) looks like good:
    PING 10.2.28.2 (10.2.28.2) from 10.2.28.1: 56 data bytes
    64 bytes from 10.2.28.2: icmp_seq=0 ttl=64 time=26.396 ms
    64 bytes from 10.2.28.2: icmp_seq=1 ttl=64 time=26.548 ms
    64 bytes from 10.2.28.2: icmp_seq=2 ttl=64 time=26.466 ms
    --- 10.2.28.2 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 26.396/26.470/26.548/0.062 ms
    Does anyone have any idea what I missed? BR
  • OpenVPN secure relay - redirect all traffic?

    1
    0 Votes
    1 Posts
    203 Views
    No one has replied
  • SitetoSite VPN Behind Existing Router

    14
    0 Votes
    14 Posts
    1k Views
    johnpoz
    Huh?? What? Your wan will be connected to isp router... Your lan will be connected to your lan side switches.. pfsense is now the new gateway for all your lan devices. Yeah your tunnel network can not overlap with your lan networks on either site.
  • 0 Votes
    3 Posts
    393 Views
    Z
    Yes TLS is configured. I disabled it and created a new profile, and the issue replicates. But here is something I am still having trouble figuring out. There is only one local account in the pfSense. In my team, I am the only one able to authenticate and ping/or connect to internal resources. Everyone else can only authenticate, but can't ping anything or access any internal resources. We all are using LDAP authentication.
  • Restrict access while maintaining OpenVPN connectivity

    3
    0 Votes
    3 Posts
    426 Views
    C
    Sorry for the delayed response, I've been away. We have a LAN behind a Netgate SG-1000. We access this LAN remotely via OpenVPN which has been set up using the OpenVPN wizard. I believe this is a pretty simple, straightforward implementation. The OpenVPN interface has no restrictions placed on it, there are no firewall rules other than the default open to all. The LAN interface has the following firewall rules:
    IPv4 Default allow LAN to any rule
    IPv6 Default allow LAN to any rule
    allow Ping
    I am required by PCI to restrict the LAN access to only select IP addresses. As soon as I disable IPv4 allow LAN to any, I am unable to ssh into the LAN via OpenVPN. I can ping the LAN IP, and if I am already connected I do not lose my connection. Any guidance is appreciated.