• Generating OpenVPN user certificates from shell

    2
    0 Votes
    2 Posts
    153 Views
    GertjanG
    Hi, did you try option 12? You'll be dealing with some sort of PHP shell scripting. See in the GUI (source) how CAs and certs are generated, and then use those PHP functions to do it 'manually'. It's just an idea. Plan B: use the usual "openssl" commands as usual, and then just use PHP (see option 12) examples of how to store them into the config.xml file so they will be available to the GUI (they show up over there and can get used elsewhere in the GUI).
  • Accessing IPsec an OpenVPN client

    4
    0 Votes
    4 Posts
    391 Views
    M
    @viragomann and @JKnott, thanks for the reply, but I already solved the issue. The problem was wrong firewall rules on the other side of the IPsec tunnel.
  • OpenVPN Export Wizard Using Wrong Root CA Certificate

    5
    0 Votes
    5 Posts
    641 Views
    D
    @Gertjan I am running OpenSSL on my Windows development machine, not using the version on pfSense. I set up my CA long before I owned a NetGate box. I have OpenSSL 1.1.1g 21 Apr 2020, though I've been running my private CA since OpenSSL 1.01. Lots of fixes since 1.0.2. I am using my Root CA cert to sign an Intermediate CA Cert. It is the Intermediate CA Cert that signed the pfSense cert/key.
    Attributes from my pfSense cert:
    Version: V3
    Signature algorithm: SHA512 RSA
    Issuer: (me - I don't think you need these details... but if you do let me know)
    Valid from: Saturday, June 6, 2020 5:21:31 PM
    Valid to: Sunday, August 20, 2023 5:21:31 PM
    Subject: E = (obscured), CN = (the DNS name of my pfSense), O = (me), S = WA, C = US
    Public key: RSA (2048 bits)
    Subject & Authority Key identifier: (let me know if you need these)
    Public key params: 05 00
    Basic Constraints: Subject Type=End Entity, Path Length Constraint=None
    CRL Distribution Points: lists 1 URL on my website
    EKU: Server Authentication (1.3.6.1.5.5.7.3.1), IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
    Netscape Comment: OpenSSL Generated Server Certificate
    Netscape Cert Type: SSL Server Authentication (40)
    Subject Alternative Name: (my external DNS for VPN), (repeat of CN from subject), and 2 IP addresses for the Netgate on my internal network
    Key Usage: Digital Signature, Key Encipherment, Key Agreement (a8)
    Thumbprint: (not clear you need this)
    That should be all you need to try to duplicate. Start with a CA key and a self-signed cert. Then use that to sign an Intermediate cert (these are what I called CA #2 in my post). Then create a key/cert and sign it with the above attributes. Before installing on pfSense, use the GUI to generate a self-signed CA pair (CA #1 in my post). Then create a VPN key and sign it with the pfSense CA pair. Use this signed cert + key for VPN. Export the client, and the router cert should contain the CA #1 cert. Next install the CA #2 onto pfSense.
    I did that as a chained certificate as per the pfSense docs (see: link text). Here is the relevant text from that doc page:
    Importing a Chained or Nested Certificate Authority
    If the CA has been signed by an intermediary and not directly by a root CA, it may be necessary to import both the root and the intermediate CA together in one entry, such as:
    -----BEGIN CERTIFICATE-----
    [Subordinate/Intermediate CA certificate text]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [Root CA certificate text]
    -----END CERTIFICATE-----
    If you would like to save yourself the trouble of creating a CA, post a CSR in PEM format as:
    -----BEGIN CERTIFICATE REQUEST-----
    ... encoded data here ...
    -----END CERTIFICATE REQUEST-----
    ... and I'll sign the key, valid for 30 days, for you to test with. Let me know if you need any more information to try to repro.
  • How to connect to one of the VPN site then access to its other VPN sites?

    10
    0 Votes
    10 Posts
    825 Views
    V
    And why didn't you put all the suggestions into practice or ask how to do it before? You're going to waste our time here, dude! Don't know what's difficult here? Add the access server's tunnel network to the "Remote Networks". As you stated, the access server's tunnel network is 10.0.3.0/24. So the networks given as you stated above:
    @yashiharu said in How to connect to one of the VPN site then access to its other VPN sites?:
    mainSiteA: 192.168.1.0/24 (3 OpenVPN server)
    SiteB: 192.168.0.0/24 (1 OVPN client)
    SiteC: 192.168.2.0/24 (1 OVPN client)
    On site B the "IPv4 Remote Networks" box should contain 192.168.1.0/24,192.168.2.0/24,10.0.3.0/24
    On site C the "IPv4 Remote Networks" box should contain 192.168.1.0/24,192.168.0.0/24,10.0.3.0/24
    That's the magic.
  • Pfsense and vpn

    5
    0 Votes
    5 Posts
    887 Views
    R
    I was mistaken on the log. I assigned a static IP address through the DHCP server but I must have made a mistake. I have now set up the correct IP address for my phone and it's now connecting through the VPN. Thanks a lot for your help!
  • limit a client to a specific ip on server lan

    3
    0 Votes
    3 Posts
    378 Views
    A
    Yes, using the same pfSense as a client, peer to peer, shared key with TLS. You told me what needs to be created but I am lost; is there a tutorial on how to do what you mentioned? Thank you.
  • [SOLVED] OpenVPN do not connect when Authentication + Encryption mode is set

    4
    0 Votes
    4 Posts
    487 Views
    GertjanG
    @ReneMG said in [SOLVED] OpenVPN do not connect when Authentication + Encryption mode is set:
    and then, finally, checking the parameters on the client side and setting the AES-CBC Cipher
    Or use the pfSense openvpn-client-export package so you can export the config based on the current server setup.
  • How to create a shared TLS key for my vpn server

    3
    0 Votes
    3 Posts
    385 Views
    A
    Hi, yes I know. It's a project that I'm working on with the API fauxapi, and how to create a VPN, users and filters via the API.
  • Access both Nodes in HA-Setup via OpenVPN

    2
    0 Votes
    2 Posts
    284 Views
    V
    Tried a web search? The first hit brings the solution: https://docs.netgate.com/pfsense/en/latest/highavailability/troubleshooting-vpn-connectivity-to-a-high-availability-secondary-node.html
  • Test Site to Site VPN before deploying

    26
    0 Votes
    26 Posts
    1k Views
    N
    @JKnott I don't know why, but I couldn't get the router without an internet connection to work. After starting from scratch, creating a pfSense server and pfSense client tethered with the iPhone, everything works. BTW, I can ping in both directions with the iPhone on a pvt network. Thanks for your help, I learned a lot.
  • Port forwarding through site2site OpenVPN

    13
    0 Votes
    13 Posts
    1k Views
    V
    @grateful Thanks for reply. Glad to hear that it works now as it should do.
  • Setting up PIA and routing a single Host through it

    1
    0 Votes
    1 Posts
    193 Views
    No one has replied
  • Strange behaviour OpenVPN config file

    2
    0 Votes
    2 Posts
    269 Views
    RicoR
    Make sure to run the latest pfSense and openvpn-client-export package version. -Rico
  • OpenVPN Client Access External LAN

    4
    0 Votes
    4 Posts
    401 Views
    J
    Hi Rico, tried everything without luck. Within OpenVPN I can access my LAN resources (connected to the pfSense gateway), but I was not able to access resources inside a remote LAN (LAN part of another department not under my administration), and they are not blocking me. I pushed the route and I can see it inside my routing table, but there is no ping or DNS response. Any other idea? Thanks
  • Routing problems for OpenVPN on second instance.

    6
    0 Votes
    6 Posts
    584 Views
    M
    @Brow98n In what scenario am I attempting to set 2 default routes? I am thinking an assumption was made here, probably due to my bad explanation of the problem. When I log in twice with the same user it is from different machines as I would not be able to easily determine which tunnel was broken. I do not have OpenVPN overwrite the default route on the client, I just advertise routes to specific endpoints inside my networks. I do not believe that OpenVPN easily supports a per user route advertisement, AFAIK, it is a function of the OpenVPN instance. In the end, if I can give routes to device list A to user list A and device list B to user list B, that would accomplish my goal of 2 instances, and work around my issues I have on the second instance.
  • OpenVPN clients NATing to ipsec site-to-site

    3
    0 Votes
    3 Posts
    760 Views
    C
    Hi, all the trick resides in the Phase 2 entries and the OpenVPN Remote Networks setup. Let's start with the OpenVPN config. You should configure the OpenVPN Server Tunnel Settings like this:
    [image: 1591261195124-openvpn.png]
    And now let's go for IPsec. I will assume Phase 1 is connecting properly. You should add a new Phase 2 entry for injecting OpenVPN traffic from clients into the IPsec remote network. The final picture will be something like this:
    [image: 1591261660195-ipsec-general.png]
    Just add a new P2 for IPsec traffic:
    [image: 1591262586504-ipsec-p2.png]
    And finally check the rules on the OpenVPN and IPsec interfaces to let traffic flow. Here we have an example of what we have at a customer. There are restrictions on traffic getting through the tunnel to the IPsec remote network:
    [image: 1591262858763-ipsec-rules.png]
    And we have full access from OpenVPN clients:
    [image: 1591262936917-openvpn-rules.png]
    We have all NAT outbound set as default:
    [image: 1591263112624-nat-outbound.png]
    When connected, in Status - IPSEC - Overview you should see something like this:
    [image: 1591263455748-status-ipsec.png]
    When testing the connection, just send a ping from the OpenVPN subnet (you can use your pfSense OpenVPN box IP as source IP) and check on the status page if packets-out increases. If it does, you are injecting OpenVPN traffic through the IPsec tunnel. If there's no response, check the other side's firewall and settings. We had a strong headache with a provider that did not set rules properly on their side. But if there is an increasing Packets-out count, you're sending the traffic properly. Also note that when doing a traceroute from the OpenVPN client subnet you will have a "strange" response. It will be something like this in your case, assuming the remote IPsec gateway public IP address is 203.0.113.10:
    Traza a 192.168.0.15 sobre caminos de 30 saltos como máximo.
    1 7 ms 6 ms 7 ms 172.26.200.1 (pfSense OpenVPN IP address)
    2 79 ms 77 ms 77 ms 203.0.113.10 (IPsec remote gateway public IP)
    3 78 ms 78 ms 77 ms 192.168.0.15 (remote IP)
    That's correct, and traffic is tunnelled inside IPsec. Hope this helps.
  • Accessing OpenVPN Connected Devices

    3
    0 Votes
    3 Posts
    470 Views
    jimpJ
    @paulparisi said in Accessing OpenVPN Connected Devices:
    Is there a better way to do this?
    Probably not. You could hand out addresses via RADIUS but either way it's manually managed.
    Is there a way to have a full DHCP server on the OpenVPN private network?
    Not in any meaningful way. You could bridge the VPN to a local interface with a DHCP/DNS structure, but that has other drawbacks.
  • CSO routes are not being applied

    2
    0 Votes
    2 Posts
    272 Views
    A
    Well, it appears that the pfSense GUI is simply hiding the IPv4 Remote Networks option that I need to set on the main page, since I've selected a "Remote Access" mode. This is somewhat disappointing since that isn't even an OpenVPN "thing", just a pfSense "thing" to determine what GUI options to show and what options to hide. Guess I'm off to file a bug report / feature request to ask that we get a 5th "type" option for OpenVPN servers called "I know what I'm doing, don't hide any options from me." In the meantime, for anyone running into this, I think the only way to address it without having to create a separate server on another port so you can run it as "peer to peer" is to assign an interface to the OpenVPN instance, which you can then use to assign a gateway and a static route in the main pfSense routing configuration. Ugh.
  • OVPN export to iOS fails

    16
    0 Votes
    16 Posts
    1k Views
    GertjanG
    @Rico said in OVPN export to iOS fails:
    Yeah NM, I see Gertjan is also using udp4 in the config like TO.
    You bet it is! I'm actually VPN-ing into work just to get my iPhone 'multistacked' ^^ All this over a UDP IPv4 link, of course.
  • OpenVPN Not Getting DNS Servers

    2
    0 Votes
    2 Posts
    767 Views
    T
    I ended up resolving the issue. I only used the local Windows DNS server for the OpenVPN configuration. Viscosity sets up this loopback to internally handle the DNS itself.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.