Already done this on the SITE2 (VPN Client) but still no working [image: 1595282143051-capture1.png]

Addendum: you could try running your script with the up, up-restart etc hooks. Perhaps that also needs script-security 2 to be enabled, I'm a bit vague on that :) But if it does, it will say so in the logs. The up trigger keyword in your client config should run your script with info like <scriptname> OpenVPN 1 1500 1553 <IP> <mask> init You don't have the same sort of variables at your disposal as on the server side though. Check https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4 for the exact ones :) (search for bytes_received for examples)

Got it, thanks for all the help!

@JKnott @netblues - thank you so much for jumping in The issue I had was basically that I was able to connect from the internet over the vpn to my home network but I was not able to reach any LAN devices by using their hostname, only IP. I basically removed the entire OpenVPN setup and started from scratch (also since I in the meantime moved to a dual WAN setup). I also updated the firmware of my SG-3100. Now everything works as expected - perhaps something was wrong in my config (I reconfigured using the Wizard) or perhaps the reboot of the pfSense box did the trick... I truly don’t know... But I’m happy it works now!

@JeGr yes my goal was if PIA goes down no traffic leaves my network. I used the settings pia gave me and it works, I have tested it a few times. Also I have added it port 1194 not to be block so pia can reconnect and I blocked any rougue DNS service from running.

@ThreeEyedFish said in Can't connect Ipad Pro to OpenVPN. How do I troubleshoot?: Hi, your iPad (actually, the VPN App) is telling you that XXX.XXX.XXX:1396 doesn't reply. Your OpenVPN server on pfSense tells you : no one is connecting right now. Do you have a firewall rule on your WAN that permits incoming connections "from everywhere" to port 1139, using protocol UDP ? Do you have a router in front of your pfSense ? In that case, the same firewall rule (NAT rule this time) should be placed on this router. Btw : the OpenVPN server log lines you showed are traces of the GUI questioning the OpenVPN server for connections every 60 seconds.

@robpur There is no reason for the one export method not to work versus the other. Most probably some typo.. Anyway if it works...

https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html -Rico

Thank you, johnpoz. I screwed up with the OpenVPN IP address. I will replace the Untangle router with the pfsense SG-3100. Thanks for your help.

I always use AES-256-GCM. You don‘t need to export Certs again, but the client Config need to match the cipher. -Rico

@arndtw said in Connect Snom Phone with openVPN: Openvpn Log shows TLS Error: TLS key negotiation failed to occur within 60 seconds Mostly when you get this, the client can't basically access the server on the given port and protocol. So ensure that the clients packets are arriving on the servers public side interface. You can use Diagnostic > Packet capture for investigation.

Also that's on OpenVPNs roadmap: We are moving to MSI installers in OpenVPN 2.5, but OpenVPN 2.4.x will remain NSIS-only. https://openvpn.net/community-downloads/ Also I'd handle rollout of OpenVPN client on clients separate from client configuration, at it's easier to automate the client config and so no one needs nested-exe-installations to install the client and config afterwards. Client config IMHO can be automated pretty good and you can more easily roll out newer versions/updates of OVPN client that way, too.

I'd use the official documentation, there is a lot of really good stuff around for Remote Access VPNs. https://docs.netgate.com/pfsense/en/latest/book/openvpn/using-the-openvpn-server-wizard-for-remote-access.html https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/openvpn-remote-access-server.html https://www.netgate.com/resources/videos/remote-access-vpns-on-pfsense.html https://www.netgate.com/resources/videos/remote-access-vpns-on-pfsense-part-2.html -Rico

@JeGr Thanks. I have a user access vpn on the "server" side now and was thinking of putting the same on the "client" side as well for traveling didn't have to connect to A to get to B. I will be traveling to the other site tomorrow to finish the setup. Thanks all for the info

@yanafig You welcome

@Strive2Learn said in OpenVPN Credentials Manual Console Input During PFSense Bootup?: creating a rule for Amazon to not go through the VPN! GLWT

@JeGr Thanks a lot! I'll be trying.