  • Can't make PIA work on pfSense (been trying all month!)

    1
    0 Votes
    1 Posts
    285 Views
    No one has replied
  • Maximum option line length (256) exceeded

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • download (355kbps) vs upload speeds (100+ mbps)

    1
    0 Votes
    1 Posts
    182 Views
    No one has replied
  • Best method to update pfSense OpenVPN Clients

    7
    0 Votes
    7 Posts
    2k Views
    johnpozJ
    @jimp said in Best method to update pfSense OpenVPN Clients: that's up to the remote client system administrator, not the firewall. Could not agree more! What software, and upgrades to said software of users' systems would and should be managed by that system. If you're trying to pull that info from your firewall - you're doing it wrong ;) How are you making sure their antivirus is up to date? What about their OS and patches? Software xyz they use to do their jobs, etc. Same system you use to manage that would also be used to manage their VPN client software. If you're a small shop, maybe you're the only IT guy - I would look how to best monitor your remote devices' software and settings, and then leverage that to manage the version of VPN software on the box. Are you a MS shop? If so this is very common https://en.wikipedia.org/wiki/Microsoft_System_Center_Configuration_Manager
  • OpenVPN ActiveDirectory and Windows certificates

    1
    0 Votes
    1 Posts
    160 Views
    No one has replied
  • OpenVPN Configuration

    8
    0 Votes
    8 Posts
    704 Views
    RicoR
    Packet capture the pfSense WAN Interface to check if the OpenVPN traffic even hit pfSense or not. Your problem could be completely upstream (ISP related), you should check this first. -Rico
  • OpenVPN Client Cascade

    Moved
    48
    0 Votes
    48 Posts
    6k Views
    J
    B Configuration for an automatic cascade start. Original configuration can be found here: https://github.com/ddowse/pf-tunnelactive
    1 Interface Configuration (OpenVPN Client)
    Select "any" as interface in the OpenVPN client. Only at the last hop "wan" interface remains. Activate "Don't add/remove routes" everywhere except in the OpenVPN client that goes online. Add the following line to "Custom options" and change the IP for "NEXT_VPNSERVER_IP":
    route-up "/root/pf-tunnelactive/addroute.sh NEXT_VPNSERVER_IP"
    Example configuration:
    VPN1: "Don't add/remove routes" Custom options: route-up command not necessary
    VPN2: "Don't add/remove routes" Custom options: route-up "/root/pf-tunnelactive/addroute.sh 85.17.28.145"
    VPN3: "Don't add/remove routes" Custom options: route-up "/root/pf-tunnelactive/addroute.sh 82.199.134.162"
    Make sure that first all OpenVPN clients are running correctly (Status/OpenVPN). Please note that Firewall Rules are strictly optional but of course NAT Rules are mandatory.
    2 Firewall Floating Rules
    Create a rule in "Firewall/Rules/Floating"
    o Action: Block
    o Interface: WAN
    o Address Family: IPv4
    o Protocol: Any
    o Source: LAN net (For example: Local Network)
    3 Firewall LAN Rules
    Important: Gateway configuration for LAN rules not necessary!
    4 NAT configuration (Firewall/NAT/Outbound)
    Create a rule for each OpenVPN interface. Last 2 rules are also important
    5 Script configuration
    Follow the steps under "Installation" and "Usage": https://github.com/ddowse/pf-tunnelactive All other steps like restarting OpenVPN clients and monitoring are done by the script.
    6 Optional: Shellcmd Package
    If the script works, you can add this command to Shellscript Package:
    nohup php /root/pf-tunnelactive/tunnelactive.php 10 3 >> /var/log/tunnelactive.log &
    After that the script will be loaded on every restart.
  • OpenVPN with Viscosity connection can’t handle two clients

    4
    0 Votes
    4 Posts
    563 Views
    D
    Just tried it with one client connecting to my home LAN through my neighbor’s WiFi network and this laptop connecting to it through a public xfinitywifi hotspot. Same issue. I wonder, what the interaction between two clients is.
  • pfSense OpenVPN Package Update

    3
    0 Votes
    3 Posts
    488 Views
    N
    Thanks johnpoz. I appreciate it.
  • OpenVPN doesn't log userid when client disconnects

    7
    0 Votes
    7 Posts
    665 Views
    S
    @Gertjan I figured out the php logging to syslog.
  • Pfsense Openvpn with Slackware client

    2
    0 Votes
    2 Posts
    263 Views
    JKnottJ
    @eduardon said in Pfsense Openvpn with Slackware client: Guys, can someone help me, I'm starting to work in the retail business and my contractor uses POS with Slackware, we have a Pfsense with openvpn tap and I need to make the pd's of store 2 talk to store 1, before I entered the company, everything was done with a port redirect and everything was open at the internet, all that is needed is to end the redirects. What do you mean by "pd"? By port redirect, I assume you mean NAT (Network Address Translation).
  • Best Practice for Site-to-Site Multi-VLAN?

    1
    0 Votes
    1 Posts
    195 Views
    No one has replied
  • Beginner: VPN works, but gateway issue (can't route to internet)

    5
    0 Votes
    5 Posts
    518 Views
    S
    @viragomann Thanks, that's the nudge I needed. I was able to figure the rest out and I'm good to go!
  • Site to Site (2.4.4 server and 2.3.5 client)

    3
    0 Votes
    3 Posts
    294 Views
    C
    Thank you, Old 2.3.5 are Alix boxes leftovers from the past, but I would like to give them to WFH employees for site-to-site connections. I would like to know if there is a major incompatibility between 2.4.5 and 2.3.5 for site to site (either OpenVPN or IPSec). best regards
  • OpenVPN multiple site-to-site problem

    16
    0 Votes
    16 Posts
    2k Views
    V
    @M0L50N I suggested above to set the tunnel for A to 192.168.130.32/30 and for B to 192.168.130.36/30. Additionally, I would use a net /30 topology in the server settings. So each client gets its own /30 subnet with an IP for the server and one for the client.
  • Download OpenVPN Serve Config File

    4
    0 Votes
    4 Posts
    371 Views
    johnpozJ
    Another way would be to just copy and paste it out of your ssh client after viewing it with cat. Or you can just sftp to pfsense and download it that way if you're having issues with the scp commands. Filezilla supports sftp
  • Need help troubleshooting: Connection to pfSense OpenVPN no longer works

    11
    0 Votes
    11 Posts
    1k Views
    D
    I was at an event where I ran into NineStar’s CEO and asked him, whether there was someone who could help me, because I had increased suspicion that it was an ISP issue. The following day I got a call from NineStar’s CTO who almost immediately knew what was up. He directed his staff to provide a solution, which is working great. See also my related post. Thank you very much to all of you for helping troubleshoot!
  • Use pfsense together with VPNAREA netflix server

    4
    0 Votes
    4 Posts
    1k Views
    P
    I'd be quite interested to hear if you got this working. I just purchased a dedicated IP through VPNArea and am trying to set up an OpenVPN client for it. Having some trouble. I am waiting to hear back from their tech support on my latest set of questions.
  • Using Netcat (nc) to query OpenVPN management interface

    8
    1 Votes
    8 Posts
    5k Views
    H
    status can be acquired by changing 'restart' to 'status' [root@pfsense.lan]/root: pfSsh.php playback svc status openvpn client 1
  • Possible bug when setting up an OpenVPN client

    1
    0 Votes
    1 Posts
    172 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.