@stephenw10 I feel dumb, I should've thought of only opening it during an upgrade procedure. Good idea. 👍

@troubleshooting74

865e91ae-2931-4faf-a302-c24e1724e58a-image.png

User : auser
Password (twice) auser
I made this user member of the OpenVPN group
Checked : Certicate, gave it a description 'auser'

And save.

This user called 'auser' is now usable on the VPN Client Export page.

If not, it's time to explain your setup.

@gwaitsi said in Express VPN Received control message: AUTH_FAILED:

unable to get certificate CR

CRL missing, or not accessible, isn't a big deal in this case.
See for example unable to get certificate crl

If something happens to the certificate emitted by expressvpn, they would remove it message or warning, and force you to update your connection settings.
There is no such thing as : expressvpn let you use their generated certs, but starts to list them on a revocation list. That not needed in this usage case.
I've these same two warnings.

@stationeleven

You've shown the "WAN" and "OpenVPN" firewall rules.
Both WAN and OpenVPN show that there is/was incoming traffic. That's a good sign.

@stationeleven said in RDP to Local LAN desktop - Unable to find:

(I've confirmed on my regular wifi network, I can RDP)

No further info, so I presume from now on : from your regular wifi you have the same network, both for the laptop and the PC tower where you 'RDP' to.

The info you're probably missing is this :
The RDP server process on Tower PC only accepts connections from it's own (= pfSense LAN) network.
So, if your PC Tower has 192.168.1.x, it will only accept, by default, connection from the 192.168.1.x/24 range. That's a security "better safe then sorry" default setting.
When you connect from VPN, your laptop will have, as said : 192.168.11.2
So your power PC will refuse that.
Remember : that device has also a firewall !

Solution : modify the firewall on the Tower PC so it also accepts connections from 192.168.11.0/24 also (clean solution) - or do what most do : have it accept connection from 'everybody' (dirty solution).

@pfchangs77

Thats exactly what it was. The routes. IPv4 Settings >> Routes >> ADD - 192.168.1.xxx (address of item) , netmask 192.xxx.etc, gateway 192.xxx.etc, metric XX then select "Use this connection only for resources in network" and it works fine. I'm posting this for others. Hopefully it will help.

Can mark this post solved.

@gizmobrat said in OpenVPN Remote users are able to access Router but not hosts on local network:

@viragomann
When pinging from the OpenVPN Interface I get 100% packet loss. So will this be a firewall or a routing error?

I suspect, it is. But on the server side. Either the destination device blocks the ping or it routes responses to anywhere else than back to pfSense.
Are you sure it has pfSense set as default gateway?

Secondly under Interfaces/Interface Groups I am seeing no groups.

You can see custom groups only there. OpenVPN is implicitly added by pfSense.
But that shouldn't matter so far.
You wouldn't need to assign an interface to the server for your purposes. It's only needed for policy routing or alike.

@viragomann Awesome Solution :), thanks

This is a follow-up:

Earlier on I did remove 10.0.0.0/24 from the IPv4 Local Networks but I was still getting the error so I thought that did not fix it. I had in the Custom options the following command

push "redirect-gateway def1 block-local"

I removed this and now I am not getting the message so I cannot send you the log now because it is fixed, but it turns out your were right. So the 3 things that can cause this error

when Redirect IPv4 Gateway is enabled there is an entry in the hidden field IPv4 Local network(s) you have enabled Redirect IPv6 Gateway but do not have IPv6 enabled overriding the redirect-gateway in Custom Options

This is an old log:

Sat Mar 18 18:08:16 2023 OpenVPN 2.5.8 [git:none/0357ceb877687faa] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 2 2022 Sat Mar 18 18:08:16 2023 Windows version 10.0 (Windows 10 or greater) 64bit Sat Mar 18 18:08:16 2023 library versions: OpenSSL 1.1.1s 1 Nov 2022, LZO 2.10 Sat Mar 18 18:08:18 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]123.123.123.123:2727 Sat Mar 18 18:08:18 2023 UDPv4 link local: (not bound) Sat Mar 18 18:08:18 2023 UDPv4 link remote: [AF_INET]123.123.123.123:2727 Sat Mar 18 18:08:18 2023 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Sat Mar 18 18:08:19 2023 [pfSense Server Certificate] Peer Connection Initiated with [AF_INET]123.123.123.123:2727 Sat Mar 18 18:08:19 2023 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results Sat Mar 18 18:08:19 2023 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results Sat Mar 18 18:08:19 2023 open_tun Sat Mar 18 18:08:19 2023 tap-windows6 device [OpenVPN TAP-Windows6] opened Sat Mar 18 18:08:19 2023 Set TAP-Windows TUN subnet mode network/local/netmask = 10.217.1.0/10.217.1.2/255.255.255.0 [SUCCEEDED] Sat Mar 18 18:08:19 2023 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.217.1.2/255.255.255.0 on interface {39A232AE-AE2D-4EFC-9BCD-7159D7CFE9B1} [DHCP-serv: 10.217.1.0, lease-time: 31536000] Sat Mar 18 18:08:19 2023 Successful ARP Flush on interface [7] {39A232AE-AE2D-4EFC-9BCD-7159D7CFE9B1} Sat Mar 18 18:08:19 2023 IPv4 MTU set to 1500 on interface 7 using service Sat Mar 18 18:08:20 2023 Blocking outside dns using service succeeded. Sat Mar 18 18:08:25 2023 WARNING: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for OpenVPN TAP-Windows6, therefore the route installation may fail or may not work as expected. Sat Mar 18 18:08:25 2023 add_route_ipv6(::/3 -> :: metric -1) dev OpenVPN TAP-Windows6 Sat Mar 18 18:08:25 2023 add_route_ipv6(2000::/4 -> :: metric -1) dev OpenVPN TAP-Windows6 Sat Mar 18 18:08:25 2023 add_route_ipv6(2727::/4 -> :: metric -1) dev OpenVPN TAP-Windows6 Sat Mar 18 18:08:25 2023 add_route_ipv6(fc00::/7 -> :: metric -1) dev OpenVPN TAP-Windows6 Sat Mar 18 18:08:25 2023 Initialization Sequence Completed Sat Mar 18 18:08:25 2023 Register_dns request sent to the service

@viragomann I have fixed it!

I reconfigured the tunnel to be /30 (the error I was getting before was that 'allow duplicate connections' was enabled, and it failed to start due to this). I can now communicate between Site A and Site B.

Thank you for your patience whilst I troubleshooted this.

@edigest2 said in OpenVPN client to remote machine through pfSense, with reverse traffic/routing allowed when connected:

Should I configure the PFSENSE in peer to peer SSL/TLS mode? What parameters should I configure?

Yes, if you only need this one client to connect to the OpenVPN server, the easiest way is to set the tunnel mask to /30. This ensures, that the client get a static IP, which you can use to access it.

Then enter the main servers IP into the "Local Networks" field in CIDR notation (172.19.2.10/32). This pushes to route to the client.

Since the tunnel and the routes are pushed by the server, there is no need for special settings in the client config.
If the tunnel network is, say 10.0.8.0/30, the client gets 10.0.8.2. You can use this IP on the main server to access it.
Ensure that the clients Windows firewall allows access from the remote network.

@viragomann 3bb08830-9c77-47da-8bff-64b381fe225c-image.png

Not enabled ;(

@tbaror Just to add to this post that i configured client from another system to connect to the same server used it on CE ver 2.6 and works flawlessly
so i start to assume there is issue with current 23.01 or i missed extra step on this version
Please advice
Thanks

@viragomann

Please see firewall rules below from site B:

OpenVPN:
0e6387dd-1d86-458f-af8a-be16d6461f65-image.png

Tunnel Interface:
300f4805-9271-46a7-8ede-1601f50246e7-image.png

LAN:
044a0fd5-029b-48ac-af81-7eb97f75b868-image.png

Thanks
Dan

@viragomann
Now I'm there. Thank you so much. I followed the wizard and the guide on the Netgate website to configure this. From this I determined that the 'Redirect gateway' (Force all client-generated IPv4 traffic through the tunnel) was a requirement to ensure that the OpenVPN remote clients would present the internet IP address of the main site. Now I've unchecked that box, it all makes perfect sense.
Thank you very much for your patience and sticking with me. I knew it was likely something small that I had wrongly configured. Turns out it was a checkbox and as a result, I never actually saw the IPv4 Local network(s) option.
It all makes sense now. I should of led with the pictures.

Thank you kindly for all your help,

I.T._Lee

@i-t-_lee Thanks. I actually switched to pfSense around 3 years ago because of his channel. I also switched to Unifi switches and AP's because of him. I did follow the nguvu guide because I'd rather be reading than pause-playing a video on YT, but you're right, his channel is a great resource.

@viragomann
Yep, that did it. Thank you!

@viragomann your idea worked. So this is the steps that I took for anyone else trying to do a similar setup.

Disabled DHCP Server on LAN network Set LAN Interface to DHCP (Save but not applied) Whet to interface assignment and set WAN to a VLAN on parent Interface (10 in my example) Set LAN to parent interface LAN rules were configured for any any but make sure yours are too Made sure all outbound NAT rules were configured for LAN and Not WAN (That way upstream router in unaware of pfSense network) In Open VPN server I checked the box for Provide a DNS Server list to Clients. Force all Client-generated IPv4/IPv6 was already checked but make sure yours is checked to force all traffic through VPN.

That's it. Other than that, OpenVPN is setup like normal. Now I will configure Wiregaurd as a VPN option too for speed.
Thanks to @Gertjan @viragomann for your help. Glad to see that this can be done. Makes it easy to add Remote connections to send to folks.

@sami-mkaddem How do I mark this post as solved?

@viragomann

Both endpoints are running on Verizon Fios. I'll see if can get put in a ticket with Verizon.

@jimp I did also find this but it appears dead. https://redmine.pfsense.org/issues/9970

Thanks btw.

Yup. Changing it to "shared key" seems to have worked. That's bananas! All the systems I was comparing to were also 23.01 and were using peer to peer (SSL/TLS). These are all 7100 1U appliances in HA configuration. Anyway, it's now working and I met my deadline so I'm going to take a break. If anyone has any ideas why share key worked but ssl/tls didn't, I'd love to hear it.

@viragomann
I thought it might create an instance in Firewall Rules when I was connected via the VPN, but when I connect via my home network there are still 2 Open VPN interfaces In the Firewall Rules. When I look at the Status Interface page, as well as my Interface Assignments page, I have only one Open VPN interface.

@dweimer

When you change OpenVPN server settings, you have to re export the OpenVPN client file.
You've done that, right ?

@dbass A public IP can only be used once. If you use NAT then LAN gets a private IP range, and you need NAT port forwarding rules to connect to the server on LAN.

If the server actually needs a public IP then you need to get another IP range from the ISP so they can route the public IP to you.
https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html

@viragomann Thanks so much for your help, I've just done this and its now all working as it should.

@gertjan
The administrator of the server decided to change something based on my log dumps, and now the connection just works at the first attempt.

Thank you everyone for your help. The only thing I had to change was the syntax of the remote line as mentioned by @viragomann, then the import worked just fine.

@rubens-fontes for dns use 172.16.0.2 , x.x.x.2 is amazons DNS. I usually attach a send Network interface (on the private subnet) to the pfsense and then add that as LAN

Regarding the time difference, it's strange because I've compared both times and they are equal 😲

@viragomann said in How to route LAN traffic thru OVPN:

@ispasoiumircea
In the outbound NAT rule the source has to be your LAN, so 192.168.15.0/24 presumably.

Consider that the policy routing rule on LAN directs all matching packets to the OpenVPN server. Hence it doesn't allow access to any internal destinations like DNS from this device.
This can be done, but you need to use a DNS server on the concerned machine, which is accessible over the VPN. If there is any, you can simply forward DNS requests with a port forwarding rule on pfSense and need nothing to change on the device itself.
Otherwise add an additional rule to pass internal traffic above of the policy routing rule.

The rule on the OpenVPN is only needed for inbound traffic. But I guess, you don't want any, so you can remove it.

Hello,

Thank you. Its worked just adding outbound NAT rule from LAN to VPN.

Good day,