@mucip said in Site to Site and Server-Client VPN in same Pfsense?:

very helpfull drawing

Your more than welcome - yeah if more people would post up drawings right off the bat, stuff would go some much quicker in figuring out the issues..

I always like to have a drawing - even if just for reference on what trying to accomplish.. It helps to make sure everyone on the same page if you will ;)

@bob-dig said in unable to access surfshark via openvpn:

@vjer2021 First it is SHA512 not SHA-3 512.

low and behold, that solved. it. thank you Bob. You're a gentleman and a scholar. and curse my eyesight.

@fairy Examining how your computer connects to your VPN can help you determine why and where the connection is slowing down.

@daddygo Here some graphs/data from both 2.5.2 and 2.4.5. When comparing the graphs/data, I get the impression that 2.4.5 is having more packet loss than 2.5.2. Though I am experiencing the issues with 2.5.2...

2.5.2
5ef6e721-7a8e-42f7-bbb7-20a3878c42bb-image.png
a930d908-f554-48fd-a85e-9edf174a5b75-image.png
804c04a6-13ea-4ffd-beac-644d9f8e40bc-image.png

2.4.5
422b2049-92e1-47d0-8c79-6286c3d6fd2a-image.png
1bb10ef0-2592-49fe-bf90-c9e34e00848c-image.png
d889a390-04dc-4397-a94b-dc5c1e3a852a-image.png

So these graphs/data do not point me into a direction as where the cause could be. Or am I overlooking something?

@jamantus Thanks agree - I have added on server and client side, and re-exported.
Can confirm config ovpn now shows "reneg-sec 0"
See how it goes now! Cheers mate.

@chrischambers
Yes, if you want to policy route the traffic from certain devices through the vpn, you should have this option checked on both.

You can also start / stop the client services on the OpenVPN status page when you have both enabled.

@stewart said in Email Notification - OpenVPN Client Connect (Common Name):

@psp

Have you had a chance to test out the scripts? Any feedback?

Sure! I only changed the timestamp to use H24 notation. No issues so far:

2021-10-12_225319.png

@johnpoz yes, I have it there. Just curious if I'm the only one with this (little) problem.

@droidus
Check the system and OpenVPN log for hints.

@marvosa here are my screenshots.
Firewall Rules - NAT - Port Forward.png

Firewall Rules - Floating.png

Firewall Rules - WAN.png

Firewall Rules - LAN.png

Firewall Rules - WLAN.png

Firewall Rules - OpenVPN.png

Update: it seems that when PPPOE goes down, OpenVPN service start listening on an ip alias of my WAN interface and not on the main address.
After the service restart, it correctly goes listening on the main ip address.

Any tips how to avoid this?

All is working now, I had to add a firewall rule to allow ICMP, and then obviously TCP/UDP traffic too.

I was confused because the VPN subnet said 172.16.100.0/28 but I was getting an IP of .18 for some reason, but none the less it still works.

Thanks anyway all sorted now.

I don't know what changed (aside from me opening this topic), but suddenly it is working now...

@johnpoz Many Thanks.

@viragomann I tried disabling the port-forward rule but the connection didn't drop at all. Maybe I need to kill the states on the firewall but can't do that during production hours without disruption. I haven't actually disconnected the primary WAN either. I suppose I could try that after hours for a real test. I'm adding 2FA to our VPN connections so this is the perfect time to make the connections more robust with failover as well.

@jfassad Thanks a lot for the info. I'll give it a shot!

@thisisbenwoo

Do you have a Firewall -> NAT -> Outbound rule for your VPN Network?

Mine looks like this:

Screen Shot 2021-10-05 at 9.21.56 AM.png

@gremblin Hi, I'm sorry I can't help. But I don't have this setup in pfSense any longer.

@jarlel adding a me too

@petr I am having the same issue. I also have an OpenVPN client that is using the failover WAN interface. My failover WAN is a 4G modem that I pay for the data I use on, so I want to limit the devices that can use this interface. All the rules seem to work fine except that the VPN connects and devices that use that VPN can still access the internet and tank my data plan. Did you ever find a solution to this?

@gwizzle What solved the problem? there is still no checkbox for nopool ?

@viragomann said in TLS ERROR with pfsense 2.5.2:

@hardousse
Looks like the client are not able to access the pfSense WAN.

Do you have a public WAN IP? Not a CGN.

Do you have WAN firewall in place allowing the VPN packets?

Ensure that the packets arrive on your WAN. Use the packet capture tool from the Diagnostic menu to investigate.

thank you for help yes its public ip and my firewall blocked the traffic i reinstall all and now everything working.
Best reagrds

@viragomann , first, thanks again for your help and support on this.
for all and benefit of the forum :

Took me a long time to figure out , as there was several issues ,
I bypass all tests done going to outcome
1 - my hardware was not strong enough : changes where not applied properly all the time - > this is why I had non consistent behaviors ( I set manually the "Firewall Maximum Table Entries", so apparently no error, but all changes were not applied)
Solution to this 1st point : ordered a new box ( that's why it took some time to get it from china ... )

2 - I had duplicate ranges in my IP's ( the one assigned by VPN was another one as well on another link of my FW )

Having solved these 2, I have the VPN connection created, stable with a GW defined.
In the meantime, I have in the new box a wifi connection, that I 'm gonna use as fail-over solution. I will be able to make tests unlink from the VPN, and see if now I encounter the same problems

Thanks

@ralienpp said in Communication between clients from different OpenVPN networks:

Is such a setup supposed to work, in principle? What troubleshooting methods can I use to understand the root cause of the problem?

Your issue is strictly routing. The fact that VPNs are used is relevant, as when up, they simply provide an IP connection.

So, check your routes and make sure the various devices can find a route, either via default route or specific routes.

@knothing said in How to use multiple WANs to make fater peer-to-peer connection?:

LAGG

Suppos I have created LAGG interface. What next?

@graeme-thomas said in Telnet to host via VPN not working:

It seems like the vpn is not allowing icmp or telnet to route.

Use Packet Capture or Wireshark to see how far the packets are getting and whether you're getting a response. For example, you could run Packet Capture on the pfsense end of the VPN to see if the packets get that far. However, I can assure you that OpenVPN passes pings as I have done that many times. If your pings aren't getting through, then you likely have some rule issue.

BTW: That Package Manager message is a general footnote/explanation:

package_manager.png

-Rico

Ok, Then this is as clear as it gets :

@gertjan said in OpenVPN will not connect:

TLS Error: TLS handshake failed

means : This :

cc3c65c4-515a-4d7b-942a-70bce8617643-image.png

or, more specific : one or more items in this list (marked with a red cross ) :

3492f3a5-889b-4025-8f9f-5d95e8e77358-image.png

doesn't correspond with the OPVN client file (OpenVPN client settings).

The server disagrees with the client.
The servers throws out an 'error' : TLS Error: TLS handshake failed.

edit : and before you think : "why does this happen to me ?"
The answer is a solid : "go talk with the admin".
We all see this error ones in a while. Rarely, it works 'right away'.
( at least, it never did for me ;) )

What I normally do :
I compare the config file of the server and the client. These are small text files. Easy to read.
This is the old fashioned way of making to devices talk to each other : compare their settings on both sides - using a paper and pencil.

Btw : also compare your OpenVPN server version number - and the OpenVPN client version number. If they differ, you also have to read the OpenVPN doc of both version, that is, the details of all the settings used. You're good for a visit at openvpn.org - the section 'manual'.

Just you know an OpenVPN setup can be activated in less then 8 minutes : do this https://www.youtube.com/watch?v=jQHqPq7ftz4 ;)

@viragomann That fixed the problem, thank you very much!
It looks like only VPNUnlimited has this issue, PureVPN and VPNSecure do not require to select "Don't pull routes"

@lesquestionsdetoto Hi, any idea ?

@stephenw10 said in I need to restart the OVPN tunnels after a pfSense reboot:

Does the client get the correct routes?
Do you see blocked traffic?

@jimp I will try, thanks you!