• 10 Votes
    23 Posts
    26k Views
    GertjanG
    @Bambos said in HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection: for the remote access VPN, if it is SSL/TLS + User auth, does this work with freeradius as well? I'm using FreeRadius myself for the captive portal. Never tried to do this ... You probably also want to see this one: FreeRadius on pfSense software for Two Factor Authentication, although I presume that article was written for those who wanted to "why do things the easy way if much harder is so much better ?" @Bambos said in HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection: i have many 2.6 versions clients to upgrade Keep in mind that 2.6.0 uses the "old" (now completely ditched because of security) OpenVPN (and now also old OpenSSL !!) libraries. The recent pfSense uses the more modern OpenVPN and OpenSSL. All this means that some options won't work anymore. Some more options will work, but will be deprecated soon (as usual). I use OpenVPN myself, so I always have a look at the "source": web pages like this and the classic openvpn support forum. The OpenVPN client also changed to support the newer OpenVPN server. And yes, I agree, syncing the entire openvpn user fleet can be a hassle.
  • Scaling OpenVPN (and VPNs in general)

    Pinned
    12
    6 Votes
    12 Posts
    14k Views
    M
    I have discovered that OpenVPN implementation in PFsense is slow even without ciphering data, look at my post: link text
  • OpenVPN Documentation

    Pinned Locked
    1
    0 Votes
    1 Posts
    36k Views
    No one has replied
  • 0 Votes
    15 Posts
    1k Views
    N
    @viragomann Can you possibly elaborate on this? A floating rule on the client pf? both instances? (active and stby?)
  • Installing Openvpn package

    6
    0 Votes
    6 Posts
    94 Views
    GertjanG
    @hossazaw said in Installing Openvpn package: I found the url on gpt and also searched for the package in the website but with no luck pfSense has its own 'package servers url' built in. Like Windows: no need to specify where to look for updates, Windows knows how to call home. Beware: if you found that url, you can't use it with a web browser. It's a package server, not a web server. @hossazaw said in Installing Openvpn package: Whenever I tried to install the package from Webgui, it says "Please wait while the update system initializes" and nothing happens. A possible reason, and by far the most obvious one: DNS is broken. The code (script) used to request the package list is somewhat resilient, and won't take no for an answer that quickly, and will stay in memory for some time, trying many times. It could be a non local temporary DNS issue after all. All this time, only one instance of this script is allowed, subsequent requests from your (GUI) side will get "Please wait while the update system initializes" as an answer. If DNS couldn't be used by the update script, because it (for pfSense itself) doesn't work, it can take quite a while before it times out. Subsequent requests will also fail. To see better what actually happens: use the SSH or console access, option 8. Start by reading this one: Troubleshooting Upgrades.
  • Openvpn traffic not counted in interface statistics

    1
    0 Votes
    1 Posts
    28 Views
    No one has replied
  • pfSense OpenVPN Site-to-Site

    3
    0 Votes
    3 Posts
    186 Views
    B
    Problem has been solved. I rented a virtual server, with static public IP and everything is working as it should be. As far as I understand, ISP is blocking certain traffic, despite forwarding openvpn ports in their modem.
  • Looking for guide to route LAN traffic through VPN by port

    4
    0 Votes
    4 Posts
    337 Views
    Bob.DigB
    @david283 You just change the rule to source any and set the corresponding destination ports to your liking. It is very simple if you ask me. Maybe show your rule if you still need help.
  • 0 Votes
    1 Posts
    117 Views
    No one has replied
  • OPENVPN DCO pfsense 25.07.1

    10
    0 Votes
    10 Posts
    665 Views
    yon 0Y
    @Antibiotic said in OPENVPN DCO pfsense 25.07.1: @yon-0 If you ever connect to older OpenVPN servers (e.g., 2.4.0–2.4.4), you’ll need to disable DCO on your client to fall back to DATA_V1: The DATA_V2 format in OpenVPN is a streamlined, secure packet structure designed for use with AEAD ciphers (like AES-GCM or ChaCha20-Poly1305) and Data Channel Offload (DCO). It replaces the older DATA_V1 format and is required for kernel-level acceleration and modern encryption. When OpenVPN prepares a DATA_V2 packet: It selects an AEAD cipher Generates a Packet ID (used as part of the nonce) Encrypts the payload and attaches the Auth Tag Sends the packet with Opcode, Peer-ID, and encrypted content No IV or HMAC is needed — AEAD handles it all internally. Generates a Packet ID (used as part of the nonce) Sends the packet with Opcode, Peer-ID, and encrypted content how do it?
  • Update Tunnel Connected

    6
    0 Votes
    6 Posts
    493 Views
    GertjanG
    @DenverDesktopsSupport said in Update Tunnel Connected: 99281-pfSense-2-5-Setup-with-NordVPN Using pfSense 2.5 today is already a huge security issue, and probably impossible as the OpenVPN client from back then will not connect to the Nord OpenVPN server anyway. The pfSense OpenVPN Client GUI page also changed ... The documentation does mention the creation of a policy routing so all outgoing traffic goes over the NordVPN connection. After all, when a VPN connection is created, pfSense suddenly has two outgoing network interfaces so it might be necessary to inform pfSense what traffic needs to use what interface : WAN or VPN ....
  • 0 Votes
    1 Posts
    201 Views
    No one has replied
  • OpenVPN - Nord/SurfShark/Proton

    8
    0 Votes
    8 Posts
    561 Views
    DenverDesktopsSupportD
    I am following the Nord's instructions on this step which shows the webconfigurator. https://support.nordvpn.com/hc/en-us/articles/20382523899281-pfSense-2-5-Setup-with-NordVPN
  • VPN Site to Site + OpenVPN

    6
    0 Votes
    6 Posts
    562 Views
    chpalmerC
    @marcos.voliveiraj said in VPN Site to Site + OpenVPN: Here are the head office routes Very sorry.. I have been away for a couple of weeks. Did you get this figured out?
  • I need BF-CBC

    4
    0 Votes
    4 Posts
    521 Views
    GertjanG
    @ipguy said in I need BF-CBC: https://forums.openvpn.net/viewtopic.php?t=35809#p111709 These openvpn options : providers legacy default data-ciphers-fallback BF-CBC compat-mode 2.3.18 check if they still exist in the version used by pfSense. First: check the OpenVPN version used by pfSense. Then, with that version number, look them up in the openvpn user manual. If it's the case, then use them here: for example, I use the option status /var/log/openvpn.status; status-version 1; for my own needs. When you have saved these options, check how OpenVPN starts up (the logs) and see if it doesn't scream with errors. Also check the openvpn config file (the one created with the GUI parameters) for consistency. You can find the file here: /var/etc/openvpn/server1/ and look for the file "config.ovpn". It's an ordinary text file. Don't (bother) edit(ing) this file as it is auto generated by the GUI.
  • I'm just missing a bit, can you help?

    3
    0 Votes
    3 Posts
    117 Views
    A
    Thanks but I'm afraid to say I've had a conversation with chatgpt about it and it didn't take long to find the solution, firstly as you suggested I bound to any interface, then created a dedicated firewall rule in the LAN interface. Then got Connection Attempt write UDPv4: No route to host (fd=6,code=65) in OpenVPN logs, which again chatgpt advised creating a default gateway route back to the UDM in System/Routing. Hope this helps someone else in the future.
  • Streaming through VPN and randomly stops

    1
    0 Votes
    1 Posts
    233 Views
    No one has replied
  • 0 Votes
    2 Posts
    434 Views
    J
    I made a mistake in my config: for the local network in the VPN config I entered 192.168.0.1/24 and it should have been 192.168.0.0/24
  • OVPN & Google search results showing wrong location

    1
    0 Votes
    1 Posts
    93 Views
    No one has replied
  • How to NAT a WAN port to a SIteToSite Lan Address

    2
    0 Votes
    2 Posts
    442 Views
    V
    @labu73 The sentence in bold letters is still the essential message to get this work.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.