• 10 Votes
    23 Posts
    24k Views
    GertjanG

    @Bambos said in HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection:

    for the remote access VPN, if is SSL/TLS + User auth, does this working with freeradius as well ?

    I'm using FreeRadius myself for the captive portal.
    Never tried to do this ... 😊

    You probably want also see this one also : FreeRadius on pfSense software for Two Factor Authentication although I presume that article was written for those who wanted to "why do things the easy way if much harder is so much better ?"

    @Bambos said in HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection:

    i have many 2.6 versions clients to upgrade

    Keep in mind that 2.6.0 uses the "old" (now completly ditched because of security) OpenVPN (and now also old OpenSSL !!) libaries.
    The recent pfSense uses the more modern OpenVPN and OpenSSL.

    All this means that some options won't work anymore.
    Some more options will work, but will be depreciated soon (as usual).
    I Use OpenVPN myself, so I always have a look at the "source" : web pages like this and the classic openvpn support forum.

    The OpenVPN client also changed to support the newer OpenVPN server.

    And yes, I agree, syncing the entire openvpn user fleet can be a hassle.

  • Scaling OpenVPN (and VPNs in general)

    Pinned
    12
    6 Votes
    12 Posts
    13k Views
    M

    I have discovered that OpenVPN implementation in PFsense is slow even without ciphering data, look at my post:
    link text

  • OpenVPN Documentation

    Pinned Locked
    1
    0 Votes
    1 Posts
    36k Views
    No one has replied
  • best way to access home network from anywhere ?

    9
    0 Votes
    9 Posts
    125 Views
    N

    @johnpoz ...good point on the lease time, I would have not thought of that, and wondered why things were not working... Cheers!!

  • NAS use have you tried push "route ????

    1
    0 Votes
    1 Posts
    28 Views
    No one has replied
  • Intermittent packet loss - pfsense 2.8

    2
    0 Votes
    2 Posts
    35 Views
    F

    Well Comcast was the fault - WAN_DCHP gateway ping automatically set to ip address but no response gateway down - only it wasn’t and the straight to isp was working
    Reset to 8.8.8.8 VPN vlan came back

  • 0 Votes
    2 Posts
    379 Views
    V

    @Aadrem said in 🔒 OpenVPN: Allow Internet via WAN IP but Block LAN Access (Hybrid Split/Full Tunnel):

    push "route 0.0.0.0 128.0.0.0";
    push "route 128.0.0.0 128.0.0.0";

    This is the same as checking "redirect gateway".

    This setup behaves like a split tunnel, so the client continues using its local internet connection.

    No, it adds routes to the client for the whole IPv4 range. This is not split tunneling.
    The client will only be able to access devices within his local subnet, but any other traffic will be routed over the VPN, and this is what you need in fact.

    I already have other VPNs configured as full tunnel, so I cannot apply restrictive firewall rules globally, as that might affect those existing VPNs.

    You can restrict the rule for pass traffic to WAN / block local subnets to the clients source IP.

    You can also assign an interface the the respective OpenVPN server. Then you get a firewall rule tab, where you can add rules for this instance only.

    If you only want to allow internet access it's a good advice to create an alias, which includes all private network ranges like this:
    d4dab693-0eb8-4b58-99da-109081f6e881-grafik.png

    Then you can use it as destination in firewall rules, either in a pass rule with "invert match" checked to restrict the rule to non-private networks only, or in a block rule followed by an allow-any rule.

  • Unable to run two instances of OpenVPN

    3
    0 Votes
    3 Posts
    84 Views
    C

    Yes, both are configured to to listen to the wan gateway group, but different ports.

  • Portforword through a VPN client

    5
    0 Votes
    5 Posts
    152 Views
    U

    I've tried doing this a NAT:

    044467cb-9aba-43cd-9478-da27475ebcfe-image.png
    Resolving in no port open and no trafik towards my host, as a simple nginx page.
    This is what I would Normally do NAT a port to a service.
    I'm testing with https://ismyportopen.com/ - or directly onb the IP:PORT

    With my VPN-CLient created as a Interface - without any rules for that Interface:
    4f35e0a9-d1fa-42c2-93a0-5cb8d1a679aa-image.png
    Since my VPN-client are created as an Interface - I would like to think there should be the rules under this interface for incomming rules.
    Where I should believe (as the torguard as a Interface) should look like this instead:
    498a8fdc-11a4-41ff-990f-983764915838-image.png.

    But I'm not getting through in any of the 2 ways to my nginx. No issue with internal IP and port - which showing nginx testpage

  • openvpn point to point one remote site of 3 connects won't route traffic

    6
    0 Votes
    6 Posts
    138 Views
    V

    @itinfo

    PICNIC


    I'm glad, that it was as simple to resolve.

  • 0 Votes
    1 Posts
    59 Views
    No one has replied
  • Openvpn Failover

    5
    0 Votes
    5 Posts
    427 Views
    K

    @rajukarthik As I'm sure you've found, you can bind the OpenVPN to both WAN interfaces, so that's the first part.

    After that, I can think of a couple of ways to sort out incoming clients.

    Quick and dirty - publish 2 A records for vpn.mycompany.com with the respective WAN IPs in each. The downside is that there's no real way to have the clients 'prefer' one WAN over the other (so not great if you have a fast leased line primary and DSL backup, for instance) and that if you have a failure it'll take a while for clients to sort themselves out and use the other IP.

    Use DDNS - sign up a DDNS address to use for VPN. You should be able to configure configure PFsense to update it with the 'main' WAN when that is in use and then drop back to the backup if you loose your connection. I'm sure there are guides about on this.

  • OpenVPN Config Export (and other) permission won't show VPN menu

    1
    0 Votes
    1 Posts
    63 Views
    No one has replied
  • Duck dns hostname and pfsense issue

    4
    0 Votes
    4 Posts
    1k Views
    B

    Has anyone found a solution to this?

  • 3 Votes
    14 Posts
    929 Views
    anallamaA

    @johnpoz
    Hey so I actually got this working via OpenVPN for my LAN network on the first try...every device in 192.168.1.0/24 now has the VPN provider's public IP. However, the remote access device connected through my OpenVPN Server (tunnel network 192.168.6.0/24) still has my local IP, even when I add equivalent NAT and firewall rules. What do I need to adjust to also send the remote access device through the VPN client? Do I just assign it an IP on the LAN network range instead?

  • pfSense 2.4.5->2.6.0 OpenVPN: "no route to host"

    3
    0 Votes
    3 Posts
    265 Views
    B

    @SteveITS said in pfSense 2.4.5->2.6.0 OpenVPN: "no route to host":

    @bartgrefte
    Library errors can mean the wrong version of things was installed. Specifically how did you choose update branches etc? Did you try to update or install a package after? (See my sig)

    If starting back far enough Netgate usually recommends just installing new and restoring the config file.

    I chose the branch on System->Update -> System Update ( pfSenseIP/pkg_mgr_install.php?id=firmware ), this after the update to 2.7.0 didn't start, then thought it might be better to go to 2.6.0 first which I selected on that page.

    Couldn't do anything after the update because due to the down connection with PIA-VPN, there was no internet access in pfSense. I'd have to find the tutorial about the "kill switch" firewall rules to see how that works, been so long I set this up I've forgotten how...

    The library issue aside, did anything significant change between 2.4.5 and 2.6.0 that could influence OpenVPN connections? Other than the "no route to host" (and library issue with the proxy server) I've got nothing to go on, setting up the connection with PIA seems to go without any authentication or certificate errors, just the "no route to host"-error.

    edit: @SteveITS Just checked pfSenseIP/diag_routes.php and compared the working and not working install. There are no routes related to ovpnc1 on the not working install. Seems there's no route being created upon connecting to PIA.

  • Route VPN Clients Web Browsing through Squid Proxy

    1
    0 Votes
    1 Posts
    99 Views
    No one has replied
  • Site-to-Site ovpn setup has limited connectivity

    3
    0 Votes
    3 Posts
    364 Views
    F

    SOLVED: This is possibly a bug. In the client specific overrides, the IPV4 Remote Newtork setting doesn't have the desired effect. When I removed that setting and added iroute 10.20.120.0 255.255.255.0 to advanced settings, it began working bidirectionally, between all nodes.

  • OpenVPN Client Deployment Options

    1
    0 Votes
    1 Posts
    152 Views
    No one has replied
  • OpenVPN IPV6 Question

    1
    0 Votes
    1 Posts
    120 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.