@brianjmc1
Having the OpenVPN server listening on localhost with port forwardings is a way that clients can use different IPs to connect to a single server. These may also be assigned to different interfaces.

I don't think, that this is really necessary in your case, however.
I'd just setup all services to listen on the WAN IP, which is 111.222.333.445 during the setup, and then change it to 111.222.333.444.
Therefor pfSense provides the WAN alias.

Why do you think, that this would mess up something?

I setup all settings, ipsec tunnels as Live non PFsense router

I expect, that IPSec and any other client attempts to connect if enabled anyway.
Maybe the remote site accepts only the origin router IP, so it will fail. But I would disable it till the old router is shut down.

@rec

If Google still works : enter : world's most known VPN providers.

All these companies can offer you what you need.
Before testing one, check :
If you can actually reach their servers.
If they have clear, up to date instruction about how to set up your router with them.
If you can find other customers that are happy about that VPN provider.
And so on.

And Yes mi OpenVPN is an app running on my Pfsense

@viragomann said in OPEN VPN: OpenSSL hardware crypto engine functionality is not available:

@Unoptanio
In the OpenVPN settings, change the hardware crypto to "No Hardware Crypto Acceleration".

AES-NI is used anyway if available.

b58ad999-4447-4bed-90f7-b491dadc7b07-image.png

@Gertjan
Thanks for the update
Still driving me crazy!
Trouble is ping is fine from all the interfaces in the box but there’s no internet on the vlan WiFi nor Ethernet
As you said working before and not after password/namechange
Trouble is I can’t see anything thing in any of the. Logs to suggest where exactly it’s getting “blocked “
There’s obviously udp/tcp connection to the interface insider pfsense to the remote server or ping would fail
Also support at Nord is not very supportive

@viragomann

Thank you. It worked following your indication.

For the benefit of others I add that I did this.

On the server - which is Site B in the schema - I added the CIDR of the client remote access VPN tunnel (10.10.10.0/24).

Then in VPN / OpenVPN / edit the VPN Server and
add 10.10.10.0/24 in IPv4 Remote network(s)

Then, in VPN / OpenVPN / Client Specific Overrides I had to add the exact same thing in (10.10.10./24 IPv4 Remote Network/s)

If I had added the tunnel route only in the server configuration or only in Client Specific Overrides I saw that it didn't work.

thank you very much

@viragomann said in Is it possible to use the VPN on the same LAN network as the OpenVPN server?:

Connect to the OpenVPN server from inside the LAN makes no sense at all anyway.

But it does work, at least here it does. However, that would depend on how you configure the server and what interfaces it listens to. Since I wanted to be able to connect via both IPv4 and IPv6, I had to choose the multihome connection.

@viragomann I finally got it to work. It's something to do with the server certificate I had selected to use which was self-signed. I chose another and the wizard worked.

@McMurphy

This has since been resolved.

I have disabled the SSL/TLS VPN and re-activated the Shared Key. Traffic was slow (e.g. to open the web interface of the remote pfsense) - CPU usage was under 10%. I had to restore the configuration backed up before the SSL/TLS configuration added from the guide on both the devices and now it works again.
I will try to reconfigure it later during the day, and see. I suspect there was some conflict with routing, but not sure.

@AWeidner
To answer myself:

openssl speed -elapsed -evp aes-128[256]-gcm (we use AES-256-GCM) ... type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes AES-128-GCM 72691.83k 150891.86k 222610.26k 254092.97k 263097.25k 265530.03k ... type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes AES-256-GCM 67697.40k 132661.67k 188492.12k 212024.45k 219474.60k 219228.84k

vs. AES-256-CBC (which we don't use)

type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes AES-256-CBC 98913.39k 159960.60k 197932.39k 211052.54k 214461.10k 214832.47k

And as far as i can tell, the block size used for VPN connections via openssl is 128 Bit (16 Bytes). The CPU is the limiting factor it seems.

@stephenw10 the commands however in pfSense shell do not show use also in 23.09

@viragomann Its now works, thank you so much for you help.

@viragomann I see. Yeah I can't seem to find a more specific set of instructions.

Basically we just want anyone who is connected to VPN to route traffic over the VPN when going to a specific site, which we have the IPs for added into an alias.

I did not change anything on the server settings because I am not 100% sure on the steps and this is in production.

@michmoor Yep. :)

It's a shame.

Business customers exist because, somewhere along this path, there were non-business customers who contributed to the project.

Stripping CE of this kind of functionality will do nothing more than make people consider other alternative projects.

Good idea- thx