• Connection Timing out

    1
    0 Votes
    1 Posts
    703 Views
    No one has replied
  • 0 Votes
    1 Posts
    741 Views
    No one has replied
  • AD user accounts for OpenVPN

    4
    0 Votes
    4 Posts
    2k Views

    @skaaptjop:

    Could you describe what you meant by "single OpenVPN configuration file"?

    Sure.

    All my users are using the exact same OpenVPN configuration file(s), but every user can login with his own Active Directory login. The files are

    OpenVPN Configuration file

    Security certificate

    Key file

    Each user has to import those three files in his […]OpenVPN/config/ directory to be able to connect to pfSense VPN. If they connect with this connection/settings, they will see a login prompt for username and password and there they can use their Active Directory login credentials. :)

    Well… In the end I just had to create one single OpenVPN configuration package and user, and don't always have to create an OpenVPN configuration for each user. Also I don't have to delete all those users after they may have left the company or just don't need the access anymore.

    To manage the access to pfSense, I've created a security group in our Active Directory, which has members like me and other users, which should have access to pfSense VPN. If somebody shouldn't have access anymore, I just have to remove his membership of this group. Very easy. :)

  • OpenVPN just won't work

    19
    0 Votes
    19 Posts
    4k Views

    yes, I did that. After I switched to automatic, all other rules got disabled. After that I checked that all network applications are still running as intended and it turned out they were obsolete anyway :-D

  • Adding OpenVPN client/interface takes over WAN interface (bug?)

    3
    0 Votes
    3 Posts
    920 Views

    I also have added and removed multiple OpenVPN interfaces before and have not seen this before. Did hesitate to post this issue, because I did expect a question if I could reproduce. But currently do not want to try to reproduce, because of the risk of internet connection going offline again. Maybe later, have to schedule.

    But I am also quite sure I did not accidentally change the WAN interface to OpenVPN interfaces. The moment (described as: "Then I saw no new gateway was added, but the WAN_DHCP (default) gateway was now automatically linked to new created OpenVPN interface") I clearly remember me thinking: how is this possible, that a way to change OpenVPN in upgrade from 2.1.5 to 2.2.5, why does anybody want this to be done like this, I do not understand the purpose.

    I can PM the config history of that day if you would like?
    (I did make a total diff dump from beginning to end. Maybe something is missing from the start of the day, I am not sure. Maybe there is also an easy way to create a total dump for each individual change made during the day from beginning to end?)

  • Speed

    13
    0 Votes
    13 Posts
    2k Views

    Thank you for all of the replies.  He said the quality was good after switching on the fastforwarding, which surprises me too, but he seems happy.

    The cpu doesn't seem to be an issue at all.  There is nobody around here that will sell me a faster upstream.  I hope Ting or someone like that will come here someday.

    This is for college sports, which they should sell internationally, but they don't, so he needs the US.

    Is this the type of vps you are talking about?  http://lowendbox.com  I thought about something like this before, but the ones I looked at were much more expensive.

    We started this way, because he was complaining about it and it dawned on me that it would be really easy to do with pfsense, so we could test it for free and go from there.

  • Problem with custom subnet for Windows client

    10
    0 Votes
    10 Posts
    2k Views
    maxxer

    On a side note, I do use tun, but the virtual driver in Windows is called TAP anyway.

  • Openvpn connect/disconnect custom scripts

    1
    0 Votes
    1 Posts
    495 Views
    No one has replied
  • Weird Site to Site Openvpn Problem

    3
    0 Votes
    3 Posts
    1k Views

    To be honest I don't know why it is set with such an algorithm  :o . I changed it to a more standard AES. I tried to change the network mask to 24 but nothing changed.
    For the firewall rules:
    How should they be set? Is an "allow all" rule in both OpenVPN tabs not enough?

    Thank you

    Update: it now works, but the connection goes down every hour or so and hangs on ping-reconnect.
    Also, I found a crash report logging into the server: http://pastebin.com/dHKJ9CKz
    Any advice about what to check?

    Thank you

  • OpenVPN Client not using defined interfaces

    1
    0 Votes
    1 Posts
    563 Views
    No one has replied
  • Reasonably secure config for OpenVPN?

    6
    0 Votes
    6 Posts
    2k Views

    RDP over UDP works even on W7, the RDP 8.0/8.1 updates have been available for quite some time.

    https://support.microsoft.com/en-us/kb/2592687
    https://support.microsoft.com/en-us/kb/2830477

  • PfSense in AWS as OpenVPN Client to OpenVPN server - Not working properly

    3
    0 Votes
    3 Posts
    1k Views

    First, thank you for your quick response.

    I use Linux (10.157.30.147) on one end which is on the LAN of pfSense Firewall and Windows (10.0.10.35) on the other end behind OpenVPN server. No firewall enabled on either of the boxes. I did tcpdump on pfSense and also on the Linux machine.
    On the Linux machine I receive the echo request and it also generates the echo reply. Please see below.

    [root@ip-10-157-30-147 ~]# tcpdump -i eth0 -p icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    18:18:27.936003 IP 10.0.10.35 > 10.157.30.147: ICMP echo request, id 1, seq 2906, length 40
    18:18:27.936055 IP 10.157.30.147 > 10.0.10.35: ICMP echo reply, id 1, seq 2906, length 40
    18:18:32.928501 IP 10.0.10.35 > 10.157.30.147: ICMP echo request, id 1, seq 2907, length 40
    18:18:32.928553 IP 10.157.30.147 > 10.0.10.35: ICMP echo reply, id 1, seq 2907, length 40

    This means the ping (echo request) is traversing the tunnel and hits the Linux box, the Linux box responds as well. Let's take a look at pfSense now.

    The echo reply from Linux box is getting on the LAN interface of the pfSense firewall (xc1). Please see below output.

    [2.2.4-RELEASE][root@pfSense.localdomain]/root: tcpdump -i xn1 -p icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on xn1, link-type EN10MB (Ethernet), capture size 65535 bytes

    18:22:58.711404 IP 10.0.10.35 > 10.157.30.147: ICMP echo request, id 1, seq 2961, length 40
    18:22:58.711956 IP 10.157.30.147 > 10.0.10.35: ICMP echo reply, id 1, seq 2961, length 40
    18:23:03.719116 IP 10.0.10.35 > 10.157.30.147: ICMP echo request, id 1, seq 2962, length 40
    18:23:03.719689 IP 10.157.30.147 > 10.0.10.35: ICMP echo reply, id 1, seq 2962, length 40

    However, the traffic does not go over the Tunnel interface (ovpnc1) or WAN interface (xn0) after the LAN interface (xn1). I checked tcpdump on both while running continuous ping and nothing is showing up.

    To make it more complicated and prove that routing works properly: when I initiate the ping from the Linux box towards Windows, it works flawlessly.
    I can also see tcpdump on the LAN and Tunnel interfaces of pfSense. Please check below.

    (pfSense - LAN interface)
    [2.2.4-RELEASE][root@pfSense.localdomain]/root: tcpdump -i xn1 -p icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on xn1, link-type EN10MB (Ethernet), capture size 65535 bytes
    18:33:56.021258 IP 10.157.30.147 > 10.0.10.35: ICMP echo request, id 10512, seq 22, length 64
    18:33:56.106887 IP 10.0.10.35 > 10.157.30.147: ICMP echo reply, id 10512, seq 22, length 64

    18:33:57.022572 IP 10.157.30.147 > 10.0.10.35: ICMP echo request, id 10512, seq 23, length 64
    18:33:57.108684 IP 10.0.10.35 > 10.157.30.147: ICMP echo reply, id 10512, seq 23, length 64

    (pfSense - Tunnel interface)
    [2.2.4-RELEASE][root@pfSense.localdomain]/root: tcpdump -i ovpnc1 -p icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ovpnc1, link-type NULL (BSD loopback), capture size 65535 bytes

    18:36:47.092394 IP 10.157.30.147 > 10.0.10.35: ICMP echo request, id 14864, seq 4, length 64
    18:36:47.240297 IP 10.0.10.35 > 10.157.30.147: ICMP echo reply, id 14864, seq 4, length 64

    18:36:48.093977 IP 10.157.30.147 > 10.0.10.35: ICMP echo request, id 14864, seq 5, length 64
    18:36:48.261499 IP 10.0.10.35 > 10.157.30.147: ICMP echo reply, id 14864, seq 5, length 64

    All firewall rules for OpenVPN are any any.

  • Multicast over an OVPN bridged tunnel

    2
    0 Votes
    2 Posts
    968 Views

    Any advice?

  • OpenVPN Shared Key Routing Issues

    8
    0 Votes
    8 Posts
    1k Views

    You need a Client Specific Override entry in the OpenVPN server that specifies which external subnets are routed for each client.
    In your case there's (currently) only one.

    In CSC make a new entry and specify:

    Common name                - Enter the EXACT CN name used for the Client's certificate
    Description                      - Free form description for you
    Tunnel network              - OpenVPN Tunnel subnet specified in the Server (10.0.8.0/24 in your case ?)
    IPv4 Remote Network/s  - Client's subnet that you want routed through this connection (192.168.1.0/24 in your case ?)

    Save and restart both the Server and the Client, you should be good to go.

  • TLS Error: TLS key negotiation failed to occur within 60 seconds

    Locked
    10
    0 Votes
    10 Posts
    9k Views
    Derelict

    Nope. Nothing from 2.2.4 to 2.2.5 would have changed that.

  • Creating a VPN config

    3
    0 Votes
    3 Posts
    1k Views
    johnpoz

    huh?  Install the openvpn export package and create your users and just export the config file for whatever device they will be using to connect, even export the openvpn client all in one exe to give the user.

  • Routes seem to be broken

    10
    0 Votes
    10 Posts
    2k Views

    Yeah, I have a gateway of 192.168.50.254 and 192.168.1.1 and clients are forced at these.

    Mat

  • [Solved] AUTH_FAILED using Active Directory as backend for OpenVPN

    9
    0 Votes
    9 Posts
    4k Views

    @doktornotor:

    @viandham:

    The problem was the binding account. For some reason, it accepts "<accountname>" on server, but needed to be "accountname@domain.tld" on this one. When I entered that, it worked.
    No idea why.

    Hmmm… In AD environment, it must be either DOMAINNAME\Username or Username@DOMAINNAME. "For some reason" it could have never worked unless used properly.

    That's not true under all circumstances, I would argue. I just rechecked, and I have 4 LDAP backends set up in my Servers tab on the "working server", and all of them work. In fact, I'm connected via one of them right now. And none of them has any domain specified in the binding credentials. All backends are AD.
    The domain is, however, specified in the search scope, Base DN. But that's probably not used until the binding is complete, and the actual user is authenticated.

    If there is only one domain configured (no multi-domain forests etc.), maybe it assumes that domain? At least these are working for me, and have been for years :)

  • Local connection ok, remote not

    2
    0 Votes
    2 Posts
    642 Views

    Figured it out. I needed to add a static route to my router so the VPN packets would reach the pfSense machine rather than bounce harmlessly off the gateway.

  • Safe to have PKI CA on same box as OpenVPN?

    3
    0 Votes
    3 Posts
    779 Views

    Sounds reasonable. I am only using the pfSense hosted CA for the VPN.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.