• 0 Votes
    5 Posts
    876 Views
    M

    @FernandoScheffel said in OPENVPN site-to-site LOCAL/AWS doesnt ping between hosts only between pfsenses:

    I solved the problem creating a NAT Outbound rule in my pfsense server to translate local IP to tunnel IP

    I'm having a similar problem.

    Can you give an example of how your configuration looks in pfsense?

    I tried to reproduce it but I think I'm making a mistake in some detail.

  • Selective routing for OpenVPN clients

    4
    0 Votes
    4 Posts
    2k Views
    I

    @Xentrk no idea how you pulled this off but as soon as I enable redirection rule on LAN to openvpn gateway I get weird shit going on like very slow gui reloads suggesting loopback errors, traceroute going through vpn, but websites like ifconfig.me reporting "normal IP" for some time then all web browsers time out, but I can run successful trace to them through vpn connection....

    VPN gateway is healthy - if I set it as default gateway everything works great, except it seems to ignore firewall rules as I get open ports without any NAT rules on its interface.

  • How many max VPN user supports Pfsense

    10
    0 Votes
    10 Posts
    4k Views
    S

    @Gertjan said in How many max VPN user supports Pfsense:

    @Sf said in How many max VPN user supports Pfsense:

    I try to evaluate, and need to understand how to calculate a vpn user.

    Easy.
    You need to know what you 'consume' yourself. With out flat rate ISP price, this notion is lost.
    Then you need to know what others need : this question, how hard you try, can't be answered.
    From now on, stay at home, do what the 'working world' did during covid.
    And go ask others how they experienced it, the quality of their uplink to work, etc.
    Understand that everybody wants a "1 Gbit symmetrical" these days ^^

    As shown above : 80/100 users over a 100/65 Mbit could work ... but I'm pretty sure they had to wait once in a while to get to their 'data' ^^

    Thanks for the answer.

    It's not bandwidth or ISP that I want to calculate, but cpu and memory needed.

  • OpenVPN nested VPN

    1
    0 Votes
    1 Posts
    117 Views
    No one has replied
  • 0 Votes
    3 Posts
    235 Views
    S

    I figured out the problem. Apparently there's something screwy regarding the bridged connections for my VMs (pfSense and OpenVPN clients) where if I try to force all traffic through the OpenVPN connection, it won't work (I am running VmWare Workstation)

    I solved it by switching the external (WAN) and OpenVPN client box to NAT, and it worked just fine.

  • pfsense as openvpn server behind fortigate 40F

    8
    0 Votes
    8 Posts
    1k Views
    Z

    I have a setup behind a FortiGate and use a DMZ and a LAN for pfsense. So I'm not port forwarding from the internet into my lan and can have strict firewall policy on the wan side, into the Fortigate DMZ \ pfSense WAN.

    Then the lan side of pfSense is more of a transit network and not part of my actual lan on the Fortigate, allowing me to also place explicit rules on what can cross into my lan and other network from the VPN connection.

    Internet > FortiGate(DMZ) > pfSense(WAN)
    pfSense(Lan\Transit) > Fortigate(Transit) > Fortigate LAN, Guest, IOT, NOT (Network of things, No internet access) and more.

    You will need to be aware of port forwarding, firewall rules, routing to set this up correctly.

    I'm guessing your issue was port forwarding or firewall rules on the Fortigate.

  • Connect to another site (same LAN segment, with radiolink)

    2
    0 Votes
    2 Posts
    181 Views
    GertjanG

    @AntonioR said in Connect to another site (same LAN segment, with radiolink):

    the LAN is 10.0.0.0/24 in both sites.

    easy : don't do that.
    The router on the first site knows where 10.0.0.0/24 is, it's local.

    The solution is something like :
    Change the 10.0.0.0/24 on the first site for (example) 10.0.1.0/24.
    and tell router site 1 that 10.0.2.0/24 can be reached using the VPN.
    Change the 10.0.0.0/24 on the second site for (example) 10.0.2.0/24.
    and tell router site 2 that 10.0.1.0/24 can be reached using the VPN.

  • Netgate's openvpn client's remote server and my homes public IP

    7
    0 Votes
    7 Posts
    375 Views
    GertjanG

    @opticalc said in Netgate's openvpn client's remote server and my homes public IP:

    and it was leaking DNS due to my client still using PFSense as the DNS server

    Unbound (the pfSense resolver) can be forced to use the VPN connection also .....

  • Open VPN no longer working after certificate reissue

    9
    0 Votes
    9 Posts
    613 Views
    A

    I followed some of your instructions and it is working once more.

    I made a new CA as stated
    I made a new Server Cert
    I changed the OPENVPN to use the new CA & Cert
    I changed 1 user to use the new CA & Cert
    I downloaded and installed a fresh installed and it is now working.

    @Gertjan Once more, thank you for time help time and assistance with helping me get this fixed. I really appreciate it.

  • OPENVPN PIA Installed and working but lost VLAN access

    5
    0 Votes
    5 Posts
    224 Views
    W

    That did the trick. 🙂

    Thank you again. Pleased to have it working.

  • OpenVPN interface won't get IPv4 Virtual Address

    2
    0 Votes
    2 Posts
    169 Views
    S

    So I figured it out. You need to go to Interfaces -> WAN and set "IPv6 Configuration Type" from "DHCP6" to "None" and then reboot pfSense. When rebooted, the interface now has an IPv4 virtual address when you look at interface status that you can bind to and use.

  • 0 Votes
    3 Posts
    2k Views
    H

    I got the same error message after upgrading to a more recent pfsense version (2.6). I tried the packet capture (and I saw the client packets arriving), I switched from UDP to TCP (to no avail), I tried different port numbers and still got the same error message (TLS key negotiation failed to occur within 60 seconds).

    Then I configured the OpenVPN server "Endpoint Configuration" and switched the interface from "WAN" to "any". Et voilà - the error message was gone and the connection was established as desired!

    I then tried all different settings for "interface" to find out which was the right one, but I got the error message for every single one of them. Only "any" worked.

  • DCO server gateway monitoring error / dpinger route error IPv6

    2
    0 Votes
    2 Posts
    128 Views
    D

    I reviewed DCO limitations and the document states that openvpn /DCO should honor kernel level routes. I added static routes (although dpinger should do this as well) and that didn't fix anything.

  • [SOLVED] OpenVPN Server not connecting clients after 80 tunnels

    7
    0 Votes
    7 Posts
    421 Views
    N

    @Bambos This is surely the case

  • OpenVPN on pfSense: Custom Password + Google Authenticator 2FA

    6
    0 Votes
    6 Posts
    434 Views
    X

    @Gertjan
    Thank you for your time.
    Brief, competent and clear.
    Most likely my solution is to use the DUO Security platform first, and then, if successful, deploy my own server. Because I have a large number of VPN servers that require increased security.
    Thank you very much again!
    Have a nice day.

  • Can't access to Proxmox from outside (OpenVPN client)

    9
    0 Votes
    9 Posts
    745 Views
    D

    @viragomann said in Can't access to Proxmox from outside (OpenVPN client):

    To limit the rule to a single IP, enter the IP with a /32 mask.

    Effectively !
    Thanks again for your support.

  • OpenVPN Server dco

    5
    0 Votes
    5 Posts
    342 Views
    A

    @Gertjan said in OpenVPN Server dco:

    so its really hidden ?

    i checked this. only in my windows connect app:


  • IPSec Interface

    1
    0 Votes
    1 Posts
    132 Views
    No one has replied
  • pfSense OpenVPN connects from iPhone hotspot but not Home Fibre

    1
    0 Votes
    1 Posts
    145 Views
    No one has replied
  • please allow "scramble obfuscate" option for OpenVPN client in PFSense

    3
    0 Votes
    3 Posts
    241 Views
    H

    @johnpoz is there a custom package (OVPN) implemented with this feature ?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.