@johnpoz
Hey so I actually got this working via OpenVPN for my LAN network on the first try...every device in 192.168.1.0/24 now has the VPN provider's public IP. However, the remote access device connected through my OpenVPN Server (tunnel network 192.168.6.0/24) still has my local IP, even when I add equivalent NAT and firewall rules. What do I need to adjust to also send the remote access device through the VPN client? Do I just assign it an IP on the LAN network range instead?

@SteveITS said in pfSense 2.4.5->2.6.0 OpenVPN: "no route to host":

@bartgrefte
Library errors can mean the wrong version of things was installed. Specifically how did you choose update branches etc? Did you try to update or install a package after? (See my sig)

If starting back far enough Netgate usually recommends just installing new and restoring the config file.

I chose the branch on System->Update -> System Update ( pfSenseIP/pkg_mgr_install.php?id=firmware ), this after the update to 2.7.0 didn't start, then thought it might be better to go to 2.6.0 first which I selected on that page.

Couldn't do anything after the update because due to the down connection with PIA-VPN, there was no internet access in pfSense. I'd have to find the tutorial about the "kill switch" firewall rules to see how that works, been so long I set this up I've forgotten how...

The library issue aside, did anything significant change between 2.4.5 and 2.6.0 that could influence OpenVPN connections? Other than the "no route to host" (and library issue with the proxy server) I've got nothing to go on, setting up the connection with PIA seems to go without any authentication or certificate errors, just the "no route to host"-error.

edit: @SteveITS Just checked pfSenseIP/diag_routes.php and compared the working and not working install. There are no routes related to ovpnc1 on the not working install. Seems there's no route being created upon connecting to PIA.

SOLVED: This is possibly a bug. In the client specific overrides, the IPV4 Remote Newtork setting doesn't have the desired effect. When I removed that setting and added iroute 10.20.120.0 255.255.255.0 to advanced settings, it began working bidirectionally, between all nodes.

@abonent1978

If the only VPN config present contains :

remote 171.x.x.x 1199

Then where does "92.113.146.1:1194" come from ?

What / who is the client VPN ?

Several things will affect performance. VPN will always be slower due to the encryption-decryption processes.

What else is the VM host doing ? Have you tried other encrytpion algorythms ? What CPU is the client using ? Perhaps run PfSense on it's own hardware ?

@IT-META
I guess, your "TLS Key Usage Mode" is wrong.
You can either configure it for authentication only or auth + control channel encryption.

Check your server settings and configure the client accordingly.

I found an error in the RADIUS server setup that has fixed this issue.

@patient0 Thanks much, I'll check it out!

For reference, the site-to-site environment we had set up between the two locations was based on this official Netgate configuration:
👉 [OpenVPN + OSPF Site-to-Site Setup]

This is the exact topology and integration model that was implemented, that worked flawlessly until the upgrade to 24.11, which further supports the conclusion that the issue lies with the OpenVPN tunnel performance rather than OSPF itself.

@pietsnot56 said in Endpoint address family (IPv6) is incompatible with transport protocol (udp4):

Any idea what's wrong?

Many cell networks are now IPv6 only. On Android devices, 464XLAT is used to connect to IPv4 only sites over an IPv6 only network. iPhones use something similar, but I don't know the details. Perhaps there's some issue there. My phone gets the IPv4 address 192.0.0.4, which is reserved for 464XLAT, as well as a global IPv6 address.

I have pfSense configured to allow openVPN to use either IPv4 or IPv6 to connect. Do you have IPv6 available from Telenet?

BTW, Telenet used to be an X.25 packet switched network back in the dark ages. The company I used to work for provided Telenet in Canada and I maintained part of that system.

@stephenw10 Yes you are correct, I misunderstood myself. After my box crashed doing the 2.6.0 to 2.7.0 upgrade and eventually after getting 2.7.0 to work, I compared both xml backup files and only saw differences in time stamps, but now realise it's the import of updated packages that caused my problem.

I'm running ZFS and will look at taking an image snap once I work out how to get from Pfsense to FreeBSD, out and back via a USB3 port. That suggests I need an external monitor, keyboard, and mouse on the box, unless it can be done through Pfsense GUI, but that won't work for recovery if the GUI has crashed. I've met these situations before and an image snap can only be trusted to work if you've actually used it successfully to recover. In the PC world I've trusted and used Acronis for years. Thanks for the link. I've always created bootable flash sticks and created matching config XMLs. Once the box crashes, I'm offline with no internet access to download anything or get help asking questions. I still keep an ISP Thomson box handy just in case.

Thanks for your help - regards - Vox

Solved, since i'm using azure vm i'd to add route on azure portal.

Thanks to all

Update:

I had the same issue today, configuring another client with the same topology.
This time i had another pfsense 2.7.2 needed the extra routing on CSO when i created a remote access open VPN Server on the same pfSense.

I lost access suddenly during configuration, and then i had to use again Client specific override for the VPN Tunnel in order to communicate again. Based on above, it seems that Open VPN inter-routing acting strangely.

Is this a miss-configuration from my side, and i should always have that extra routing for the remote access tunnel ? or is a bug in the OpenVPN implementation on pfSense ?? Still i'm wondering why some instances working and some not.

Please, awaiting for any comments and if someone faced that again in the past.