• OpenVPN Client Crashes Randomly Only With Some Users

    0 Votes
    5 Posts
    383 Views

    @slu OK, thanks for the suggestions, I will investigate when the user is available.

  • 0 Votes
    3 Posts
    1k Views

    I just also found it on the Tunnelblick website.
    https://tunnelblick.net/cTunnelblick4.html

  • Multiple OVPN Clients on 1194

    0 Votes
    8 Posts
    707 Views

    @viragomann
    Thank you. Long day and was not thinking.
    I was thinking outbound traffic was on port 1194

  • How to NAT a WAN port to a SiteToSite LAN Address

    0 Votes
    10 Posts
    637 Views

    @labu73
    pfSense uses the reply-to tag to route response traffic to public sources back to a non-default gateway. Otherwise it would be routed out on WAN.

    The reply-to tag is added by the filter rule which allows the incoming request packets. So this rule has to be defined on a unique interface.
    However, OpenVPN is an interface group including all OpenVPN instances running on pfSense, AND rules on interface groups, as well as floating rules, have precedence over rules on member interfaces. That's why this rule got hits, while the rule on the interface didn't.
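    The two rule positions contrasted in the reply above, as an added illustration that is not part of the original post. These are hand-written rules in pf's own syntax, not pfSense's generated /tmp/rules.debug (which may differ in form); the instance interface (ovpns1), tunnel peer address (10.8.0.1) and the published server (192.168.1.10) are assumed.

```pf
# Added illustration, not pfSense's generated ruleset. Interface, gateway and
# host addresses are assumed.

# Rule on the OpenVPN *group* tab. pf evaluates floating and group rules before
# per-interface rules, and "quick" stops evaluation at the first match, so a
# permissive rule here matches first and carries no reply-to: replies to an
# Internet source then follow the default route out WAN instead of back into
# the tunnel.
pass in quick on openvpn inet from any to any keep state

# Rule on the assigned interface tab for the same OpenVPN instance. Because
# the interface has a gateway, pfSense attaches reply-to, so the state created
# here returns replies through the tunnel (ovpns1, peer 10.8.0.1). It is only
# reached if no floating or group rule matched first.
pass in quick on ovpns1 reply-to (ovpns1 10.8.0.1) inet proto tcp \
    from any to 192.168.1.10 port 443 keep state
```

    The consequence follows from the evaluation order: for the reply-to state to be created, the group-tab rule must not match this traffic first, either by removing it or by making it specific enough that the NATed request falls through to the interface rule.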

  • OpenVPN Multiple WAN Failover Question

    0 Votes
    9 Posts
    971 Views

    @tman222
    I don't expect any RADIUS traffic to go out of pfSense. I don't use it, but as I understand it, it's just a local authentication server.

    So if the reply-to tags are applied properly to the VPN connection, I'd expect it to work.

  • How to invalidate existing server certificates?

    0 Votes
    2 Posts
    283 Views

    @pyite
    You can revoke the client certificate to prevent using it to connect.

    To do so, you have to create revocation lists for the CAs in use in System > Certificates > Revocation, if you haven't done this already. Then assign them to your VPN servers.
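    What the revocation step above does at the X.509 level, as an added example that is not part of the original post: a throwaway CA is created, a client certificate is issued, then revoked, a CRL is published, and verification with CRL checking (the equivalent of OpenVPN's crl-verify, which pfSense configures when a CRL is assigned to the server) flips from valid to revoked. The CA name, client names, file layout and openssl.cnf contents are constructed for the demo; it needs only the openssl command-line tool.

```sh
#!/bin/sh
# Added example (not from the forum post or pfSense): demonstrate certificate
# revocation with a CRL using only the openssl CLI. All names and paths are
# constructed for the demo.
set -eu

WORK="$(mktemp -d)"
CA="$WORK/ca"
mkdir -p "$CA/newcerts"
touch "$CA/index.txt"
echo 1000 > "$CA/serial"
echo 1000 > "$CA/crlnumber"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf for "openssl ca". Issued certs get the extensions pfSense
# uses for a "User Certificate"; the CA gets keyCertSign and cRLSign.
cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = client_ext
[ demo_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Self-signed CA plus an initially empty CRL (a CRL must exist for -crl_check).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-vpn-ca" \
    -config "$WORK/openssl.cnf" -keyout "$CA/ca.key" -out "$CA/ca.crt" >/dev/null 2>&1
  openssl ca -batch -config "$WORK/openssl.cnf" -gencrl -out "$CA/ca.crl" >/dev/null 2>&1
}

# Issue a client certificate signed by the demo CA.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$WORK/openssl.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$WORK/openssl.cnf" -in "$WORK/$1.csr" \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Revoke the certificate and regenerate the CRL: the equivalent of adding the
# cert to a CRL under System > Certificates > Revocation.
revoke_client() {
  openssl ca -batch -config "$WORK/openssl.cnf" -revoke "$WORK/$1.crt" >/dev/null 2>&1
  openssl ca -batch -config "$WORK/openssl.cnf" -gencrl -out "$CA/ca.crl" >/dev/null 2>&1
}

# Verify the way a server with crl-verify does: chain check plus CRL check.
check_client() {
  if openssl verify -crl_check -CAfile "$CA/ca.crt" -CRLfile "$CA/ca.crl" \
       "$WORK/$1.crt" >/dev/null 2>&1; then
    echo valid
  else
    echo revoked
  fi
}

# Issue, check, revoke, check again; prints "before=valid after=revoked".
demo_revocation() {
  issue_client "$1"
  before=$(check_client "$1")
  revoke_client "$1"
  after=$(check_client "$1")
  echo "before=$before after=$after"
}

make_ca
demo_revocation bob
```

    The point the thread makes is visible in the last two checks: the client still holds a key and a certificate that were validly signed, yet once its serial is in the CA's CRL and the server consults that CRL, the connection is refused. A CRL that is generated but never assigned to the server changes nothing.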

  • 0 Votes
    2 Posts
    214 Views

    The reason was (a), the username was not matching Common Name. One needs to enable "Username as Common Name" for the server for this to work properly.

  • Setup OpenVPN with allowed IP list

    0 Votes
    3 Posts
    234 Views

    If you don't know a remote source beforehand you can't firewall it in advance. My approach would be to make sure you're using TLS keys in addition to client certificates and also usernames and passwords. That's three levels of authentication where if any one of them is not present, the connection won't establish.

    Yes, you can use the cloud provider approach but then you're relying on your connections first establishing to that provider and then to you. All that is doing IMO is moving the "noise" elsewhere.

    I'd just use good security and live with the noise. TLS key, client certificate (which can be revoked), associated private key are something the user has. The username and password are something the user knows. That's not terrible in my book.

    edit: you can also cut down on the noise by using a different port on the server. The usual port of 1194 UDP is going to get probed a lot. Pick something else and you'll likely have less noise in your logging.

    second edit: the response about using dynamic DNS didn't make any sense to me at first as I was thinking of this as supporting a fleet of remote users but that could work. However, I tend not to trust dns resolution in critical aliases as I've seen empty alias tables too many times.
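    The "three levels" and the "noise" points in the post above, made concrete as an added example that is not part of the original post: a small parser for OpenVPN server log lines in the syslog form pfSense shows under Status > System Logs > OpenVPN, which attributes each rejection to the layer that refused the peer. The sample lines are constructed (addresses, ports and names are made up); the message texts follow OpenVPN's own wording. Sources that only ever fail the tls-auth/tls-crypt check never got as far as presenting a certificate or password, which is the "noise" the post describes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in pfSense syslog format (not real traffic). The message
# texts follow OpenVPN's own wording; the hosts, ports and names are made up.
SAMPLE_LOG = """\
Feb  6 10:00:01 fw openvpn[4711]: 203.0.113.5:51515 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.5:51515
Feb  6 10:00:02 fw openvpn[4711]: 203.0.113.5:51516 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.5:51516
Feb  6 10:00:03 fw openvpn[4711]: 203.0.113.5:51517 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.5:51517
Feb  6 10:00:10 fw openvpn[4711]: 198.51.100.7:40000 VERIFY ERROR: depth=0, error=certificate revoked: CN=mallory
Feb  6 10:00:10 fw openvpn[4711]: 198.51.100.7:40000 TLS Error: TLS handshake failed
Feb  6 10:00:20 fw openvpn[4711]: 192.0.2.9:40001 TLS Auth Error: Auth Username/Password verification failed for peer
Feb  6 10:00:30 fw openvpn[4711]: 192.0.2.9:40002 TLS: Username/Password authentication succeeded for username 'alice'
Feb  6 10:00:30 fw openvpn[4711]: 192.0.2.9:40002 [alice] Peer Connection Initiated with [AF_INET]192.0.2.9:40002
Feb  6 10:01:00 fw openvpn[4711]: MANAGEMENT: Client connected from /var/etc/openvpn/server1/sock
"""

# syslog prefix, optional "peer:port " attribution, then the OpenVPN message.
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ openvpn\[\d+\]: "
    r"(?:(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ )?(?P<msg>.*)$"
)

# Order matters: the first matching pattern decides which layer rejected
# (or accepted) the peer. tls-key covers tls-auth and tls-crypt failures,
# which happen before any certificate is seen.
LAYERS = (
    ("tls-key", re.compile(r"cannot locate HMAC|bad packet ID|tls-crypt unwrap error")),
    ("certificate", re.compile(r"^VERIFY ERROR")),
    ("password", re.compile(r"Username/Password verification failed")),
    ("connected", re.compile(r"Peer Connection Initiated")),
    ("tls-other", re.compile(r"^TLS Error")),
)


def classify(msg):
    """Map one OpenVPN message to the authentication layer it concerns, or None."""
    for layer, pattern in LAYERS:
        if pattern.search(msg):
            return layer
    return None


def summarize(log_text):
    """Return {source_ip: Counter(layer -> count)} for peer-attributed lines."""
    per_source = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("src"):
            continue  # daemon lines without a peer address carry no source
        layer = classify(m.group("msg"))
        if layer:
            per_source[m.group("src")][layer] += 1
    return dict(per_source)


def noisy_sources(summary, threshold):
    """Sources that only ever failed at the TLS-key layer, at least `threshold`
    times: they never held the tls-auth/tls-crypt key, so no certificate or
    password was ever evaluated. These are candidates for a block alias."""
    return sorted(
        src for src, counts in summary.items()
        if set(counts) == {"tls-key"} and counts["tls-key"] >= threshold
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, counts in sorted(summary.items()):
        print(src, dict(counts))
    print("probe-only sources:", noisy_sources(summary, 3))
```

    On the sample, 203.0.113.5 is pure probing (three HMAC failures, nothing else), 198.51.100.7 held the TLS key but presented a revoked certificate, and 192.0.2.9 passed both and was rejected once on the password before connecting. Moving the listener off 1194/UDP, as the post suggests, shrinks the first category only; the other two are what the certificate and password layers exist for.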

  • Just sharing (no help needed)

    0 Votes
    1 Posts
    219 Views
    No one has replied
  • Netgate/pfsense appliance to work with existing firewall for OpenVPN only

    0 Votes
    2 Posts
    253 Views

    @djlandino
    If you want to be able to determine the clients on the destination devices by their virtual VPN IP, you have to connect the VPN box to a separate network segment, a transit network, to get the routing to work properly.

  • 0 Votes
    3 Posts
    334 Views

    @viragomann
    I'm trying to stick with the traffic over the VPN tunnel and not expose the Syncthing encrypted traffic through the internet; that way I don't need to NAT any ports on the remote router. I will check how to set up the VPN as a private network. I don't have any idea, but I will investigate.

    Thanks

  • Is 10.0.0.x/24 bad for VPN?

    0 Votes
    7 Posts
    604 Views

    @Pippin that common subnet list is excellent!

  • OpenVPN RA - route traffic down existing S2S IPSec VPN

    0 Votes
    7 Posts
    543 Views

    @viragomann OK, so this issue is resolved. I disabled ALL the other P2 proposals under the corresponding P1 (the reorder function in the UI crashed?!) And now I can see traffic flowing from a host on the LAN subnet to the host at SiteB and from the OpenVPN client to the same host on SiteB. They are both using the same BINAT network range for NAT, which is a non issue in this test setup but could cause issues where the last octet of a client is the same in both P2's. I suspect the issue was the ordering of the P2 proposals, it's the only change I made. Thanks for pointing me down the right path!!

    [screenshot]

  • OPENVPN is connected but i cant access anything on the clients subnet

    0 Votes
    6 Posts
    412 Views

    @ariban99
    You were missing the client's tunnel IP in the CSO.

    Note that a tunnel network of /30 or less is not compatible with DCO (only supported on Plus at this time, but I cannot see which version you're using).

  • Layer2 Bridge to LAN

    0 Votes
    1 Posts
    199 Views
    No one has replied
  • OpenVPN for 1 Vlan, WAN for all others.

    0 Votes
    2 Posts
    182 Views

    I fixed it on my own. I am not sure why, but the default "Camera Subnets" was somehow not correct. I created a new Alias with the Camera Subnet defined properly, then applied it to the Firewall Rule and the NAT Rule for the Camera Subnet section, and it worked.

    I also added the kill switch with tagging, which is defined in this video. For anyone having trouble, this was the best thing I found in all my searching.

    https://forums.lawrencesystems.com/t/how-to-setup-pfsense-openvpn-policy-routing-with-kill-switch-using-a-privacy-vpn-youtube-release/12441

  • OpenVPN vs Wireguard don't give me the same results

    0 Votes
    9 Posts
    1k Views

    @Jarhead
    I have the same style of configuration for the "Wireguard" tab where there are rules put in and the "Wireguard_VPN" tab where I also have no rules in it.

    From memory, I had to create it this way because something wasn't working ... but now I can't remember what exactly.

    EDIT:
    I deleted "OpenVPN_VPN" but no better, my problem is still there ... fortunately the "Boot Environments" exist, I was able to go back to my original situation without any problem (so back with "OpenVPN_VPN")

    EDIT 2:

    I may have found the source of my problems and if so, I'll have to do some more tests soon, I'm ashamed ... my problem would rather be in the firewall of my Android phone.

    If that's the case, I apologize for my request and thank you so much for all the advice you've given me!

  • No traffic over CloudConnexa Connector

    0 Votes
    13 Posts
    2k Views

    @Bambos said in No traffic over CloudConnexa Connector:

    I have other site to site tunnels between pfsense boxes, and there is no rule on OpenVPN interface, and all the rules apply to the dedicated assigned interface.

    What is the difference with this setup?

    As I mentioned, OpenVPN is an interface group. Rules on this tab are applied to all OpenVPN instances on the machine.

    Refer to the docs:
    Interface Groups
    Rule Processing Order

  • OpenVPN sessions counter is wrong

    0 Votes
    1 Posts
    159 Views
    No one has replied
  • OpenVPN Not Connecting - Unable To Contact Daemon

    0 Votes
    41 Posts
    5k Views

    Good news is that it is now sorted and I have the devices split over the VPN and WAN as needed.

    The only issue I am having is ensuring that the VPN is using the VPN DNS servers. I have the VPN client set to "Pull DNS", however when doing the leak test, it is showing that Cloudflare DNS is being used, which is not too surprising as I use Cloudflare (1.1.1.1) as my remote DNS server.

    That being said, earlier in this topic, we created a rule to redirect my VPN clients to 1.1.1.1 as shown below.

    [screenshot]

    So I altered this to the DNS of the VPN provider (5.254.106.2), unfortunately after doing that I cannot get websites to resolve for clients on the VPN. I have confirmed I can ping the VPN DNS servers (When connected/disconnected from VPN), so all is well on that end.

    While possibly completely unrelated, I went into the DNS settings and input the DNS servers for the VPN and allocated the VPN DNS entries to use the VPN Gateway as per the below screenshot.

    [screenshot]

    Any suggestions ?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.