• Advantages with VPN on pfsense vs individual machines?

    19
    0 Votes
    19 Posts
    4k Views
    JonathanLeeJ
    Another advantage is the ability to use the cryptographic acceleration hardware built in the firewall Netgate appliances, the use of DOC, control access with radius, or even set up local access policies, direct use of syslogs and a granular level of security by way of a magnitude of logs available directly on the firewall, a separate access control list can be used for OpenVPN. Share a NAS private cloud with your family for photos and large files. Many types of encryption algorithms are also available, and Netgate’s open source community that can help you with issues. Finally scheduling, an ability to set up when users can access the VPN even lock it completely out on holidays.
  • Some computers work through OpenVPN and other dont. Details in post

    2
    0 Votes
    2 Posts
    202 Views
    P
    @PerfectBake420 NVM. I had a failover internet on the same IP scheme as Site 1.
  • SG1100: routes seem correct, but not working

    10
    0 Votes
    10 Posts
    1k Views
    W
    I've crawled through the routing tables (previously posted), and I find nothing incorrect. The tracert result from a client behind the Z router/OpenVPN client to a client behind the Y router/OpenVPN server shows the correct first two hops, and I can see no reason why it should not find the final destination (10.55.73.193):

    @wmcneil said in SG1100: routes seem correct, but not working:

    > tracert from Z windows client (192.168.2.135) to Y client 10.55.73.193:
    >
    > 1 1 ms <1 ms <1 ms cabin_pfSense.localdomain [192.168.2.1]
    > 2 33 ms 31 ms 39 ms 10.55.203.1
    > 3 * * * Request timed out.
  • 0 Votes
    3 Posts
    803 Views
    U
    Been overseas for a few weeks, sorry. So yeah, I have tried different servers, even TCP. But they all DC under load. What I have also now done is set up a VPN gateway group, with two VPNs in it for failover. What I have been noticing is that sometimes when one fails, the other takes over in under 10ish secs, so all good. But sometimes when one goes, the other fails at the same time, so yeah, ded. I have been in contact with PIA, my VPN supplier, and they are bloody useless. He started going on about how their VPN app running on the end clients is the best way as it's the most configurable... I kind of gave up on PIA support after that haha. I have posted my config to one of my VPNs for anyone to have a look to see if they can see any glaring issues? BTW, when I took that, I had the custom options field empty. I have now got:

    resolv-retry infinite
    persist-key
    persist-tun
    tls-client
    remote-cert-tls server
    compress
    reneg-sec 0

    In there and it seems to like those settings, I think? (Some might be redundant.) I have it running on an old PC with dual NICs (and with AES-NI), and until not all that long ago, it was fine. What I'm thinking now is that I should buy one of those little gateway devices like the Protectli Vault FW4B or something, as it might be a hardware error? What are you people's thoughts?
  • OpenVPN issues with 23.09.1

    2
    0 Votes
    2 Posts
    384 Views
    J
    Has anyone using OpenVPN on Yealink phones experienced this issue after upgrading? These phones report to a FreePBX system, maybe this is a blessing in disguise and another good reason to move to a different phone system!
  • Client Side OpenVPN GUI Very Unstable

    1
    0 Votes
    1 Posts
    172 Views
    No one has replied
  • 0 Votes
    1 Posts
    284 Views
    No one has replied
  • OpenVPN does not work on bridged PFsense router

    71
    0 Votes
    71 Posts
    11k Views
    JonathanLeeJ
    @george1116 said in OpenVPN does not work on bridged PFsense router:

    > My pfsense router is installed behind my home router, the LAN port on my home router which pfsense is connected to is set in bridged mode, so my pfsense WAN side is getting a public IP in the 199.x.x.x.x range. I then installed openVPN on my pfsense router, but when I am connected directly to my home router (the bridged router) openVPN is not able to connect, however, when I connect via tethering to my mobile device hotspot OpenVPN connects successfully.
    >
    > What is the error I am getting:
    > When connecting to openVPN I get the below error message after some time.
    >
    > 2024-01-03 08:30:08.123554 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    > 2024-01-03 08:30:08.123640 TLS Error: TLS handshake failed
    >
    > What have I checked:
    > I checked my home router to see if port 1194 is blocked, and it isn't
    > I verified that my pfsense router WAN side is indeed getting a public IP and it is.
    > I ensured there is no double NATing, this is evident from the public IP on pfsense WAN
    > I used Packet Capture to verify that indeed there was an outbound connection from my machine to pfsense router, and there was.
    > I changed the Tunnel Network of OpenVPN, but it didn't help
    > I used different authentication Modes, but it didn't work
    >
    > I have been going on for 2 days now, has anyone experienced this or knows what the problem could be

    I think the router in front of your firewall is causing the issues, is this a standard ISP issued router with a dmark or a modem?
  • Need Help to config OpenVPN on netgate2100

    1
    0 Votes
    1 Posts
    126 Views
    No one has replied
  • 0 Votes
    2 Posts
    1k Views
    V
    @Diablo666-0 said in OpenVPN with Remote Access (SSL/TLS + User Auth) // Auth Certificate issue:

    > Everything is working fine, but suppose I have two users, A and B. When I try to connect with the profile (file .ovpn) of user B using the credentials of user A, it works.

    To avoid this, go to the server settings and check "Strict User-CN Matching" in the "Cryptographic Settings" section. Ensure that the CN in the client certificate matches the username.

    > Additionally, when I remove the certificate of user A, for example, they can still connect to the VPN.

    Removing a valid client certificate is a bad idea at all. This cannot prohibit that the OpenVPN server is accepting it, because the server only verifies that the delivered client certificate is signed by the CA in use. To reject a client certificate you have to revoke it instead. Maybe you need to create a revocation list first (System > Certificates > Revocation) and add it to the OpenVPN server then. You may remove a certificate after its expiration though.
  • openvpn ssh via iPhone connect to pfSense fails

    19
    0 Votes
    19 Posts
    3k Views
    johnpozJ
    @JonH they also have a Windows release, just an exe you can run.. That's what I used in my screenshot
  • PROBLEM WITH IPs OPEN VPN

    2
    0 Votes
    2 Posts
    260 Views
    I
    @evangelos-ziakas Would need your host configuration screen shots. Sounds like each device is connecting to a different host (server) configuration. As in having multiple dial-in servers with different tunnel networks.
  • Site To Site ssl/tls

    2
    0 Votes
    2 Posts
    327 Views
    I
    @notcloud I used this article very successfully with my transition from Shared Key to TLS. Look at your routing tables to ensure all the routes were auto-created:

    Status-OpenVPN - Click Show Routes - this shows the VLAN to Public IP routes

    Diagnostics-Routes - this shows all the routes - should have your remote sites (example: 192.168.1.0/24) mapped to the destination IP of your VLAN - example, you set up the Tunnel network as 10.10.9.0/24, and the remote site connected as 10.10.9.2. This means the host (server) is 10.10.9.1. The route should show Destination=192.168.11.0/24 Gateway=10.10.9.2. On your client the route would be, if the host network is 10.10.10.0/24: Destination=10.10.10.0/24 Gateway=10.10.9.1.

    You may need to restart the host server to get the routes updated - I did.
  • 1 Votes
    1 Posts
    354 Views
    No one has replied
  • NordVPN on pfsense 23.09.1

    1
    0 Votes
    1 Posts
    430 Views
    No one has replied
  • Silent install of OpenVPN Client Export Packages

    1
    0 Votes
    1 Posts
    191 Views
    No one has replied
  • OpenSSL: error:0A000076:SSL routines::no suitable signature algorithm:

    7
    0 Votes
    7 Posts
    4k Views
    S
    Interesting, there is an option to use SHA1 certs(?) with openssl 3.x: https://github.com/OpenVPN/openvpn/blob/master/Changes.rst

    --tls-cert-profile insecure

    I set this option (for testing only) and now it looks like:

    ink remote: xx.xx.xx.xx
    TLS: Initial packet from xx.xx.xx.xx
    Connection reset, restarting [-1]
  • dns resolver problem after OpenVPN connected

    14
    0 Votes
    14 Posts
    3k Views
    chudakC
    @viragomann Hell :( I can't get both server IP and ubuntu box to operate at the same time. I guess I will live like this for now. Thx for your help!
  • LAN, DNS server, hostname access for OpenVPN client

    1
    0 Votes
    1 Posts
    439 Views
    No one has replied
  • 0 Votes
    7 Posts
    23k Views
    JonathanLeeJ
    Thanks that fixed my issue also, I was wondering what that was.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.