@viragomann Oh wow, thats true o.O

Thanks for that!

@viragomann That is what i think. A lot of us have home labs. And 130 $ a year, it's much too much.

@the-other said in Dashboard Traffic Graph VPN:

what works:

Correct that works fine.

@the-other said in Dashboard Traffic Graph VPN:

I cannot even select opt1

seems "different" that you can't even select it on the widget.

My solution to the flat line was to unselect that graph, so it doesn't even try to show the flat line. Deal with it another day. Since it looks like it is most likely a bug.

If you are a n00bie like me, and are coming across this article... I figured it out. Below are the steps:

Install OpenVPN Access Server (OpenVPN AS) on a Virtual Appliance or Dedicated Device. On your firewall, "Pinhole" the OpenVPN port through the firewall (usually UDP Port 1194). Update the hostname to OpenVPN AS to a DNS entry that is accessible locally (e.g. 192.168.x.x) and globally (123.210.x.x). Get an SSL certificate from LetsEncrypt, and configure automatic renewals (guide). In OpenVPN Access Server, configure SAML Authentication with your Identity Provider (IdP) of choice (e.g. Entra, Google, IBM Verify, etc.) Within OpenVPN Access Server, configure your Access Control policy via User Permissions or Group Permissions Use your phone to test the if your SAML authentication and OpenVPN Access Control policies are working.

As for forum moderators and pfSense developers, I think it would be helpful if within your documentation you emphasised that OpenVPN Access Server is an easy option for organisations looking to implement a MFA-protected VPN solution. IMO everything on the web points to using OpenVPN embedded into pfSense, making organisations think that authentication via RADIUS and LDAP are the only options.

Personally, for VPN I think it is safer to limit the number of times end-users need to enter their username/password. Instead, each time they access they should complete a push/biometric challenge. Since re-authentication is so much faster, you can make your VPN disconnect after a few minutes of inactivity. And, end-users can't really complain since reconnecting is so simple. OpenVPN AS as a FREE license that allows 2 concurrent connections. After that you have to purchase a subscription, which is reasonable, all things considered.

@pfadmin
so it seams that OpenVPN is not the problem. I brougth up a wireguard tunnel with the same effect. Example File stops at 55% copie. Do I use at the same pc out of the same LAN a OpenVPN connection we use for Roadrunners, than it works. I can not see the difference...

@slu

After I've turned off the IPSec-Tunnel it worked again.
It routed everything to the IPSec-Tunnel.
Of course I have a route 192.168.0.0/16 into the IPSec-tunnel and my local LAN is 192.168.1.0/24, but this normally should work (and it did), because the LAN is locally connected and connected routes are better than static.

But I do not have so many subnets behind the IPSec-tunnel, so I can route only the needed subnets.

@gschmidt i stumbled upon this and while youve seem to have had your issue solved, i found two solutions within the several hours i was trying to fix this leak.
one way is to use cmd in windows and using openvpn community edition cmd line interface to use

"path to ovpn gui exe, keep quotations" --config "path to ovpn file to use, keep quotations" --block-outside-dns
pause

OR
change all dns to google or cloudflare dns in network connections
you can use this software to do it automatically instead of manually
https://www.sordum.org/9432/dns-lock-v1-5/

@streetsfinest
Hello,
Have you found a way Maybe?

@munson
What do you mean by "unencrypted traffic"?
It's on the web browser to request traffic unencrypted (http) or encrypted (https). pfSense has no impact on this as long as you don't run a proxy.

Generally to force all upstream traffic from the client over the VPN, check "Redirect IPvX Gateway" in the server settings.

Then ensure, that there is an outbound NAT rule in place for the OpenVPN tunnel network.
If not switch the outbound NAT into hybrid mode and enter a rule for the source of the tunnel network to WAN.

@ontzuevanhussen said in Can't access client LANs from servers on DigitalOcean private cloud network behind OpenVPN on pfSense:

Anda memiliki kasus yang sama dengan saya, saya juga mengalami hal demikian dan sampai sekarang saya belum menemukan solusinya. Ketika VPN (wireguard) saya aktifkan, saya dapat menjangkau web app di server digital ocean. Namun ketikan tanpa aktifkan VPN, saya kembali tidak dapat mengakses website saya.

Hi @ontzuevanhussen, I ended up working around it by setting up an OpenVPN server on each location's router, and initiating the connection for each from the server I needed to be able to have access to those networks. For whatever reason it works as an outgoing connection from DigitalOcean but not an incoming one. I think DigitalOcean's must just be dropping the traffic. Anyway, it works this way and I am able to run my ansible playbooks from my server on systems on these locations' LANs. Somewhat annoying but it works.

@adamw If you export pfSense logs to a syslog server, you can start filtering information about connections and disconnections via:

grep -E 'Peer Connection Initiated|new connection by client|Inactivity timeout' openvpn.log

It's possible to make a shell script to parse the information to make a report and send by email.

@viragomann said in Site-to-site tunnel, remote dont have route but can ping network:

Yes, of course, if the tunnel goes (routes cleared) down traffic destined to the remote site will go out to the default gateway.

You can circumvent this by adding a floating Quick block rule to WAN for outgoing traffic to RFC1918 destinations.
RFC1918 is an alias containing all private network ranges. You have to create it before.

Thanks!

@netgatech said in OpenVPN assigning interface not working:

thanks but can you go on internet from clients using the vpn ?

I'm answering this post with my phone. The phone uses OpenVPN connect, and is a OpenVPN client.
I'm connected to the pfSense VPN server shown above.
So, yes 😊

@TYz your apps can not get to the internet, or you can not get to your apps from the internet?

For me for example to get to your docker you would need to forward to that port 30050 at 192.168.1.200 on pfsense.

I would then go to your actual public IP.. pfsense would forward it to 192.168.1.200, which in turn would be sent to your docker 172.16 address.

@SteveITS

My own hardware.

I did select QAT but it still shows as "No" on the dashboard so I guess it is not available.