I have a setup behind a FortiGate and use a DMZ and a LAN for pfsense. So I'm not port forwarding form the internet into my lan and can have strict firewall policy on the wan side, into the Fortigate DMZ \ pfSense WAN.

Then the lan side of pfSense is more of a transit network and not part of my actual lan on the Fortigate, allowing me to also place explicit rules on what can cross into my lan and other network from the VPN connection.

Internet > FortiGate(DMZ) > pfSense(WAN)
pfSense(Lan\Transit) > Fortigate(Transit) > Fortigate LAN, Guest, IOT, NOT (Network of things, No internet access) and more.

You will need to be aware of port forwarding, firewall rules, routing to set this up correctly.

I'm guessing your issue was port forwarding or firewall rules on the Fortigate.

@AntonioR said in Connect to another site (same LAN segment, with radiolink):

the LAN is 10.0.0.0/24 in both sites.

easy : don't do that.
The router on the first site knows where 10.0.0.0/24 is, its local.

The solution is something like :
Change the 10.0.0.0/24 on the first site for (example) 10.0.1.0/24.
and tell router site 1 that 10.0.2.0/24.= can be reached using the VPN.
Change the 10.0.0.0/24 on the second site for (example) 10.0.2.0/24.
and tell router site 2 that 10.0.1.0/24.= can be reached using the VPN.

@opticalc said in Netgate's openvpn client's remote server and my homes public IP:

and it was leaking DNS due to my client still using PFSense as the DNS server

Unbound (the pfSense resolver) can be forced to use the VPN connection also .....

I followed some of your instructions and it is working once more.

I made a new CA as stated
I made a new Server Cert
I changed the OPENVPN to use the new CA & Cert
I changed 1 user to use the new CA & Cert
I downloaded and installed a fresh installed and it is now working.

@Gertjan Once more, thank you for time help time and assistance with helping me get this fixed. I really appreciate it.

That did the trick. 🙂

Thank you again. Pleased to have it working.

So I figured it out. You need to go to Interfaces -> WAN and set "IPv6 Configuration Type" from "DHCP6" to "None" and then reboot pfSense. When rebooted, the interface now has an IPv4 virtual address when you look at interface status that you can bind to and use.

I got the same error message after upgrading to a more recent pfsense version (2.6). I tried the packet capture (and I saw the client packets arriving), I switched from UDP to TCP (to no avail), I tried different port numbers and still got the same error message (TLS key negotiation failed to occur within 60 seconds).

Then I configured the OpenVPN server "Endpoint Configuration" and switched the interface from "WAN" to "any". Et voilà - the error message was gone and the connection was established as desired!

I then tried all different settings for "interface" to find out which was the right one, but I got the error message for every single one of them. Only "any" worked.

I reviewed DCO limitations and the document states that openvpn /DCO should honor kernel level routes. I added static routes (although dpinger should do this as well) and that didn't fix anything.

@Bambos This is surely the case

@Gertjan
Thank you for your time.
Brief, competent and clear.
Most likely my solution is to use the DUO Security platform first, and then, if successful, deploy my own server. Because I have a large number of VPN servers that require increased security
Thank you very much again!
Have a nice day.

@viragomann said in Can't access to Proxmox from outside (OpenVPN client):

o limit the rule to a single IP, enter the IP with a /32 mask.

Effectively !
Thanks again for your support.

@Gertjan said in OpenVPN Server dco:

so its really hidden ?

i checked this. only in my windows connect app:

433cb667-86dd-4934-aee9-06dfb0bed48f-image.png

@sgw said in set up pfSense as additional gateway into VPNs:

googled for router on a stick with pfSense, found mostly setups using 2 VLANs on one NIC.

You have two network segments on two interfaces as well in fact. With at least two, a router makes sense. But only one of them has an outside NIC.
This one you connect the existing LAN subnet and the other one is the VPN subnet, which has a virtual interface inside pfSense.
On the VPN you have a route to the remote site. On the LAN you have the default route.

As mentioned, you can use either interface for this, but if it's the WAN, ensure the remove the "block private networks" check in the interface and in both cases enter the gateway directly there. This sets the default route automatically and add outbound NAT rules, so that pfSense is able to search for updates.

@johnpoz is there a custom package (OVPN) implemented with this feature ?

@Aadrem said in OpenVPN Slow Only on One Specific Client (2.5G/1G Network):

Super Micro 1537 with a CPU that never exceeds 10% load,

pfSense is waiting on the WAN interface for traffic that comes in. Other VPN users have no issue, and you're pfSense handles them just fine. Just this 'one more' shows issues ?
So, the issue isn't pfSense, the VPN server ..... but the client, or the connection to/from the client.

What happens if you swap the VPN client config between 2 of your VPN users ?

@Aadrem said in OpenVPN Slow Only on One Specific Client (2.5G/1G Network):

(2.5 Gbps download / 1 Gbps upload). They are not on mobile 5G or a limited connection

No need to mention this, if you already know the hard sealing :
(1 Gbps download / 300 Mbps upload)

That said, the "problematic clients are a MacBook Pro and a OnePlus" have the connection "(2.5 Gbps download / 1 Gbps upload)" all for themselves ? Or is this connection shared with others ?
ISPs do sell their speeds measured with special conditions : like sun, Mars Earth and Jupiter aligned.

@Aadrem said in OpenVPN Slow Only on One Specific Client (2.5G/1G Network):

The issue does NOT occur when using 5G or FTTC connections, only on this specific FTTH connection.

Ah : That's useful info. The issue points to that network and the ISP.

@Gertjan
in case anyone has this issue, i found the solution. besides removing the DNS line remove the TLS key from Custom options under advanced configuration towards the bottom of the openvpn client. then go to the top and select USE A TLS KEY, then uncheck automatically generate a key and paste your key from your server here.
then for TLS Key Usage Mode change it to TLS encryption and authentication.
now it works after saving the changes!

@viragomann Sorry for that. Yes, it looks like there was a misconfiguration here. I had to change my default gateway it was still setup to be the 10.0.0.1 that the switch comes with. I thought it would be set from DHCP but i guess it wasn't. It's all working now! Thanks!