@ermilan2309

Sure.
"SHA1" isn't, afaik, not depreciated or even forbidden, as it shows up as an option in the GUI.

Do read this : HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection because you've skipped over a lot of small and big security issues.

It's possible that you have to re generate an OpenVPN client export file as the OpenVPN client side was probably updated several versions already.
The idea is that you keep versions used on both sides nearly identical.

Can you tell more about your OpenVPN server setup ?

And of course, shows the OpenVPN logs. It doesn't matter if you can understand them. Maybe we do ^^ so we can tell you what's up.

@poldus
What do you consider as "static" here?

The above shows the client log. But what shows the server log?
Does the server even see any VPN packet?

Are you aware, that shared key OpenVPN is deprecated these days?

Do you really intend to setup a tap client?

@guillaume14
Ensure all related states are flushed.

If the no-nat rule still isn't applied, there might something wrong in its settings, so that it doesn't match.
Ensure that the protocol and the destination port are correct if stated.

@rajukarthik its just the normal openvpn community edition.

[2.7.2-RELEASE][admin@test.mydomain.tld]/root: openvpn --version OpenVPN 2.6.8 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO] library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10

Yeah it is a bit dated, sure that will update when 2.8 drops.. but its not the access server version.

As to soc2 - As to the just community edition, prob not - since really the user of said edition can pretty much do anything they want with the config, were with the AS and Cloud versions of their server being more strictly controlled in what can be configured.

Those 2 versions are not free, so sure they can get certification of meeting specific standards, etc. But I doubt they would run through such trouble with audits of controls, etc. for something the user might easy override even a config change.

If you really want to make sure its soc2 compliant - I would run either of those on something other than pfsense. I have not heard of anything about being able to run say the as version on pfsense.

I run an as version on one of my vpses - you can run it for free for max of 2 concurrent connections. Which for me is plenty for my use case.

@bozo-bogd

We tried setting reneg-sec on both sides to 0 but it caused the client to constant want the MFA prompt satisfied. The pings settings are already set to 0

Details from Azure. We have a CA policy that requires MFA when authenticating to the EntraID account. The Entra RADIUS VPN app is installed on our RADIUS box to interject the MFA prompt when authenticating to our local AD with the OpenVPN client. The MFA app has a limited config, with caching and renegotiation settings not being options.

@McMurphy hahah - yeah minor detail ;) hehehe

@DSTMalo Thank you so much! Happy new year.

@Gertjan perfect thank you. Still shows as applied and has the revert option so i'll keep it applied

Perfect. Thank you

@viragomann It works!

I remove the client static IP configuration from the server setup and ping works from both sides.

It was quite difficult but the reason why I didn't read the documentation about s2s OpenVPN connection. Thank you!

@ctarbet

I configured the OpenVPN with OpenLdap. I had some issues regarding to setup but I found the solution:

Start configuring A connection from scratch (SystemUser -> ManagerAuthentication -> Servers) - don't copy the connection!

Screenshot from 2025-01-17 09-53-21.png
Screenshot from 2025-01-17 09-56-57.png

QUERY: &(objectClass=groupOfNames)(cn=vpn)(member=*)

LDAP tree structure:
Screenshot from 2025-01-17 09-59-59.png

Please take a look at the screen. This is an example of configuration, but maybe it'll help you. Good luck!

@Gertjan You helped me find the problem, on the other VPN server, I had selected to give the client the domain name and swapped my DNS entries. All good now. Appreciate your help, your the man!

@Dharmender-Bankal said in Can ping my entire network but can not access any server:

what could be the issues?

When you're on site, and if your server has a keyboard and screen : connect to it.
I'll bet it has a firewall ^^
And I bet again : your server, as per security rules, only accepts connection coming from the local network it's connected to. And from no where else. Right ?

Change (adapt) the server's firewall rule(s), and you'll be good.
I suggest : don't open up 'from everybody' (which includes the entire Internet !), start by adding the tunnel network you are using when connected to your VPN.