Thanks Jim,

Problem solved.

Ricky

@mauzilla said in Accessing a VIP IP on the WAN side when connecting to openVPN:

In my local openVPN confige I have route-nopull

Basically access to the WAN VIPs should work normally with this option.
But why don't you just uncheck "Redirect gateway" in the server settings and enter the local subnets to be routed over the VPN instead?

You can also go the other way round and route the whole upstream traffic over the VPN (including the VIPs) and enable NAT reflection for 1:1 NAT.

@Bronko you don't want to use NAT?

unfortunately, NO

@Gertjan Ok so I was able to connect to the VPN from my laptop using the bluetooth connection for the hot spot since I disabled wifi on the cell phone to ensure all traffic going over cell provider. Cell service is weak here so it is slow but traffic is passing (see below). So I guess given this can now confirm vpn is working across the 2 devices as expected but why the initial issue or can it be considered a one off and is everything else setup as it should for best performance and security.

0c5ca90b-4860-4044-aa3e-5912349a7f20-image.png

2444eff2-8883-4053-ac52-a59f63729199-image.png

Start your own thread, it's unlikely to be the same issues others have hit. While symptoms may be similar, there are numerous possible causes that can look the same, and trying to diagnose multiple people's issues in a single thread is not feasible.

Just to close this off, I got it working as desired using a simple Peer-Peer OpenVPN, and then added a bridge from VPN to OPT1 at both ends. Client CPE & Juniper VRF can reach each other with perfectly.

The only remaining challenge was the size of IPSEC packets from the client. Control packets were small, but Data often exceeded the payload maximum inside the OpenVPN tunnel. Eventually I used tun-mtu & fragment options to split packets >>1400 bytes across two OpenVPN UDP packets.

LAN interfaces are completely separate and only used for local access to the PfSense GUI.

PfSense OpenVPN.jpg

@hr1sha thank you for your responses, yea I have tried TCP and working just fine but performance worsens. ISP does not blocking un-obfuscated TCP connection with an SSL/TLS key configuration for some reason.

worked perfectly, thanks so much..

just noticed a warning about link-mtu is used inconsistently, local=link-mtu1537, remote=link-mtu1534. Just searching it up now..

thanks again for sorting this!

@willjohn
A VPN in itself will not change anything - it just moves your connection to a different node in an encrypted tunnel. It may disguise your identity or location but you can still make connections from it to a potential source of malware, viruses etc.

☕️

@hajdeo said in WEBGUI access from VPN:

@viragomann I want to access it from the internet. I don't have a public public IP, this way I can access pfsense webgui directly using the client. I already had it set up this way once, but I had to reset the router and I can't get it set up

hi frien...is done :) my opsense webgui is accessable from internet, just added this to port forwarding :)
e7e5fa37-cc9c-4533-b4b3-ca40006f3bc5-image.png

Do you think, is possible add rule to access another LAN IP adress (where is plex) from internt through this VPN connection?

@michaelschefczyk
I Did not touch any NAT Here.

Simply add a Interface gate way from the Interface Assignments Menu first and add Then Select and add a VPN, Enable it without any setting here you will get a new Gateway. At Firewall Rule from your LAN, Add a new rule with S: Lan Net > D: Network VPN Address >> Specific VPN Gateway from first step.
3f1daa6c-cf0c-4418-ab35-1625fa15f8d0-image.png

Have a look on the Latency, and how the App works, go for a pcap.

If the start use 10k queries to the DB, on lan site no problem but on VPN site with 20-30ms it takes Min to start.

@Tetz
Yes, all my sites are having this issue since at least v23.05 or possibly one version prior. However, turning off DCO does resolve the issue.

I can confirm after several days of work that the VPN has been rock solid and speedy with the 'redirect all traffic' box unchecked since I killed that sneaky DHCP server on my AP.

Glad this forum is here!

was able to get this going.. the one part that i missed was in the Client Specific Overrides on the server side. I didn't realize that the entry had to be named the exact name of the client certificate, not just a random name. Soon as i re-read that and changed, everything worked as it was supposed to. Hopefully this helps someone in the future.

@viragomann

You are awesome!! That did the trick. I didn't have "remote networks" on my server config only "local networks" so I kept the the route in the custom options and it worked.