• OpenVPN failover function?

    3
    0 Votes
    3 Posts
    449 Views

    I found this guide, do you think it can work? It's some years old.

    https://nguvu.org/pfsense/pfsense-multi-vpn-wan/

    Thank you.

  • OpenVPN fails to start

    6
    0 Votes
    6 Posts
    1k Views

    @MathiasMa said in OpenVPN fails to start:

    But does it really matter?

    No, as long as you keep it in mind and don't add another subnet to pfSense which overlaps it, it doesn't.

  • Multiple Open VPN Connections

    1
    0 Votes
    1 Posts
    311 Views
    No one has replied
  • Site2Site-OpenVPN Tunnel routing wont work on one of two tunnels

    7
    0 Votes
    7 Posts
    740 Views

    On the server-side (if that's the right config), looks like it's set up as a remote access server, which isn't what you want. You need to change the server mode to one of the Peer to Peer options and configure the server for either a shared key or PKI setup.

    On the client-side, the client is not routing any networks over the tunnel.

    So, there appear to be several issues:

    1. The server-side needs to be reconfigured for Peer to Peer mode
    2. The client-side is not routing any networks over the tunnel.
       a. If the objective was shared key, here's one of your issues
       b. If the objective was PKI, the server-side will need iroute statements for the client's network(s) in the CSO section
    3. The client override screenshot posted in your OP is missing an entry in the "IPv4 Remote Network/s", which will autogenerate the iroute statements needed for the server to reach the client's network behind this connection. Assuming you went with a PKI setup.
    4. This is unlikely, but the client-side is double NAT'd behind an edge device, so if basic end-to-end IP communication still isn't working after making your corrections, it's possible that the client may need a static route on the edge device for the tunnel network.
  • Connection Change issue

    Moved
    2
    0 Votes
    2 Posts
    333 Views
    stephenw10

    @althaf said in Connection Change issue:

    tls key negotiation failed to occur within 60 seconds

    That error simply means the server did not respond. So either it is unable to reach the server via that connection or the server is blocking connections from that IP address.

    Steve

  • OpenVPN client can't resolve hostname, DNS query denied

    2
    0 Votes
    2 Posts
    1k Views
    Rico

    In the OpenVPN RAS Advanced Client Settings push your pfSense IP as DNS again together with Force DNS cache update:
    pfSense_Push-OpenVPN-DNS-Server.png

    You also need a Firewall Rule for the OpenVPN Client to reach pfSense DNS. For testing best practice is to put some any-any Rule in the OpenVPN Firewall tab. Once you have everything working tighten your Rules.

    -Rico

  • Use Remote Host IP of OVPN interface as a variable in a bash script.

    3
    0 Votes
    3 Posts
    309 Views

    The closest thing I can find there is --show-gateway, which lists the IP of the gateway interface that OpenVPN uses to make its connections. I don't see any commands that give me the remote host information shown on status_openvpn.php in webconfigurator.

    edit: Success! I accomplished what I wanted by using the following:

    INTERFACEIP=`dig @resolver1.opendns.com ovpnc1 myip.opendns.com +short`
  • VPN in this combination possible?

    8
    0 Votes
    8 Posts
    840 Views
    Pippin

    Some VPN providers offer port forwarding.
    Search Cyberghost's help/faq if they offer that.

  • site to site cannot ping between LAN clients

    4
    0 Votes
    4 Posts
    392 Views
    Rico

    I'd recommend you to change one sides subnet and run OpenVPN in default and recommended tun mode.

    -Rico

  • 0 Votes
    7 Posts
    659 Views

    Will do, in the meantime I got something more stable using limiters on in and out at half our DSL capability.

    Seems like when the link is saturated, the copy gets frozen and not when the limiters are reducing.

    Might very well be due to failover of our SDSL WAN to ADSL second link activates (automatically I suppose due to poor ping)

  • OpenVPN with gateway group means internet access not working

    2
    0 Votes
    2 Posts
    271 Views
    Rico

    https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html
    Multi-WAN Tactics starting at around 40:05min.

    -Rico

  • My CA Authority create blank CA User

    7
    0 Votes
    7 Posts
    666 Views

    I think I touched something but I do not know exactly what. But when this happens it's better to start again :).
    thanks!

  • remote access client users > different VLANs

    4
    0 Votes
    4 Posts
    585 Views
    NogBadTheBad

    FreeRadius and hand IP addresses (framed) out that you can use in firewall rules for the clients, I do it with IPsec so I can access everything and friends can only access the internet.

    Sort of pointless if all the users' PCs on the LAN side of pfSense are all on the same subnet.

    "andy" Cleartext-Password := "XXXXXXXX", Simultaneous-Use := "1", Expiration := "Apr 11 2027", NAS-Identifier == strongSwan
        Framed-IP-Address = 172.16.8.4,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Route = "0.0.0.0/0 172.16.8.1 1"
  • openVPN error unrouteable control packet received

    2
    0 Votes
    2 Posts
    176 Views
    Rico

    Give an idea about your configuration and post the full log as text not picture.

    -Rico

  • PIA OpenVPN setup "Don't Pull Routes"

    5
    0 Votes
    5 Posts
    3k Views

    Thank you for your reply. When I check the widget, it only shows me the default gateway
    WAN_DHCP and does not show the openvpn gateway as a choice.

  • [Solved] Reach other VPNs thru Remote Access VPN

    3
    0 Votes
    3 Posts
    395 Views

    @viragomann
    "Second" P2 is the key word 👍 👍
    Solved, Thank you very much

  • Automatic Switching of OpenVPN Client Interface

    1
    0 Votes
    1 Posts
    254 Views
    No one has replied
  • Openvpn site to site Problem

    7
    0 Votes
    7 Posts
    656 Views

    @vidarne77 said in Openvpn site to site Problem:

    Reason for the Manual nat/was as for at main site it is needed for getting the right clients and servers over the proper vpns and vlans, atm you are right it is not needed for the basic setup so is at the offsite. (old habits setting it to manual)

    Glad it's working. Although just to throw it out there again, if you have access to both firewalls you don't need any NAT's for communication. All you need is routing and the firewall rules to allow the traffic. If you needed to add NAT's to get traffic flowing that tells me there are routes missing.

    By NATing, you lose granular auditing functionality, which may or may not be a concern for you. Personally, I always like to know exactly what is connecting to what.

    If you post your configs, we can offer more targeted info.

  • my site is not opening unless i use vpn what may be the reason ?

    2
    0 Votes
    2 Posts
    262 Views
    johnpoz

    Trying to understand your problem here - you're saying if you route traffic out a vpn, you can not load that site?

    What does that have to do with pfsense? They prob just block your vpn service.. Just like forums here blocks many vpn IPs..

    What IP are you getting when you route through a vpn.. Is prob on a shitton of black lists..

  • SSL3 error

    4
    0 Votes
    4 Posts
    671 Views

    @johnpoz I am certainly not an expert with pfnonsense... I solved my issue by moving to a 2.4.4 release. I was running on an old piece of hardware (32bit/2.3.x). I was trying to use OpenVPN client on PFSense to connect to ExpressVPN. It was clear in the logs that SSL3 was being used in the negotiation and the cert verify was failing as a result. Not an issue on 2.4.4. I am used to enterprise networking products where there is a clear documented way to control those settings client or server.

    I assume you are talking about OpenVPN server custom settings. I am not running OpenVPN server. Thanks!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.