• Pfsense openvpn to openvpn with Unraid

    12
    0 Votes
    12 Posts
    2k Views
    RicoR

    Glad you have it working. ☺

    -Rico

  • OpenVPN inbound DNAT/Port-Forwarding

    1
    0 Votes
    1 Posts
    291 Views
    No one has replied
  • Another 'can't ping lan from VPN' scenario

    6
    1 Votes
    6 Posts
    550 Views
    RicoR

    Glad you have it working again. ☺

    -Rico

  • Dual routing from OpenVPN server to Client Internet

    14
    0 Votes
    14 Posts
    1k Views
    L

    @derelict said in Dual routing from OpenVPN server to Client Internet:

    Negative.

    The moment you assign the interface the VPN breaks. THEN you have to stop and start the server process. Client or server. Does the same thing.

    Show me in the manual where it says not to assign an interface to an OpenVPN server.

    You are right. It worked. Many thanks.

  • Can You Connect Unraid to Pfsense??

    1
    0 Votes
    1 Posts
    251 Views
    No one has replied
  • How to send specific traffic to WAN rather than VPN

    2
    0 Votes
    2 Posts
    291 Views
    V

    Yes, if you have checked "Don't pull routes" like it is shown in the tutorial, just add a firewall rule for that traffic (source = the two laptops) and leave the gateway setting at its default. Place this rule at the top of the rule set, so that it matches first.

  • openvpn customer information

    3
    0 Votes
    3 Posts
    417 Views
    S

    Grateful, but it does not help me yet. I just want to get the cadastral information of my OpenVPN clients. The suggestion given brings everything (usable and revoked) and would have to be done one by one. Understood?

  • How to config pfSense as OpenVPN server in DMZ?

    2
    0 Votes
    2 Posts
    1k Views
    P

    @philip2019

    I'm not sure, finally it worked.
    It can't be tested from inside the LAN in my situation: I can't ping my WAN public IP address from an inner LAN PC when it is set as a DMZ, so I have to use another Internet connection to ping the modem IP address. Because the modem (router, Bell Hub 2000) sets an inner PC as DMZ, this pfSense server (as the DMZ PC in the Bell router) should allow ping on the WAN interface. It's a simple firewall rule; this helped me learn that only another Internet connection can easily reach the DMZ.

    The other things are almost the same as in guides on YouTube or in web articles. The only change is that the configuration will show the DMZ pfSense server's WAN IP address as the remote address (it is also a LAN IP address), which is impossible to reach because it is a LAN IP; changing this IP to the public IP address works.

  • Strange behavior. IP ending with .2 works, ending with .3 not.

    8
    0 Votes
    8 Posts
    891 Views
    M

    No there were not.

    I have deleted everything related to the RoadWarrior Server now and recreated it with another cipher, but same settings/TunnelNetwork/Buffer/Rules. It seems to work now. Could it be that pfSense sometimes doesn't activate rules unless you recreate them? It felt like that, though I don't really know why it didn't work and now works.

  • Split tunnel works but no luck with a Full

    4
    0 Votes
    4 Posts
    638 Views
    _

    Changed my working split tunnel... turned on "Force all client-generated IPv4 traffic through the tunnel." and no web traffic; traffic to LAN works but nothing webwise.

  • Remote Connection Not Working OpenVPN

    1
    0 Votes
    1 Posts
    133 Views
    No one has replied
  • Side effect of OpenVPN

    10
    0 Votes
    10 Posts
    1k Views
    M

    @marvosa said in Side effect of OpenVPN:

    Per the "redirect-gateway def1" option in your config, all of your traffic is being routed over the tunnel when it's enabled.

    It appears that you are right, many thanks! After replacing "redirect-gateway def1" with "route-nopull" the games stopped misbehaving while VPN-enabling rules (based on IP) still work. I'll do a bit more testing but it looks like your advice was spot on. Thanks a million!

    It appears that IRC "redirect-gateway def1" option changes the default gateway to VPN while pfSense still reports non-VPN gateway as default - this is quite confusing.

  • Another OpenVPN TLS handshake failed issue

    3
    0 Votes
    3 Posts
    1k Views
    T

    Here's the CA config:

    Here's the certs:

    OpenVPN config:

    Interface assignment:

    Gateway config:

    Firewall rules for RW_VPN:

    Even added this for the OpenVPN just in case:

    Firewall rules for WAN:

    Added the RW_VPN interface to DNS resolver:

    Added outbound NAT for the new VLAN:

    Updated my aliases:

    Client Export Config:

    The OpenVPN client log shows:

    The logs in the pfSense GUI show:

    The log file shows the same thing:

    Mar 13 12:40:12 pfSense openvpn[5481]: 205.128.239.51:20640 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 13 12:40:12 pfSense openvpn[5481]: 205.128.239.51:20640 TLS Error: TLS handshake failed
    Mar 13 12:41:16 pfSense openvpn[5481]: 205.128.239.51:25518 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 13 12:41:16 pfSense openvpn[5481]: 205.128.239.51:25518 TLS Error: TLS handshake failed

    I'm going to guess to get some more verbose logs I need to change the Verbosity level to 5 or higher?

  • file xxxxx.ovpn

    23
    0 Votes
    23 Posts
    2k Views
    stephenw10S

    Cool, glad you got it working. ☺

    Steve

  • Pfsense with OpenVPN package installed

    1
    0 Votes
    1 Posts
    196 Views
    No one has replied
  • 0 Votes
    3 Posts
    654 Views
    Z

    Hello.
    Thank you very much.
    Let me see if I got it right..
    The forum is blocked because I am redirecting all my traffic via AirVPN and I should create a bypass rule?
    If that's the thing, how do I do that?
    I was able to set up my system following guides but I might lack a lot of theory... About advanced networking I am a newbie.
    Thank you

  • Host can't reach hosts on other LAN connected via OpenVPN

    7
    0 Votes
    7 Posts
    699 Views
    RicoR

    Glad you have it working now.

    -Rico

  • TLS Error: TLS key negotiation failed to occur within 60 seconds

    7
    0 Votes
    7 Posts
    946 Views
    M

    It works!! I think the error was the public IP,

    thank you !!!!

  • Decentralised VPN

    8
    0 Votes
    8 Posts
    916 Views
    RicoR

    There is no limit for mesh or star.
    With lots of sites and traffic you just need beefy hardware. ☺

    -Rico

  • OpenVPN through two pfsenses

    12
    0 Votes
    12 Posts
    1k Views
    D

    Thank you very much for your help.
    I had to leave the office now...I will retry it on Monday and let you know.
    Thank you very, very much! 💪

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.