• DSLite Workaround sort of

    0 Votes
    1 Posts
    400 Views
    No one has replied
  • Connect Watchguard SSLVPN Client to pfSense OpenVPN server

    0 Votes
    1 Posts
    597 Views
    No one has replied
  • PFSense & OpenVPN performance Issues

    0 Votes
    6 Posts
    1k Views

    @johnpoz 1 - When I've tried in my LAN the latency is 1ms.
    In my land (Switzerland) you have never ever more than 20ms. (if you have a fiber connection it's about 1 - 8ms).
    Now the thing is ... even if SMB is designed for LAN, I've a throughput of 8Mb... even when I'm streaming films from my server. So when I and a couple of friends are looking at a stream at the very same moment.. that's fulfilled.
    I don't expect to have 1Gbps over VPN... but from 1Gbps to 8mb/s... it's a lot.

  • OpenVPN and VLAN setup with Unifi

    0 Votes
    5 Posts
    706 Views

    SOLVED thanks to another thread on this forum .. it was actually the VPN client configuration, in that I had to check "Don't Pull Routes", which did the trick.

    Thank you!!

  • 2 OpenVPN servers on one IP address

    Moved
    0 Votes
    6 Posts
    714 Views
    stephenw10

    Ok, yeah. So if you add a pass all rule on the OpenVPN tab it will break traffic coming from location two across the load-balanced OpenVPN pair.

    You need to either assign the remote access OpenVPN server and add the rules on the new interface tab created.
    Or add rules on the OpenVPN tab that catch only the remote access users by specifying the source subnet.

    Steve

  • Confused about OpenVPN client DNS queries on a MultiWan setup

    0 Votes
    2 Posts
    295 Views
    Rico

    https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html

    -Rico

  • Openvpn error routing

    0 Votes
    14 Posts
    2k Views
    stephenw10

    Assuming you have rules to allow it, log in to the server GUI and check the OpenVPN tab in the firewall rules. Or the assigned interface tab if you have assigned the OpenVPN server as an interface.

    Steve

  • firewall rules on server

    0 Votes
    2 Posts
    260 Views
    JKnott

    @trazom

    ????

    The same way as you configured it. Fire up a browser and connect to pfSense. They're under Firewall > Rules.

  • Client to Server to Internet Client

    0 Votes
    5 Posts
    749 Views

    @gertjan

    yes you're onto it ;)

    yes it's tun,

    "IPv4 Tunnel Network" ---> 10.10.77.0/24

    Do you policy-route this 'call-in' network also? I've tried to set it as follows..

    Firewall / Aliases /IP

    Network or FQDN --->> 10.10.77.0/24 (OpenVPN)

    Firewall / Rules / LAN

    Interface (LAN) "also tried the openvpn here too"
    Source > Single host or alias "OpenVPN"
    Gateway is set to the expressvpn

    with that set like this, when the phone is connected, it works, but the internet connection is still shown as my wan ip, and not the expressvpn ip

  • 0 Votes
    1 Posts
    169 Views
    No one has replied
  • Access to LAN net behind pfsense from OpenVPN net

    0 Votes
    4 Posts
    784 Views

    Yep, LAN net is double NAT'd - I'm now working with ISP for switching router to bridge.
    My net is:
    [image]

    On VPS I have OpenVPN server + Zabbix (10.8.0.1). On pfSense I have Zabbix agent + proxy (10.8.0.2). Pfsense self-monitoring works fine (without proxy). I want to monitor some devices in LAN - 192.168.1.101. Now I've been stuck in settings - pinging LAN devices from OVPN interface does not work, but pinging pfsense LAN address works fine.

    UPD

    dev ovpnc1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 10.10.10.4
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote <ip> 31194
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    tls-auth /var/etc/openvpn/client1.tls-auth 1
    ncp-disable
    resolv-retry infinite
    route-nopull
    link-mtu 1601
    remote-cert-tls server

    My goal is to set up Zabbix monitoring from VPS (IP 10.8.0.1) of devices on the LAN network (IP 192.168.1.101) through a proxy installed on pfSense router (IP 10.8.0.2). Now zabbix says "Timeout while connecting to "192.168.1.101:161"." In the diagnostics tab of the pfsense router, in the ping section, I can successfully ping pfsense itself: 192.168.1.1 from 10.8.0.2, but 192.168.1.101 from 10.8.0.2 fails: packages are lost somewhere

  • 0 Votes
    2 Posts
    482 Views

    @eric-marshall

    I guess that was just way TL/DR. Sorry Guys.

  • PIA VPN removes stealth mode at GRC Shieldsup

    0 Votes
    8 Posts
    1k Views

    Thanks for the info guys

  • Only first IP connected have access to network

    0 Votes
    6 Posts
    629 Views
    Gertjan

    @artware said in Only first IP connected have access to network:

    Certificate are different

    In that case, you could switch to :
    [image]

    De-select Duplicate Connection.

    Firewall rules ?

  • Dual ExpressVPN failover - routing broken

    0 Votes
    1 Posts
    281 Views
    No one has replied
  • Fatal Error if radius with 2fa doesn't answer for longer time

    0 Votes
    2 Posts
    192 Views
    jimp

    Which version of pfSense is this on?

    If it's not current, upgrade.

    Otherwise you might want to report this specific error condition upstream to OpenVPN:

    Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Assertion failed at ssl.c:1929 (ks->authenticated)
    Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Exiting due to fatal error
  • ACL with HAProxy through OpenVPN

    0 Votes
    11 Posts
    2k Views

    @uwscia said in ACL with HAProxy through OpenVPN:

    HAProxy is not seeing the OpenVPN client with the assigned subnet IP.

    Seems like the wrong chicken created an egg explanation cause/result.. :)

    I think you mean:
    The openvpn client is not using the VPN to connect to the IP the domain name resolves to.

    To solve that, make DNS resolve a different IP that is part of the VPN network routes; that could perhaps be done with a hostname override in the DNS resolver settings. Or make the VPN the default gateway for all traffic? Or perhaps push routes for the public IP that needs to be directed over the VPN?

  • Can OpenVPN run at the same time as L2TP over IPsec

    0 Votes
    3 Posts
    211 Views
    Derelict

    Yes that should not be a problem as long as everything is using different tunnel addressing, etc.

  • 0 Votes
    1 Posts
    151 Views
    No one has replied
  • site-to-site, cannot ping from one lan to other lan

    0 Votes
    47 Posts
    8k Views
    stephenw10

    It's the Windows clients in Azure that need the route. That can either be added on each client or you can add it to the Azure routing for your VPC (or whatever Azure are naming the local subnet there). That will then apply to traffic from any client that hits the Azure gateway.

    You can assign the OpenVPN interface there to get an additional logical interface. Because it would be the second interface it will appear as LAN which might make things even more confusing! WAN and LAN are just names though.

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.