How would you route traffic without adding some kind of router to this LAN? 🙃

-Rico

@konstanti I disabled the first rule still not working

@fergomez1980 said in OpenVPN cant connect static routes:

Static Routes in LAN
192.168.0.0/24 + Gateway in LAN 172.26.0.199 (ip alias of router to connect at that network)
192.168.1.0/24 + Gateway in LAN 172.26.0.199 (ip alias of router to connect at that network)

Other than your current openvpn problem this sort of setup also screams asymmetrical traffic flow.. If you have a network that you get to via a downstream router, then this downstream router should be connected via a transit network no using a network that has hosts on it.

So lets say lan device wants to talk to an IP on these networks.. does it have a host route - or send its traffic to pfsense? The return traffic will just go direct to client from the downstream router = asymmetrical.

But as mentioned by viragomann, you will need routes on your downstream router on how to reach the tunnel network(s) you use for your openvpn clients.. Or no you will never be able to get there without doing source nat.

@rico hello

I just finished configuring ssl/tls openvpn all working fine, but I couldn't understand in the server there is a section "Local Networks" what exactly this is for. Because without it I don't see any issues????

Also my cpu support AES-NI - Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM

0_1548063058698_2019-01-21_3-29-53.jpg
My pfSense box also have Chelsio T580-SO-CR witch I believe support Crypto offload, but I am not sure how to use that function OpenVPN seems to support only "cryptodev" I have to set to AES-NI and BSD Crypto Device in order to get any crypto offload on the OpenVPN. Even so I get much better performance on the bare metal then VM, but I am sure with my setup that's not it !!!!!

Also the million dollar question is HOW TO: OpenVPN Site-to-Site with DNS
In the past I tried to setup Bind with no luck seems I need to study more and I have to go with build in unbound for now
My sites are subdomains like:

site1.myco.local
site2.myco.local
site3.myco.local

Is there a way I can resolve without adding the hosts to each site manually

Thank you

EDIT:

Is this section of client specific Overrides can be the key to be resolved by other clients

0_1548266210000_2019-01-23_11-53-21.jpg

Some further digging and this seems to be a metric issue.

If I change the metric for the TAP adapter on both clients they can find each other and everything works, but not otherwise.

Is there a way to have Windows push all of the broadcast traffic down the VPN without having to manually change the adapter metric setting? Perhaps some setting I can push though the OpenVPN server that ensures 255.255.255.255 requests go down the VPN?

@lansmurf said in ExpressVPN interface is up but gateway is down:

The only problem I stil have is that althought the interface and the gateway are up and working. Dpinger cannot ping the VPN server. I have set the Data payload to 1 but I still don't get a ping… If I enter 8.8.8.8 to monitor I get a huge packetloss >40%... 
Maybe someone can give me advise at this point to get better monitoring results? (I guess this is important for load balancing if you enter multiple gateways to diffenrent VPN servers)

A bit late, but replying in case it might help someone. I had same problem with Dpinger and packet loss. Solved it by enabling Hardware Crypto in openvpn client. Now I can use external IP to monitor if VPN gateway is online. Of course, your hardware needs to support this.

@jimp
Thank you jimp! Works now.

Thanks for you time,i don't need a VPN when i am at home,but i don't know how to bypass vpn just when i am at home.If my vpn is active when i am connected to my home wifi it will lose connection and he try to connect to my wan.My wish is too be always on vpn because with my work i go in many places.
I will try your idea with dns override,sems more clean,right now i have on my client config my wan and my lan ip,so he will try next if one will fail.
I might create 2 vpn servers one on wan and one on wifi interface.

Multi-WAN Tactics with OpenVPN are covered here: https://www.netgate.com/resources/videos/advanced-openvpn-concepts-on-pfsense.html (22:50 min).

-Rico

@rsaanon

Did you get it to work?

@ffarkas said in OpenVPN only recognizes the first of two DNS servers:

Windows clients would automatically search on the other DNS server when a name cannot be resolved

One of the most common misconceptions to how dns works at a basic level.

As stated by Derelict all NS pointed to by a client need to be able to resolve the the same stuff the same way or your going to have a bad day.

If a NS returns NX for something that is asked for - then the client stops asking.. Because it was told that doesn't exist, so why should it go ask anything else for something that doesn't exist. The only time a client will go ask the other NS is if there is a time out.. And you can never be sure which NS a client will be asking out of the NS listed..

Thanks for the reply but was going nuts had to check Disable hardware checksum offload and solved it

Looks like the 'up' statement is already being used by one of pfSense's internal scripts. So I'm gonna have to use the 'route-up' statement to execute my command. Also, 'script-security' has already been set to 3, so setting it again would be redundant.

Glad you have everything up and running again. ☺

-Rico

@Konstanti
Thx for the help.
Indeed outbound NAT was enabled. After changing that everything works as exspected.

It's now resolved.
It was none of the above.

Changing tunnel network to be /30 resolved it.
I tested it afterwards:
switching to /24 works in one direction
switching to /30 full routing in both directions

It shouldn't happen. I did try on a fresh installs of pfsense.

Piotr

@konstanti I get 3 simultaneous connections; One connection is dedicated to the pfSense box. The other two are used on family laptops when travelling.

@viragomann Thanks very much, that works perfectly :)