I kind of gave up on the openvpn and went with IPsec... seemed to work as expected on the first try.

After this, I'm going to move this to a different thread. The topic has moved to remote/client performance.

I did a google search. There are some other users that have had some success with various config settings.

tun-mtu 9000

#ifndef WIN32
o->rcvbuf = 65536;
o->sndbuf = 65536;
#endif

-or-

sndbuf 0
rcvbuf 0

Along with some other settings that I didn't find helpful. I need a true remote setup where I'm on an alien WAN, at a distance. Best I can do at the moment is test on my AT&T WiFi Hotspot, which is horrible in itself. (Though most hotel WiFi is just as horrible, so...).

Anyway, unless anyone has anything to add, I'll close this thread down. If I find out anything new/interesting, I'll start a new thread.

Thanks for listening.

Glad you figured it out, and thanks for posting detailed information about how.

@rico Thanks !

@viragomann
Thanks for the further response.

The 4G Router used at the Client site is either a TL-MR6400 or an Archer MR400. Those routers only have only one LAN port which is connected to an internal 4-port Ethernet Switch.

Unfortunately, given that scenario, I can't see a way to connect the VPN Client machine on to a separate subnet at the router. Given the number of potential Client sites the cost is significant so changing the router is not really an option.

OpenVPN has no user licenses. If it doesn't work, it's almost certainly in your configuration.

Typically issues with multiple clients end up being a problem with the certificates/credentials being used (everyone needs unique certs and usernames), or the tunnel network (it should be x.x.x.0/24), or possibly incorrect firewall rules.

Post more detail about your configuration and we might be able to help narrow it down. Also check the OpenVPN log for errors, and check the clients to see what addresses they claim to be using at the time.

Thanks alot for all of the answers.
I'll try out the portforwarding thing, aswell as tls-crypt and stunnel.

@rico said in How to use VIP's for OpenVPN:

Well you don't have unlimited VIPs to cycle them over and over again right?

No, but in the past the banned ip's have been unbanned after a month or so.

Best Regards
Esben

@derelict I got it working.
Idd the Interface needed to have the traffic defined on which the gateway was defined.

Thx for the response.

Then pcap a hop at a time until you see where the traffic is stopping I guess.

@peter808 said in unsupported certificate purpose:

When did that change? Although I usually try to read the changelogs completely, I do not remember having read about that.

That would be a change in OpenVPN itself, not pfSense. Most likely when that changed to OpenVPN 2.4 (which by coincidence was new in pfSense 2.4.0 and later)

@alivdel said in kill openvpn_client after n seconds:

for my Information can you tell me please whats the problem to put a file in rc.d directory?

None ☺
If you know how to write startup (stop) scripts for FreeBSD (pfSense), then it should work just fine.

Thanks you very much you save my day ;)

I worked on it for few hours now and the solution was in fact very simple

Note from the pfSense Book:
Not all clients support tap mode, using tun is more stable and more widely supported. Specifically, clients such as those found on Android and iOS only support tun mode in the Apps most people can use. Some Android and iOS OpenVPN apps that require rooting or jailbreaking a device do support tap, but the consequences of doing so can be a bit too high for most users.

Can you see any activity in your Firewall Logs when trying to access the pfSense via WebIF or SSH?

I would follow the guide again and try exactly as described with a very basic setup: https://www.netgate.com/docs/pfsense/book/openvpn/bridged-openvpn-connections.html
e.g. don't push any routes, don't use redirect gateway and so on, just basic.

Disable the Rule in your OpenVPN tab to make your Interface Rule active (which should not make any difference for this problem tho).

-Rico

@thenarc

Ok, I will try that. Thanks!

@gareigle said in OpenVPN Client can not traverse site 2 site vpn:

I'v tried different fw rules, and the redirect options on the vpn and no changes.

I don't think it's a rules issue. I'd say routing. Since this is site to site, the firewall has to route the traffic from it's local network to the other end. Devices connected to the network should have a default route pointing to the pfSense router/firewall. Each pfSense router needs to know a route to the local network at the other end. Do you have that configured. Please note, I've only configured pfSense for a "road warrier" mode, where it runs on a computer to connect back to my home network, not site to site, so I can't advise based on my config.

I found the issue, it turns out that the OpenVPN server didn't know where to reply to the LAN traffic coming in so I had to add the LAN's route to the OpenVPN server.