please can you send YealinkOpenVPNGuide file one more time.
thanks :-[

Don't believe the iPhone environment will allow that.

There might be something that allows transfers but it has nothing to do with pfSense.

Maybe someone else knows.

To all other readers: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting  (Check (really check) everything there!!!!!)

No, it is not possible. That host's routing table prevails. If that host happens to have some reply-to magic like pfSense does, then maybe. But that would be a subject for that host's support forum.

Hi gentlemen,

not able to figure out so far…

However my route table seems fine doesn't it ?  ???

Sure I'm not far from the end, seems so simple, did I miss something ?

Thanks.

routes.png
routes.png_thumb

@joelones:

EDIT: I just realized that there's a "IPv4 Local network" allowable networks field in the server configuration. Is that it?

Yes, you have to enter the VLAN 10 network, 192.168.10.0/24 into the "IPv4 Local network" box.

However, this field is not for allowing access, its just for pushing routes for network entered to the client. To block access from VPN clients to other networks you should restrict the firewall rule on OpenVPN interface to only allow access only to VLAN10.

I also see that the 'Connected since' time is ahead of the PFsense time. The time show correctly for the OpenVPN servers that are setup as 'remote access'

Does anyone have a clue?

So just add 99.99.99.0/24 as a remote network on the OpenVPN at site 1.

See also all the stuff above about reply-to and assigned interfaces at site 2.

Pass the traffic on site 1 WAN that you want to pass such as tcp source any dest 99.99.99.1 ports 80 and 443

Make sure that traffic DOES NOT MATCH on the OpenVPN tab at site 2. It has to NOT MATCH there and match on the assigned interface tab.

Well this was fixed in the latest OpenVPN connect client on iOS (1.2.7) so we can start our bad habits again 🍻

I have a simillar issue on an x86 which I have posted about in the forum before.
For me the issue is only certificate depth checking… have this issue on 3 VMs.

Anyone taking notice of this?
Best regards,
V

I fixed the issue.

From memory I had to create a BRIDGE interface between my MGMT VLAN interface and OpenVPN TAP interface and remove the assigned IP from the MGMT VLAN interface and assign it to the BRIDGE interface.

I now use a tun routed setup though.

Amazing what a little "light" reading can do for you, that and stepping away from it all when your eyes feel like they have sand in them.
Opted to restore my pfsense install from a period before I started trying to hide my traffic.
Worked great. Then I followed a more recent DIY to install openvpn and PIA, and what do you know, it freaking worked. I even went to a bunch of dns leak test sites, and voila, NO MORE DNS LEAKS!
My traffic is protected from prying eyes, and my children can't see things that they won't forget by using pfblockerng

However, this leaves me without the ability to remote into my pfsense box from work. Another project for another day!

Does this help ?  https://openmaniak.com/openvpn_static.php


@viragomann:

Of course, the packets should be routed to the vpn server.

However, the traceroute shows the packets are directed to 192.168.8.254 from the source device, while according to the routing table above 192.168.8.250 is the pfSense LAN IP.
???
What's the real LAN IP now?

sorry for the confusion, I did change the pfsense LAN IP to *.254 from *.250 since I finally managed to get it working (albeit a bit complicated) so I can finally shut down my openwrt router. I have several VLAN set up in the pfsense (management interface, trusted, guest, iot) and all pfsense LAN :

my topology is something like this:

WAN pfsense home (192.168.0.2) ==> connected to the ISP router

few vlans in the 192.168.x.0/24 subnet (management, trusted, guest, iot)

all client on the VLAN interface can browse the internet fine and all interface currently have any to any except for the IOT

WAN pfsense office (pubic IP)

and also has few VLANs, in the 10.0.x.0/24 subnet

subnet for openvpn interface is in 10.0.102.0/24

I managed to get it work after I followed https://forum.pfsense.org/index.php?topic=29944.0 and modified according to my needs so only routes to VPN tunnel based on the destination IP/network and working good so far :) Not sure this is the correct way to do it but it's working. More configuration needed (usually only configure the client config file in the openvpn server), now I need to also configure few firewall rules for in the openvpn client end (in addition to configure the outbound NAT)

The odd thing is, if I traceroute from office lan side to internal network it does pass thru openvpn lan interface and I dont need to configure anything on the firewall openvpn server side.

C:\Users\thasan>tracert 192.168.5.201 Tracing route to 192.168.5.201 over a maximum of 30 hops   1    <1 ms    <1 ms    <1 ms  10.0.7.254   2    6 ms    6 ms    11 ms  10.0.102.3   3    12 ms    16 ms    10 ms  192.168.5.201

whereas if i traceroute from the other side it ommits the pfsense LAN IP and goes directly to the openvpn interface

traceroute 10.0.7.10 traceroute to 10.0.7.10 (10.0.7.10), 30 hops max, 38 byte packets 1  10.0.102.1 (10.0.102.1)  7.177 ms  5.878 ms  6.333 ms 2  10.0.7.10 (10.0.7.10)  6.048 ms  *  6.322 ms

I am happy now :), but just wondering is this the correct way to do it