• OpenVPN to industry router, same LAN

    0 Votes
    2 Posts
    465 Views

    Hello,

    I have another path to resolve the project.

    Is it possible to create up to 100 OpenVPN server instances on different ports on the pfSense, or is this very CPU intensive?

    Thanks for all answers and other tips to resolve my project…

  • OVPN TAP Should work but isn't

    0 Votes
    2 Posts
    581 Views

    Hi,

    Just wondering if you were able to resolve your issue? It seems that I have a very similar problem, which I detailed in this post:

    https://forum.pfsense.org/index.php?topic=141511.0

    I didn't get any replies either and I'm stuck where to go from here as well.

    Regards,

    Robert.

  • Site to site between 4 offices

    0 Votes
    10 Posts
    1k Views
    Derelict

    Please use specific IP addresses and a specific mode of testing so people can know exactly what you're talking about.

    Thanks.

  • Error message I can't figure out

    0 Votes
    2 Posts
    462 Views

    Turns out that I got the wrong gateway IP from the ISP. I figured it out, changed the gateway info in pfSense and all was well.

  • OpenVPN clients can't access port 80 on LAN PCs

    0 Votes
    1 Posts
    397 Views
    No one has replied

  • [SOLVED] OpenVPN pushing default routes to clients even if I told it not to.

    0 Votes
    12 Posts
    11k Views
    Derelict

    Where do you see those two?

    The /1 means a subnet mask with only the most significant bit being used to identify a network.

    --redirect-gateway flags...
        Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN. This is a client-side option.

    This option performs three steps:

    (1) Create a static route for the --remote address which forwards to the pre-existing default gateway. This is done so that (3) will not create a routing loop.

    (2) Delete the default gateway route.

    (3) Set the new default gateway to be the VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).

    When the tunnel is torn down, all of the above steps are reversed so that the original default route is restored.

    Option flags:

    local -- Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless. The local flag will cause step 1 above to be omitted.

    autolocal -- Try to automatically determine whether to enable local flag above.

    **def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.**

    bypass-dhcp -- Add a direct route to the DHCP server (if it is non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).

    bypass-dns -- Add a direct route to the DNS server(s) (if they are non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).

    block-local -- Block access to local LAN when the tunnel is active, except for the LAN gateway itself. This is accomplished by routing the local LAN (except for the LAN gateway address) into the tunnel.

    **ipv6 -- Redirect IPv6 routing into the tunnel. This works similar to the def1 flag, that is, more specific IPv6 routes are added (2000::/4, 3000::/4), covering the whole IPv6 unicast space.**

    !ipv4 -- Do not redirect IPv4 traffic - typically used in the flag pair ipv6 !ipv4 to redirect IPv6-only.

    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

    These are two routes that OpenVPN can insert and delete at will, which override 0.0.0.0/0 due to the longer mask, without OpenVPN having to track, save the state of, and reset the user's current default gateway configuration, while continuing to match all IPv4 destinations that don't have a more-specific route.

    They do the same thing for IPv6, as highlighted.

  • Can not access Local network

    0 Votes
    11 Posts
    1k Views

    Ok, so I was doing some more tracing and I was checking the config files when I found that someone had changed the gateway on the camera system to 192.168.1.1; as soon as I changed it back to 192.168.1.150, everything started working again. Sorry for the problems, but all is solved and working. Thanks very much for the help! It is much appreciated.

  • OpenVPN Statistics for charging

    0 Votes
    3 Posts
    541 Views

    I want statistics on when someone connects and when they disconnect.

    For example:
    User: karanik
    Connected : 14/12/2017, 09:00
    Disconnected: 14/12/2017,12:00
    Total time of day: 3 hours
    Total time of month: 22 hours and 45 minutes

    Now I have only this status:

    https://imgur.com/R3hNEvs

  • [SOLVED] OPENVPN TROUBLE

    0 Votes
    10 Posts
    1k Views

    Thanks viragomann & johnpoz, I solved this trouble; I only needed to install the OpenVPN agent on my desktop on the LAN and I can access the laptop. Thanks for all.

  • Email notification if have connection OpenVPN

    1 Votes
    7 Posts
    6k Views

    @s_moffa@securex.ch:

    Hi,
    I don't know if you already found it, but it was the same request I had.
    To do that I just modified the OpenVPN connect and disconnect script on pfSense 2.2.4:

    /usr/local/sbin/openvpn.attributes.sh

    and add the line on connect and disconnect:

    /bin/echo "Connexion de ${common_name} date" | /usr/local/bin/php /usr/local/bin/mail.php -s"Connexion de ${common_name} date"

    Best regards,

    Hello again.
    Now my version is 2.4.2-RELEASE (amd64) FreeBSD 11.1-RELEASE-p4
    and my /usr/local/sbin/openvpn.attributes.sh has

    ```sh
    #!/bin/sh
    #
    # openvpn.attributes.sh
    #
    # part of pfSense (https://www.pfsense.org)
    # Copyright (c) 2004-2016 Rubicon Communications, LLC (Netgate)
    # All rights reserved.
    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    #
    # http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.

    # client-connect: hand any per-client config staged in /tmp to OpenVPN
    if [ "$script_type" = "client-connect" ]; then
        if [ -f /tmp/$common_name ]; then
            /bin/cat /tmp/$common_name > $1
            /bin/rm /tmp/$common_name
        fi
    # client-disconnect: flush the client's pf rules and kill its states
    elif [ "$script_type" = "client-disconnect" ]; then
        command="/sbin/pfctl -a 'openvpn/$common_name' -F rules"
        eval $command
        /sbin/pfctl -k $ifconfig_pool_remote_ip
        /sbin/pfctl -K $ifconfig_pool_remote_ip
    fi
    exit 0
    ```

    How should it be done?

  • Shell script to activate OpenVPN

    0 Votes
    3 Posts
    602 Views

    Thanks for the reply,
    but that's what we need to do: we want to activate or deactivate our VPN client at any time just by pressing a switch.
    But that is not my problem; it works if I execute the script manually. As I said, it works strangely when I put the script in /usr/local/etc/rc.d to execute on startup.

  • PFSense OpenVPN server behind OpenWRT router

    0 Votes
    5 Posts
    1k Views

    That's a very fair statement, I'll try a packet capture when I get a chance. Thanks

  • OpenVPN works for initial connection, then fails after. Reboot fixes it.

    0 Votes
    10 Posts
    4k Views

    @raiderj:

    Have you checked NTP? I see a note I have about that, but not sure if it's related. Maybe a time drift causing issues.

    Yea… This is the error I get (after trying to reconnect):
    Warning: route gateway is not reachable on any active network adapters: 172.16.0.1

    When connecting the first time it works fine though...

  • OpenVPN initial connection works. Trying to reconnect does not - Reboot fixes

    0 Votes
    2 Posts
    2k Views

    @kaas:

    Hi.

    So I followed this video: https://www.youtube.com/watch?v=xiy52Hn5bTc

    I had this running on my old network. It's used for me to get access to my work network from home.

    So, I recently switched ISP both at home and work to the same new one.

    I setup PFsense and OpenVPN.

    When I boot my PC, I can connect. However, after disconnecting and then trying to reconnect, nothing happens.
    These are the logs:

    Tue Dec 12 21:31:17 2017 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
    Tue Dec 12 21:34:47 2017 Warning: route gateway is not reachable on any active network adapters: 172.16.0.1
    Tue Dec 12 21:34:47 2017 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Tue Dec 12 21:34:47 2017 Warning: route gateway is not reachable on any active network adapters: 172.16.0.1
    Tue Dec 12 21:34:47 2017 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Tue Dec 12 21:34:47 2017 NOTE: Release of DHCP-assigned IP address lease on TAP-Windows adapter failed: An address has not yet been associated with the network endpoint.  (code=1228)
    Tue Dec 12 21:34:47 2017 SIGHUP[hard,] received, process restarting
    Tue Dec 12 21:34:47 2017 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
    Tue Dec 12 21:34:47 2017 Windows version 6.2 (Windows 8 or greater) 64bit
    Tue Dec 12 21:34:47 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
    Tue Dec 12 21:34:52 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xxx.xxx.xx:1194
    Tue Dec 12 21:34:52 2017 UDP link local (bound): [AF_INET][undef]:1194
    Tue Dec 12 21:34:52 2017 UDP link remote: [AF_INET]xx.xxx.xxx.xx:1194
    Tue Dec 12 21:34:52 2017 [www.safesurf.dk] Peer Connection Initiated with [AF_INET]xx.xxx.xxx.xx:1194
    Tue Dec 12 21:34:53 2017 open_tun
    Tue Dec 12 21:34:53 2017 TAP-WIN32 device [Ethernet 3] opened: \.\Global{734D00E0-401D-46F7-B1E7-420E4AB1DF67}.tap
    Tue Dec 12 21:34:53 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 172.16.0.0/172.16.0.2/255.255.255.0 [SUCCEEDED]
    Tue Dec 12 21:34:53 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.16.0.2/255.255.255.0 on interface {734D00E0-401D-46F7-B1E7-420E4AB1DF67} [DHCP-serv: 172.16.0.254, lease-time: 31536000]
    Tue Dec 12 21:34:53 2017 Successful ARP Flush on interface [12] {734D00E0-401D-46F7-B1E7-420E4AB1DF67}
    Tue Dec 12 21:34:53 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Tue Dec 12 21:35:28 2017 Warning: route gateway is not reachable on any active network adapters: 172.16.0.1
    Tue Dec 12 21:35:28 2017 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Tue Dec 12 21:35:28 2017 Warning: route gateway is not reachable on any active network adapters: 172.16.0.1
    Tue Dec 12 21:35:28 2017 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    SYSTEM ROUTING TABLE
    0.0.0.0 0.0.0.0 10.0.0.1 p=0 i=37 t=4 pr=3 a=4252 h=0 m=25/0/0/0/0
    0.0.0.0 0.0.0.0 25.0.0.1 p=0 i=6 t=4 pr=3 a=2213 h=0 m=9256/0/0/0/0
    0.0.0.0 128.0.0.0 172.16.0.1 p=0 i=37 t=4 pr=3 a=0 h=0 m=26/0/0/0/0
    10.0.0.0 255.255.255.0 10.0.0.17 p=0 i=37 t=3 pr=2 a=4252 h=0 m=281/0/0/0/0
    10.0.0.17 255.255.255.255 10.0.0.17 p=0 i=37 t=3 pr=2 a=4252 h=0 m=281/0/0/0/0
    10.0.0.255 255.255.255.255 10.0.0.17 p=0 i=37 t=3 pr=2 a=4252 h=0 m=281/0/0/0/0
    25.0.0.0 255.0.0.0 25.68.1.73 p=0 i=6 t=3 pr=2 a=2212 h=0 m=9256/0/0/0/0
    25.68.1.73 255.255.255.255 25.68.1.73 p=0 i=6 t=3 pr=2 a=2212 h=0 m=9256/0/0/0/0
    25.255.255.255 255.255.255.255 25.68.1.73 p=0 i=6 t=3 pr=2 a=2212 h=0 m=9256/0/0/0/0
    xx.xxx.xxx.xx 255.255.255.255 10.0.0.1 p=0 i=37 t=4 pr=3 a=0 h=0 m=25/0/0/0/0
    127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=4271 h=0 m=331/0/0/0/0
    127.0.0.1 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=4271 h=0 m=331/0/0/0/0
    127.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=4271 h=0 m=331/0/0/0/0
    128.0.0.0 128.0.0.0 172.16.0.1 p=0 i=37 t=4 pr=3 a=0 h=0 m=26/0/0/0/0
    169.254.0.0 255.255.0.0 169.254.225.200 p=0 i=12 t=3 pr=2 a=281 h=0 m=291/0/0/0/0
    169.254.225.200 255.255.255.255 169.254.225.200 p=0 i=12 t=3 pr=2 a=281 h=0 m=291/0/0/0/0
    169.254.255.255 255.255.255.255 169.254.225.200 p=0 i=12 t=3 pr=2 a=281 h=0 m=291/0/0/0/0
    224.0.0.0 240.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=4271 h=0 m=331/0/0/0/0
    224.0.0.0 240.0.0.0 10.0.0.17 p=0 i=37 t=3 pr=2 a=4259 h=0 m=281/0/0/0/0
    224.0.0.0 240.0.0.0 25.68.1.73 p=0 i=6 t=3 pr=2 a=2213 h=0 m=9256/0/0/0/0
    224.0.0.0 240.0.0.0 169.254.225.200 p=0 i=12 t=3 pr=2 a=378 h=0 m=291/0/0/0/0
    255.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=4271 h=0 m=331/0/0/0/0
    255.255.255.255 255.255.255.255 10.0.0.17 p=0 i=37 t=3 pr=2 a=4259 h=0 m=281/0/0/0/0
    255.255.255.255 255.255.255.255 25.68.1.73 p=0 i=6 t=3 pr=2 a=2213 h=0 m=9256/0/0/0/0
    255.255.255.255 255.255.255.255 169.254.225.200 p=0 i=12 t=3 pr=2 a=378 h=0 m=291/0/0/0/0
    SYSTEM ADAPTER LIST
    Intel(R) 82579V Gigabit Network Connection
      Index = 37
      GUID = {EEFB3D55-B31A-4562-8806-BC209AC7BA0B}
      IP = 10.0.0.17/255.255.255.0
      MAC = 30:85:a9:b2:0f:c9
      GATEWAY = 10.0.0.1/255.255.255.255
      DHCP SERV = 10.0.0.1/255.255.255.255
      DHCP LEASE OBTAINED = Tue Dec 12 17:26:49 2017
      DHCP LEASE EXPIRES  = Wed Dec 13 17:26:49 2017
      DNS SERV = 10.0.0.1/255.255.255.255
    LogMeIn Hamachi Virtual Ethernet Adapter
      Index = 6
      GUID = {35D2D616-5D13-422C-B8CC-0FC2AF19B0B2}
      IP = 25.68.1.73/255.0.0.0
      MAC = 7a:79:19:44:01:49
      GATEWAY = 25.0.0.1/255.255.255.255
      DHCP SERV = 25.0.0.1/255.255.255.255
      DHCP LEASE OBTAINED = Tue Dec 12 18:00:49 2017
      DHCP LEASE EXPIRES  = Wed Dec 12 18:00:49 2018
      DNS SERV = 
    TAP-Windows Adapter V9
      Index = 12
      GUID = {734D00E0-401D-46F7-B1E7-420E4AB1DF67}
      IP = 169.254.225.200/255.255.0.0
      MAC = 00:ff:73:4d:00:e0
      GATEWAY = 0.0.0.0/255.255.255.255
      DHCP SERV = 0.0.0.0/255.255.255.255
      DHCP LEASE OBTAINED = Tue Dec 12 21:35:28 2017
      DHCP LEASE EXPIRES  = Tue Dec 12 21:35:28 2017
      DNS SERV = 
    The Broadcom 802.11 Network Adapter provides wireless local area networking.
      Index = 7
      GUID = {3DA5EF78-91FA-4975-80D1-6A36270A3755}
      IP = 0.0.0.0/0.0.0.0
      MAC = dc:85:de:57:16:90
      GATEWAY = 0.0.0.0/255.255.255.255
      DHCP SERV = 
      DHCP LEASE OBTAINED = Tue Dec 12 21:35:28 2017
      DHCP LEASE EXPIRES  = Tue Dec 12 21:35:28 2017
      DNS SERV = 
    Microsoft Hosted Network Virtual Adapter
      Index = 14
      GUID = {5CF15D9A-01CB-491A-8ACB-1DBE80F45FAB}
      IP = 0.0.0.0/0.0.0.0
      MAC = dc:85:de:57:16:90
      GATEWAY = 0.0.0.0/255.255.255.255
      DHCP SERV = 
      DHCP LEASE OBTAINED = Tue Dec 12 21:35:28 2017
      DHCP LEASE EXPIRES  = Tue Dec 12 21:35:28 2017
      DNS SERV = 
    Microsoft Wi-Fi Direct Virtual Adapter
      Index = 26
      GUID = {C5DC4ADC-C746-4A0D-98D1-0F604C1DD5F3}
      IP = 0.0.0.0/0.0.0.0
      MAC = de:85:de:57:16:90
      GATEWAY = 0.0.0.0/255.255.255.255
      DHCP SERV = 
      DHCP LEASE OBTAINED = Tue Dec 12 21:35:28 2017
      DHCP LEASE EXPIRES  = Tue Dec 12 21:35:28 2017
      DNS SERV = 
    Tue Dec 12 21:35:28 2017 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )

    I had this working on my old setup just fine. But now it only works first time.

    These are the configs:
    http://prntscr.com/hmnk7h
    http://prntscr.com/hmnkdi
    http://prntscr.com/hmnkmp
    http://prntscr.com/hmnkqe

    So when the openVPN client is just yellow, I see this in pfsense:
    http://prntscr.com/hmnmlb

    So it has established some kind of connection. However, I cannot ping PFsense nor anything else.

    I would be so happy if someone would show me a way. I read another post about this saying something about IPs, but I am unsure what could be wrong here….

    Rules on WAN: http://prntscr.com/hmnn8d

    The OpenVPN rule is also added.

    Lastly, when trying over a 4G connection it fails with:
    Tue Dec 12 21:48:12 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Tue Dec 12 21:48:12 2017 TLS Error: TLS handshake failed

  • OpenVPN Server ping and port close!!

    0 Votes
    4 Posts
    747 Views
    johnpoz

    Great - glad you got it sorted, so you allow for ping then? I normally run a TCP port (443 normally, since it's pretty much a given that it will be open anywhere there is internet) along with the UDP port for my OpenVPN. This gives you options where UDP 1194 might not be open from where you're at, or if you're behind a proxy, TCP on 443 can be bounced off a proxy, etc.

  • OpenVPN site-to-site problem

    0 Votes
    3 Posts
    810 Views
    Derelict

    The only rule you need on WAN for OpenVPN is the one on the server side passing the tunnel traffic itself (Default: any to WAN address port UDP/1194)

    After that, each site allows traffic in from the OpenVPN tunnel using rules on the OpenVPN tab.

    The any rule on WAN should probably be deleted or disabled immediately.

    A simple test is if you can ping the pfsense LAN interface address on the other side. If you can ping that, then the tunnel is working.

    If you can ping that and NOT something on the LAN you need to check that client for firewalls on it and routing (default route goes back to pfSense).

  • OpenVPN connecting fine, but only http or ping

    0 Votes
    8 Posts
    988 Views
    JKnott

    You may have meant to say something else, but this statement as written is not entirely accurate.  Pings are used to verify basic IP communication between endpoints, however, pings by themselves can't prove or disprove a DNS issue.

    I said if you can ping via host name.  That implies DNS is working.  Otherwise you couldn't ping by host name.

  • Pfsense 2.3.5: OpenVPN Client w/ Certificate & password auth

    0 Votes
    10 Posts
    4k Views

    Well, the server is 2.3.4. I used a dummy endpoint for tests with 2.3.7 with the same result, so this is a non-issue. Yes, SHA1 is an auth scheme, not an encryption scheme. What makes me wonder is that with the dummy endpoint as well as the actual server, when having no auth defined on both sides (hence SHA1 is to be used), the auth works -as expected- but when there's a config error in encryption or compression, the connection breaks -as expected- with an appropriate error message.
    In the current config/setup however, no matter how erroneous my encryption config or my compression may be, it doesn't even get to the point of complaining about the wrong config. This makes me think that maybe there is something wrong with the auth mechanisms used by default by the current pfSense version.

  • OpenVPN access and ping problems…

    0 Votes
    2 Posts
    490 Views

    Ok, I finally figured it out. Boy, what a reminder of why software drives me insane; it's just so imperfect.

    So after hours of messing with this and checking and rechecking, I got onto a thread where they mentioned the ROUTING TABLE in pfSense. Hmm, I thought. So I went there on my SERVER PF box.

    Well look at that, there is some weird IP of 192.168.0.1 attached to my OVPNSRV2 OpenVPN. So I compared the entries for the server that works and that just is not right… it should be 192.168.2.0/24!

    So I DELETED the 2nd server, which was from A to C. I went back to the routing table and this entry now refers to "TUN" instead of the deleted OVPNserv2. What the?

    I restart the OPENVPN services, nope still there.

    So I had to reboot the Site A pfSense box. THAT got rid of the rogue routing entry!

    I re-created my 2nd server at Site A and voilà! It's all working! I can PING away!

    Ok, thanks self!

    Have a good day!

  • OpenVPN Multiple Site-to-multiSites routing

    0 Votes
    23 Posts
    28k Views

    Bump!

    I too have this same question.

    I am using PEER to PEER with a preshared key. A second connection to the server never generates an entry in the server; the two seem to hack each other (when one is up the other is down), so I went to a separate server for each client connection too.

    I used different TUNNEL IPs if that matters, 172.16/24 and 172.17/24 for the tunnel IPs.

    Anyway with my multiple Servers at site A, I have established both client connections, to sites B and C.  A to B works fine and I can ping and both directions from A->B and B->A fine.  However I CANNOT do the same for A->C or C->A!!!

    Cannot figure it out. All client settings are the same except for those specific to the client.

    What would cause this?  I can ping from PFSENSE console at site C to ip's at site A, but from any PC at site C I cannot ping anything at site A.

    Rules look fine; again, everything is IDENTICAL in the client/server settings for B and C. Can't figure it out!

    Thanks,

    MP

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.