@deanfourie It looks like you are trying to import Client/Server certificate on the CA page.

Please read https://docs.netgate.com/pfsense/en/latest/certificates/index.html
and watch https://www.netgate.com/resources/videos-certificate-management-on-pfsense-24

@cerberus2022 said in OpenVPN route to remote network:

I am working on deploying PFSense and i will be using it as a openvpn server for remote workers.

Is this the default gateway in the local network or is there another router?

Do you set up an access server for road warriors or a site2site?
You're talking about "remote workers" but also stated a "remote site".

All of the remote sites are set up on a different firewall that they connect to that sits on LAN at 192.168.45.3 .

What does this mean?

@umm12
I was part of the pfsense team before and I using pfsense for about 100 different projects now. But it is not possible to use two way/side SSL for openvpn in this job. You can use a shared certificate for all your clients that if clients do not have that certificate can not enter your service with a username and password.
thanks

@viragomann Yes, that's true. I will experiment with ssh.

Thank you for your help and time!

Here are both firewall rulesServer.png Client.png

Please be note: the client internet connection is 5G router, no static IP

@kom Ahh good point, hadn't thought of that. Thank you for the response. It's much appreciated!!

I'm guessing that there are limitations or bugs when trying to use a TAP interface in a peer to peer setup. Or maybe you have to add in some custom settings to make it work. Either way, I had to go with layer 3 TUN mode and use a dedicated PC client to relay DHCP and bridge the layer 2 traffic via a 2nd VPN connection using remote access. This method doesn't scale well and is a bit over complicated, but it does what I need for now.

Try using Ivacy's Netherlands VPN. I've never came across any of the problems mentioned. I get fast internet speeds with no throttling, be it for torrenting or streaming or any other purpose.

It had to do with cipher differences between the two versions.

https://community.openvpn.net/openvpn/wiki/CipherNegotiation

Had to edit some settings in both server and client side.

I’m having the same scenario. 2 Torgaurd VPN clients, and they end up with the same virtual IP addresses, and traffic through the VPN stops.

A restart of pfsense would previously resolve the issue by assigning different virtual IP’s, but over the last week or so both connections get the same.

Any ideas on how to stop this from happening.

@topogigio
Yes, with TLS auth, only clients with a certificate signed by the CA which is selected in the server settings are allowed to connect.
You can additionally check „strict user CN matching“ to ensure all clients can connect with their own cert.

Effectively, in It support we always have to use imagination for different solution for the dumbest users! :)

I've didn't implement and test the solution, but I'm sur it will works!!!

Thanks all and have a good day!

@marvosa
Here are the configs.
SERVER:
dev ovpns5
verb 1
dev-type tun
dev-node /dev/tun5
writepid /var/run/openvpn_server5.pid
#user nobody
#group nobody
script-security 3
daemon
inactive 300
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.0.1.2
ifconfig 10.1.15.1 10.1.15.2
lport 1200
management /var/etc/openvpn/server5/sock unix
route 10.1.11.0 255.255.255.0
secret /var/etc/openvpn/server5/secret
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression no
explicit-exit-notify 1

CLIENT:
dev ovpnc3
verb 1
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_client3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.1.20.2
lport 0
management /var/etc/openvpn/client3/sock unix
remote remote_host.ddns.net 1200 udp4
ifconfig 10.1.15.2 10.1.15.1
route 192.168.1.0 255.255.255.0
secret /var/etc/openvpn/client3/secret
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression no
resolv-retry infinite
explicit-exit-notify 1

@rico it's just a pain in the proverbial behind...

@umm12 said in Problem with discovered local ip in openvpn:

but when i used firefox

See here :

0f42851a-7f5a-45ff-8a81-003f9929a760-image.png

These are the webrtc options.

what all these options mean, I can't tell.
See the manual.

Btw : why asking here ? Firefox support could help you ;)

@kom OK, found the issue, it was basically this: https://forum.netgate.com/topic/82412/pia-openvpn-gateway-offline

the solution was to go into System / Routing / Gateways, and to set the Monitor IP in the VPN gateway to an IP that accepts pings (or to turn off gateway monitoring). Then the status of the gateway switches to online. Then my PC connects to the internet through the VPN.

I just don't understand why the same problem didn't occur on my private switch setup. Perhaps because it is an earlier version of pfsense (2.4.4-p2)

@ctech I fixed it. You need to go to the client-specificScreen Shot 2021-09-07 at 6.50.28 AM.png overrides and add your network as shown: