• OpenVPN client traffic logs?

    1
    0 Votes
    1 Posts
    93 Views
    No one has replied
  • Accessing GUI over OpenVPN

    10
    0 Votes
    10 Posts
    758 Views

    @davek79 I’d try to kill all states and let Pfsense rebuild the state table. I believe a restart would do the same thing. If that doesn’t resolve it then you’re going to have to start posting info. Your OpenVPN rules and OpenVPN settings.

  • Open VPN Client Export Taking too long to load

    3
    0 Votes
    3 Posts
    280 Views

    The same thing happens to me too.
    With the previous version of PFSENSE it did not happen, and now with version 2.7.2 when I click on client export it takes a long time to load. It must be some error on the part of the package or the 2.7.2 update.
    Yes, it is true that I have many certificates created, but before it did not happen and now it does.

    Can Netgate fix this?

  • NAT issue on OpenVPN Remote Access

    7
    0 Votes
    7 Posts
    575 Views

    @Gertjan

    Yeah, it's been rock solid on 2.6.0; I think it had a year-plus uptime before it finally gave out (the disk).

    I did see the post you linked, but I can't see how it applies to my config. I have not used shared keys or compression for my setup in 2.6.0.
    The same config 'migrated' to 2.7.2, as you can see from the config in the above post.

    Is the config version 22.2 (from 2.6.0) incompatible with version 23.3? When installing 2.7.2, it gladly accepted it via config.xml.

    I did read a post that 2.6.0 was forgiving of 'bad config', but I can't pinpoint what was wrong in 2.6.0 that 2.7.2 is now enforcing and creating the problem.

    I guess I'm now experiencing it: sometimes it works, sometimes it doesn't. This baffles me 😧

    Can anyone help point out what the reasons for this inconsistent behavior could be?

    Thanks in advance

  • Server Option to Push Login?

    2
    0 Votes
    2 Posts
    272 Views

    @netgate_user_2024

    FYI, there seems to be no way to accomplish this, at least according to this thread from 2019.
    Not sure if there was ever a feature request submitted for it or not:

    https://forums.openvpn.net/viewtopic.php?t=27876

  • OpenVPN log timestamps are mixed UTC and Local.

    3
    0 Votes
    3 Posts
    286 Views

    @SteveStone Not me. I have several OpenVPN servers on multiple PfSense boxes, and the logs are correct on all of them.

  • OpenVPN Connect Client with MFA - reconnect options?

    4
    1 Votes
    4 Posts
    662 Views

    @dlogan
    I had a similar problem. I set the force logoff after x amount of time of no activity.

    Here is a pretty good post on the matter.

    https://serverfault.com/questions/748890/openvpn-force-maximum-session-length

    Another option is to set a variable in the Config files on each workstation - sorry there is no Server setting for this one.

    I set my users as follows.

    reneg-sec 21600

    This equates to every 6 hours.

  • ubuntu server openvpn to netgate pfsense openvon client

    14
    0 Votes
    14 Posts
    796 Views

    @ariban99
    You need a separate route line for each remote subnet.

    Also, you need a client file for each client behind which you want to access a network.

  • OpenVPN IPv6 between pfSense endpoints with IPv4 traffic inbetween

    1
    0 Votes
    1 Posts
    99 Views
    No one has replied
  • What about update OpenSSH to 9.9 RELEASES?

    2
    0 Votes
    2 Posts
    186 Views
    Sergei_Shablovsky

    Up

  • Will switching from AES-NI to QAT drop my VPNs?

    2
    0 Votes
    2 Posts
    128 Views

    A reboot is needed, yes, you need a maintenance window.

  • Install OpenVPN using Group Policy

    2
    0 Votes
    2 Posts
    637 Views

    @Snailkhan Sure. Just grab the .msi installer and deploy it with GPO, or, like I do, with a PowerShell script that calls msiexec /qn

    $StartTime = Get-Date

    #############################################################################################
    ## Variables
    #############################################################################################
    $PackageName = "OpenVPN Connect"
    [version]$CurrentVersion = "3.5.0"
    $InstallerFileName = "openvpn-connect-3.5.0.3818_signed.msi"
    $MSIPackage = "$PSScriptRoot\$InstallerFileName"
    $LogDir = "C:\Admin\Logs"
    $MyDate = Get-Date -Format "MM-dd-yyyy_HHmm"
    $LogName = $PackageName + "_Install_" + $MyDate + ".txt"
    $UpdateLogName = $PackageName + "_Update_" + $MyDate + ".txt"
    $Log = "$LogDir\$LogName"

    # msiexec will not create the log directory itself, so make sure it exists
    if (-not (Test-Path -Path $LogDir)) {
        New-Item -ItemType Directory -Path $LogDir | Out-Null
    }

    #############################################################################################
    ## Function to get software version - just pass it the package name found in registry
    #############################################################################################
    function Get-InstalledSoftwareVersion {
        Param (
            [Parameter(Position=0, Mandatory=$true)]
            [string]$PackageName
        )
        # Look at both the 64-bit and the 32-bit (WOW6432Node) uninstall keys
        $InstalledSoftware = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
            Where-Object {$_.DisplayName -ne $null} |
            Select-Object DisplayName,DisplayVersion |
            Sort-Object -Property DisplayName
        # Returns $null when the package is not installed
        [version]$PackageInstalledVersion = ($InstalledSoftware | Where-Object {$_.DisplayName -eq "$PackageName"}).DisplayVersion
        return $PackageInstalledVersion
    }

    #############################################################################################
    ## Function to install MSI base package
    #############################################################################################
    function Install-MSIPackage {
        # Silent install (/qn) with verbose logging (/L*V) to the per-run log file
        $MSIArguments = @(
            "/i `"$MSIPackage`""
            "/qn"
            "/L*V `"$Log`""
        )
        Write-Host "Starting msiexec installation."
        Write-Host "Start-Process msiexec -ArgumentList $MSIArguments -Wait"
        Start-Process msiexec -ArgumentList $MSIArguments -Wait
    }

    #############################################################################################
    ## Main
    #############################################################################################
    # Check if agent is installed and current
    Write-Host "Checking if $PackageName is installed."
    [version]$PackageInstalledVersion = Get-InstalledSoftwareVersion -PackageName $PackageName
    if ($PackageInstalledVersion -eq $null) {
        Write-Host "$PackageName not found. Running installer." -ForegroundColor Yellow
        Install-MSIPackage
    } elseif ($PackageInstalledVersion -lt $CurrentVersion) {
        Write-Host "$PackageName $PackageInstalledVersion found but is out of date. Current version is $CurrentVersion"
        Write-Host "Running installer."
        Install-MSIPackage
    } else {
        Write-Host "Package is up to date, checked against version: $CurrentVersion" -ForegroundColor Green
    }

    $EndTime = Get-Date
    $RunTime = $EndTime - $StartTime
    # Write-Host emits nothing to the pipeline, so the TimeSpan has to be piped on its own
    Write-Host "Script run time:"
    $RunTime | Select-Object Hours,Minutes,Seconds,Milliseconds
  • Restrict one user to only one internal vlan

    5
    0 Votes
    5 Posts
    371 Views

    @johnpoz This is the way

  • TCP: connect to [AF_INET]192.168.1.86:1194 failed: Unknown error

    10
    0 Votes
    10 Posts
    2k Views
    Gertjan

    @makazo said in TCP: connect to [AF_INET]192.168.1.86:1194 failed: Unknown error:

    How do I open port 1194 from the modem and create a rule in the firewall for this?

    When you set up the OpenVPN server on pfSense: use the pfSense VPN Wizard, and this will be proposed in the guided setup.

    If not, as you've set up your server manually, it's not complicated either:
    The WAN interface normally has no rules whatsoever, so the default "Block all" applies.
    You've seen this state before: it was there when you installed pfSense.

    For a "port 1194, protocol UDP, VPN server" to be reached from the outside (== the Internet) you have to ..... (roll the drums) open (== pass) port 1194, protocol UDP on the WAN interface.

    Example : this is what half the planet is using right now :

    [image]

  • Openvpn failing with a large number of clients attempting to connect

    1
    0 Votes
    1 Posts
    87 Views
    No one has replied
  • OpenVPN version upgrade in pfSense 24.11?

    1
    1 Votes
    1 Posts
    272 Views
    No one has replied
  • Bug OpenVPN Strict User-CN Matching is not case sensitive.

    3
    0 Votes
    3 Posts
    463 Views

    @Saymon-Poklad

    Is this fixed or still pending?

  • OpenVPN default gateway only for certain destination IP's

    2
    0 Votes
    2 Posts
    264 Views

    @Snailkhan said in OpenVPN default gateway only for certain destination IP's:


    Hi
    I have deployed OpenVPN so all users connect to our OpenVPN server to have access to some resources that are available online, like AWS. In the VPN server settings I have enabled the pfSense VPN as default gateway (i.e. no split tunneling) so all traffic is routed via our pfSense. Now I want only the clients' traffic to some destination IPs, say of AWS, to be routed by the client to the VPN server gateway, and the remaining traffic via their local IP.

    Please can someone guide me for the two use cases below.

    1: only route traffic from VPN clients to a handful of known public IPs via the pfSense WAN.
    2: allow all VPN clients to route all traffic to AWS/Azure via our pfSense and all remaining traffic via the local ISP-assigned gateway.

    Regards.

    To achieve your goal, you need to configure policy-based routing and split tunneling in OpenVPN and PfSense. Here's how you can handle both use cases.

    1. Route Only Specific Traffic to VPN (PfSense WAN)

    You need to implement policy-based routing on the OpenVPN server side (PfSense) and configure OpenVPN client settings to only route traffic to specific AWS public IPs via the VPN tunnel, while other traffic goes directly to the client’s local ISP.

    Steps:

    On PfSense (VPN Server)

    Go to Firewall > Rules > OpenVPN. Add a new rule to allow traffic from the VPN clients to specific AWS IPs. In the Destination field, specify the public IP addresses of your AWS resources. Under Gateway, select the VPN Gateway (PfSense WAN). Save and apply the rules.

    On OpenVPN Client Configuration

    Edit the client configuration .ovpn file or server-side configuration push:

    Add a route for each specific AWS IP you want to go through the VPN:

    route <AWS-IP-1> 255.255.255.255
    route <AWS-IP-2> 255.255.255.255

    This ensures that only traffic destined for those IPs goes through the VPN tunnel, while all other traffic will use the client’s local ISP gateway.

    2. Route All AWS/Azure Traffic via VPN and Rest via Local ISP

    For this, you want to route all AWS or Azure traffic through the VPN and let the rest of the traffic use the client’s local ISP. This is a form of selective split tunneling.

    Steps:

    On PfSense (VPN Server)

    As with the first use case, go to Firewall > Rules > OpenVPN. Create firewall rules to route all AWS/Azure traffic through the VPN Gateway (PfSense WAN). Use the Destination field to match traffic by AWS or Azure subnets. Under Gateway, select VPN Gateway (PfSense WAN). Save and apply the changes.

    On OpenVPN Client Configuration

    Push the appropriate routes for AWS or Azure in the client’s OpenVPN configuration:

    For AWS:

    route 13.0.0.0 255.0.0.0 # Adjust to the correct AWS IP ranges
    route 52.0.0.0 255.0.0.0

    For Azure:

    route 20.0.0.0 255.0.0.0 # Adjust to the correct Azure IP ranges

    This will route all traffic destined for AWS/Azure through the VPN, while other traffic will continue via the local gateway.

    Optional - Use client-config-dir in OpenVPN Server

    You can also create per-client specific routes using OpenVPN’s client-config-dir to control routing at the user level.

    In the OpenVPN server configuration, specify:

    client-config-dir /etc/openvpn/ccd

    In the /etc/openvpn/ccd/<client-name> file, define the routes for AWS/Azure.

  • Pfsense 2FA failed on Freeradius

    4
    0 Votes
    4 Posts
    454 Views

    @sameerakwc I fixed my issue. I had radcheck setup but not radreply. Once I added the user to both tables, it worked.

  • Routing LAN traffic to OpenVPN Client

    8
    0 Votes
    8 Posts
    262 Views

    @AddleDIT
    I'm talking about NATting the traffic. I don't expect this to have any noticeable impact on performance. Bridging, rather, does.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.