@viragomann Thank you! I kept searching for the setting to keep dead routes up. I had no idea it was in the miscellaneous settings area.

With that change, I am having all traffic route properly only on the VPN interface now. When the VPN link goes down, internet stops as desired for clients connected to this pfsense gateway.

I did have to tweak DNS Resolver settings for Outgoing Network Interfaces to only use the VPN interface for DNS queries. By default external DNS lookups were going through the WAN port even though there were no traffic rules set for the LAN to WAN.

With your hints I am up and finally running this VM on a newer version of pfSense.

Thank you again! Have a great day.

Still following the thread I mentioned above, I saw that the eval previously was right before RESULT=.
I have tried to comment the if statement block and move eval, so this way

# eval serial="\$tls_serial_${check_depth}" # if [ -n "$serial" ]; then eval serial="\$tls_serial_${check_depth}" RESULT=$(/usr/local/bin/php-cgi -q /etc/inc/openvpn.tls-verify.php "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&co nfig=$config") if [ "${RESULT}" = "FAILED" ]; then exit 1 fi # fi

and I don't get anymore the error on the certificate!
I don't know if I need to open an issue about this.

However, now I get the error about the user authentication

SENT CONTROL [spike]: 'AUTH_FAILED' (status=1)

like I was getting when I set "Certificate Depth = Do Not Check".
I looks like I'm not the only one having this issue.

Heyho,
after a lot of digging in my states I found the solution.

Just a update: The VPN Transfernetwork is 192.168.2.0/24 and the virtual NIC on the server got 192.168.10.2/24. After letting a ping happen I saw the state:

192.168.2.1 -> 192.168.0.1

and then it clicked! In this cases it sees teh connection from the transfer net, not the virtual IP. Buildung the correct Floating rules made everything happen like I want it.

But thanks again for the hint with RFC1918! I was soo deep in the subnetting, that I overlooked that :(

@viragomann
Hello,
I finally found the error. The NAT of the local interface on the VPN interface was missing!

@frog Just rename the ovpn file you have at the clients

There is no "central" way of doing this

@rico

The NAT is at the other end. My pfsense has a public address, so no NAT needed at this end.

Here's the rule:

121df6a2-46c0-429d-83b1-be3e7903212f-image.png

As for interfaces, I currently have UDP IPv4 and IPv6 on all interfaces, though I have tried just UDP IPv4 on WAN interface. Either way, it does the same thing.

Still an issue in 22.01 (pfSense+). The same workaround applies i.e. turning off "Extended Query" in LDAP authentication.
Still not ideal since it doesn't allow fine grain control over which AD users are allowed to use OpenVPN service.

Has anybody come up with a better workaround?
Would it make sense to use Client Specific Overrides option for access restriction?

@viragomann ypu are absolutely correct. I'm an idiot. I accidentally configured pfsense to only use 127.0.0.1 as DNS resolver and not as first with fallback to the ISP DNS

@stephenw10

Orz

Dear @viragomann
I checked the two connection while "Duplicate Connection" checked. But I can not connect still with the second user unfortunately.

Regards,
Mucip:)

@thenarc said in pfsense constantly losing connectivity to NordVPN:

So it's not something that would be transparent for sure, but you're saying it just doesn't happen at all no matter how long you wait?

Yes, at least whne it happened yesterday I waited about 5 minutes or so but the status of the gateways stayed the same, and the connection was still down. After I force restarted the Openvpn service, the gateways went back up (albeit 2 of them still screwed up as per screenshot I posted above).

@thenarc said in pfsense constantly losing connectivity to NordVPN:

making them reestablish as well. But maybe worth trying to see if it improves your observed behavior.

I agree with you, that makes sense, it has pretty much the same effect as issuing a force restart on the underlying services (without of course restarting them for real)... But I wonder, can it cause data corruption or other issues with services that are actively communicating, etc? I have in mind, for example, if I am on a VOIP call, will my call be dropped or will I only see a small "hiccup" and nothing else? This is more of a general networking question than a VPN question.....

EDIT: I just realised that my VOIP ATA has been offline for many hours, if not for more than a day hence causing me to miss several phone calls... The ATA couldnt, for some esoteric reasons, establish a connection to the VOIP server even if the FW rules are all in order (and worked for many years before implementing this disaster of vpn). Rebooting pfsense solved it but I dont trust this for long. Will give myself a few days then I'm reverting everything and cancelling nordvpn.

@gertjan said in Access my home server through my phone hotpot.:

@viragomann said in Access my home server through my phone hotpot.:

I started an OpenVPN connection on the iPhone and connected my laptop with the its hotspot. But I was not able to connect to a remote resource with this.
So obviously that's not possible with a recent iOS as well.

I tried just that several days ago.

I use the OpenVPN OpenConnect app on my iPhone
When you use it, and check log files on both sides, you'll see that your iPhone gets one IPv4 - and one IPv6 if you asked for it / set up IPv6.
That"s one IP for one device, the iPhone.

If the hotspot would use the OpenVPN connection, would it use the same attributed IP for the hotspot connected device ?
No, of course not, that would be an error.

If the phone behaves as a NAT home router and successfully masquerades hotspot connected devices over the WAN based VPN tunnel, then I believe you would still only see one VPN client on the pfsense side.
Is this not what many higher end home routers (pfsense included) do? They masquerade LAN connected devices via an VPN client connection. The limitation seems imposed by android's design rather than the underlying Linux kernel/network stack. It appears neither Android or IOS permit NAT of hotspot network over the vpn client 'interface'.
The project I linked to above appears to offer a UI to manipulate iptables to achieve this but requires root.

This means that the iPhone VPN App should behave as a router ? Can't be, as the app (my words) has been created to connect 'a device' to a OpenVPN server, not multiple devices.

I'm pretty sure that what you want, exist.
It will be a dedicated small box, a router, with an AP build in, a 3/4/5G connections, thus a SIM card, and it should have a special case of OpenVPN Client usage so every device connected to the AP will get tunneled to the OpenVPN server.

Yes, and I bet it's quite expensive.

@viragomann perfect now with your directions it works great

I THANK YOU

@viragomann To be honest, you lost me at BTW. I will try to understand your invaluable advice.

Thank you so much.

@netblues

Thank you.

@zoltrix I submitted Issue 13041, but it appears that the issue is actually due to the DNS resolver (unbound) not getting updated when an OpenVPN entry is added (See Issue 12991).

I was able to revert Network Interfaces back to "All", and internal DNS resolution is working.

So for anyone out there experiencing this issue, simply try to restart the DNS resolver, and see if that works.

@hamidsattarrana
Double-check that the CA assigned to the OpenVPN server and the CA the user cert is from are the same and that you selected to correct server in the client export utility.

You can verify the certs in System > Certificate Manager > Certificates, which gives you a good overview of the issuer and the usage.

Thanks for all the help. The OpenVPN server was trying to push DNS to the client and it was the cause of all my troubles.

Anyone else looking for something like this, Wireguard has it and it works great!

@richardeb
No, if you only did the recommended setup you're safe.

However, be careful when you add an OpenVPN server on your pfSense additionally.
The wizard if you run it, will add an allow any rule to the OpenVPN tab. You must consider that the OpenVPN tab is in fact an interface group which includes all the OpenVPN instances, either servers and clients, you're running on pfSense. And rules on an interface group have priority over rules on member interface tabs.

So to stay save when running additional OpenVPN instances, where you must permit inbound access from, either assign an interfaces to each of the instances and define your rules there, while you leave the OpenVPN tab blank, or set the source in the rule so that it is only applied to the concerned VPN clients.

@viragomann Thanks again for you always clear and relevant answers!

Have a good day!

@jarhead
You have to establish an layer 2 connection between server and clients.
L2 between different network interfaces can be achieved with a bridge. So you have to create a bridge at both sites.

I didn't get where your clients and the server are connected to. The concerned interface have to be bridged with the VPN interface.
So at both sites you have to use tap mode OpenVPN and assign an interface to the VPN instance. Then you can bridge these interfaces with the respective server or client interface.

@viragomann Ey, sorry for no reply, i was trying and trying... i can't do more...
The log on the server says "P_CONTROL_HARD_RESET_SERVER_V2" and "P_CONTROL_HARD_RESET_CLIENT_V2".

In the client the first message is "Preserving recently used remote addres: [AF_INET]xxx.xxx.xxx.xxx:xxxx" "UDPv4 link local:(not bound)"

I don't know what can i do 😥

@viragomann

Got it working. Thanks,

@bambos
So we don't know if it still persists in recent versions at all.
I kicked my only one 2.6 installation due to dynamic DNS issues.

I would prescind from reporting a bug in this case.

Any one has any clue ?

@greywolf could this be mtu/mss issue when tje connection is over TCP?

Seems like an ISP issue, but it has resolved itself.

Thank you for the assistance.

@mmercier can you please give me the step by step to get openvpn on the 22.01 release, been trying to configure it and it won’t start. Went by all documentation twice every time and nothing, is there another documentation on configuration for 22.01 release, please and thank you.

@mariof said in PiVPN and pfsense as Client:

my devices on the network

I didnt have to disable gateway monitoring. Got it set up and since the RPI runs PiHole before VPN I use it for DNS and gateway testing.

Do you, by any chance, have two RPIs? I have to VPN servers on two seperate RPIs on two continents (Netflix :-) works) but I am having problems with CAs as common name is the same causing pfSense to get confused.

@drhans Here are screen shots of my client config for a Nord UDP client connection that is up and working as expected. Note that if you want to start out with all traffic being routed through the VPN connection, un-check the "Don't Pull Routes" option that I have checked. The full set of "Custom Options" I have, which is not fully visible in my screen shots, is:

tls-client; remote-random; tun-mtu 1500; tun-mtu-extra 32; mssfix 1450; persist-key; persist-tun; ping 15; ping-restart 0; ping-timer-rem; reneg-sec 0; remote-cert-tls server; auth-nocache; pull-filter ignore "redirect-gateway"; pull-filter ignore "dhcp-option"; auth-retry nointeract;

Note that you will NOT want the line:

pull-filter ignore "redirect-gateway";

if you want all traffic to be routed through the VPN. And in fact I probably don't need it myself with "Don't Pull Routes" enabled. You also may or may not want the line:

pull-filter ignore "dhcp-option";

which prevents the server from pushing DNS servers to use. I have pfSense configured to use unbound but with the outgoing interfaces set to my VPN client interfaces.

Some of the other things I have in my custom options are redundant to options set up by the GUI, but not harmful; it's just been a while since I've cleaned them up, but I know that these work for Nord.

a7263980-045c-4839-8c67-22e0ff199eb7-image.png
51fb8fe1-920c-42a1-89f7-caa871c1ecd6-image.png
a9999673-6e36-44ad-ae68-77d440194da5-image.png
7cfbc770-9ae4-4114-b321-e3840c6aca98-image.png

@circle-0 said in How to route a wifi interface through OpenVPN?:

These describe in various clarity how to set things up for LAN and I thought I could just replace the LAN interface occurences in the guides with the wifi interface/network. No luck however.

Generally it should work this way as described.

Consider that in the outbound NAT rule you have also to replace the source with your wifi network.

If it doesn't work, post more details of your setup.