@sami-mkaddem How do I mark this post as solved?

@viragomann

Both endpoints are running on Verizon Fios. I'll see if can get put in a ticket with Verizon.

@jimp I did also find this but it appears dead. https://redmine.pfsense.org/issues/9970

Thanks btw.

Yup. Changing it to "shared key" seems to have worked. That's bananas! All the systems I was comparing to were also 23.01 and were using peer to peer (SSL/TLS). These are all 7100 1U appliances in HA configuration. Anyway, it's now working and I met my deadline so I'm going to take a break. If anyone has any ideas why share key worked but ssl/tls didn't, I'd love to hear it.

@viragomann
I thought it might create an instance in Firewall Rules when I was connected via the VPN, but when I connect via my home network there are still 2 Open VPN interfaces In the Firewall Rules. When I look at the Status Interface page, as well as my Interface Assignments page, I have only one Open VPN interface.

@dweimer

When you change OpenVPN server settings, you have to re export the OpenVPN client file.
You've done that, right ?

@dbass A public IP can only be used once. If you use NAT then LAN gets a private IP range, and you need NAT port forwarding rules to connect to the server on LAN.

If the server actually needs a public IP then you need to get another IP range from the ISP so they can route the public IP to you.
https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html

@viragomann Thanks so much for your help, I've just done this and its now all working as it should.

@gertjan
The administrator of the server decided to change something based on my log dumps, and now the connection just works at the first attempt.

Thank you everyone for your help. The only thing I had to change was the syntax of the remote line as mentioned by @viragomann, then the import worked just fine.

@rubens-fontes for dns use 172.16.0.2 , x.x.x.2 is amazons DNS. I usually attach a send Network interface (on the private subnet) to the pfsense and then add that as LAN

Regarding the time difference, it's strange because I've compared both times and they are equal 😲

@viragomann said in How to route LAN traffic thru OVPN:

@ispasoiumircea
In the outbound NAT rule the source has to be your LAN, so 192.168.15.0/24 presumably.

Consider that the policy routing rule on LAN directs all matching packets to the OpenVPN server. Hence it doesn't allow access to any internal destinations like DNS from this device.
This can be done, but you need to use a DNS server on the concerned machine, which is accessible over the VPN. If there is any, you can simply forward DNS requests with a port forwarding rule on pfSense and need nothing to change on the device itself.
Otherwise add an additional rule to pass internal traffic above of the policy routing rule.

The rule on the OpenVPN is only needed for inbound traffic. But I guess, you don't want any, so you can remove it.

Hello,

Thank you. Its worked just adding outbound NAT rule from LAN to VPN.

Good day,

@adrianp918 192.168.1.1/24 is not a network.
192.168.1.0/24 is.

@dimskraft said in What is a correct content setup routing from client to a server?:

server can't know which client is connected to it, so this information should be set on client side;

You can let him know by configure a CSO, however.

If you said it is impossible to push routes from client to server, then why does a client config has the following field

This sets a route on the client, but doesn't push anything to the server.

@guardian said in Can someone please tell me what these messages are about?:

That's really strange as I don't see why there would be that many accesses.

Euh lol.

On my dashboard :

bf998ff4-31e3-4a74-9ae5-6398acb0ab1f-image.png

People like dashboard with most accurate, thus frequent updated info.

Where does the "dashboard page" gets this information from ?
It (PHP + web server) questions (very) frequently the "openvpn" process.
These requests are the ones that are logged.

To stop the logs you are seeing : stop looking at the dashboard, close it 😊

I made a mistake, I can't connect backwards by any means. But I can see ping traffic with packet capture on a client when pining it from server.

@jeffreyn said in No Clients Can Connect To OpenVPN Due to CRL Expiry:

@jimp I applied the patch when it was released. I'm reading the release notes for 23.01 and see Issue #13424 has been addressed in the new version. Do I need to do anything like remove the patch before or after I upgrade? Or does everything take care of itself?

You do not need to do anything with the patch after upgrading. You can delete the entry from the system patches package.

@4632215
If you have a /30 tunnel there can only be two IPs inside, one is the server, the other one is the client. So all is clear.

If the tunnel network is bigger, there can be one server and multiple clients inside. So you have to tell the server, behind which client IP he can find the desired network, you want to send packets to. This can be done by the iroute directive in OpenVPN.
In pfSense you have to create a client specific override to set this, where you have to state the client sides remote network.
But if you only have one client anyway, you can spare this and easily set the tunnel mask to /30.

OMG ... shame on me! Thank you very much @viragomann

@viragomann said in triple site to site working, but 2 pfsenses can only ping the oVPN server site.:

Normally you don't need a route for the tunnel network, because you can as well access the remote firewall by using its LAN address.

No, I couldn't....

The 2 pfsense configured as client were unable to ping anything on the other pfsense.
They can now.

Your OpenVPN should be listing on a WAN type interface.

So it is ... but after a few hours I discovered that pfsense had lost this setting. Set it to "Any", set it back to "WAN" and the problem was solved.

Why would you want do that ?

Virtual Private Networks — OpenVPN — Assigning OpenVPN Interfaces | pfSense Documentation

@travelmore said in OpenVPN not connecting:

to other, whereas in that link the person mentioned changing it to Interface IP address instead of other.

Be careful with this :

cba53f1e-fee1-42d5-8f76-215842ebfc49-image.png

as that a hostname like (RFC1918 like 192.168.0.b) this will be wrong in 99,x % of all cases.

When you are out, somewhere in the wild, surround by the hostile Internet, and you want to connect to 'home' over VPN, you have to connect to your ISP WAN IPv4. Certainly not to your RFC1918 like 192.168.0.x as shown in the image above, which can't be routed over the net.
So : second best choice : the ISP WAN as a host name.
Host name is your tunnel end point, and as the comment says : it could be an IP or a host name. If you shose the latter, it should be resolvable there where you are now. Said differently : it should be resolvable anywhere on the internet.
So : best : set up a DYNDNS so that a known 'hostname' always points to your ISP WAN. This is valid and useful if you have a dynamic IP and/or a static WAN IP.

@huydra I should had TL;DRed the thread... 😆 Got bumped up.

@viragomann That's exactly what I needed.... I made the change and tested...my public ip address matches my home address Thank you soo much!!!

@ikonomn most ISP routers will have a way to forward ports to an internal device (your pfSense) or set one as DMZ to forward all ports.

@mcury Oh, interesting (and sad).

I was able to enable CBC ciphers in the OpenVPN server and choose hw crypto for that as well. Can't tell if it works though. We will test and monitor CPU load etc for a check.

@nicp91-0
(I'm no pro, but...) I'm curious - did you ever try setting the gateway's monitor IP to the IP of the server you're connecting to?

Also, could be that since 9.9.9.9 is a DNS server, and some of these privacy VPNs might try to get you to use their DNSes (for privacy... maybe they block access to public DNSes like 9.9.9.9).

Fo my setup, I pinged the server name that's in the .OVPN file from the privacy VPN server and used that IP address in the gateway's monitor IP.