Netgate Discussion Forum
    • S

      Is Site-to-Site OpenVPN tunnel symmetric?
      • sami.mkaddem

      5
      0
      Votes
      5
      Posts
      246
      Views

      S

      @sami-mkaddem How do I mark this post as solved?

    • D

      Unable to connect to OpenVPN server
      • darnokg

      3
      0
      Votes
      3
      Posts
      201
      Views

      D

      @viragomann

      Both endpoints are running on Verizon Fios. I'll see if I can put in a ticket with Verizon.

    • S

      SAML Support?
      • spasmcc

      4
      0
      Votes
      4
      Posts
      190
      Views

      S

      @jimp I did also find this but it appears dead. https://redmine.pfsense.org/issues/9970

      Thanks btw.

    • T

      No traffic able to cross site-to-site openvpn
      • Troutpocket

      7
      0
      Votes
      7
      Posts
      233
      Views

      T

      Yup. Changing it to "shared key" seems to have worked. That's bananas! All the systems I was comparing to were also 23.01 and were using peer to peer (SSL/TLS). These are all 7100 1U appliances in HA configuration. Anyway, it's now working and I met my deadline so I'm going to take a break. If anyone has any ideas why shared key worked but SSL/TLS didn't, I'd love to hear it.

    • K

      2 OpenVPN interfaces in FW Rules
      • Kevin 4

      3
      0
      Votes
      3
      Posts
      214
      Views

      K

      @viragomann
      I thought it might create an instance in Firewall Rules when I was connected via the VPN, but when I connect via my home network there are still 2 Open VPN interfaces In the Firewall Rules. When I look at the Status Interface page, as well as my Interface Assignments page, I have only one Open VPN interface.

    • D

      Problem Switching from shared key to SSL/TLS behind NAT
      • dweimer

      4
      0
      Votes
      4
      Posts
      262
      Views

      Gertjan

      @dweimer

      When you change OpenVPN server settings, you have to re-export the OpenVPN client file.
      You've done that, right?

    • D

      VPN and Netgate 1100
      • dbass

      7
      0
      Votes
      7
      Posts
      263
      Views

      S

      @dbass A public IP can only be used once. If you use NAT then LAN gets a private IP range, and you need NAT port forwarding rules to connect to the server on LAN.

      If the server actually needs a public IP then you need to get another IP range from the ISP so they can route the public IP to you.
      https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html

    • M

      Pia Lan issues
      • Mike123 0

      10
      0
      Votes
      10
      Posts
      450
      Views

      M

      @viragomann Thanks so much for your help, I've just done this and it's now all working as it should.

    • G

      openvpn-client-import fails
      • greenturtle

      11
      0
      Votes
      11
      Posts
      358
      Views

      G

      @gertjan
      The administrator of the server decided to change something based on my log dumps, and now the connection just works at the first attempt.

      Thank you everyone for your help. The only thing I had to change was the syntax of the remote line as mentioned by @viragomann, then the import worked just fine.

    • R

      Pfsense openvpn using Route53
      • Rubens Fontes

      2
      0
      Votes
      2
      Posts
      195
      Views

      T

      @rubens-fontes for DNS use 172.16.0.2, x.x.x.2 is Amazon's DNS. I usually attach a send Network interface (on the private subnet) to the pfSense and then add that as LAN

    • T

      Netgate 2100+PFSense+Surfshark=1/10 to 1/20 of the download speeds? Help
      • ThatGuyMark

      1
      0
      Votes
      1
      Posts
      139
      Views

      No one has replied

    • R

      How to HALT clients from server side?
      • rlgoers

      1
      0
      Votes
      1
      Posts
      156
      Views

      No one has replied

    • M

      Multi-WAN Client OPENVPN not normalizing after gateway restore
      • mttpfsenseadmin

      1
      0
      Votes
      1
      Posts
      158
      Views

      No one has replied

    • F

      Need to edit OpenVPN server config after each reboot
      • fsutter

      10
      0
      Votes
      10
      Posts
      396
      Views

      F

      Regarding the time difference, it's strange because I've compared both times and they are equal 😲

    • L

      Pfsense as ovpn server, Mikrotik as client (site to site)
      • lskarbek

      1
      0
      Votes
      1
      Posts
      153
      Views

      No one has replied

    • S

      [Workaround] openvpn-could-not-be-established-after-upgrade-to-23-01-on-sg-3100
      • steveb53

      1
      1
      Votes
      1
      Posts
      160
      Views

      No one has replied

    • D

      Help connecting from Android phone to PfSense local network.
      • DrStein99

      1
      0
      Votes
      1
      Posts
      151
      Views

      No one has replied

    • I

      How to route LAN traffic thru OVPN
      • ispasoiumircea

      3
      0
      Votes
      3
      Posts
      242
      Views

      I

      @viragomann said in How to route LAN traffic thru OVPN:

      @ispasoiumircea
      In the outbound NAT rule the source has to be your LAN, so 192.168.15.0/24 presumably.

      Consider that the policy routing rule on LAN directs all matching packets to the OpenVPN server. Hence it doesn't allow access to any internal destinations like DNS from this device.
      This can be done, but you need to use a DNS server on the concerned machine, which is accessible over the VPN. If there is any, you can simply forward DNS requests with a port forwarding rule on pfSense and need nothing to change on the device itself.
      Otherwise add an additional rule to pass internal traffic above of the policy routing rule.

      The rule on the OpenVPN is only needed for inbound traffic. But I guess, you don't want any, so you can remove it.

      Hello,

      Thank you. It worked just by adding an outbound NAT rule from LAN to VPN.

      Good day,

    • C

      VPN / PIA / Chrome / returns error 403 (forbidden)
      • cometphoton

      1
      0
      Votes
      1
      Posts
      174
      Views

      No one has replied

    • A

      vpn and network setup
      • adrianp918

      4
      0
      Votes
      4
      Posts
      298
      Views

      J

      @adrianp918 192.168.1.1/24 is not a network.
      192.168.1.0/24 is.

    • dimskraft

      What is a correct content setup routing from client to a server?
      • dimskraft

      8
      0
      Votes
      8
      Posts
      293
      Views

      V

      @dimskraft said in What is a correct content setup routing from client to a server?:

      server can't know which client is connected to it, so this information should be set on client side;

      You can let him know by configuring a CSO, however.

      If you said it is impossible to push routes from client to server, then why does a client config have the following field

      This sets a route on the client, but doesn't push anything to the server.

    • G

      Can someone please tell me what these messages are about?
      • guardian

      4
      0
      Votes
      4
      Posts
      209
      Views

      Gertjan

      @guardian said in Can someone please tell me what these messages are about?:

      That's really strange as I don't see why there would be that many accesses.

      Euh lol.

      On my dashboard :

      bf998ff4-31e3-4a74-9ae5-6398acb0ab1f-image.png

      People like a dashboard with the most accurate, thus frequently updated, info.

      Where does the "dashboard page" get this information from?
      It (PHP + web server) questions (very) frequently the "openvpn" process.
      These requests are the ones that are logged.

      To stop the logs you are seeing : stop looking at the dashboard, close it 😊

    • dimskraft

      Cannot communicate from server to client over OpenVPN S2S connection
      • dimskraft

      2
      0
      Votes
      2
      Posts
      297
      Views

      dimskraft

      I made a mistake, I can't connect backwards by any means. But I can see ping traffic with packet capture on a client when pinging it from server.

    • F

      IPv6 route exclusions
      • ferchu

      1
      0
      Votes
      1
      Posts
      170
      Views

      No one has replied

    • M

      No Clients Can Connect To OpenVPN Due to CRL Expiry
      openvpn vpn bug crl openssl • • mmulqueen

      17
      1
      Votes
      17
      Posts
      3489
      Views

      jimp

      @jeffreyn said in No Clients Can Connect To OpenVPN Due to CRL Expiry:

      @jimp I applied the patch when it was released. I'm reading the release notes for 23.01 and see Issue #13424 has been addressed in the new version. Do I need to do anything like remove the patch before or after I upgrade? Or does everything take care of itself?

      You do not need to do anything with the patch after upgrading. You can delete the entry from the system patches package.

    • 4

      Packets disappearing between tun and wan
      • 4632215

      4
      0
      Votes
      4
      Posts
      306
      Views

      V

      @4632215
      If you have a /30 tunnel there can only be two IPs inside, one is the server, the other one is the client. So all is clear.

      If the tunnel network is bigger, there can be one server and multiple clients inside. So you have to tell the server, behind which client IP he can find the desired network, you want to send packets to. This can be done by the iroute directive in OpenVPN.
      In pfSense you have to create a client specific override to set this, where you have to state the client side's remote network.
      But if you only have one client anyway, you can spare this and easily set the tunnel mask to /30.

    • M

      gw2gw OpenVPN, pfsense is not autoconnecting
      • Marcin 2

      1
      0
      Votes
      1
      Posts
      175
      Views

      No one has replied

    • T

      Cannot ping Mikrotik switch through OpenVPN
      • trigg3r

      3
      0
      Votes
      3
      Posts
      262
      Views

      T

      OMG ... shame on me! Thank you very much @viragomann

    • D

      Open vpn
      open vpn • • diegosantos

      1
      0
      Votes
      1
      Posts
      171
      Views

      No one has replied

    • F

      triple site to site working, but 2 pfsenses can only ping the oVPN server site.
      • frater

      6
      0
      Votes
      6
      Posts
      335
      Views

      F

      @viragomann said in triple site to site working, but 2 pfsenses can only ping the oVPN server site.:

      Normally you don't need a route for the tunnel network, because you can as well access the remote firewall by using its LAN address.

      No, I couldn't....

      The 2 pfsense configured as client were unable to ping anything on the other pfsense.
      They can now.

    • K

      Communicate between OpenVPN hosts
      openvpn client openvpn config ovpn • • Kamil 0

      1
      0
      Votes
      1
      Posts
      496
      Views

      No one has replied

    • T

      Unable to establish an OpenVPN connection (bug?)
      openvpn config • • trigg3r

      3
      0
      Votes
      3
      Posts
      273
      Views

      T

      Your OpenVPN should be listening on a WAN type interface.

      So it is ... but after a few hours I discovered that pfsense had lost this setting. Set it to "Any", set it back to "WAN" and the problem was solved.

      Why would you want to do that?

      Virtual Private Networks — OpenVPN — Assigning OpenVPN Interfaces | pfSense Documentation

    • T

      OpenVPN not connecting
      • TravelMore

      8
      0
      Votes
      8
      Posts
      627
      Views

      Gertjan

      @travelmore said in OpenVPN not connecting:

      to other, whereas in that link the person mentioned changing it to Interface IP address instead of other.

      Be careful with this :

      cba53f1e-fee1-42d5-8f76-215842ebfc49-image.png

      as that a hostname like (RFC1918 like 192.168.0.b) this will be wrong in 99,x % of all cases.

      When you are out, somewhere in the wild, surrounded by the hostile Internet, and you want to connect to 'home' over VPN, you have to connect to your ISP WAN IPv4. Certainly not to your RFC1918 like 192.168.0.x as shown in the image above, which can't be routed over the net.
      So : second best choice : the ISP WAN as a host name.
      Host name is your tunnel end point, and as the comment says: it could be an IP or a host name. If you chose the latter, it should be resolvable there where you are now. Said differently: it should be resolvable anywhere on the internet.
      So : best : set up a DYNDNS so that a known 'hostname' always points to your ISP WAN. This is valid and useful if you have a dynamic IP and/or a static WAN IP.

    • obitori

      CyberGhost openvpn config files for client get mangled by pfdense web
      openvpn config • • obitori

      22
      0
      Votes
      22
      Posts
      3539
      Views

      NightlyShark

      @huydra I should have TL;DRed the thread... 😆 Got bumped up.

    • C

      AD sync as well as MFA.
      • Cal Meacham

      1
      0
      Votes
      1
      Posts
      139
      Views

      No one has replied

    • K

      Public IP Address doesn't change when connected to ovpn
      • khris2fer

      3
      0
      Votes
      3
      Posts
      231
      Views

      K

      @viragomann That's exactly what I needed.... I made the change and tested...my public ip address matches my home address Thank you soo much!!!

    • I

      OpenVpn remote access with pfSense behind the ISP modem router
      • ikonomn

      2
      0
      Votes
      2
      Posts
      233
      Views

      S

      @ikonomn most ISP routers will have a way to forward ports to an internal device (your pfSense) or set one as DMZ to forward all ports.

    • S

      Hardware encryption on Netgate 3100 with pfSense Plus 23.01, using OpenVPN
      • sgw

      5
      0
      Votes
      5
      Posts
      358
      Views

      S

      @mcury Oh, interesting (and sad).

      I was able to enable CBC ciphers in the OpenVPN server and choose hw crypto for that as well. Can't tell if it works though. We will test and monitor CPU load etc for a check.

    • N

      OpenVPN connects for a few minutes, then disconnects
      • NicP91 0

      6
      0
      Votes
      6
      Posts
      438
      Views

      1

      @nicp91-0
      (I'm no pro, but...) I'm curious - did you ever try setting the gateway's monitor IP to the IP of the server you're connecting to?

      Also, could be that since 9.9.9.9 is a DNS server, and some of these privacy VPNs might try to get you to use their DNSes (for privacy... maybe they block access to public DNSes like 9.9.9.9).

      For my setup, I pinged the server name that's in the .OVPN file from the privacy VPN server and used that IP address in the gateway's monitor IP.

    • D

      23.01 XG7100U pfsense plus, OpenVPN issues on one of the units.
      • dezore

      1
      0
      Votes
      1
      Posts
      171
      Views

      No one has replied