@vettalex
If it's an SSL/TLS setup check "Dynamic IP" in the server settings.

@ghummantech
Hi, I was able to resole the issue selecting different EC2 instance size, t3 or larger (without bust limit) seems to be resolving the problem. Give it a try and let me know.

@selfjc https://community.synology.com/enu/forum/1/post/140054

I ran a few ookla speedtests, again, graph looks fine but numbers are nonsense. I have a 50mbit/s speed limiter on both pfsense boxes.

pfsense_speedtest_dip.png

Ok, so my application is probably quite a bit different to what most of you are using OpenVPN client for - multiple pfsense clients doing peer to peer to a single pfsense server, carrying a guest network across many sites. But, perhaps my solution will also work for you....

system > routing > tunnel_gw > advanced > use non-local gateway

I already had non-negotiable AES-128-GCM for encryption.

This allows me to continue using gateway monitoring - I'm actually monitoring the far-end IP of the tunnel, ie the server tunnel address.

A little more information.

I can change the monitoring IP address in the routing>gateways>monitoring to the WAN IP address and the gateway reports good (because it is ping status from the WAN interface).

However, the firewall LAN still report Blue Gateway status and no traffic is routing via the LAN rule.

...

@divsys
Haha!
And you are right again. I am not touching it. It works now and I need a break from it. ^_^
Thank you for your advice. It is a valid concern. I left the part not saying why the flag was there at the first place since the entire thing is all my fault. I added it upon suggestions from others and then I forgot. I am pretty sure that this is the only thing I messed up under the hood.

Really appreciate your consideration!

@clhols
I'm not using ExpressVPN anymore on pfSense since my web provider doesn't accept secured smtp traffic over VPN (emails seem to be sent but are never received by the recipient).
So I'm using ExpressVPN on each device (p.c. or smartphone) with a special configuration for Outlook app.
Regards

@mbrossar I've seen that before.

I was able to further trace this to Unbound DNS Resolver. Unbound is frequently stopped, and restarting OpenVPN restarts Unbound. So this is not an OpenVPN issue but is an Unbound issue.

the fix for this is in thread https://forum.netgate.com/topic/161324/openvpn-is-not-working-if-client-is-reconnected-immediately/11

i needed to check the box for "Use a random local source port (lport) for traffic from the client. Without this set, two clients may not run concurrently." on the client export plug-in. this option adds lport 0 to the client config.

@r0okey said in upgraded to pfsense 2.5 and now OpenVPN is broken.:

I have upgraded 2.5 I'm not able to connect from my client

Hi,

Have you ever thought about that? (NCP)... 😉

https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html

d6125d70-7486-481c-a2bc-8380227950ab-image.png

@high_voltage If you don't have access to the edge router, then you'd have to get your public IP by going to a website like https://whatismyipaddress.com or https://ipchicken.com. You can also do a google search for "what is my IP" and it will tell you.

Once you have the public IP, you would go to the "Client Export" utility, change the Host Name Resolution to "other", enter the public IP and then export your client packages.

Another option is to subscribe to a free DDNS service and enter a hostname instead of an IP.

@jacobisreal said in OpenVPN clients can't ping LAN:

Any suggestions about how to filter internet sites / URLs for users connected via the OpenVPN?

If you haven't "Redirect gateway" checked in the OpenVPN server setting internet traffic is not routed to pfSense normally. You have to consider that the users can add routes by themselves, however.
So you should add rules to the VPN interface to restrict access for your needs.
If you also want to pass internet traffic from the clients over the VPN rules are more complicated. But this depends on your needs.

@jacobisreal said in OpenVPN clients can't ping LAN:

Also, the automatic .ovpn client config file download?

Already talked about that above. There is nothing intended on pfSense. But search the forum, maybe someone has posted a script to aid distributing VPNs.

@behemyth said in What FW Rule do I need to allow users internet access?:

How do I allow a client access to the internet when they are connected to the VPN? I have a rule allowing them to hit the DNS servers, but any rule I make allowing the traffic to WAN NET or WAN address all fail. I dont want to put in a default allow rule to allow any traffic anywhere on my network.

What am I missing?

There are a few different ways to do it:

One option:

Pass - Tunnel Network/DNS server Alias Block - Tunnel Network/LAN net (or alias for multiple networks) Pass - Tunnel Network/any

Another option:

Pass - Tunnel Network/DNS server Alias Pass - Tunnel Network/Invert Match LAN net (or alias for multiple networks)

Also, considering there's no local access... unless there's a reason you want your clients using your DNS server(s), I would actually remove access to DNS altogether and push them Google DNS.

@steamerzone said in pfSense 2.5.0/OpenVPN reconnect failing:

This does need some further testing, and as far as I understand you can't push this setting.

Correct, it can't be pushed since it's too late for it to have any effect -- the client is already sending traffic from its chosen port when it comes time to receive pushed settings.

Clients would need to be redeployed with a new config or edited in-place.

Since it appears to be a bug in OpenVPN it's something they'll need to address, but I'm not sure if anyone has reported it upstream yet.

The link is internal, not broken, but you don't need it.

I linked to comment #11 on that issue which has an attachment that is the patch you need to apply.

@piotres
One option, add the following to the client's config:

auth-user-pass pass.txt

then add a 2 line text file called "pass.txt" in the same folder as the client's config using the following format:

username
password

Another option, create a separate instance for auto-connect users that auth's from certificate only.

Another option, create a service account for auto-connect users, so solutions similar to the above can be deployed without input from the end-user. We did this at my last gig with Cisco AnyConnect.

Another possible option, it looks like the "auth-user-pass" directive can be invoked via the command line, so it may be possible to add something like the following to the parameters section of the service instead of modifying the client config:

--config C:\Program Files\OpenVPN\config\myvpnconfig.ovpn --auth-user-pass "C:\Program Files\OpenVPN\config\pass.txt"

@stan
Glad that it's working now.
Yeah, the outbound NAT often requires rebooting the box to apply the rules. Didn't think of it as well.

Use the following syntax to check the rules:

# pfctl -a openvpn/{OPENVPNSERVERINTERFACE}_{USERNAME}_{REMOTEPORT} -sr

For example:
test1 - username
43256 - remote port from the Status / OpenVPN page:
Screenshot from 2021-02-27 09-49-33.png

ovpns1 - interface name from the Status / Interfaces page (or from the ifconfig output):
Screenshot from 2021-02-27 09-51-21.png

Let's try:

# pfctl -a openvpn/ovpns1_test1_43256 -sr pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port < 566 no state pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port != 899 no state

@noplan I tried that first resulting in "You are only allowed to edit posts for 3600 second(s) after posting". An admin is welcome to update the title to reflect this.

The upgrade wouldn't have changed the gateway, but it's possible the gateway selected by the existing "Automatic" process changed to one that wasn't your preferred WAN.

Setting a specific default (single gateway or failover group) is more reliable, so your suggestion is still a good change to make.

@bcruze Haven't restarted. What do the openvpn logs say?

@spinx
I guess you need to reconfigure the client for no compression.

Sounds like you are using the wrong kind of setup. The addresses you list are from a net30 topology style server setup with one server and many clients. If this is the only client, you don't need a setup like that, just a plain peer to peer setup without the extra server parts.

@jairoav25
Yes in the past I tried to get DNS from them. Their advice was also to use Google or Cloudflare because officially they don't support pfSense. In since have moved away from ExpressVPN. There are beter options out there. Thank you for trying and sharing your experience!

@me-yro
So you want to use a VPN service to access the internet.

For now I cannot see that there is any of these subnets is defined on your pfSense interfaces.

@me-yro said in openvpn connection initailised but no connection go throw it.:

however, when i made the correct configuration for the subnets nothing work ( no internet connection )

Since you don't show it there is no way to verify.

Is your VPN up?
In the VPN settings check "Don't pull routes".

So you can configure your new subnet and let them go out to WAN first.
If all is working add the outbound NAT proper rules to the VPN interfaces and add policy routing rules to direct the traffic out.

If there are issues post more details of your settings.

Happened again this morning, exactly between 7:29 am and 7:30 am. I checked the OpenVPN logs. There is absolutely no activity between 7:31:10 and 7:36:40, which is unusual. Typically someone is reconnecting every few minutes. Then, at 7:36:40, all 13 connected users have an inactivity timeout at the exact same time. After that, all remote users start aggressively connecting, every few seconds. By this point, the CPU is already at 100%. Starting at 8:16:59, the log starts throwing errors that no more IP addresses are available.

@divsys Appreciate the heads up. Gonna wait for a fix for all this. Right now I'm getting by as a Wireguard client.

@sensecanuck said in VPN up Gateway up - No Internet:

Solved in this thread by disabling Data Encryption Negotiation.
https://forum.netgate.com/topic/161040/openvpn-client-showing-100-packetloss-following-2-5-0-upgrade/10

Thank you sir. Just got back to town and this worked. For those who are having this same issue the following two things will fix this issue:

Uncheck "Enable Data Encryption Negotiation"
or Remove "tls-client" from custom option settings in OpenVPN