@jared_ said in Need help routing OpenVPN to another gateway on the LAN:

I have pfSense sitting on a network, the WAN interface is disabled and the LAN (192.168.1.0/24) has OpenVPN (172.16.100.0/24) server listening.

That's not the proper way to connect a VPN server. Youf LAN devices will send response packets to requests from VPN clients to the default gateway instead back to pfSense, since they don't have a proper route for these IPs.

If you want to run the VPN server behind a NAT router either

remove it from LAN and put it into transit network, connected to the router and add a static route for the VPN tunnel network to the router pointing to the VPN server and add static route for the LAN to the VPN server pointing to the router add a static route for the VPN tunnel network pointing to pfSense to each LAN device you want to have access do masquerading on pfSense Lan interface.

@marvosa
I'm sorry, but i don't know exactly what you mean.
If I want to make the WAN Network accessible trough VPN, where the OpenVPN Service is listen, this is currently not possible.
Other OpenVPN Implementations (e.g. untangle) add a direct route to the OpenVPN Server to solve the Problem. I think this should also be possible on PfSense, but i don't know how.. :(
If you need more information, i can provide them to you.

@peter_apiit said in Create OpenVPN client but encounter error:

https://protonvpn.com/support/pfsense-vpn-setup/

Did you asked proton for an update on their https://protonvpn.com/support/pfsense-vpn-setup/ ?
It's based on an old version of OpenVPN, probably the 2.4.x series.
The latest pfSense 2.5.2 uses the last (nearly) version of OpenVPN : 2.5.2 (version numbers are identical, this is purely a coincidence).
The 2.5.2 and 2.4.x (OpenVPN !) are nearly identical. But their are differences. The question is : what does Proton use ?

Btw : I'm not using proton myself.

edit : This is what I would do : if their 'client app' uses OpenVPN, and that clients logs, uses the client log and the it's opvn file - and compare these with the pfSense OpenVPN opvn file and OpenVPN client logs.

@bingo600 said in Open VPN Site to Site and Remote Clients Combination:

Dialin Client ip ranges
@viragomann

Thanks a lot for your advice guys; The dial in tunnel was not added to the Site 2 Site remote networks list, therefore could not be routed.

Thanks again

Yeah domain override would work - just make sure that unbound allows via ACL queries from the other site IP range.

Also keep in mind that if your looking for machineX, which might be machineX.sitea.tld, when it moves and gets a new dhcp lease in site b. You would want to find it via machineX.siteb.tld fqdn

If you setup your machines to use suffix search for both siteA.tld and siteB.tld would be possible for the user to just look for machineX

You can use machine certificates for authentication. Certificates stored in local computer store or slipstreamed into openvpn config file. This makes vpn connection to establish with no authentication prompts.

It was compression issue.

I understood it when looking at server OpenVPN logs and seeing error

IP packet with unknown IP version=15 seen

Some compression was turned ON on client side but any compression was disabled on server side. I was sure this misconfig would be detected automatically

@denndsd , have you tried to disable all mitigation settings?
I had similar problem, which I managed to sort out only with downgrade to 2.4.

@peterlecki said in Remote Access VPN connects but unable to access LAN IPs:

@peterlecki
Is pfSense the default gateway on the destination device?

It was not.

That would be worth to mention.
When request traffic is from outside its subnet the destination device send respond packets to its default gateway.

To get the packets back to pfSense you can remove pfSense from the LAN and put it into a transit network. Then add routes to pfSense for the LANs pointing to the gateway and add a route to the gateway for the VPN tunnel network pointing to pfSense.

Ok, I figured it out.
Lost hours and losing my mind but got it.

The openVPN client assigned IP (10.8.0.x scope) can not be pinged for whatever reason, so gateway was considered down and traffic was defaulting to an alt (default) gateway.

Disabling gateway monitoring or (better) specifying a working IP to monitor (I used 10.8.0.1 which is the openVPN server) fixed it.

@KOM , @marvosa thanks for the feedback, the problem occurred after upgrading from version 2.4 to 2.5.1 of pfsense.

I performed a clean install on both sides with version 2.5.1 and recreated the rules again working correctly, I don't know if due to this update there was some inconsistency in the rules or internal routing of pfsense causing the problem.

@viragomann

Thanks a million! You have done a great job by marking all the places to check. I have used a wrong client.ovpn file. With your help, the hard work of 3 days ended with a success. 😊

Longtime pfSense User here. Sure would be nice, though ::hint:: ::hint::

Can you give us any insight as to whether or not it is on the radar and if so how long it might be? (Given OPNsense has it already) [thanks, Tom!]

@spacebass Move WebGUI to some other port to free up 443?

@jknott I have a productive environment with external networks 10.5.x.0/24 with x=1..253.

For a network 10.5.x.0/24, the corresponding external VPN client uses a tunnel IP 10.8.1.x/24:

E.g., the VPN client for the external network 10.5.1.0/24 has a TAP interface with 10.8.1.1/24, the external network10.5.2.0/24 has a TAP interface with 10.8.1.2/24 and so on.

10.8.1.x with x=1..253 is reserved for external networks. For my setup the VPN server uses the last available IP 10.8.1.254 for the tunnel network because the first one is already in use.

OpenVPNs' --server directive simplifies the setup and sets the server IP to .1. However, there is no reason that it has to be the first available IP and not to use a custom setup.

It's a video, so install Youtube.

Then go to the Netgate channel.
You'll find many OpenVPN video's.
Like this one : Configuring OpenVPN Remote Access in pfSense Software

edit : the video hidden, look :

5b4bce8e-95a0-4636-a4d6-55f2c4da1534-image.png

It's on the first link proposed !!!!!!