@cmos_battery said in Unable to connect:

I port forwarded the OpenVPN 1194 UDP port to the IP address of my WAN connection on the pfSense box

At that moment, when you try to connect to your WAN IP, using port 1149 protocol UDP? you see the counter is going upwards. You'll know the NAT of the device in front of pfSense is set up correctly.

577ebd43-997e-4452-9f48-41fc9ceddadb-image.png

For a basic OpenVPN set up, see the recent and less recent video's here.

@kom Never mind on my last post, I didn't realize that the Allow Compression settings disappear with the refuse setting you recommended is set. I'll give that a try. Thanks!

@nogbadthebad Yep thats what it needed, god damit :( looked over it so often

@viragomann hi, ivt is already configured, however, the local network cannot communicate with the remote network, only the firewall can communicate.
It worked after adding the route
45365c70-f55e-433c-938a-a5abef8b1251-image.png

No route:
ping pfSense A to Host B: ok
ping Host A to Host B: failed

69cf9b74-f170-4c44-b7c2-9f5ca3426732-image.png

With route:
ping pfSense A to Host B: ok
ping Host A to Host B: ok
cb394d7c-33b7-4ffd-8740-0c554c772483-image.png

@bingo600 what are you talking about?

I know it goes down, because the VPN stops working?

The VPN stops working immediately.

What does unbound or any other service have to do with pinging a router over a VPN?

@spudnet The real solution would be to bite the bullet and renumber one of the networks which is no small undertaking. Such a bizarre decision to make both a /8 unless they really do need to have 16 million clients on the same network.

@erfanxp
Ah, so even NM.
Here on OpenSUSE 15.2 NM OpenVPN is working flawlessly after importing the config. However, I had this issue as well with earlier versions.
Of course it doesn't work if your local networks are overlapping with the remote networks.

If that isn't the case, you can configure the routing manually:
Edit the connection. Select the IPv4 or v6 tab, whatever routes you need. Click "Routes..." at the right bottom, in the opening window check "ignore pulled routes", hit "Add" and enter the remote network and mask (in your example 10.10.184.0, 255.255.254.0). Leave the gateway blank and save all.

Worked well for me in earlier NM versions.

@chefdeski It depends. Policy routing mean using firewall rules to direct which gateway traffic goes out. I have a rule on LAN that directs one client out my Mullvad VPN, and another rule for my desktop so that any access to 10.10.0.0/16 goes out my work tunnel. I just have to disable a rule to switch the VPN "off" even though it's still up & running fine as an interface.

On my side, same watching.
Since I upgrade my pfSense to 2.5.x, I encounter a deep & blocking bug with OpenVPN server.
My VPN clients are regularly unable to reach LAN.

I've detailed the entire issue here

@kom Hi,
I think if it would be the encryption issue, I woud't be able to connect at all I guess.

@viragomann said in Backup tunnel with overlapping routes:

@ddbnj

You can use policy routes instead of OpenVPN added ones if you want that. So you can use both VPNs for different purposes and additionally set up a fail-over gateway of both for common use.

If you want to this, you have to remove the remote networks from the OpenVPN settings, so that both connections can be established without interfere.
Then create a gateway group with both VPNs.
Now you can add policy routing rules using either the gateway group or only one VPN gateway.
You will have to check the "skip filter rules if gateway down" option in the advanced settings to avoid skipping a rule and use another gateway.

I think I got this working using policy routing.

Thank you!

@thatguy
Probably you meant 'fellymar is using mismatched versions'.
I've only one version that is 2.5.1-RELEASE (amd64)

@clhols This only killed my internet connection.

Hi John

Thanks again for your help here, I have found your older thread where you were discussing this and developing your ideas for this script, that is a damn fine thread btw and I'm a bit embarassed I didnt find it before... https://forum.netgate.com/topic/157520/openvpn-client-cascade/46 for anyone else reading (who is also an idiot who cant use search), its a very solid description of the process for manually setting up a nested VPN.

I will have to look into this script a bit more, it seems to automate the later steps nicely but im not sure I understand all the details, especially the "Don't pull routes" settings, more research required. All the best mate

@jeangirgis said in V21.02 openvpn not working Netgate SG-2440:

OpenVPN clients do not work

Hi,
Exactly where?
The client installed on NGFW? (for example to a VPN provider's server)

Can you elaborate on this? 😉

I finally solved it.

The LAN subnet on both sites must not be identical.

After changing the LAN subnet on one of the two sites (so they differ) it works like a charme.

Further reading:

https://blog.matrixpost.net/pfsense-site-to-site-ipsec-vpn-same-subnet-on-each-site/