@mbrossar I've seen that before.

I was able to further trace this to Unbound DNS Resolver. Unbound is frequently stopped, and restarting OpenVPN restarts Unbound. So this is not an OpenVPN issue but is an Unbound issue.

the fix for this is in thread https://forum.netgate.com/topic/161324/openvpn-is-not-working-if-client-is-reconnected-immediately/11

i needed to check the box for "Use a random local source port (lport) for traffic from the client. Without this set, two clients may not run concurrently." on the client export plug-in. this option adds lport 0 to the client config.

@r0okey said in upgraded to pfsense 2.5 and now OpenVPN is broken.:

I have upgraded 2.5 I'm not able to connect from my client

Hi,

Have you ever thought about that? (NCP)... 😉

https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html

d6125d70-7486-481c-a2bc-8380227950ab-image.png

@high_voltage If you don't have access to the edge router, then you'd have to get your public IP by going to a website like https://whatismyipaddress.com or https://ipchicken.com. You can also do a google search for "what is my IP" and it will tell you.

Once you have the public IP, you would go to the "Client Export" utility, change the Host Name Resolution to "other", enter the public IP and then export your client packages.

Another option is to subscribe to a free DDNS service and enter a hostname instead of an IP.

@jacobisreal said in OpenVPN clients can't ping LAN:

Any suggestions about how to filter internet sites / URLs for users connected via the OpenVPN?

If you haven't "Redirect gateway" checked in the OpenVPN server setting internet traffic is not routed to pfSense normally. You have to consider that the users can add routes by themselves, however.
So you should add rules to the VPN interface to restrict access for your needs.
If you also want to pass internet traffic from the clients over the VPN rules are more complicated. But this depends on your needs.

@jacobisreal said in OpenVPN clients can't ping LAN:

Also, the automatic .ovpn client config file download?

Already talked about that above. There is nothing intended on pfSense. But search the forum, maybe someone has posted a script to aid distributing VPNs.

@behemyth said in What FW Rule do I need to allow users internet access?:

How do I allow a client access to the internet when they are connected to the VPN? I have a rule allowing them to hit the DNS servers, but any rule I make allowing the traffic to WAN NET or WAN address all fail. I dont want to put in a default allow rule to allow any traffic anywhere on my network.

What am I missing?

There are a few different ways to do it:

One option:

Pass - Tunnel Network/DNS server Alias Block - Tunnel Network/LAN net (or alias for multiple networks) Pass - Tunnel Network/any

Another option:

Pass - Tunnel Network/DNS server Alias Pass - Tunnel Network/Invert Match LAN net (or alias for multiple networks)

Also, considering there's no local access... unless there's a reason you want your clients using your DNS server(s), I would actually remove access to DNS altogether and push them Google DNS.

@steamerzone said in pfSense 2.5.0/OpenVPN reconnect failing:

This does need some further testing, and as far as I understand you can't push this setting.

Correct, it can't be pushed since it's too late for it to have any effect -- the client is already sending traffic from its chosen port when it comes time to receive pushed settings.

Clients would need to be redeployed with a new config or edited in-place.

Since it appears to be a bug in OpenVPN it's something they'll need to address, but I'm not sure if anyone has reported it upstream yet.

The link is internal, not broken, but you don't need it.

I linked to comment #11 on that issue which has an attachment that is the patch you need to apply.

@piotres
One option, add the following to the client's config:

auth-user-pass pass.txt

then add a 2 line text file called "pass.txt" in the same folder as the client's config using the following format:

username
password

Another option, create a separate instance for auto-connect users that auth's from certificate only.

Another option, create a service account for auto-connect users, so solutions similar to the above can be deployed without input from the end-user. We did this at my last gig with Cisco AnyConnect.

Another possible option, it looks like the "auth-user-pass" directive can be invoked via the command line, so it may be possible to add something like the following to the parameters section of the service instead of modifying the client config:

--config C:\Program Files\OpenVPN\config\myvpnconfig.ovpn --auth-user-pass "C:\Program Files\OpenVPN\config\pass.txt"

@stan
Glad that it's working now.
Yeah, the outbound NAT often requires rebooting the box to apply the rules. Didn't think of it as well.

Use the following syntax to check the rules:

# pfctl -a openvpn/{OPENVPNSERVERINTERFACE}_{USERNAME}_{REMOTEPORT} -sr

For example:
test1 - username
43256 - remote port from the Status / OpenVPN page:
Screenshot from 2021-02-27 09-49-33.png

ovpns1 - interface name from the Status / Interfaces page (or from the ifconfig output):
Screenshot from 2021-02-27 09-51-21.png

Let's try:

# pfctl -a openvpn/ovpns1_test1_43256 -sr pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port < 566 no state pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port != 899 no state

@noplan I tried that first resulting in "You are only allowed to edit posts for 3600 second(s) after posting". An admin is welcome to update the title to reflect this.

The upgrade wouldn't have changed the gateway, but it's possible the gateway selected by the existing "Automatic" process changed to one that wasn't your preferred WAN.

Setting a specific default (single gateway or failover group) is more reliable, so your suggestion is still a good change to make.