@munson
What do you mean by "unencrypted traffic"?
It's on the web browser to request traffic unencrypted (http) or encrypted (https). pfSense has no impact on this as long as you don't run a proxy.

Generally to force all upstream traffic from the client over the VPN, check "Redirect IPvX Gateway" in the server settings.

Then ensure, that there is an outbound NAT rule in place for the OpenVPN tunnel network.
If not switch the outbound NAT into hybrid mode and enter a rule for the source of the tunnel network to WAN.

@ontzuevanhussen said in Can't access client LANs from servers on DigitalOcean private cloud network behind OpenVPN on pfSense:

Anda memiliki kasus yang sama dengan saya, saya juga mengalami hal demikian dan sampai sekarang saya belum menemukan solusinya. Ketika VPN (wireguard) saya aktifkan, saya dapat menjangkau web app di server digital ocean. Namun ketikan tanpa aktifkan VPN, saya kembali tidak dapat mengakses website saya.

Hi @ontzuevanhussen, I ended up working around it by setting up an OpenVPN server on each location's router, and initiating the connection for each from the server I needed to be able to have access to those networks. For whatever reason it works as an outgoing connection from DigitalOcean but not an incoming one. I think DigitalOcean's must just be dropping the traffic. Anyway, it works this way and I am able to run my ansible playbooks from my server on systems on these locations' LANs. Somewhat annoying but it works.

@adamw If you export pfSense logs to a syslog server, you can start filtering information about connections and disconnections via:

grep -E 'Peer Connection Initiated|new connection by client|Inactivity timeout' openvpn.log

It's possible to make a shell script to parse the information to make a report and send by email.

@viragomann said in Site-to-site tunnel, remote dont have route but can ping network:

Yes, of course, if the tunnel goes (routes cleared) down traffic destined to the remote site will go out to the default gateway.

You can circumvent this by adding a floating Quick block rule to WAN for outgoing traffic to RFC1918 destinations.
RFC1918 is an alias containing all private network ranges. You have to create it before.

Thanks!

@netgatech said in OpenVPN assigning interface not working:

thanks but can you go on internet from clients using the vpn ?

I'm answering this post with my phone. The phone uses OpenVPN connect, and is a OpenVPN client.
I'm connected to the pfSense VPN server shown above.
So, yes 😊

@TYz your apps can not get to the internet, or you can not get to your apps from the internet?

For me for example to get to your docker you would need to forward to that port 30050 at 192.168.1.200 on pfsense.

I would then go to your actual public IP.. pfsense would forward it to 192.168.1.200, which in turn would be sent to your docker 172.16 address.

@SteveITS

My own hardware.

I did select QAT but it still shows as "No" on the dashboard so I guess it is not available.

@zeca
ive got same problem
i ask google for help and found this topic https://redmine.pfsense.org/issues/7240?tab=history
after snort uninstall my openvpn client could connect with no issues

Hard set your MTU on the interface you dial into your VPN on and also set MSS
Example:
Screenshot 2024-07-17 at 14.24.58.png

Hard setting this helped my speed drastically as it will fragment on some ISPs

Apparently ESXi vSwitch was blocking the bridge interface on the LAN and only the VPN clients were getting IPs I disabled all the security features on the vSwitch and LAN, and it's all working now.

Thank you, @viragomann

@gbitglenn

Let's make a list.
Check the OpenVPN server version : is it the same ? If, for example, Openfense uses a way older OpenVPN server version, settings change, so client settings will change anyway in a near future, so game over anyway, as changes for every client will be need when Openfense changes it OpenVPN server version.

If the OpenVPN is somewhat the same :
If you can export the main openvpn CA certificate from OpenSense, and the certificate itself, you could import them both into pfSense. And all the 25 user certificates.
Actually, this must work, and is easy to test for just one user. Just take an old sub 10 $, old PC with 2 NICs, install pfSense and do whats said above.

@gbitglenn said in Migrating from OPNSense OpenVPN To PFSense:

Is this even possible or am I screwed?

Is that modern phrasing ?
Before, it was "Is this even possible or do I have some work to do ?" 😊

I have the interval set to 60 minutes as a test and sure enough I'm getting these logs every hour.
But is this an indication that there is a fault? If the pings were going through would it even need to authenticate?

Jul 16 09:37:23 openvpn 90300 user 'UserName' authenticated Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_SSO=openurl,webauth,crtext Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_GUI_VER=OpenVPN_GUI_11 Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_COMP_STUBv2=1 Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_COMP_STUB=1 Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_LZO_STUB=1 Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_PROTO=990 Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_NCP=2 Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_MTU=1600 Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_TCPNL=1 Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_PLAT=win Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_VER=2.6.5 Jul 16 08:38:08 openvpn 90300 user 'UserName' authenticated Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_SSO=openurl,webauth,crtext Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_GUI_VER=OpenVPN_GUI_11 Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_COMP_STUBv2=1 Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_COMP_STUB=1 Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_LZO_STUB=1 Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_PROTO=990 Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_NCP=2 Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_MTU=1600 Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_TCPNL=1 Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_PLAT=win Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_VER=2.6.5

@McMurphy said in DCO unable to connect (unsolvable):

data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-GCM

This is not really meaningful, and apart from this it differs from the Windows settings, where AES-256-CBC is used.

@Gertjan said in OpenVPN questions (DNS, Speed, Reliability etc):

I'll say it upfront : not sure if it's wise to have identical domain names on two different location.

It is definitely not wise and the logic says I should switch to an another domain name for one of the sites but it is just too troublesome. The only way I can think of to have an unified DNS is to manually set up the DNS entries on both sites which is too ugly and clearly not a standard approach.

@lsw793237040 36a995b0-1e40-4d22-83a0-2bf543c2940c-image.png