• OpenVPN Firewalling User specific

    9
    0 Votes
    9 Posts
    730 Views
    T

    That is interesting and something I hadn't thought about,
    Assigning user groups per subnet,
    As they all have already been applied and distributed that will take some work,
    But it is a solution
    Thank you

  • OpenVPN Routing on pfSense

    6
    0 Votes
    6 Posts
    592 Views
    T

    I get that now, I am going to try the routing from the IPSec to the OpenVPN subnet

  • OpenVPN quits on WAN IP change

    38
    0 Votes
    38 Posts
    5k Views
    DaddyGo

    @mcfly9 said in OpenVPN quits on WAN IP change:

    Honestly, it does not.

    I don't know, how knows that 😉

    the "watchdog" is a forced solution, it means something that you fear(ed) will not work properly

    yes it has already been described by "@Gertjan"

    the end will be, if you are a serious provider, buy fixed IP, hihihihihhi 😉

    BTW:
    there are pfSense instances in our park, that only need to be restarted, ... on updates... (OS, FW, or etc.)

    and / or if OpenVPN does not pick up the IP(s) it's a joke...(:

    they work for months (pfSense + Open VPN servers / clients) without any problems, in this regrettable situation when our employees work from home...

    the OpenVPN + pfSense works with more than 450-550 users (in 4 countries, on 28 radio stations)

  • Windows DNS bypasses pfsense (DNS leak)

    10
    0 Votes
    10 Posts
    828 Views
    B

    @Gertjan Everyone knows that Google collects data wherever it can ... I would like to know if it makes a difference while connected to a VPN...

  • Automatically pushing local private network routes?

    1
    0 Votes
    1 Posts
    183 Views
    No one has replied
  • OpenVPN-Clients to VPN-Providers - common problems

    2
    0 Votes
    2 Posts
    265 Views
    bingo600

    @Bob-Dig

    I'd say this is the gateway monitoring status (the packet loss)
    The gateway prob doesn't answer to pings

    Tune here, or disable

    System --> Routing --> Gateways


  • Https packets on WAN bypassing VPN

    4
    0 Votes
    4 Posts
    395 Views
    W

    Yes, you were right about the state issue. Being kind of new to this, I did not understand what was happening in the state table. If I physically do not allow LAN traffic prior to bootup and VPN starting, I see no issue.
    The real solution is to reset the state table: Diagnostics > States > Reset States > Reset "when the dust settles", which will remove all these types of issues. This does not normally happen on start up, so the filtering rule hack accomplishes the task by not allowing these very few traffic types from creating states that allow them to continue.

    Thanks for the hint and the small lesson on firewall operation.
    I consider this issue resolved. It was my error due to ignorance.

  • OpenVpn Routing

    5
    0 Votes
    5 Posts
    565 Views
    JKnott

    @a527408965

    Yes, though, as I mentioned, it might cause problems with Windows. The original thought behind a /30 was you needed 2 addresses for the end points and 1 each for broadcast and network, but neither of the latter is needed for a point to point link.

  • Openvpn cannot access LAN but can route to WAN.

    3
    0 Votes
    3 Posts
    383 Views
    L

    @viragomann
    Thank you for replying to this post. Yes, I can access WAN just fine through the OpenVPN. It's just the local network that I'm having a problem with. I wasn't able to find any hop with overlapping private address with traceroute. Also my public IP on my mobile LTE network is IPv6 only. Could this be a problem?

    And yes I have selective routing setup as described in the nguvu guide. Any traffic not directed to LAN networks would route via VPN gateway and all the traffic directed to LAN network would route via default gateway and looks like that's not happening.

    Thanks,

  • OpenVPN tap - endpoint issue

    2
    0 Votes
    2 Posts
    217 Views
    M

    Finally I found the issue, it was the promiscuous mode which was disabled on the OVH network interface of the site A.

  • Config file

    9
    0 Votes
    9 Posts
    571 Views
    I

    @Gertjan Yes, it works! Thanks again!!

  • Getting UDP broadcast over site2site OpenVPN possible?

    4
    0 Votes
    4 Posts
    593 Views
    J

    I am testing udp-proxy-2020 at the moment, but it seems that it doesn't work with site2site OpenVPN. It works locally between LANs, but when testing with the OpenVPN-interface it says it doesn't detect any clients. Probably works with a "road warrior" setup (according to the documentation), but need it to work with site2site.

    Has anyone tested udp-proxy-2020 and managed to make it work over site2site OpenVPN?

  • cisco anyconnect connection issue with openvpn client connection

    9
    0 Votes
    9 Posts
    1k Views
    johnpoz

    What is the point of running an encrypted tunnel through another encrypted tunnel - if you don't care about hiding the source IP from the destination IP?

    Not like your ISP can see what you're sending down the VPN..

    You're shooting yourself in the foot for why??

  • Can't make PIA work on pfSense (been trying all month!)

    1
    0 Votes
    1 Posts
    284 Views
    No one has replied
  • Maximum option line length (256) exceeded

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • download (355kbps) vs upload speeds (100+ mbps)

    1
    0 Votes
    1 Posts
    182 Views
    No one has replied
  • Best method to update pfSense OpenVPN Clients

    7
    0 Votes
    7 Posts
    2k Views
    johnpoz

    @jimp said in Best method to update pfSense OpenVPN Clients:

    that's up to the remote client system administrator, not the firewall.

    Could not agree more! What software, and upgrades to said software of users' systems would and should be managed by that system.. If you're trying to pull that info from your firewall - you're doing it wrong ;)

    How are you making sure their antivirus is up to date? What about their OS and patches? Software xyz they use to do their jobs, etc. Same system you use to manage that would also be used to manage their VPN client software.

    If you're a small shop, maybe you're the only IT guy - I would look how to best monitor your remote devices' software and settings, and then leverage that to manage the version of VPN software on the box. Are you a MS shop? If so this is very common

    https://en.wikipedia.org/wiki/Microsoft_System_Center_Configuration_Manager

  • OpenVPN ActiveDirectory and Windows certificates

    1
    0 Votes
    1 Posts
    158 Views
    No one has replied
  • OpenVPN Configuration

    8
    0 Votes
    8 Posts
    690 Views
    Rico

    Packet capture the pfSense WAN Interface to check if the OpenVPN traffic even hit pfSense or not.
    Your problem could be completely upstream (ISP related), you should check this first.

    -Rico

  • OpenVPN Client Cascade

    Moved
    48
    0 Votes
    48 Posts
    6k Views
    J

    B Configuration for an automatic cascade start.

    Original configuration can be found here:

    https://github.com/ddowse/pf-tunnelactive

    1 Interface Configuration (OpenVPN Client)

    Select "any" as interface in the OpenVPN client. Only at the last hop "wan" interface remains. Activate "Don't add/remove routes" everywhere except in the OpenVPN client that goes online. Add the following line to "Custom options" and change the IP for "NEXT_VPNSERVER_IP":

    route-up "/root/pf-tunnelactive/addroute.sh NEXT_VPNSERVER_IP"

    Example configuration:
    VPN1:

    "Don't add/remove routes" Custom options: route-up command not necessary

    VPN2:

    "Don't add/remove routes" Custom options: route-up "/root/pf-tunnelactive/addroute.sh 85.17.28.145"

    VPN3:

    "Don't add/remove routes" Custom options: route-up "/root/pf-tunnelactive/addroute.sh 82.199.134.162"


    Make sure that first all OpenVPN clients are running correctly (Status/OpenVPN).

    Please note that Firewall Rules are strictly optional but of course NAT Rules are mandatory.

    2 Firewall Floating Rules

    Create a rule in “Firewall/Rules/Floating“
    o Action: Block
    o Interface: WAN
    o Address Family: IPv4
    o Protocol: Any
    o Source: LAN net (For example: Local Network)


    3 Firewall LAN Rules

    Important: Gateway configuration for LAN rules not necessary!


    4 NAT configuration (Firewall/NAT/Outbound)

    Create a rule for each OpenVPN interface. Last 2 rules are also important


    5 Script configuration

    Follow the steps under "Installation" and "Usage":
    https://github.com/ddowse/pf-tunnelactive

    All other steps like restarting OpenVPN clients and monitoring are done by the script.

    6 Optional: Shellcmd Package

    If the script works, you can add this command to Shellscript Package:

    nohup php /root/pf-tunnelactive/tunnelactive.php 10 3 >> /var/log/tunnelactive.log &

    After that the script will be loaded on every restart.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.