@ramses-sevilla said in Upstream very low compared with downstream traffic with OpenVPN Client.:

Can you tell me where is the text OpenVPN Server config file in pfSense?

The info you entered on the GUI config is used to create this OpenVPN server config file(s).
So, you know what's in it ;) Bcause you entered that info - or accepted default values.

Look here :

/var/etc/openvpn/

You'll find serverx.* files where x is the OpenVPN server number, typically 1.

tried this?

push "dhcp-option PROXY_AUTO_CONFIG_URL http://www.openvpn.net/proxy.pac"

info on how to setup the wpad/pac stuff
https://docs.netgate.com/pfsense/en/latest/recipes/http-client-proxy-wpad.html?highlight=wpad

Thank you very much! Your solution fixed my problem! I missed to add the tunnel network to the remote networks on site B.

Dear @dotdash
That's typically what I did when faced the problem.

@Orwi said in PFsense as OpenVPN Client - Networks can't be reached:

A Site-To-Site OpenVPN connection
IPv4 Tunnel Network: 192.168.250.0/24
Concurrent connections: 1

If it is a site to site vpn and only 1 connection is allowed, why using a /24 tunnel. Set it to /30.

Advanced configuration
tun-mtu 1500
mssfix 1500

Be careful with these settings.

@Orwi said in PFsense as OpenVPN Client - Networks can't be reached:

except my forwarded packages enters as expected and reach the destination BUT leaves via WAN instead of VPN**.

** which is also a gateway for policy based routing for other clients. Could this be a/the problem?

No.

So you have already assigned interfaces to the OpenVPN instances?

Ensure to add a firewall rule allowing the desired access to that interface on the incoming site and that this rule is applied.
There must not be a rule on the OpenVPN or on floating tab which matches to that traffic!

If you're unsure which rule is applied enable logging and check the logs after testing.

@Orwi said in PFsense as OpenVPN Client - Networks can't be reached:

Also the documentation is flawed: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html
It may be a minor mistake, still IPv4 Remote Network is addressed twice.

??

The service names here are just for info based on the standard ports.
If you need to allow a non-standard port, just select "other" and enter the desired port next to the drop-town.

@kiokoman said in Problem connecting pfsense 2.5 to OpenVPN AS Server:

more log output is needed
I can post log from pfsense - which loglevel is needed?
udp or tcp
udp
key-direction
pfsense is client = key direction 1 and openvpn as is server = direction 0
wrong cipher
not that I know - used cipher AES-256-CBC
wrong ca/cert
no, tripple checked and the .ovpn file where ca, cert and key was taken from working fine with my vpn client

regards Robert

OMG I've found it.

For testing purpose, the "WAN" interface on which the OpenVPN client connects to was in a LAN subnet. And this very specific LAN subnet was also included on the subnets I was trying to tunnel...

That issue was driving me crazy and the solution was right in front of me 😅

Thanks anyway for your quick replies !

@Rico I think I got it thanks for all the help!

Check the OpenVPN as a WAN hangout (official Netgate documentation): https://www.youtube.com/watch?v=lp3mtR4j3Lw

-Rico

@johnpoz Thank you for pointing me in the right direction - "To me pfsense WAN saw traffic to 192.168.0.255 on port 1194... Why that would be??"

That was the catalyst, when I checked the 1:1 mapping there was a reference there which said WAN so I'd mistakenly transposed that for the new default WAN IP address - when it should have been the 'new' external IP for the Unifi Video - once I'd checked back over the 'old' addresses I could see that the wrong external WAN IP address was being used and so OpenVPN requests were being 1:1 translated to that LAN. Once this was corrected the OpenVPN connections are now working fine.

Thanks very much for your help.

Problem you run into is how will site B box Y know you moved 192.168.18.X to the other site, if Y wants to talk to X.. He will think its local, and never send to its gateway.

And as you move X over to A, how will X know that box Y is still over at site B..

Easier solution would be to use a different network say 192.168.19 or 172.16.18 as you migration network.. So you move 192.168.18.X to site A and change its IP to 172.16.18.X.. Changing any dns you need to at each site to reflect the fqdn new IP on the new site.

Once you have everything moved over - you can change the 172.16.18 back to your 192.168.18 network.. And change all your dns to reflecting the correct address.

I spent hours digging into the ldaps connection issues I had through the GUI on pfsense. I used openssl s_client in the shell to determine where the issue was with the verification of the CA.

openssl s_client -CAfile /etc/ssl/file.pem hostnamehere:636

Anytime I specified the CA file location openssl returned no errors... so I was perplexed why it wasn't working in the GUI. I eventually ran across this post and I am very grateful:

https://forum.netgate.com/topic/145578/ldaps-ad-bind/21

Essentially after changing the LDAP authentication server to LDAPS on port 636 you MUST restart php-fpm. I did this by running option 16 in the console.

I am currently on 2.4.5

I hope this post helps someone else if they find themselves in this situation.

@MBTPf said in Service stops randomly:

OpenVPN service will randomly stop

Hi,

Is the OpenVPN service shutting down? (although I have never experienced this before)
-or you lose the connection, say in the client

For the first case, may be a solution the "service watchdog"

with the loss of the connection, - f.e. this:

OpenVPN client "Custom options":
;auth-retry nointeract