• OpenVPN with OPP, resets after 1 hour

    5
    0 Votes
    5 Posts
    2k Views
    GertjanG

    @ValP said in OpenVPN with OPP, resets after 1 hour:

    users list is in RADIUS. any user without OTP

    and I'm using login with certs. And Client override wasn't doing what I expected either.
    What did work was this:

    [screenshot]

    Adding "reneg-sec 3600" in "Additional configuration options" on the Client export page, and saving it as a default.

    Then the exported ovpn files will contain

    ... reneg-sec 3600

    Keep in mind: maybe you're searching in the wrong direction.
    A DHCP lease used locally, or upstream, or on the other side, times out, the related IP on that interface gets renewed, processes get restarted (VPN client, server?), and the connection is rebuilt.
    You should crank up, and inspect, the VPN log details on both sides and check for details.

  • OpenVPN remote Access server w/ external PKI

    1
    0 Votes
    1 Posts
    246 Views
    No one has replied
  • openvpn to f/w from LAN not working as of 2.4.5

    1
    0 Votes
    1 Posts
    117 Views
    No one has replied
  • OpenVPN remove client

    20
    0 Votes
    20 Posts
    5k Views
    bingo600B

    @viragomann said in OpenVPN remove client:

    @bingo600 said in OpenVPN remove client:

    Would that not prevent the user from logging in again?

    Sure, it does, when the server is in a "User auth" mode.

    You can also revoke a user cert temporarily. After removing from the CRL it is accepted again by the server.

    Also consider, when "Strict User-CN Matching" in the server settings is not checked, it will be possible for a user to use another one's cert for authentication.

    I'm using this (SSL/TLS + User auth)
    [screenshot]

    And have
    [screenshot]

    Thanx for the confirmation

    /Bingo

  • Cannot get DNS to work Through OpenVPN

    3
    0 Votes
    3 Posts
    400 Views
    bingo600B

    I have had the same issue, I think.
    My Roadwarriors couldn't use the OVPN interface for DNS lookup.

    I cheated and gave my pihole as DNS instead.

    But I have a feeling it might be something with Unbound and access lists (for the RoadWarrior client networks).

    I'll be following this one

    /Bingo

  • Feature request : OpenVPN auto-connect if lost

    2
    0 Votes
    2 Posts
    290 Views
    bingo600B

    I have several OVPN Lan2Lan tunnels, and I never experience that the client does not keep trying to connect to the server.

    I do have the package service_watchdog installed on both pfSenses, and have added all openvpn instances to the service watchdog.

    [screenshot]

    I occasionally see service watchdog starting unbound or ntopng.
    Can't remember if I have seen it start an openvpn instance.

    If you're talking about a RoadWarrior (dialin) OpenVPN client:
    I have not used a connection long enough to see it fail a connection.

    But I suppose you mean a L2L/S2S connection.

    Edit:
    What I often see is that the "Dashboard" indicates the OpenVPN tunnel isn't up (red down arrow), but that is some kind of "status mismatch", because I can mostly connect to the remote site, even if the status says otherwise.

    It would be nice to get the "status arrows" fixed, so they reflect connectivity, instead of "whatever they use now".

    The same mismatch occurs on the Status -> OpenVPN page.

    /Bingo

  • £ sign on user password not authenticate via PFSENSE

    3
    0 Votes
    3 Posts
    303 Views
    P

    Yes. I have used $ instead of £ and it works. Some copiers we have don't like the £ sign in the password. Something to do with £.

    Thanks for your clarification & much appreciated.

    I will remove £ from keyboards. :) :) :) :)

  • Howto Circumvent Double NAT

    12
    0 Votes
    12 Posts
    1k Views
    TheMetManT

    @johnpoz OK, I will put my problem to them and see what they say.
    Regards

  • 0 Votes
    7 Posts
    2k Views
    RicoR

    You need to have the same CA as Issuer for the Server and Client Cert.

    -Rico

  • "Cafe" VPN? For lack of a better name

    10
    0 Votes
    10 Posts
    911 Views
    P

    Try this guide. It might be easier when new to vpn server stuff. Configure OpenVPN for pfSense 2.4

    The Netgate guide is more comprehensive, but sometimes overwhelming for newbies.

  • OpenVPN Server should listen to IPv4 & IPv6

    3
    0 Votes
    3 Posts
    484 Views
    A

    Wow, this "feature wish" was opened 5 (five) years ago. I would call it bug fix. So sad that dual stack is not understood as default for any node.

    Thanks kiokoman for the link.

  • Multicast over Openvpn

    1
    0 Votes
    1 Posts
    487 Views
    No one has replied
  • OpenVPN Issues

    Moved
    3
    0 Votes
    3 Posts
    416 Views
    M

    Thanks! Cheers!

  • OpenVPN cannot access remote network

    4
    0 Votes
    4 Posts
    701 Views
    V

    @jasmantle
    So you will either need static routes for the OpenVPN network on the LAN devices pointing to the OpenVPN server to direct response packets back, or do a workaround with masquerading on pfSense.

    However, the masquerading (S-NAT) solution can only be recommended if the VPN is for your own purposes, but not for multiple users. You won't be able to determine the real user on the destination device.

  • 0 Votes
    7 Posts
    2k Views
    bingo600B

    Just tried on two test firewalls.

    Hint: Apply on client first, then on server.

    1:
    I applied the fix on the client, then the server; the client disconnected, then reconnected and came up.

    2:
    I applied the fix on the server, then the client disconnected and was "lost".
    I saw these on the server:

    Oct 14 08:43:01 openvpn 10921 FRAG_IN error flags=0xfb00001d: bad fragment size
    Oct 14 08:43:00 openvpn 10921 FRAG_IN error flags=0xfb00001d: bad fragment size

    Came up after I did a HTTPS to Outside, and applied the client fix.

    I'd recommend having HTTPS access to the "Outside ip" (NON VPN based), just in case ...
    Or you prob could remove the server fix, and do it in reverse order.

    /Bingo

  • IpSec to Openvpn

    2
    0 Votes
    2 Posts
    330 Views
    JKnottJ

    @Sergio-Procopio

    From Google Translate:

    *Good afternoon everyone,

    I am in need of help where I have an IPSEC situation with OpenVpn.

    I have two company customers that use IpSec VPN.
    With this pandemic, our consultants are unable to access the network of these two clients via OpenVpn.
    I have tried to ask customers to allow my 10.10.10.0/24 network in their rules to be accessed remotely.

    Can anybody help me?*

    If those customers are using IPSec and the consultants OpenVPN, they'll never be able to connect. You need the same VPN type at both ends. It has nothing to do with the network address. Once you connect, using one VPN or the other, it's just a matter of routing and rules. The only caution is that you don't use the same network address at both ends.

    If those customers are using IPSec and the consultants OpenVPN, they'll never be able to connect. You need the same VPN type at both ends. It has nothing to do with the network address. Once you connect, using one VPN or the other, it's just a matter of routing and rules. The only caution is that you don't use the same network address at both ends.

  • Pfsense only OpenVPN Server with only single interface WAN

    30
    0 Votes
    30 Posts
    13k Views
    N

    server1.conf.txt Even though this post is 2 years old, I thought I should reply to it as it is still relevant today and helped me fix the same problem I had in 2020.

    Like the original post, I too couldn't access any local network resources while my pfSense is set up in a local XCP-ng VM using only one WAN port. I was able to access the internet and the local pfSense IP but couldn't ping any other LAN IP/resources. Oddly, the local Xen Orchestra website loaded without any images, only the login page with just text, but I couldn't access all the other local resources: NAS, Plex server, local servers, etc.

    Thanks to viragomann's advice on setting up the Firewall NAT Outbound rule, everything works. I was able to access all LAN resources from my work!!

    My router IP is 192.168.2.1 so I set up the NAT Outbound rule as follows:
    Interface: WAN
    Source: Any
    Destination: Network 192.168.2.0/24
    [screenshot]

    I haven't set up the Dynamic DNS through pfSense as it was set up through my home router.

    ALSO, DON'T FORGET TO SET UP PORT FORWARDING to port 1194 through the home router, otherwise, you won't be able to access the VPN server.

    I followed this instruction to set up the VM:
    https://xcp-ng.org/blog/2019/08/20/how-to-install-pfsense-in-a-vm/

    I followed this video to set up pfSense on local XCP-ng VM:
    https://www.youtube.com/watch?v=fsdm5uc_LsU

    I followed these videos to set up the OpenVPN on pfSense:
    https://www.youtube.com/watch?v=dBOQnApxzzQ
    https://www.youtube.com/watch?v=PgielyUFGeQ


  • Open VPN problem

    3
    0 Votes
    3 Posts
    464 Views
    R

    You were right, an entry on the routing table was off for some reason. After deleting the ovpn client, user and custom client configs and re-doing them all, it worked fine. Thanks.

  • OpenVPN connection failure ---TLS error TLS handshake failed

    12
    0 Votes
    12 Posts
    15k Views
    P

    Eureka, I found it.
    Thanks viragoman, you pushed me in the right direction.

    Now the vpn icon becomes green and I received an IP in the range of 10.0.x.y on my pc.

    What was wrong?

    The "modem" of my ISP is more an AP (with dhcp functionality) than a real modem. It has 1 wan port and 4 lan ports.
    If you want to connect your own router behind it, then the ISP router has to be configured with a "passthrough" function.
    The ip address from the wan side will be pushed to a lan port on which my own pfsense router is connected.
    So the wan port of pfsense would receive the external isp ip.
    In my case I saw that my wan ip address was in the range of the dhcp range of the ISP router instead of the external ip.
    I put the mac address of my wan port in the configuration .... and it was solved.

    Thanks a lot

    Now I just still have to do the test with the iphone and ipad.

  • Site-to-site between pfsense(server) and dd-wrt

    4
    0 Votes
    4 Posts
    563 Views
    V

    @marcor
    Huh!

    @marcor said in Site-to-site between pfsense(server) and dd-wrt:

    LAN_B:
    Network 192.168.8.0/22

    @marcor said in Site-to-site between pfsense(server) and dd-wrt:

    GATEWAY_B (dd-wrt)
    $ route
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.8.0 * 255.255.248.0 U 0 0 0 br0

    This doesn't match the LAN network mask you stated above.

    @marcor said in Site-to-site between pfsense(server) and dd-wrt:

    LAN_B cannot communicate with Gateway_B

    Really???

    @marcor said in Site-to-site between pfsense(server) and dd-wrt:

    with openVpn client 192.168.129.2/24

    Since it is a site-to-site (2 hosts), why set a /24 mask? Better to use a /30 network.

    @marcor said in Site-to-site between pfsense(server) and dd-wrt:

    ---- OpenVPN CONFIG ----
    On pfsense, I've configured these overrides:

    SERVER commands:

    push "route 192.168.32.0 255.255.252.0 192.168.129.1"; route 192.168.8.0 255.255.255.252 192.168.129.2

    CLIENT override commands (for LAN_B)

    push "route 192.168.32.0 255.255.252.0 192.168.129.1";iroute 192.168.8.0 255.255.252.0;

    Same case, since it is an S2S, there is no need for pushing routes.
    On pfSense just enter the remote LAN into the "Remote Networks" box. That's all you need, and don't use Advanced options for that!

    On the client just use the route option to add the route for the remote network.

    Additional question: is the DDWRT the default gateway in LAN B?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.