• VPN Client cannot access some IP addresses

    14
    0 Votes
    14 Posts
    2k Views
    johnpoz

    Yeah.. That would do it! Glad you got it sorted.

  • OpenVPN multihop custom configuration guidance request.

    1
    0 Votes
    1 Posts
    203 Views
    No one has replied
  • FSecure Freedome VPN and pfsense?

    2
    0 Votes
    2 Posts
    329 Views
    buggz

    Do all VPNs bypass the pfsense DNS Resolver?
    The setup for Nord VPN seems so...

  • VPN can't connect after fresh install

    14
    0 Votes
    14 Posts
    1k Views
    johnpoz

    @anwoke8204 said in VPN can't connect after fresh install:

    packet capture came back empty

    Well then how would you connect!

    If pfsense does not see the traffic!! Means you have something in front of pfsense that is blocking 1194 UDP if you did not see any traffic on pfsense WAN.

  • LAN computers cannot access remote network nodes

    3
    0 Votes
    3 Posts
    269 Views
    P

    Hi,
    Sorry I forgot indeed. Here's what I have on the server:

    proto udp6
    port 1194
    dev tunudp1194
    keepalive 10 60
    persist-key
    persist-tun
    topology subnet
    verb 3
    # CERTS
    duplicate-cn
    key /etc/openvpn/easy-rsa/keys/myvpn.key
    cert /etc/openvpn/easy-rsa/keys/myvpn.crt
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem
    # hardening
    remote-cert-tls client
    tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
    crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
    tls-version-min 1.2
    cipher AES-256-CBC
    auth SHA256
    reneg-sec 60
    server 10.x.y.z 255.255.255.0

    For now I'm using an image generated by scaleway: https://github.com/scaleway-community/scaleway-openvpn.
    The idea is to run OpenVPN in Remote Access since I don't want the remote site to connect back to the pfSense box.

  • OpenVPN TCP in 2.4.5-p1 not working

    29
    1 Votes
    29 Posts
    5k Views
    D

    I guess finding a bug is sometimes a good thing. I was using TCP for years. After switching to UDP, it does indeed seem faster. I wonder if this isn't as uncommon as you might think. I'm pretty sure that I followed a tutorial years back and the protocol was 'TCP'. I would also like to suggest that if someone tries switching from TCP to UDP, don't forget to also change your firewall rule protocol as well! It's easy to overlook when you are trying to figure things out in a hurry.

  • Openvpn tunnel client shows wrong address

    1
    0 Votes
    1 Posts
    243 Views
    No one has replied
  • OpenVPN relying on WAN1 when it should rely only on WAN2

    31
    0 Votes
    31 Posts
    2k Views
    A

    @Netgate-Steve can you take a look at this and tell me if it warrants a bug report, please.

  • OpenVPN peer-2-peer SSL/TLS not working

    12
    0 Votes
    12 Posts
    925 Views
    B

    @viragomann So I basically need only client override settings for this right?
    If I'm doing this with unknown clients that only identify by cert (CN) (SSL/TLS) I just need P2P mode and Client Override Setting pointing to each remote network so that server knows where to route (iRoute)?
    So... I don't need any static routes anywhere right, since only GW I can create is interface of server itself (10.10.250.1)? If I use persistent routes on windows machine, it ignores anything I write there and just goes by default route every time.

    I know this setting is confusing, but also this FW is set up so WAN is on a different public IP (different network subnet) and LAN is also a public IP which is routed through FW (it's not NAT). On the switch I have a route that is pointing to that LAN network through the WAN interface. Maybe that's creating issues... I'm very unsure...

  • 0 Votes
    1 Posts
    431 Views
    No one has replied
  • OpenVPN TLS error.

    4
    0 Votes
    4 Posts
    771 Views
    yon 0

    maybe should upgrade openssl to 1.1.1+

  • PFSense OpenVPN on Proxmox issue

    2
    0 Votes
    2 Posts
    381 Views
    R

    nobody ever experienced this issue?

  • View source country

    2
    0 Votes
    2 Posts
    297 Views
    NogBadTheBad

    Syslog and feed it into Splunk or Elastic Search.

    https://docs.splunk.com/Documentation/Splunk/8.0.5/Viz/IplocationChoropleth

    https://www.elastic.co/blog/geoip-in-the-elastic-stack

    Never done it, but if I was I'd use one of the two above.

  • Bypass OpenVPN Gateway(s) when using pfSense Shell

    1
    0 Votes
    1 Posts
    129 Views
    No one has replied
  • Host Lan cannot communicate back to Client Lan

    1
    0 Votes
    1 Posts
    123 Views
    No one has replied
  • 0 Votes
    6 Posts
    557 Views
    Gertjan

    Your server firewall looks fine.
    Use the VPN Export package (install it on the server) and create a VPN user, if you don't already have one.
    Export the user, and install it on a PC/Mac/Phone device, and connect that way.
    When you have this 'road warrior' setup working, proceed to the next step: treat your Client (home) pfSense as a VPN client, using the VPN client.

    Btw: for the home pfSense, that needs to become a VPN client, no need for a '1194' firewall rule on WAN. The client isn't 'listening' on port 1194, WAN. It initiates a connection to your server, port 1194.

    Also: as soon as the Client VPN is up, it's pretty useless.
    You'll have to visit the Interfaces > Interface Assignments menu, Add an interface (an interface called ovpncx (Your VPN name) will be available). This one has to be added.
    See more info here.

  • Will packet loss cause OpenVPN SIGTERM?

    2
    0 Votes
    2 Posts
    397 Views
    S

    From my testing it appears OpenVPN is not at all tolerant of packet loss and will restart the tunnel every time during it. I switched to IPsec and it maintains its connection through brief packet loss without any problems.

  • Limit specific openvpn users access to one IP ?

    2
    0 Votes
    2 Posts
    242 Views
    V

    @oldlock
    Not directly by user basis, but you can set up a client specific override to assign specific IP addresses to these users. Then you can control the users' access by firewall rules.
    https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configuring-a-single-multi-purpose-openvpn-instance.html#openvpn-client-specific-overrides

  • How do I curl through an OpenVPN interface from a script.

    21
    0 Votes
    21 Posts
    9k Views
    T

    I have been having this EXACT same problem for the past year. I haven't been able to figure out why the pfsense machine won't curl out the interface using the VPN.

    I suspect this is an NAT Outbound issue... but nothing I do there has fixed it so far. I have manual rules setup for my Outbound NAT.

    This whole issue prevents my script running on pfsense using curl to utilize my VPN. It's very annoying. For a while I simply used the pull routes option from the VPN and then my script worked but everything then went out the VPN from my shell that wasn't specifically setup otherwise. I had DNS going out the VPN so much though that I eventually reverted and decided to stick with the more secure crippled version.

  • pfsense OpenVPN client behind firewall (2 firewalls)

    2
    0 Votes
    2 Posts
    349 Views
    A

    I put something into Visio to help explain
    openvpn-client-pfsense.png

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.