https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html

-Rico

Thank you, johnpoz. I screwed up with the OpenVPN IP address. I will replace the Untangle router with the pfsense SG-3100.

Thanks for your help.

I always use AES-256-GCM.
You don‘t need to export Certs again, but the client Config need to match the cipher.

-Rico

@arndtw said in Connect Snom Phone with openVPN:

Openvpn Log shows TLS Error: TLS key negotiation failed to occur within 60 seconds

Mostly when you get this, the client can't basically access the server on the given port and protocol.

So ensure that the clients packets are arriving on the servers public side interface.
You can use Diagnostic > Packet capture for investigation.

Also that's on OpenVPNs roadmap:

We are moving to MSI installers in OpenVPN 2.5, but OpenVPN 2.4.x will remain NSIS-only.
https://openvpn.net/community-downloads/

Also I'd handle rollout of OpenVPN client on clients separate from client configuration, at it's easier to automate the client config and so no one needs nested-exe-installations to install the client and config afterwards. Client config IMHO can be automated pretty good and you can more easily roll out newer versions/updates of OVPN client that way, too.

I'd use the official documentation, there is a lot of really good stuff around for Remote Access VPNs.
https://docs.netgate.com/pfsense/en/latest/book/openvpn/using-the-openvpn-server-wizard-for-remote-access.html
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/openvpn-remote-access-server.html
https://www.netgate.com/resources/videos/remote-access-vpns-on-pfsense.html
https://www.netgate.com/resources/videos/remote-access-vpns-on-pfsense-part-2.html

-Rico

@JeGr Thanks. I have a user access vpn on the "server" side now and was thinking of putting the same on the "client" side as well for traveling didn't have to connect to A to get to B. I will be traveling to the other site tomorrow to finish the setup. Thanks all for the info

@yanafig

You welcome 👍

@Strive2Learn said in OpenVPN Credentials Manual Console Input During PFSense Bootup?:

creating a rule for Amazon to not go through the VPN!

GLWT

@JeGr Thanks a lot! I'll be trying.

Just try to do it as written here:

https://medium.com/@gmanual/pfsense-mikrotik-openvpn-site-to-site-b001c105843c

OSPF advertises remote network because you redistribute pfSense Kernel Routes. right?

if yes try:
option1 : uncheck pfSense Kernel Routes to stop redistributing it.

Correct, when this is unchecked, OSPF does not learn about the route. It will work when pfsense1 is up and its link works because it is the default gateway. Once it loses its connection, it no longer works because the remote site traffic arrives on pfsense2 over the VPN but tries to return via pfsense1 (the default route).

then OSPF in your local network will know about the next hob only which is pfSense 1 or 2 and nothing after them. once the traffic reach one of them it will follow openvpn routes.

This is exactly the issue. Somehow, I need the local network to learn that pfsense2 is now the gateway for the remote site VPN traffic.

still looking how to stop adding route when openvpn is down

This would be great as it would mean everything would work.

Look at the OpenVPN logs they will tell you why it was failing to start.

resolved by adding the remote client subnets to the remote lan list on each end of the site to site config.

Push all LANs to the remote access client by adding them all to the "Local networks" in the access server settings.
Additionally you have to add the remote access tunnel network 10.111.0.0/24 to each remote server by adding it to the "Remote Networks".

Got it!

NAT was the key, vs modifying rules manually. I have now deleted the extra interface and all firewall rules and all is good. The .10 network no longer exists, I changed up the scheme (mentioned that above but probably wasn't clear). Thanks!