Perfect, thanks :-)

Thanks for the link, will be looking to try the phone thing as the remote site is several hundred miles away. I did solve the first issue. Seems the ISP can (and did) turn off bridge mode on my modem, without telling me of course. I have a couple of good vids on the setup and can vpn in with tablet if I need to change things remotely. So I am fairly confident I should be able to set the site2site now that I can actually connect to my box. If cables are not too expensive I might test before my next trip.

You are better off making a fresh set with unique subjects. Trying to use them when they overlap in that way is going to lead to nothing but confusion down the road.

@Rico

f*';= /me toooo slow ;)
thx ;)

Well, I haven't made any changes since I made the original post, however it all seems to be working quite well now. Perhaps something needed to propagate out or clear out of memory or something, but I don't see how since I restarted both machines and manually cleared the state tables multiple times before making that post. Since I doubt that I will be able to find the source of an issue that is currently absent I will simply make a note of what I have found in answer to the latest questions in the hopes that it might help someone in the future. I will keep an eye out for any suggestions that people make for future reference and come back with an update if things stop working again.

Yes, all the states triggering on the LAN interface seem to be going to the WAN at least for now.

The rules for the Rokus and the media PC do allow all ports including udp.

I have not seem any traffic from any of these 3 devices going out to the VPN.

I do not have any static routes set up for anything, however every LANside device on the network does have a static IP address if you think that might be a factor. (This is a home network, so only 25 devices currently connected) I have IPs 192.168.10.100-250 for transients like guest cellphones to be assigned as needed through DHCP.

If the problems return I will try disabling other LAN rules as my next troubleshooting step, but I don't think it would be a productive diagnostic step while everything seems to be working.

One last piece of information that might be useful for others who come across this: The last thing I did before making the original post (and so the most likely factor in things starting to work if it was in fact just something that needed time to propagate) was to switch the outbound NAT mode from manual to hybrid. It does not appear that PfSense made any changes when I did that, but perhaps I missed something there.

Anyway, thanks for the help. Fingers crossed that it is actually fixed and not just temporarily working.

This is the result uploading data from my pfSense to the other:

Bild Text

The other direction (downloading from the other pfSense) the speed is fine. So it's just that one direction. But why?

You should see something in the logs why it's not starting.

-Rico

Did you walk through the troubleshooting guide?
https://docs.netgate.com/pfsense/en/latest/book/openvpn/troubleshooting-openvpn.html

-Rico

i think its a probleme of that use his internal ip . but i dont have an idea how to fix it

I was able to solve it ... it was a problem with the Public IP. Greetings and thanks for the answers.

@bjk002 said in OpenVPN routing issue with LAN:

tun mode.

Under OpenVPN, Client Export Utility, Advanced, Additional Configuration Options, add a line as such:

push "route 192.168.10.0 255.255.255.0"

,where 192.168.10.0 is the network you want to allow clients access..

Apologies if I used improper terminology but this was actually LAN hosts that were routed through the OpenVPN Client tunnel could not connect to other devices on the VLAN/LAN. My solution is posted above :)

Hi,

You tried option 12 ?
You'll be dealing with some sort of PHP shell scripting.
See the GUI (source) how CA's and certs are generated, and then use these PHP functions to do it 'manually'.

It's just an idea.

Plan B : use the usual "openssl" commands as usual, and then just use PHP (see option 12) examples how to stiore them into the config.xml file so they waill be aviable to the GUI => show up over there and can get sued elsewhere in the GUI).

@viragomann and @JKnott , thanks for the repply, but I already solved the issue. The problem was wrong firewall rules in the other side of the ipsec tunel.

@Gertjan I am running OpenSSL on my Windows development machine, not using the version on pfSense. I set up my CA long before I owned a NetGate box. I have OpenSSL 1.1.1g 21 Apr 2020, though I've been running my private CA since OpenSSL 1.01. Lots of fixes since 1.0.2.

I am using my Root CA cert to sign an Intermediate CA Cert. It is the Intermediate CA Cert that signed the pfSense cert/key. Attributes from my pfSense cert:

Version V3
Signature algorithm SHA512 RSA
Issuer : (me - I don't think you need these details... but if you do let me know)
Valid from:‎ Saturday, ‎June ‎6, ‎2020 5:21:31 PM
Valid to: ‎Sunday, ‎August ‎20, ‎2023 5:21:31 PM
Subject: E = (obscured), CN = (the DNS name of my pfSense), O = (me), S = WA, C = US
Public key: RSA (2048 bits)
Subject & Authority Key identifier: (let me know if you need these)
Public key params: 05 00
Basic Constraints:Subject Type=End Entity, Path Length Constraint=None
CRL Distribution Points: lists 1 URL on my website
EKU: Server Authentication (1.3.6.1.5.5.7.3.1), IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
Netscape Comment: OpenSSL Generated Server Certificate
Netscape Cert Type: SSL Server Authentication (40)
Subject Alternative Name: (my external DNS for VPN), (repeat of CN from subject), and 2 IP addresses for the Netgate on my internal network
Key Usage: Digital Signature, Key Encipherment, Key Agreement (a8)
Thumbprint: (not clear you need this)

That should be all you need to try to duplicate. Start with a CA key and a self-signed Cert. Then use that to sign an Intermediate cert (these are what I called CA #2 in my post). Then create a key/cert and sign it with the above attributes.

Before installing on pfSense, use the GUI to generate a self-signed CA pair (CA #1 in my post).. Then create a VPN key and sign with the pfSense CA pair. Use this signed cert + key for VPN. Export client, and the router Cert should contain the CA#1 cert.

Next install the CA #2 onto pfSense. I did that as a chained certificate as per pfSense docs (see: link text). Here is the relevant text from that doc page:

Importing a Chained or Nested Certificate Authority
If the CA has been signed by an intermediary and not directly by a root CA, it may be necessary to import both the root and the intermediate CA together in one entry, such as:

-----BEGIN CERTIFICATE----- [Subordinate/Intermediate CA certificate text] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [Root CA certificate text] -----END CERTIFICATE-----

If you would like to save yourself the trouble of creating a CA, post a CSR in PEM format as:

-----BEGIN CERTIFICATE REQUEST----- ... encoded data here ... -----END CERTIFICATE REQUEST-----

... and I'll sign the key, valid for 30 days, for you to test with.

Let me know if you need anymore information to try to repro.

And why didn't you put all the suggestions into practice or ask how to do before? You're going to waste our time here, dude!

Don't know what's difficult here?
Add the access servers tunnel network to the "Remote Networks".

As you stated, the access servers tunnel network: 10.0.3.0/24

So the networks given as you stated above:
@yashiharu said in How to connect to one of the VPN site then access to its other VPN sites?:

mainSiteA: 192.168.1.0/24 (3 OpenVPN server)
SiteB: 192.168.0.0/24 (1 OVPN client)
SiteC: 192.168.2.0/24 (1 OVPN client)

on site B the "IPv4 Remote Networks" box should contain

192.168.1.0/24,192.168.2.0/24,10.0.3.0/24

on site C the "IPv4 Remote Networks" box should contain

192.168.1.0/24,192.168.0.0/24,10.0.3.0/24

That's the magic.

I was mistaken on the log, I assigned a static ip adress through DHCP server but I must have made a mistake. I have now set up the correct ip adress for my phone and it's now connecting through vpn. Thanks a lot for your help!

yes using the same pfsense as a client peer to peer shared key with tls
you told me what needs to be created but i am lost, is there a tutorial on how to do what you mentioned?
thank you

@ReneMG said in [SOLVED] OpenVPN do not connect when Authentication + Encryption mode is set:

and then, finally, checking the parameters on the client side and setting the AES-CBC Cipher

Or use the pfSense openvpn-client-export package so you can export the config based on the current server setup.