• OpenVPN routing question

    0 Votes
    5 Posts
    574 Views

    I use CSO already.

    Site A has a route entry for the remote site, rest is set by CSO

    route 172.16.254.0 255.255.255.0;

    Site B does not have any routes they are set by CSO

    Server has this:

    route 172.16.254.0 255.255.255.0 192.168.98.2; route 172.16.0.0 255.255.254.0 192.168.98.3;

    I need this, to get the packets back to the OpenVPN interface

    CSO for Site A on server is this:

    iroute 172.16.0.0 255.255.254.0; ifconfig-push 192.168.98.2 255.255.254.0;

    I need to set static IPs for the route entry in the previous step.

    CSO for Site B on server is this:

    iroute 172.16.254.0 255.255.255.0; push "route 172.16.0.0 255.255.254.0"; ifconfig-push 192.168.98.3 255.255.254.0;

    The reason for the difference between Site A and Site B is that Site A has the option "don't pull routes" enabled. So instead of a push route in the CSO, I have the route option on the client directly.

    It is working like this.

    However, I have the feeling that it should be possible without setting static tunnel IPs.

    If I use the remote network box, the routes that are added then all point to the same tunnel.

    Btw, is there any way to show the learned OpenVPN iroutes? The only way I found was via the logs, which is a pain if you miss the correct moment.

  • LAN through OpenVPN not accessible

    0 Votes
    4 Posts
    457 Views
    ReneMG

    @jimp

    Hi again!
    I have been checking some points like LAN router NAT and server configs, and through the packet capture on pfSense I've found this while capturing OpenVPN packets:
    15:01:08.596584 IP 192.168.168.2.51978 > 192.168.168.10.3389: tcp 0
    15:01:08.596607 IP 192.168.168.2.51978 > 192.168.168.10.3389: tcp 0
    15:01:08.596617 IP 192.168.168.1 > 192.168.168.2: ICMP redirect 192.168.168.10 to host 192.168.168.2, length 72

    where 192.168.168.2 is a WAN connection over OpenVPN (my phone), 192.168.168.10 is the remote machine with RDP (WS2019), and 192.168.168.1 is the LAN router. Look at the "tcp 0"??? What does it mean?

    With the firewall always disabled to test connections, no AVs, and after 2 days of testing several things, I've found 3 different scenarios:

    1. RDP from LAN to LAN works on any computer (W10Pro and WS 2019).
    2. RDP from WAN to LAN works on a W10Pro but not on a WS2019 Datacenter with only Remote Access (no RDS), same IP or network as the W10Pro, directly via the default port 3389. Tested with a PC the error reported is "internal Error", and tested with my phone the error is 0x4 or 0x104.
    3. RDP from WAN to LAN over OpenVPN doesn't work on any computer at the default port 3389, same errors.

    Note the different OS behavior!!

    CONFIGS:
    OPEN VPN
    WAN UDP4 / 1194 192.168.168.0/27
    Crypto: AES-256-GCM/SHA512
    D-H Params: 4096 bits OPEN VPN (tun3)
    IPv4 Tunnel Network 192.168.168.0/27

    OUTBOUND NAT MODE:
     WAN 127.0.0.0/8 ::1/128 172.16.16.0/24 192.168.168.0/27 * * 500 WAN address *  Auto created rule for ISAKMP
     WAN 127.0.0.0/8 ::1/128 172.16.16.0/24 192.168.168.0/27 * * * WAN address *  Auto created rule

    PORT FORWARD:
    WAN TCP * * WAN address 3389 (MS RDP) 172.16.16.1 3389 (MS RDP) RDP

    OPEN VPN RULES:
    IPv4 * * * * * * none OpenVPN OPEN VPN wizard

    WAN RULES:
    IPv4 UDP * * 10.10.10.11 1194 (OpenVPN) * none OPEN VPN

    Any idea? Do you need some specific info?
    Thank you very much!!

  • Add Subnet Ipsec To OpenVpn

    0 Votes
    6 Posts
    679 Views

    On the Zyxel side do I have to add routes?

  • pfSense + OpenVPN - Need to export client after restart server

    0 Votes
    3 Posts
    322 Views

    Thank you so much, jimp!
    So I was looking for the solution in the wrong place. I'm sorry for the mistake.

  • OpenVPN Road Warrior - User connection notification

    0 Votes
    3 Posts
    302 Views

    Thanks, I'm following this post and I also sent a question, thank you very much :)

  • Firewall blocks connections it shouldn't

    0 Votes
    2 Posts
    455 Views
    johnpoz

    FA, that is a FIN,ACK - it would be out of state - yes, those would be blocked.

    https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html

  • OpenVPN Disconnection issue

    0 Votes
    2 Posts
    159 Views

    @jcubio can you try adding this parameter in

    Advanced Configuration > Custom options

    reneg-sec 36000

    It looks like the session is restarting.

  • Client not getting /32 route to pfSense

    0 Votes
    10 Posts
    895 Views
    JKnott

    @4xTroy

    My OpenVPN tunnel works fine without doing that. I only have "push "route 0.0.0.0 0.0.0.0";push "route-ipv6 ::/0"" in Additional configuration options.

  • OpenVPN interface assignment

    0 Votes
    2 Posts
    827 Views
    Rico

    The interface used by the firewall to originate this OpenVPN client connection
    so typically this would be WAN.
    In my case for some Sites it is not directly WAN but some Gateway Group containing different WANs.
    I've never thought about switching it to any internal interface like LAN or OPT... why did you do that? Just leave it at the default.

    -Rico

  • pfSense 2.4.5 with OpenVPN and an external Radius Server with 2FA TOTP

    0 Votes
    2 Posts
    514 Views

    Your problem looks like the one "reneg-sec 0" solves. Is this option in the client's config too?

  • 0 Votes
    21 Posts
    2k Views

    @Rico sadly doesn't seem to solve the issue.

    I deployed OpenVPN on Ubuntu behind the firewall and forwarded the port; now I've got it working.
    I am not sure why it's not working, to be honest, but the fact that it worked for a while and that it's very slow without using any resources makes me believe something is unstable there, possibly with how my hosting solution manages VMs.

    Anyway thank you for all the help.

  • push dns record?

    0 Votes
    3 Posts
    1k Views
    noplan

    Working with a split tunnel too?
    Not yet tested (tomorrow on the to-do list).
    Maybe some time for coffee can be saved.

    #staySafe

  • Client device filtering

    0 Votes
    20 Posts
    1k Views
    noplan

    Hey folks, I'm the one who is not willing to pay for useless fancy stuff that
    keeps me off work when I need it because I have not patched my OS and
    a fancy tool is keeping / shutting me off the VPN.

    Airports are not that lovely when you travel a lot!

  • Don't understand the 10.0.8.2 route in Diagnostics -> Routes

    0 Votes
    9 Posts
    877 Views
    Pippin

    Ok, fired up a VirtualBox VM, and topology subnet for pfSense shows

    inet 172.16.25.1 --> 172.16.25.2

    while on Linux

    inet 172.16.25.1 --> 172.16.25.1

    Then I remembered something about topology in FreeBSD and found it:
    "Repair topology subnet on FreeBSD 11"
    https://sourceforge.net/p/openvpn/mailman/message/35478475/
    So I guess it's related to that for why it's different.

    But I don't know if it's related to the OP's

    "the user can't access the 192.168.5.0 resources if the OpenVPN roadwarrior DHCP gives the 10.0.8.2"

  • Using Internal CA / Self-Signed Certificate for OpenVPN client

    0 Votes
    4 Posts
    446 Views
    jimp

    You're confusing site-to-site/remote access VPNs on pfSense (servers) with VPN service clients.

    A VPN server on pfSense would use a server certificate from a self-signed internal CA as its server certificate.

    A VPN client on pfSense would use a certificate provided by the server. If that's a VPN provider, the VPN provider would give you a certificate. (If it's something like PIA, that's up to them. If you are connecting to another pfSense, it would be a user certificate made on that remote pfSense server).

  • OpenVPN Routing Not working

    0 Votes
    1 Posts
    241 Views
    No one has replied

  • pfSsh.php playback not stopping clients

    0 Votes
    3 Posts
    402 Views

    @kiokoman said in pfSsh.php playback not stopping clients:

    op OpenVPN client #

    Thank you so much! Works now.

  • 0 Votes
    2 Posts
    326 Views

    @derekmarch said in Is it possible to setup a gateway group of VPN connections that will only connect when needed:

    Can I somehow configure it so if a VPN server drops below the configured threshold it connects me to a different server, verifies that it meets the threshold requirements, connects me through that server then disconnects the original server?

    I am also interested in a solution for this problem. Does anybody know how to set up the system for that?

  • DNS issue while connected to OpenVPN

    0 Votes
    43 Posts
    8k Views

    @Gertjan yup, that's true.. that's why I switch straight away..

  • OpenVPN client specific override Error?

    0 Votes
    13 Posts
    2k Views
    noplan

    @Rico
    Word! I do not need to understand why I would do this ;)
    CSO local networks, but here in Austria a lot of things are possible ;)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.