I use CSO already.

Site A has a route entry for the remote site, rest is set by CSO

route 172.16.254.0 255.255.255.0;

Site B does not have any routes they are set by CSO

Server has this:

route 172.16.254.0 255.255.255.0 192.168.98.2; route 172.16.0.0 255.255.254.0 192.168.98.3;

I need this, to get the packets back to the OpenVPN interface

CSO for Site A on server is this:

iroute 172.16.0.0 255.255.254.0; ifconfig-push 192.168.98.2 255.255.254.0;

i need to set static IP's for the route entry in the previous step

CSO for Site B on server is this:

iroute 172.16.254.0 255.255.255.0; push "route 172.16.0.0 255.255.254.0"; ifconfig-push 192.168.98.3 255.255.254.0;

reason for the difference of site A and B is that Site A have the Option "don't pull routes enabled". So instead of a push route in CSO, i have the route option on the client directly.

It is working like this.

However, I have the feeling that it should be possible without setting static tunel IP's.

If i use the remote network box, the routes that are added are then pointing all to the same tunnel.

Btw. is there any way to show the learned OpenVPN iroutes. The only way i found was via the logs which is a pain if you miss the correct moment.

@jimp

Hi again!
I have been checking some points like LAN router NAT, and server configs and through the packet capture on pfsense I've found this capturing OpenPVN packets:
15:01:08.596584 IP 192.168.168.2.51978 > 192.168.168.10.3389: tcp 0
15:01:08.596607 IP 192.168.168.2.51978 > 192.168.168.10.3389: tcp 0
15:01:08.596617 IP 192.168.168.1 > 192.168.168.2: ICMP redirect 192.168.168.10 to host 192.168.168.2, length 72

where 192.168.168.2 its a wan connection over Open VPN(my phone) and 192.168.168.10 is the remote machine with RDP (WS2019), 192.168.168.1 is the LAN router. Look at the TCP 0??? What means?

With firewall always disabled to test connections and no AV's and after 2 days testing several things, I've found 3 different scenarios:

RDP from LAN to LAN works on any computer. (W10Pro and WS 2019) RDP from WAN to LAN works in a W10Pro but not in a WS2019 Datacenter only with Remote access (NO RDS) and same ip or network than W10Pro directly by default port 3389. Tested with a PC the error reported is: "internal Error" and tested with my phone the error is: 0x4 or 0x104
3.RDP from WAN to LAN over OpenVPn doesn't work in any computer at default port 3389, same errors.

Note the different OS behavior!!.

CONFIGS:
OPEN VPN
WAN UDP4 / 1194 192.168.168.0/27
Crypto: AES-256-GCM/SHA512
D-H Params: 4096 bits OPEN VPN (tun3)
IPv4 Tunnel Network 192.168.168.0/27

OUTBOUND NAT MODE:
 WAN 127.0.0.0/8 ::1/128 172.16.16.0/24 192.168.168.0/27 * * 500 WAN address *  Auto created rule for ISAKMP
 WAN 127.0.0.0/8 ::1/128 172.16.16.0/24 192.168.168.0/27 * * * WAN address *  Auto created rule

PORT FORWARD:
WAN TCP * * WAN address 3389 (MS RDP) 172.16.16.1 3389 (MS RDP) RDP

OPEN VPN RULES:
IPv4 * * * * * * none OpenVPN OPEN VPN wizard

WAN RULES:
IPv4 UDP * * 10.10.10.11 1194 (OpenVPN) * none OPEN VPN

Any idea? Do you need some specific info?
Thank you very much!!

On the Zyxel side do I have to add routes?

Thank you so much, jimp!
So I was looking for the solution in the wrong place. I'm sorry for the mistake.

Thanks I'm following this post and I also sent a doamnda, thank you very much :)

FA, that is a fin,ack - would be out of state - yes those would be blocked.

https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html

@jcubio can you try adding this paramaters on the

Advance Configuration > Custome options

reneg-sec 36000

looks like the session is restarting.

@4xTroy

My OpenVPN tunnel works fine without doing that. I only have "push "route 0.0.0.0 0.0.0.0";push "route-ipv6 ::/0"" in Additional configuration options.

The interface used by the firewall to originate this OpenVPN client connection
so typically this would be WAN.
In my case for some Sites it is not directly WAN but some Gateway Group containing different WANs.
I've never thought about switching it to any internal Interface like LAN or OPT...why did you do that? Just leave it as default.

-Rico

Your problem looks like the one "reneg-sec 0" solves. Is this option in the client's config too?

@Rico sadly doesn't seem to solve the issue.

I deployed the OpenVPN on ubuntu behind the firewall and forwarded the port, now I got it working.
I am not sure why it's not working, to be honest, but the fact that it worked for a while and that its very slow without using any resources makes me believe something is unstable there, possibly with how my hosting solution manages VM's.

Anyway thank you for all the help.

workin with a splitt tunnel too ?
not yet tested (tomorrow on the toDo list)
mybe some time for coffee can be safed

#staySafe

hey folks i'm the one who is not willing to pay for useless fancy stuff that
keeps me off work when i need it cuz i have not patched my OS and
a fancy tool is keepin / shuttin me off the vpn

airports are not that lovely when u travel a lot !

Ok, fired up a virtual box and topology subnet for pfS shows

inet 172.16.25.1 --> 172.16.25.2

while on Linux

inet 172.16.25.1 --> 172.16.25.1

.
Then I remembered something about topology in FreeBSD and found it:
"Repair topology subnet on FreeBSD 11"
https://sourceforge.net/p/openvpn/mailman/message/35478475/
So I guess it's related to that for why it's different.

But don't know it's related to OPs

"the user can't access the 192.168.5.0 ressources if the OpenVPN roadwarrior DHCP gives the 10.0.8.2"

You're confusing site-to-site/remote access VPNs on pfSense (servers) with VPN service clients.

A VPN server on pfSense would use a server certificate from a self-signed internal CA as its server certificate.

A VPN client on pfSense would use a certificate provided by the server. If that's a VPN provider, the VPN provider would give you a certificate. (If it's something like PIA, that's up to them. If you are connecting to another pfSense, it would be a user certificate made on that remote pfSense server).

@kiokoman said in pfSsh.php playback not stopping clients:

op OpenVPN client #

Thank you so much! Works now.

@derekmarch said in Is it possible to setup a gateway group of VPN connections that will only connect when needed:

Can I somehow configure it so if a VPN server drops below the configured threshold it connects me to a different server, verifies that it meets the threshold requirements, connects me through that server then disconnects the original server?

I am also interested in a solution for this problem. Does anybody know, how to set up the system for that?

@Gertjan yup thats true.. thats why i switch straight away..

@Rico
word! i do not need to unserstand why i would do this ;)
CSO local networks but here in ausrtia a lot of things are possible ;)