Hello, thank you all for your help, it now works with a route from site 2 to OpenVPN and a push route from openvpn to site 2. It seems that IPsec needed à restart.

@rjmead said in Cant install openvpn-client-export on 2.3.5:

but 2.3.5 is configured to point at a repository holding incompatible packages -

I don't recall, but was there not an option for 2.3.5 to be 32 or 64 bits ?
You can't mix them, That's for sure.

@rjmead said in Cant install openvpn-client-export on 2.3.5:

.... work under these fairly exceptional circumstances.

I know.
Where I live (France) we have to stay at home.
And because it France, they created as many exceptions as there are French people, which guarantees that this new law applies to every one (better : I'm not joking here - this is France).
So, because our government also doesn't want to kill the economy (=read : so that our phones are still ringing, that we can eat, Netflix still works etc) they allow 'needed' people to go home<-> work But no kisses, no hugs (......)
So, I'm at work, I take care of my pfSense company box, among others. So that other can VPN-in and do their jobs at home (room maids, the kitchen people, waitresses etc - I work at a hotel).

The thing is : VPN settings and maintenance can't really be done from the outside. The smallest mistake in a setting and your pfSense shuts down the connecting, locking everybody out.

Any local firewall running on that 10.1.90.5 machine?
You could share your config and firewall rules so we can check...

-Rico

These are the logs in the lab side, where the pfSense has been migrated:

Mar 24 16:54:30 openvpn 11712 UDPv4 link remote: [AF_UNSPEC]
Mar 24 16:54:30 openvpn 11712 UDPv4 link local (bound): [AF_INET]192.168.0.66:1196
Mar 24 16:54:30 openvpn 11712 /usr/local/sbin/ovpn-linkup ovpns3 1500 1560 192.168.170.1 192.168.170.2 init
Mar 24 16:54:30 openvpn 11712 /sbin/ifconfig ovpns3 192.168.170.1 192.168.170.2 mtu 1500 netmask 255.255.255.255 up
Mar 24 16:54:30 openvpn 11712 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 24 16:54:30 openvpn 11712 ioctl(TUNSIFMODE): Device busy (errno=16)
Mar 24 16:54:30 openvpn 11712 TUN/TAP device /dev/tun3 opened
Mar 24 16:54:30 openvpn 11712 TUN/TAP device ovpns3 exists previously, keep at program end
Mar 24 16:54:30 openvpn 11712 GDG: problem writing to routing socket
Mar 24 16:54:30 openvpn 11712 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

And these are the logs in the client side, the pfSense that is not touched ("client"):

Mar 24 15:57:52 openvpn 11694 UDPv4 link remote: [AF_INET]81.184.114.108:1196
Mar 24 15:57:52 openvpn 11694 UDPv4 link local (bound): [AF_INET]163.172.30.171:1196
Mar 24 15:57:52 openvpn 11694 Preserving previous TUN/TAP instance: ovpnc1
Mar 24 15:57:52 openvpn 11694 Re-using pre-shared static key
Mar 24 15:57:52 openvpn 11694 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 24 15:57:50 openvpn 11694 SIGUSR1[soft,ping-restart] received, process restarting
Mar 24 15:57:50 openvpn 11694 Inactivity timeout (--ping-restart), restarting

This is the network configuration of the interfaces. ABCloud01 is the failing one.

563a4050-e9bb-455b-bd40-c86dd253ed71-image.png

Thanks

For information:
https://github.com/OpenVPN/openvpn/blob/master/doc/management-notes.txt

Which VPN service are you using? Almost all mainstream providers offer a split tunneling feature that allows you to choose which data to send through the VPN and which not. I use PureVPN but many others like ExpressVPN offer the same with their apps.

Thank you,
I will try and keep you updated.

-Yannik

.... and when starting OpenVPN server, you can see it's binding to the incoming port :

ef73a74d-f1b3-419f-8c51-f78a7a21bd73-image.png

which matches :

76d6db6f-1e65-417d-9012-2e10c82c220c-image.png

@Gertjan

I watched the video you linked. this is pretty much exactly what I ultimately want to do. I have 2 of the cards he used in the first attempt on the way. and my GPON module is the same as the one he has (nokia). apparently, there is a pin on the module that needs to be held to ground. They recommend soldering the test pad for "pin 4" (i think) on the back of the card to ground. I suspect if he did this it would have worked for him.

any way pretty cool

Uhhh I almost forgot to tell you there is an awesome hangout by Jim covering OpenVPN with Multi-WAN. ☺
https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html
Multi-WAN Tactics starting at ~40:08... but the whole hangout is worth watching. 👍

-Rico

@Gertjan but thats different right? i use syslog and not direct php on the pfsense system

@viragomann thanks for the tip! It worked!

I am just a little bit confused, since I am nearly 100% sure, that I tried this exact set-up before. But who knows what I had hanging around wit me trying to solve this via "push route (...)".

@Bob-Dig said in OVPN-Server in - OVPN-Client out?:

only learning by doing, not by studying or understanding.

Ah the click random shit and hope it does what you want methodology of networking ;)

@jfish
Your computer is in your LAN, same as 192.168.1.1. So if your computer sends a packet to 192.168.1.1, the packet goes directly to the destination machine, without passing pfSense. Only packets for IP addresses outside your LAN subnet are sent to the default gateway (pfSense).
So pfSense is not able to route these packets to anywhere, cause it doesn't get them at all.

I got rid of this error by adding "remote-cert-tls server" in the additional configuration options field. But I did not understand why this is necessary.

@amateur its an option inside the TP-Link Access Point , after i enabled it, i now can manage the ap trough the VPN.

I have 2 other AP with no "RemoteAccess" Checkmark, that i cant manage

@sisterpfsense

A domain controller is something like Microsoft's Active Directory. It's what you log into and in turn, displays the available resources. A domain controller is typically used on large networks, such as in a business.

Also, there are a few ways to map a drive, but the easiest would be to go into the This PC folder and click on Map Network Drive. Select Map Network Drive and go from there.

@xalex1977

Take a look at... Not the perfect solution but a work around

https://forum.netgate.com/topic/151351/email-notification-openvpn-client-connect-common-name/28