• Change the route of OpenVPN

    1
    0 Votes
    1 Posts
    155 Views
    No one has replied
  • OpenVPN and NAT from External IP

    2
    0 Votes
    2 Posts
    333 Views

    @tompark said in OpenVPN and NAT from External IP:

    Does anyone have any suggestions on what I have missed?

    🤔 You didn't mention what your problem is.

  • Can't seem to access IPSEC tunnel to edgerouterX via openVPN

    1
    0 Votes
    1 Posts
    188 Views
    No one has replied
  • Help With OpenVPN Client Export

    7
    0 Votes
    7 Posts
    639 Views

    @Rico said in Help With OpenVPN Client Export:

    I did....but seems I misunderstood. Thought you have one box running 2.4.4 and working with your Android and another box with 2.3.5 throwing that error.

    -Rico

    Ah, I see. I still do have the 2.3.5 box running (not in production, just to fiddle with) but it will be turned into a NAS box shortly.

    I edited the file and for some reason the export from the 2.4.4 version is not putting my WAN IP in it. Once I added the IP, I was able to import it with no errors.

    Thanks

  • 0 Votes
    5 Posts
    980 Views

    @kiokoman thanks for the tip. I have configured a bridge with Linux tools (brctl) and I'm using virt-io, and I thought that would be enough, but it is in fact very reasonable that it would actually introduce limitations and weird behaviors like what I'm seeing. I will dig further into the issue.

  • Authentication fails for only some users

    4
    0 Votes
    4 Posts
    794 Views
    sullivas

    I just wanted to post a follow-up in case someone in the future has the same problem and comes across this thread. We were able to determine that the service account we were using to bind to AD was unable to properly access the entire directory structure (still not sure why not, but that doesn't matter). I could see it make a connection to the domain controller and then attempt to check each of the containers defined in the pfSense authentication server, but it would return "0 users found" in the LDAP query even though the account to be authenticated was there in that container.

    What fixed it was to add that account we use for directory binding to the Built-In "Account Operators" group. After that everything has worked perfectly.

  • Accessing OPT1 network

    2
    0 Votes
    2 Posts
    431 Views

    Okay, I believe all is working now. When you write things out as I did in this post, you realize what you're missing. I needed the gateway on my OPT1 interface to the 192.168.1.1 router we have. Now, I can see all.

  • OpenVPN Client IP Issue

    1
    0 Votes
    1 Posts
    182 Views
    No one has replied
  • Force some hosts through OpenVPN

    1
    0 Votes
    1 Posts
    208 Views
    No one has replied
  • Bundle OpenVPN Connect Client for MAC with the configs

    1
    0 Votes
    1 Posts
    126 Views
    No one has replied
  • 0 Votes
    4 Posts
    555 Views
    Rico

    https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html

    -Rico

  • Correct setup for pfSense + VPN + Pi-Hole ?

    2
    0 Votes
    2 Posts
    1k Views

    Bumping this and adding more specifics...

    According to a post on the Pi-hole forum, the correct config is:

    Add the Pi-Hole IP address to pfSense > Services > DHCP Server > DNS Servers. Do not enable DNS Forwarder. Do not enable DNS Resolver. Do not add a DNS entry in the System > General Setup > DNS Server Settings.

    The last setting seems to be causing an issue -- the router is unable to connect to my VPN provider if no entry is made in System > General Setup > DNS Server Settings. It's also unable to connect if the Pi-Hole IP address is entered there.

    Specifying a public DNS, such as Cloudflare, does work -- but then I am not sure if all DNS queries are going through the Pi-hole?

  • OpenVPN not resolving internal DNS names

    6
    0 Votes
    6 Posts
    522 Views
    johnpoz

    Well the only thing that can talk over the tunnel - is your vpn clients.. But sure you can limit what your vpn clients can access if you want/desire to do so.

    The automatic acls should prob be updated to auto allow tunnel networks to be honest.. But anyone that understands how the acls work, would know that they need to adjust them, etc.

    Glad you got it sorted..

  • Unknown "OpenVPN" interface tab in my Firewall rules

    2
    0 Votes
    2 Posts
    301 Views
    jimp

    That is a tab created when the firewall has any OpenVPN clients or servers defined. It's an interface group tab for firewall rules which apply to all OpenVPN interfaces.

    If you have assigned your OpenVPN instance(s) and use rules on the per-interface tabs then you won't need to do anything with the OpenVPN tab.

    Some people don't assign the OpenVPN clients or servers as interfaces and just manage rules on the OpenVPN tab.

  • OpenVPN setting max number of authentication retries

    2
    0 Votes
    2 Posts
    356 Views
    bingo600

    I'd look at using Freeradius as external auth (Radius) server, if needing something like that

    /Bingo

  • OpenVPN Server-Client access problems

    9
    0 Votes
    9 Posts
    1k Views
    Rico

    Glad you have it working now. 👍

    -Rico

  • Indefinite openvpn session

    3
    0 Votes
    3 Posts
    377 Views

    No, I have a pfSense server on one side. My server connects as OpenVPN user cert/user/pass. I gave it a static IP via push ifconfig, then on the firewall I have made rules that cover this communication.

    So, my server connects as an OpenVPN user.

  • Q: OpenVPN RoadWarrior Certificate Expired , what to do

    4
    0 Votes
    4 Posts
    1k Views
    jimp

    @bingo600 said in Q: OpenVPN RoadWarrior Certificate Expired , what to do:

    1: Delete the expired certificate
    2: Under User Manager, edit user -> "User Certificates" -> "+Add", create a new certificate with the same CA name?
    That would be easier if working.

    That should be fine

    Though strictly speaking you probably want to set up a separate VPN for vendors than for your typical remote access users, to be sure they can be isolated more strictly. So a different CA, server cert, OpenVPN server, etc.

    I actually made 3 servers: ADM + INT + EXT, and made "interfaces" for all 3.
    All 3 have separate CA-Roots + Server /24.
    That way I can do firewalling based on the client types.

    Sounds good

  • OpenVPN Client-Server - Disconnect clients after some time

    1
    0 Votes
    1 Posts
    151 Views
    No one has replied
  • How can I optimize Ubuntu 16.04 performance

    2
    0 Votes
    2 Posts
    342 Views
    Rico

    Hmm...you realize this is the pfSense forum?

    -Rico

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.