• 0 Votes
    1 Posts
    408 Views
    No one has replied
  • VPN and routeur

    8
    0 Votes
    8 Posts
    810 Views
    JKnottJ

    @splinny

    Is that 192.168.1.0 actually from your ISP? If so, then you are behind NAT and a VPN will never work.

  • 0 Votes
    1 Posts
    164 Views
    No one has replied
  • Latest OpenVPN client tls ca certificate is undefined openvpn error!

    6
    0 Votes
    6 Posts
    2k Views
    PippinP

    OpenVPN Connect for Windows is beta and aimed at OpenVPN Access Server.

    Either download from pfSense GUI or use the download from @Rico

  • 0 Votes
    7 Posts
    776 Views
    RicoR

    No idea what you are showing there...just a port forward like it is mentioned in your VDSL Router user manual. ;-)

    -Rico

  • OpenVPN Remote acces server on VPS without LAN

    2
    0 Votes
    2 Posts
    518 Views
    V

    The wizard sets the firewall rules automatically which are needed to access the server and also for anything else over the VPN.

    What you have to check is the "Redirect gateway" check in the server settings. But I think, this is set by the wizard as well.

    @hyposera said in OpenVPN Remote acces server on VPS without LAN:

    I would like to set up the pfsense openvpn remote access server on VPS and connect my local pfsense box as a client.

    I assume, you aim to direct any upstream traffic from the network behind your local box over the VPN.
    So you have to add an outbound NAT rule for that traffic. If your outbound NAT works in automatic mode, switch to hybrid mode and save that setting.
    Add a rule like this:
    interface: OpenVPN
    source: any (or restrict it to your LANs)
    destination: any
    Translation: interface address

    I assume, you're running only that one OpenVPN instance (client or server) here. If you run multiple, assign an interface to the client instance and use that one in the NAT rule.

    On the remote pfSense, you also have to add an outbound NAT rule like the above one, but to the WAN interface.

  • Site to site ovpn

    3
    0 Votes
    3 Posts
    411 Views
    RicoR

    https://docs.netgate.com/pfsense/en/latest/book/openvpn/index.html

    -Rico

  • Solved - OpenVPN firewall rule precedence w. both /30 & /24 servers

    4
    0 Votes
    4 Posts
    416 Views
    bingo600B

    I got my Roadwarrior OpenVPN servers up & running.
    And it was as easy/elegant as I hoped, after the answer above.

    Just create the server, and "dig into" the available "unassigned" interfaces.
    Enable and name it, and "voila" you have gotten an interface to make your rules on.

    No need to have any rules at all under the "OpenVPN" interface.

    Thanks for this feature, Netgate

    /Bingo

    Edit: This page was inspirational
    https://turbofuture.com/computers/How-to-Setup-a-Remote-Access-VPN-Using-pfSense-and-OpenVPN

  • 0 Votes
    2 Posts
    206 Views
    RicoR

    You can have as many OpenVPN Clients and Servers as you want, just set it up.

    -Rico

  • Disabling single OpenVPN Server

    6
    0 Votes
    6 Posts
    871 Views
    jimpJ

    If you change the status in the GUI and save, it would always be immediately reflected in config.xml.

    Unless your disk is doing something really funky with caching writes, it should be there as soon as the config is written.

  • Why does starting a OpenVPN service break my AP?

    13
    0 Votes
    13 Posts
    1k Views
    S

    Sorry to bump, but I have made some progress.

    Although it's still only the wireless AP that seems to be affected, which I can't quite get my head around, it may well be a routing issue.

    I found if I turn off my OpenVPN client on the pfsense box, then the OpenVPN server doesn't break net access for the wireless AP. Reading up on people having similar issues trying to run a client/server at same time, it seems the key is to check "don't pull routes". The issue then is how do I set up the routing manually to push out everything on the LAN via the VPN client. I'm guessing a combo of firewall and NAT?

  • Unable to use Torguard internal VPN DNS

    2
    0 Votes
    2 Posts
    667 Views
    T

    OMG, the stupidity, it burns!

    I had a rule allowing DNS requests only to the firewall itself. I re-added the internal VPN DNS servers with their respective VPN gateway to System > General and made a rule allowing the VPN clients to use DNS only with the internal VPN DNS servers, above the other rule. Fixed.

    Sorry for cluttering up the forum with stupidity :(

  • openVPN traffic routing refused on VPN client side

    9
    0 Votes
    9 Posts
    813 Views
    B

    I got my issue resolved and feel quite relieved - but also kind of embarrassed for taking so long to find the problem. In the hope that it will save someone else from digging around for days, here is what I found.

    Problem was: private IPs will not be routed. All my 192.168.xx.yy/24 networks are private networks and I force-routed them a little way but could not get them through all the way.

    Solution was: set an outgoing NAT rule:
    c274d0d7-6f2c-4f73-8f12-75283e7ab6a9-grafik.png

    Again: router A is the openVPN server, it has subnet 192.168.225.0/24. The above setting is for router B, which has subnet 192.168.245.0/24 for LAN. This permits a host in B's subnet to reach a host in A's subnet. A corresponding NAT rule will be required on A for the opposite direction.

    In my case server A will assign an interface address to B, so the NAT address needs to be B's openVPN interface address.

    What else did I learn?

    For one thing, Apple's version of ping supports some really helpful options:

    -A will make a sound for each outgoing packet
    -a will make a sound for each incoming response
    -f will flood the target with ICMP packets. On an otherwise quiet system, this permitted me to see where my packets were going just by looking at pfSense's traffic graphs on the dashboard.

    Another thing is, it took me ages to get to the solution but I feel that all the failures I have been through taught me more than I ever wanted to know ☺ 🎓 Keep working on your problems, eventually you will master them!

  • Total Newb - Help Request - Slow OpenVPN

    1
    0 Votes
    1 Posts
    201 Views
    No one has replied
  • Huge number of users

    11
    0 Votes
    11 Posts
    1k Views
    haykuH

    @Rico Great, thanks for your advice
    👍

  • 0 Votes
    1 Posts
    176 Views
    No one has replied
  • Advice how to handle a vpn and a p2p tunnel?

    1
    0 Votes
    1 Posts
    272 Views
    No one has replied
  • WARNING: cannot stat file & Options error: --pkcs12 fails with

    20
    0 Votes
    20 Posts
    8k Views
    jimpJ

    If you see nothing on WAN for 1194, and the IP address and port are correct in the client log, then it is being blocked before it reaches pfSense. Either by a CPE/Modem/Router in front of pfSense or by the ISP itself.

  • PfSense OpenVPN performance on NordVPN

    3
    0 Votes
    3 Posts
    1k Views
    B

    I've tried various VPN providers. MOST get your regular ISP speeds

    Nord was a provider I tried twice and NEVER got 25% of my actual ISP speeds. I ran from them quickly

    If you're wanting to torrent, much better options out there based overseas

  • Poor performace with Openvpn

    29
    0 Votes
    29 Posts
    3k Views
    T

    For comparison's sake I set up wireguard between the two networks. Wireguard starts with an MTU of 1420, and it reaches almost the line-speed in both forward and reverse directions.

    # wg-quick up wg0
    [#] ip link add wg0 type wireguard
    [#] wg setconf wg0 /dev/fd/63
    [#] ip -4 address add 10.0.0.2/32 dev wg0
    [#] ip link set mtu 1420 up dev wg0
    [#] ip -4 route add 10.0.0.0/24 dev wg0
    root@wireguard:/etc/wireguard# iperf3 -c 10.0.0.1
    Connecting to host 10.0.0.1, port 5201
    [  4] local 10.0.0.2 port 34842 connected to 10.0.0.1 port 5201
    [ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
    [  4]   0.00-1.00   sec  14.8 MBytes   124 Mbits/sec    0   1.74 MBytes
    [  4]   1.00-2.00   sec  16.8 MBytes   141 Mbits/sec    0   2.58 MBytes
    [  4]   2.00-3.00   sec  17.0 MBytes   142 Mbits/sec    3   2.96 MBytes
    [  4]   3.00-4.00   sec  16.0 MBytes   134 Mbits/sec    1   2.07 MBytes
    [  4]   4.00-5.00   sec  16.7 MBytes   140 Mbits/sec    1   1.52 MBytes
    [  4]   5.00-6.00   sec  17.0 MBytes   142 Mbits/sec    0   1.62 MBytes
    [  4]   6.00-7.00   sec  16.9 MBytes   142 Mbits/sec    0   1.70 MBytes
    [  4]   7.00-8.00   sec  16.8 MBytes   141 Mbits/sec    0   1.75 MBytes
    [  4]   8.00-9.00   sec  16.9 MBytes   142 Mbits/sec    0   1.79 MBytes
    [  4]   9.00-10.00  sec  17.0 MBytes   142 Mbits/sec    2    920 KBytes
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bandwidth       Retr
    [  4]   0.00-10.00  sec   166 MBytes   139 Mbits/sec    7             sender
    [  4]   0.00-10.00  sec   163 MBytes   137 Mbits/sec                  receiver

    iperf Done.
    root@wireguard:/etc/wireguard# iperf3 -c 10.0.0.1 -R
    Connecting to host 10.0.0.1, port 5201
    Reverse mode, remote host 10.0.0.1 is sending
    [  4] local 10.0.0.2 port 35042 connected to 10.0.0.1 port 5201
    [ ID] Interval           Transfer     Bandwidth
    [  4]   0.00-1.00   sec  13.0 MBytes   109 Mbits/sec
    [  4]   1.00-2.00   sec  16.9 MBytes   141 Mbits/sec
    [  4]   2.00-3.00   sec  16.9 MBytes   142 Mbits/sec
    [  4]   3.00-4.00   sec  16.9 MBytes   142 Mbits/sec
    [  4]   4.00-5.00   sec  16.9 MBytes   142 Mbits/sec
    [  4]   5.00-6.00   sec  16.9 MBytes   142 Mbits/sec
    [  4]   6.00-7.00   sec  16.9 MBytes   142 Mbits/sec
    [  4]   7.00-8.00   sec  16.9 MBytes   141 Mbits/sec
    [  4]   8.00-9.00   sec  16.9 MBytes   142 Mbits/sec
    [  4]   9.00-10.00  sec  16.9 MBytes   142 Mbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval           Transfer     Bandwidth       Retr
    [  4]   0.00-10.00  sec   168 MBytes   141 Mbits/sec    3             sender
    [  4]   0.00-10.00  sec   168 MBytes   141 Mbits/sec                  receiver

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.