Hello,

Over the past few days i've been doing a lot of research trying to remediate this issue and it seems there are a dozen or more threads for this same issue, is anybody from the development team investigating this?

@akkiz

Not got express vpn, but sounds like phill simply re-created or selected his openvpn certificates and downloaded a fresh copy and used them instead.

pfsense can be tricky one wrong setting or one wrong copy and paste of a set of certifcation and it won't work, always best to take your time and re-read the guides and double check your settings, am still making mistakes time to time.

Hi this probably won't be as much help but I did try Astrill VPN a few months ago, did ask tech support but they told me pfsense was not supported and they had no future plans to do so.

Instead they support merlin firmwares on Asus routers like the Asus 86u (just make sure you access it via 192.168.1.1 router address and not their asus logging website!)

Astrill have a applet which works on Asus router (merlin supported) which support port forwarding. It does work stable and well imo.

If you are good enough with networking and pfsense you could download the openvpn files and open the files via notepad and see the server addresses and ports and details and perhaps use this in pfsense.

I do not have astrill anymore and did not try this when I had it though but was going to use mullvad or nordvpns pfsense guide and just input astrills server address and port number and use astrill certs and files instead.

Its a shame Astrill does not support pfsense properly, but I guess they wished to go via commerical routers like Asus and netgear instead.

10MB is a lot? How much memory does your system have?

@JeGr said in Question on OpenVPN restricting IPs:

Actually that's one point why I'm propagating the use of FreeRadius together with pfSense' OpenVPN in RAS scenarios, as it's much easier to handle than creating CSOs based on the CN of certificates. Also it minimizes the probability to make configuration errors that would allow VPN users to access pfSense WebUI with their only-for-VPN user when using internal authorization.

Yeah it's just a bit of a pain adding the users by hand, I did pop a redmine in for a copy function in the Freeradius package a couple of years ago.

https://redmine.pfsense.org/issues/8031

Forget everything- even though the remote networks field was entered and displayed properly I re-typed the values there on both sides.

And -whooops- network connected proerply.

Just for reference.

/KNEBB

@careymichael I am having this same issue. When you said you had a static route pointed to the LAN interface, are you meaning in the firewall rules?

@viragomann

Hi,

Let me clarify again. Like I said, if I initiate a session directly to HTTPS from VPN client, there's no issue at all, working as I expected perfectly. The problem here is, when I initiate a session from my VPN client to HTTP, the redirection is not happening. I can see packets are going but no return packets. This can be confirmed on pfSense packet capture.

I've tested from another host in the LAN and redirection works. That's why I am wondering if I missed something on pfSense. Hope I explained the situation clearly. Thanks a lot.

Eoin

@Gertjan 2.jpg

so i activated one more network (my pf sense has 4 nic) and added another router running ddrt and it worked but when i run open vpn on pf sense it shows connection up but disconnects in 20 secs... i will look

@viragomann said in Unable to connect to mutiplied pfsense based openvpn server:

lport is the local port, the OpenVPN client instance binds to. It should default any if it's not stated, but maybe that doesn't work in your set up.

lport 0

sets the port to any, which means OpenVPN should select the next free port. So you may give it a try.

I haven't seen this as default in any config for openvpn that I work with but it connects and I can ping so far it's working thank you @viragomann

Hello.

I want to specify the IPv6 rule for OpenVPN.

Which source IP do I have to enter for IPv6 as shown in the picture?

IPv6.png

Best regards

Axel

Are your WAN interfaces configured automatically by DHCP or PPPoE on both, office and home?
If yes, the issue may be in the ISPs network and you should consult him again.

Don't forget also you dest box your trying to rdp too, more than likely his firewall not going to allow traffic from vpn tunnel IP your remote client would be using.

So the host firewall need to be adjusted to allow the traffic.

@viragomann UDP is about 10/8 ishhh....

Forgot to post an update when I fixed this, for people who might have this issue later. Check the client output settings, make sure it is set on the version 2.4+ and it points to either your domain/wan IP address. I will admit that me being a newbie I never looked at that and just went for the client output. I still get a keys out of sync error but that is because the internet drops a packet or 2 on connection, what do you expect from free wifi though.

Hey guys,

I have to admit, I thought this issue was solved. However, it is not!

At Local Site:
When a connection is initiated from inside (e.g. I am trying to access google.de using Chrome) then my complete traffic gets routed via VPN tunnel. Back and Forth! Everything! Good!

However, when a connection is initiated from outside (e.g. someone is trying to access a service) then the traffic from the outside gets routed from Remote Site to Local Site. There, the service "answers" the requests from outside, however the local pfsense just does not send this packets again through the tunnel. All packets want to leave WAN at local site - not at remote site! However, they should leave at remote site ! and not at local site!

I can see this clearly when looking at packet capture.

Following example:
I visit https://www.yougetsignal.com/tools/open-ports/
I enter the host address of remote site and the port, which gets forwarded through the tunnel.
I click "check"

Then I go to pfsense -> Packet Capture at Local Site and monitor.

I can clearly see that all answer-packets leave at WAN interface! However, they should get routed through the VPN tunnel and leave the WAN interface of the remote site!

I have clearly defined a firewall rule at local site:
Unbenannt.JPG

At remote site I have configured Outbound NAT. But I think the problem right now is local site, because there the packets want to leave via WAN interface. However, they should get sent into the tunnel.

Does anyone have an idea what's the problem?

Check your floating rules, and check Status > Filter Reload to make sure your ruleset is loading properly.

And are you certain you are hitting your own nginx? Is the logged by nginx on the firewall? Does it show in a packet capture?