@heper Dear heper, I have followed the steps as your guidance, but nothing is showing in packet capture while constantly pinging the host (192.168.1.19) from vpn client.

Capture7.JPG

Thank you!
That's what it was, Windows firewall was blocking it. I was able to ping 2 Windows Server 2019 machines but not 2 Windows 10 machines.
In case someone is looking for the same info here's how to allow it on Windows https://superuser.com/questions/1106907/windows-firewall-doesnot-allow-to-connect-from-vpn

I just set range from 10.0.0.0 - 10.0.0.254

@viragomann Hello, thanks for the answer. I do get the public IP.

@kiokoman It WORKS!!! I am so happy. Many thanks. I deactivated the DMZ settings and I changed the NAT rules to 192.168.3.1 in place of 192.168.1.1 and it just works... Stupid mistakes are sometimes the most difficult ones to find.
Many thanks to you, Viragomann & Kiokoman. I really appreciate!

@jwsi said in Automatically Restarting OpenVPN Client:

@guardian This is interesting. If you're using the directive redirect-gateway def1 (route all IPv4 traffic via VPN). This is likely not reconnecting because if the server IP address is changing and you're routing all traffic via the VPN, it could struggle to reconnect because the default route to establish a new VPN connection (via a changed server IP) will be via the now broken VPN tunnel. In any case, if this is the issue, it should be fairly easy to solve after looking at the routing table.

Do you notice a loss of Internet connectivity when the VPN dies?

I have never noticed a significant loss of Internet connectivity on the main WAN, just on the guest WiFi network. I use the VPN to route all my guest WiFi network traffic though -- most traffic goes straight out. I have a website pinger that checks the startus of my shared host every 5 minutes and as part of the code it does a quick UDP socket connection to about a half dozen differnt public DNS servers. If for some reason none of them connect, then this is logged and the test is skipped. I get between 1 and 10 of these / day. I suspect it might be a temporary loss of cable modem connectivity, (could also be an intermittent NIC interface) and it might also be some sort of bug in my program.

I also experience some slow DNS resolution and occasional failed attempts that need to be retried (web page not found -- hit the enter key again, and it comes up - and occasional messages in terminal about temporary address resolution failure).

Here is the config file with appropriate redactions:

dev ovpnc1 verb 3 dev-type tun dev-node /dev/tun1 writepid /var/run/openvpn_client1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp4 cipher AES-256-GCM auth SHA256 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local xxx.xxx.xxx.xxx tls-client client lport 0 management /var/etc/openvpn/client1.sock unix remote vvvvvvvvvvvvvvvvvvvvvvvvvvvv 1197 auth-user-pass /var/etc/openvpn/client1.up auth-retry nointeract ca /var/etc/openvpn/client1.ca ncp-disable comp-lzo adaptive resolv-retry infinite route-nopull route-noexec persist-key persist-tun remote-cert-tls server reneg-sec 0

@Gertjan said in Firewall blocking OpenVPN port:

Hummmmm.

Try this : change the "Destination" in your rule(s) from "WAN address" to "any".

Ok so today without doing anything for the past 4 days, I didn't check the configs, didn't restart the router or anything. today when i tried to connect to the VPN it just worked🤦

Hey viragomann,

thanks for your answer.

I also tried "route 10.2.66.30 255.255.255.255" but when doing so, Windows PC 10.2.66.30 has no internet access anymore. Is it possible to route single IPs or is it only possible to route whole subnets?

Thank you!

EDIT: Problem solved, see: https://forum.netgate.com/topic/149934/redirect-gateway-def1-routing-traffic-from-subnet-through-openvpn

so the solution was to take ips from this list
https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]

@viragomann I understand, but this was set since the beginning as I wrote in my first post about the config:

DNS Server 1: 192.168.1.14 (pfSense, I use pfSense as DNS server with pfBlockerNg)

but I tried to add it also manually before to the config by this line, but actually did not change anything:

push "dhcp-option DNS 192.168.1.14"

What was interesting, I also saw connections earlier from the phone to the pfSense IP on port 53 based on states
(Firewall > Rules > OpenVPN, then clicked traffic data in the States column)

but something was not good as the DNS server actually not responded to the queries from the phone. At the moment I have that only idea the DNS server service was not in a good condition.

Anyway, thanks a lot for your help, I really appreciate your prompt feedbacks!

@Pippin said in OpenVPN logs:

Set verbosity to 4 on the server and while viewing log close the dashboard.

Thank you very much for your response, now I see more detail. Regards!

Martin

@marvosa Thanks man, it wasn't easy, almost gave up.
That was kind of my last attempt... opened a beer to celebrate lol

Give the diagram provided, I see 8 home users connected to modems that need to connect to servers behind Router 1.

For this, you would configure a remote access solution (client to site)

@ltxda Got it figured out and working. Thanks to anyone that saw this and was going to jump in to help.

@bcruze
Hi, thanks for advice. Very useful. I set up VPN, actually I have 2VPNs for wifi, and one for landline. Yes for general DNS tab, deleted everything but cloudFlare DNS records. VPN-specific DNS servers were configured on Services->DHCP server->xyz interface (assuming Services-.DNS resolver-general settings: "DNS Query Forwarding" is checked. Killswitch was set up on NAT by deleting appropriate WAN-related records - interestingly nobody mentions that NAT entries for outbound port 500 are irrelevant and can be deleted, if one is not using anything but OpenVPN. Works perfectly well. The best simple video user guide was this: https://www.youtube.com/watch?v=8jYibgeAV0Y.

When OpenVPN is disconnected, it can take up to a minute to notice. What is probably happening is your connection was cut off in some way -- either loss of connectivity, or another client with the same cert/username connected and bumped yours off -- and it takes a minute to realize it needs to reconnect.

@skwaler said in Muliple OpenVPN servers each with different gateway:

How can i set a different gateway for each VPN?

Just configure your outbound NAT accordingly and map them to the external IPs you want.

you could use a remote directory, apply different groups to each server