• Need OpenVPN on a pfSense behind NAT Router

    5
    0 Votes
    5 Posts
    913 Views
    GertjanG

    @sianand said in Need OpenVPN on a pfSense behind NAT Router:

    pfSense isn't doing NAT

    That's probably a don't care.
    The destination isn't NATted by pfSense, because the end destination is pfSense itself.
    A [image: 870c2b81-2e35-48c9-80d1-0d07f9b12c35-image.png] on your WAN interface will do (if you use UDP on port 1193 - this rule will be created by the OpenVPN wizard if you used that wizard).

    The upstream router - if any - has to have a 'real' NAT rule of course.

  • VPN-disconnects, wrong connection time

    9
    0 Votes
    9 Posts
    981 Views
    P

    I solved the VPN-disconnects by putting some commands to the advanced config in Open-VPN:

    on the server site:
    keepalive 10 120
    reneg-sec 43200

    on the client site:
    keepalive 10 120
    reneg-sec 0

    The time differences still exist, but that doesn't bother me at the moment.

  • OpenVPN remote Access through Dynamic IP

    1
    0 Votes
    1 Posts
    221 Views
    No one has replied
  • 0 Votes
    4 Posts
    3k Views
    N

    @Pippin said in suddenly I get a "bad source address from client" on OpenVPN, yet everything is working:

    From info given you don't really need the iroute.

    exactly, and it's plain wrong as well, in fact it wasn't set up with the unnecessary iroute and I had no such message in the logs, afaik nothing major changed on my side of things.
    I am connecting from a home connection which is actually a 4G router, no adsl reaches where I live, and the carrier did change something because their NAT address definitely changed before this happened, but I can't fathom how that would cause that message on my logs.

    luckily this is just a VPN connection I use to admin the firewall from my laptop from remote locations and from home if needed, so nothing critical, the critical VPNs this box handles are untouched by this issue and the logs are clean.

    I should have avoided common subnets from the beginning, guess it's time to do that now and see if that has any impact, it's good practice anyways.

  • OpenVPN Static Ip, Routing Problem, NAT

    17
    0 Votes
    17 Posts
    2k Views
    ?

    @Derelict I think I got it to work. After I set the default gateway manually to the VPN and not automatic and saw that it worked,
    I transferred the Flowing Rule I made for the outbound traffic to the Lan interface.
    With the new knowledge of your help and the help of viragomann I changed some tiny things in the firewall rule.
    After that I changed the default gateway back to automatic and now the outbound traffic takes the vpn and everything works.
    I even rebooted the firewall to get lost of the states but everything still functions as it seems.

    Thank you so very much for your dedication and your help.

  • All VLan Traffic over an OpenVPN Tunnel (Cyber Ghost)

    4
    0 Votes
    4 Posts
    601 Views
    B

    @marvosa Perfect, I did get it with Policy Route VPN. I was trying to do this before, but I was missing the gateway, I had already created it for my VLAN, but didn't realize I also needed one for this VPN. Once added that and configured everything it all worked!!!

  • Snom Phones and OpenVPN

    1
    0 Votes
    1 Posts
    343 Views
    No one has replied
  • Open VPN Client on PFsense

    6
    0 Votes
    6 Posts
    684 Views
    B

    @viragomann Thank you SO much.

    It was the : Don't add or remove routes automatically
    Do not execute operating system commands to install routes. Instead, pass routes to --route-up script using environmental variables. that did all the messing up.

    All working flawlessly :-)

  • 0 Votes
    1 Posts
    231 Views
    No one has replied
  • OpenVPN site to site for IP Phone

    6
    0 Votes
    6 Posts
    768 Views
    S

    @marvosa said in OpenVPN site to site for IP Phone:

    Unless you have (or want) super restrictive outgoing firewall rules on the LAN interface, there should be a LAN net/any rule for the LAN interface on both ends by default.

    A LAN net/any rule means all outgoing traffic is allowed. More specifically, it's a rule that allows traffic sourced from the LAN subnet and destined to any IP, any interface, any port using any protocol.

    Thank you very much for trying to help me. I did what you asked but still no go. Probably, I am still doing something wrong. So, I would like to present my situation in a more detailed way.

    This is a schematic of my Office and Home network:
    https://imgur.com/DMVPBxL

    These are from office pfSense:
    https://imgur.com/pXR7l7o
    https://imgur.com/dIHoC0v

    These are from home pfSense:
    https://imgur.com/Wl0X39a
    https://imgur.com/pGPpAc5

    OpenVPN interfaces are from configuring through OpenVPN wizard.

    Still, FreePBX on 10.10.1.20 is not registering the IP phone (192.168.2.51) at home.

    Do you see anything wrong with this setup?

  • OpenVPN client for specific devices on the LAN only?

    5
    0 Votes
    5 Posts
    545 Views
    P

    Thanks. Still hoping for any guidance on the original question.

  • 0 Votes
    45 Posts
    4k Views
    GertjanG

    Get back here :
    https://forum.netgate.com/topic/148959/connection-with-remote-server-not-established-because-of-a-server-verification-method-error/33

    and do that test.
    It resolves, or not ?
    Also, describe your DNS settings.

  • Client error

    3
    0 Votes
    3 Posts
    788 Views
    S

    I exported the "inline configurations" configuration and now it's ok !
    Thanks.

  • Last Login for OpenVPN

    1
    0 Votes
    1 Posts
    282 Views
    No one has replied
  • Two OpenVPN instances radius authorization via group membership

    2
    0 Votes
    2 Posts
    377 Views
    jimpJ

    That would be up to the RADIUS server. Capture and check requests from each OpenVPN instance and look for attributes that are unique there which it could use to distinguish between the two (e.g. Calling-Station-Id). Or set up two Authentication Server entries on pfSense pointing to the same server but with different RADIUS NAS IP Attribute settings.

    Then in your RADIUS config you should be able to tell it to only authorize a user if they match along with whatever other attribute you decide to use.

  • Dynamic DNS not working - fixed IP works

    10
    0 Votes
    10 Posts
    3k Views
    GertjanG

    @MrGlasspoole said in Dynamic DNS not working - fixed IP works:

    What do you mean?
    My web hoster is a well known company in Germany.
    And you can select it in the pfSense DDNS settings.

    Hummm.
    What has the web host to do with this ?
    They - the web host - have a static IP - ....

    @MrGlasspoole said in Dynamic DNS not working - fixed IP works:

    And as i wrote. The IP updating to the DDNS server is working.
    ....
    And i get back the IP from my website.

    So, it's not working - it shouldn't return the IP of this web host / web site - it should return the IP of your WAN at that moment.

    Example : I have a dedicated server on the Internet - and a hand full of domain names.
    One is "test-domaine.fr".
    Check out :

    root@ns311465:~# dig test-domaine.fr A +short
    5.196.43.182

    So, 5.196.43.182 is an IPv4 of this dedicated server.
    "www" is the same :

    root@ns311465:~# dig www.test-domaine.fr A +short
    5.196.43.182

    But I have also an "URL" that points to my pfSense / WAN IP :

    root@ns311465:~# dig br*t.test-domaine.fr A +short
    82.127.*4.254

    and that's correct, that IP is my WAN IP right now.
    So, I can use "br*t.test-domaine.fr" as an URL that connects me to my .... OpenVPN running on my pfSense.

    When my WAN IP changes, pfSense will take care of updating the A record for br*t.test-domaine.fr using DYNDNS (actually, it's RFC2136 based, using my own 'bind' master domain server, running on that server).

    Again : show us your logs ...

  • Download user certificate

    2
    0 Votes
    2 Posts
    254 Views
    DerelictD

    You will need to write something that loops through the /cf/conf/config.xml and extracts the certificates, runs them through a base64 decode, and saves the results in a format that makes sense to you.

  • 0 Votes
    15 Posts
    1k Views
    johnpozJ

    @PrashantRai said in OpenVPN (Site-to-Site) unable to ping/access from SiteA(Server) to SiteB(Client) LAN from Local Machine:

    also how to know if IP's are overlapping!!!!

    You don't understand network masks, ie subnetting - but you're setting up the firewall and site to site vpn? How is this?

    So you're just randomly picking a mask? Where did you come up with the /12? I can understand the /8 somewhat since this is whole network for 10..

    I would highly suggest you do a bit of research.
    https://www.ittsystems.com/introduction-to-subnetting/

    Came up on google like first hit, looks basic enough to get you started.

  • OpenVPN ip assignation

    3
    0 Votes
    3 Posts
    362 Views
    V

    Hello
    thank you very much, that's exactly what i want
    best regards

  • OpenVPN Kernel module

    1
    0 Votes
    1 Posts
    214 Views
    No one has replied