• OpenVPN Performance

    6
    0 Votes
    6 Posts
    1k Views
    J
    I am not ignoring this - I just broke everything quite badly - so am having to recover :-( Sean
  • Possible to use directly a .ovpn file without GUI ?

    4
    0 Votes
    4 Posts
    2k Views
    B
    @DangerMouseUK said in Possible to use directly a .ovpn file without GUI ?:
    Hi Guys, Didn't want to start a new thread on this one. OVPN config importing would be really handy for me setting up multiple SG appliances quickly. Is this still on the roadmap? Thanks DM

    why not use the backup and restore function already built in?
  • 0 Votes
    2 Posts
    518 Views
    chpalmerC
    Try watching this. https://www.youtube.com/watch?v=7rQ-Tgt3L18
  • External/Public server to forward OpenVPN requests to Home network

    3
    0 Votes
    3 Posts
    557 Views
    DerelictD
    Most of us just run it open. OpenVPN discards any packets that are not using the correct TLS key. Remote Access VPN is almost always passed from source address any.
  • 0 Votes
    25 Posts
    5k Views
    A
    Which options box are you referring to? If it's Custom options, then that is empty. https://i.gyazo.com/36d58311d84723b4b998b90743b1a433.png

    How can I check that I have the right instance? I believe I only have one. Where is the local config? Maybe in cases like this it is better to start over with the OpenVPN? Is there a way to wipe all these OpenVPN settings away completely?

    Update: I have attempted to remove all traces (one trace that does remain and I can't seem to remove it is the User certificate from the original OpenVPN setup) of my initial OpenVPN setup and start anew. I have followed the link as suggested in your earlier post to set up OpenVPN. When trying to do the Client Export utility, no client executables appear in the OpenVPN Clients section of the Client Export Utility page. There is this note next to it: "If a client is missing from the list it is likely due to a CA mismatch between the OpenVPN server instance and the client certificate, the client certificate does not exist on this firewall, or a user certificate is not associated with a user when local database authentication is enabled."

    Update2: I managed to remove the original user cert after I removed it from someplace else, the delete/trash can symbol appeared. The Client Export executables were not showing up b/c I had not created a new user cert. Now I can ping the pingable devices behind the pfsense firewall. I can also create a mapped network drive to those devices. However, I need to use their private IP addr. instead of their Windows name. Is it possible to use the computer names for creating network drives? And is it possible to make network drives to these devices with their firewalls enabled? Also, is it possible to restrict connections to the vpn by MAC addresses that I specify? If so, how?
  • Vpn

    6
    0 Votes
    6 Posts
    698 Views
    F
    Tried drips the srv does not respond. My machine neither. The weirdest point clock responds to. And the 3 equipments are in the same range https://uploaddeimagens.com.br/imagens/captura_de_tela_2019-10-25_as_11-13-57-png https://uploaddeimagens.com.br/imagens/captura_de_tela_2019-10-25_as_11-11-41-png
  • Can connect to VPN from LAN but not from WAN

    9
    0 Votes
    9 Posts
    1k Views
    N
    @sonnyboy said in Can connect to VPN from LAN but not from WAN:
    rules

    yes, I think it's a firewall rule issue only with the WAN interface in the new 3p update of pfsense; there was no issue in the previous update. I have practiced and implemented more than 10 times before this update, but now I am not able to succeed with the same steps and documents which I was following before. I tried more than 10 times with the 3p patched update of pfsense but no luck! Again I am searching and practicing to find the issue.
  • OpenVPN Client connecting issue

    2
    0 Votes
    2 Posts
    180 Views
    V
    Probably the server isn't reachable from the client with the given IP/port.
  • Setup VPN server

    4
    0 Votes
    4 Posts
    636 Views
    Mr_AJM
    OP, did you hear the news that the NordVPN encryption keys have been stolen? https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/
  • Site2Site does not work/route in both directions

    openvpn site-to-site routing
    9
    0 Votes
    9 Posts
    2k Views
    kiokomanK
    the routing table now is the same ? maybe it was something else on the configuration
  • Site to Site VPN behind Firewall

    Moved
    2
    0 Votes
    2 Posts
    411 Views
    R
    Hello ated19,

    This is not specifically a site to site VPN connection; what you have described is more a "road warrior" configuration. The configuration you are looking for is very easy to do with pfsense.

    Things to configure (assuming IPv4):

    1. Redirect IPv4 Gateway -> Check Force all client-generated IPv4 traffic through the tunnel
    2. IPv4 Local Networks -> Networks that need access behind the firewall (ie non-routeable IPs) although I'm not sure if this is needed if all traffic is going through the VPN.
    3. Topology -> Net30

    Do not use common non-routable IPs for your OpenVPN Server (ie. 192.168.0.1 or the likes), as this will give issues when people are connecting in coffee shops or other areas where wifi is available. Use an IP address that is not common.

    On number 3 above (Net30), not sure why you would need this. If your concern is inter network communications between OpenVPN users, the check box Inter-client communications should be unchecked. This will prevent OpenVPN users from seeing each other on their VPN connection.

    Then set up NAT and WAN for the new OpenVPN Server.

    Clients would have to download OpenVPN (Windows) or Viscosity (MacOS) and you will have to send them the profile files so they can connect. There is also a package that will automatically generate the profile files for you within pfSense (openvpn-client-export).

    Regarding all traffic sent through the tunnel: I prefer to have a split tunnel, in that only networks that they need access to are routed through the VPN tunnel and all other access is through the local wifi.

    RHLinux
  • Brian Krebs (Krebs On Security) Reports VPN Provider Hacked

    4
    0 Votes
    4 Posts
    746 Views
    johnpozJ
    Well yeah it's going to be embedded in a lot of links as of late.. That news is all over the net.. And yet people still hand over money to these services thinking they are getting something other than slow internet and problems accessing their other services they pay for.. So that their isp doesn't know they went to xyz.com -- makes zero sense to me ;)
  • OpenVPN site2site not working

    openvpn site-to-site
    4
    0 Votes
    4 Posts
    1k Views
    V
    Why do you use a /24 net for a site-2-site? A /30 will be the better choice here.

    @Cricco95 said in OpenVPN site2site not working:
    Trying to ping VPN server interface on 10.8.0.1:

    You did the ping from WAN IP. Don't know what your WAN is, but you may miss the route. What if you do a ping from LAN? If it works, try a ping from LAN to the remote LAN IP of the server.
  • route traffic from VPN server to network behind another interface

    5
    0 Votes
    5 Posts
    724 Views
    M
    This has come up before. You need to push a route for the remote LAN subnet to your OpenVPN clients and also configure a phase 2 for the OpenVPN tunnel network on each side of the IPsec tunnel.
  • HELP - Need settings to configure VPNunlimited OpenVPN Client on pfsense

    7
    0 Votes
    7 Posts
    2k Views
    K
    @bthoven no prob
  • 0 Votes
    1 Posts
    355 Views
    No one has replied
  • Ubuntu 18.04 server with pfSense client

    2
    0 Votes
    2 Posts
    362 Views
    V
    I guess, you are missing the route to your network on the server side. However, if the VPN connection is for your own purposes, I assume you can also do a workaround with NAT.
  • OpenVPN client VPN slow, especially with higher latency

    4
    0 Votes
    4 Posts
    2k Views
    P
    Made another test to see if pfsense behaves differently. Downloaded a testfile on a machine with additional 250ms delay configured. All machines on a local LAN with Gigabit switches in-between:

    Downloading on a Linux machine gives around 12Mbyte per second:

        $ curl http://172.16.34.206/testfile.img --output testfile.img
          % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                         Dload  Upload   Total   Spent    Left  Speed
          4 3320M    4  155M    0     0  9.8M      0  0:05:36  0:00:15  0:05:21 12.0M^C

    Download on the pfsense machine, gives only around 6.5Mbyte per second:

        : curl http://172.16.34.206/testfile.img --output testfile.img
          % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                         Dload  Upload   Total   Spent    Left  Speed
          3 3320M    3  118M    0     0  6125k      0  0:09:15  0:00:19  0:08:56 6578k^C

    However, it's not that the pfsense machine is generally slower, when removing the artificial latency, the download on the pfsense reaches the expected >100Mbyte/s on a gigabit network:

        : curl http://172.16.34.206/testfile.img --output testfile.img
          % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                         Dload  Upload   Total   Spent    Left  Speed
          9 3320M    9  318M    0     0  111M      0  0:00:29  0:00:02  0:00:27  111M^C
  • OpenVPN "The Clash of Gateways"

    19
    0 Votes
    19 Posts
    2k Views
    DerelictD
    When you connect to a VPN server it gives you a gateway address. If you connect to servers that give you the same gateway you will have the problems you are seeing because you can't have two interfaces with the same subnet/gateway on them. Choosing different access points from the same provider, or different providers, should solve it.
  • Open VPN with DDNS

    2
    0 Votes
    2 Posts
    436 Views
    provelsP
    @fulail It should work fine. I do it. You should assign the DDNS address to the public IP. Can you ping the DDNS host by name? The line in your config file should be remote yourDDNSname yourport yourprotocol
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.