https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html
Multi-WAN Tactics starting at around 40:05min.

-Rico

Is your pfSense WAN address RFC1918?
So there is any ISP upstream router? Did you forward your OpenVPN port from this router to pfSense?

-Rico

@jacotec said in OpenVPN server via stunnel @pfsense - routing not working:

What did I miss?

You might have some "fun" getting through the Great Firewall of China. Using an unauthorized VPN is illegal there. A fried of mine worked in China for a while and couldn't get a firewall to work.

@rhoekstra thank you very much for the info. It does makes sense. I follow most of it :)
I currently already have an ovpn setup which requires a unique cert per user. As you said it is more work, but I prefer this since I do have users which travel. If a user cert is compromised, I can revoke that specific cert and it won't affect other users. I have more homework to do on the radius part. I have not configured that yet.

Thanks again.
Raffi

@Tjh said in StrongVPN:

TLS Warning: no data channel

sounds like you have tls enabled. but strongvpn does not support it?

open the opvn files and setup the tunnel with what is displayed... alot of times you have to remove a few things in the opvn file to get it to connect. no idea there since i never tried that provider

resolved. changed browsers . chrome to firefox.

Thank you so much, trying Edge worked and I was ale to save the setting and finish the setup.
P.S. for anyone reading this... this error appeared to be part of of a deeper issue so what I did was backup the configuration and rebuilt the system from scratch (Not a Reset to Factory default) as I tried that first and it didn't resolve anything, but a full re-install the os and applied the backup. This was the greatest fix and resolve other "glitches" as well.
Thank you for your help.
Cheers

THANK YOU

this worked perfectly. I figured it was something involving the gateway, being that I wasn't using the default gateway.

I got it working, after setting up the port forward I had to go to firewall - rules - lan and move up the new rule so that vpn dns grabs before the dns resolver.
Annotation 2019-03-27 033736.jpg
Annotation 2019-03-27 033910.jpg

granted this is with mullvad but I also got it working with expressvpn. Since express doesn't give out their dns and it can't be found in the ovpn config; easiest solution is running their client on your desktop and using cmd commands to find the dns address being used inside the tunnel.

I found this guide, do you think it can work? Its some years old.

https://nguvu.org/pfsense/pfsense-multi-vpn-wan/

Thank you.

@MathiasMa said in OpenVPN fails to start:

But does it really matter?

No, as long as you keep it in mind and don't add another subnet to pfSense which overlaps it, it doesn't.

On the server-side (if that's the right config), looks like it's set up as a remote access server, which isn't what you want. You need to change the server mode to one of the Peer to Peer options and configure the server for either a shared key or PKI setup.

On the client-side, the client is not routing any networks over the tunnel.

So, there appear to be several issues:

The server-side needs to be reconfigured for Peer to Peer mode The client-side is not routing any networks over the tunnel.
a. If the objective was shared key, here's one of your issues
b. If the objective was PKI, the server-side will need iroute statements for the client's network(s) in the CSO section The client override screenshot posted in your OP is missing an entry in the "IPv4 Remote Network/s", which will autogenerate the iroute statements needed for the server to reach the client's network behind this connection. Assuming you went with a PKI setup. This is unlikely, but the client-side is double NAT'd behind an edge device, so if basic end-to-end IP communication still isn't working after making your corrections, it's possible that the client may need a static route on the edge device for the tunnel network.

@althaf said in Connection Change issue:

tls key negotiation failed to occur within 60 seconds

That error simply means the server did not respond. So either it is unable to reach the server via that connection or the server is blocking connections from that IP address.

Steve

In the OpenVPN RAS Advanced Client Settings push your pfSense IP as DNS again together with Force DNS cache update:
pfSense_Push-OpenVPN-DNS-Server.png

You also need a Firewall Rule for the OpenVPN Client to reach pfSense DNS. For testing best practice is to put some any-any Rule in the OpenVPN Firewall tab. Once you have everything working tighten your Rules.

-Rico

The closest thing I can find there is --show-gateway, which lists the IP of the gateway interface that OpenVPN uses to make its connections. I don't see any commands that give me the remote host information shown on status_openvpn.php in webconfigurator.

edit: Success! I accomplished what I wanted by using the following:

INTERFACEIP=`dig @resolver1.opendns.com ovpnc1 myip.opendns.com +short`

Some VPN providers offer port forwarding.
Search Cyberghost's help/faq if they offer that.

I'd recommend you to change one sides subnet and run OpenVPN in default and recommended tun mode.

-Rico