• Openvpn site to site Problem

    7
    0 Votes
    7 Posts
    727 Views
    M
    @vidarne77 said in Openvpn site to site Problem: Reason for the Manual nat/was as for at main site it is needed for getting the right clients and servers over the proper vpns and vlans, atm you are right it is not needed for the basic setup so is at the offsite. (old habits setting it to manual) Glad it's working. Although just to throw it out there again, if you have access to both firewalls you don't need any NAT's for communication. All you need is routing and the firewall rules to allow the traffic. If you needed to add NAT's to get traffic flowing that tells me there are routes missing. By NATing, you lose granular auditing functionality, which may or may not be a concern for you. Personally, I always like to know exactly what is connecting to what. If you post your configs, we can offer more targeted info.
  • my site is not opening unless i use vpn what may be the reason ?

    2
    0 Votes
    2 Posts
    288 Views
    johnpoz
    Trying to understand your problem here - you're saying if you route traffic out a vpn, you can not load that site? What does that have to do with pfsense? They prob just block your vpn service.. Just like forums here blocks many vpn IPs.. What IP are you getting when you route through a vpn.. Is prob on a shitton of black lists..
  • SSL3 error

    4
    0 Votes
    4 Posts
    718 Views
    B
    @johnpoz I am certainly not an expert with pfnonsense... I solved my issue by moving to a 2.4.4 release. I was running on an old piece of hardware (32bit/2.3.x). I was trying to use OpenVPN client on PFSense to connect to ExpressVPN. It was clear in the logs that SSL3 was being used in the negotiation and the cert verify was failing as a result. Not an issue on 2.4.4. I am used to enterprise networking products where there is a clear documented way to control those settings client or server. I assume you are talking about OpenVPN server custom settings. I am not running OpenVPN server. Thanks!
  • Pfsense openvpn to openvpn with Unraid

    12
    0 Votes
    12 Posts
    2k Views
    Rico
    Glad you have it working. -Rico
  • OpenVPN inbound DNAT/Port-Forwarding

    1
    0 Votes
    1 Posts
    304 Views
    No one has replied
  • Another 'can't ping lan from VPN' scenario

    6
    1 Votes
    6 Posts
    619 Views
    Rico
    Glad you have it working again. -Rico
  • Dual routing from OpenVPN server to Client Internet

    14
    0 Votes
    14 Posts
    1k Views
    L
    @derelict said in Dual routing from OpenVPN server to Client Internet: Negative. The moment you assign the interface the VPN breaks. THEN you have to stop and start the server process. Client or server. Does the same thing. Show me in the manual where it says not to assign an interface to an OpenVPN server. You are right. It worked. Many thanks.
  • Can You Connect Unraid to Pfsense??

    1
    0 Votes
    1 Posts
    265 Views
    No one has replied
  • How to send specific traffic to WAN rather than VPN

    2
    0 Votes
    2 Posts
    306 Views
    V
    Yes, if you have checked "Don't pull routes" like it is shown in the tutorial, just add a firewall rule for that traffic (source = the two laptops) and leave the gateway setting at its default. Place this rule to the top of the rule set, so that it matches first.
  • openvpn customer information

    3
    0 Votes
    3 Posts
    446 Views
    S
    Grateful, but it does not help me yet. I just want to get the cadastral information of my openvpn clients. The suggestion given brings everything (usable and revoked) and would have to be done one by one. Understood?
  • How to config pfSense as OpenVPN server in DMZ?

    2
    0 Votes
    2 Posts
    1k Views
    P
    @philip2019 I'm not sure, finally it worked. It can't be tested from inside the LAN in my situation: I can't ping my WAN public IP address from an inner LAN PC when it is set as a DMZ, so I have to use another Internet connection to ping the modem IP address. Because the modem (router, Bell hub 2000) sets an inner PC as DMZ, this pfSense server (as the DMZ PC in the Bell router) should allow ping on the WAN interface; it's a simple firewall rule. This helped me know that only another Internet connection can easily get to the DMZ. The other things are almost the same as some guides on YouTube or web articles; the only change is that the configuration will show the DMZ pfSense server WAN IP address as the remote address (it is also a LAN IP address), which is impossible to visit because it is a LAN IP; changing this IP to the public IP address is OK.
  • Strange behavior. IP ending with .2 works, ending with .3 not.

    openvpn
    8
    0 Votes
    8 Posts
    963 Views
    M
    No there were not. I have deleted everything related to the RoadWarrior Server now and recreated it with another cipher, but same settings/TunnelNetwork/Buffer/Rules. It seems to work now. Could it be that pfSense sometimes doesn't activate rules unless you recreate them? It felt like that, though I don't really know why it didn't work and now works.
  • Split tunnel works but no luck with a Full

    4
    0 Votes
    4 Posts
    686 Views
    _
    changed my working split tunnel... turned on "Force all client-generated IPv4 traffic through the tunnel." and no web traffic traffic to LAN works but nothing webwise
  • Remote Connection Not Working OpenVPN

    1
    0 Votes
    1 Posts
    134 Views
    No one has replied
  • Side effect of OpenVPN

    10
    0 Votes
    10 Posts
    1k Views
    M
    @marvosa said in Side effect of OpenVPN: Per the "redirect-gateway def1" option in your config, all of your traffic is being routed over the tunnel when it's enabled. It appears that you are right, many thanks! After replacing "redirect-gateway def1" with "route-nopull" the games stopped misbehaving while VPN-enabling rules (based on IP) still work. I'll do a bit more testing but it looks like your advice was spot on. Thanks a million! It appears that IRC "redirect-gateway def1" option changes the default gateway to VPN while pfSense still reports non-VPN gateway as default - this is quite confusing.
  • Another OpenVPN TLS handshake failed issue

    3
    0 Votes
    3 Posts
    1k Views
    T
    Here's the CA config: [image]
    Here's the certs: [image]
    OpenVPN config: [images]
    Interface assignment: [image]
    Gateway config: [image]
    Firewall rules for RW_VPN: [image]
    Even added this for the OpenVPN just in case: [image]
    Firewall rules for WAN: [image]
    Added the RW_VPN interface to DNS resolver: [image]
    Added outbound NAT for the new VLAN: [image]
    Updated my aliases: [image]
    Client Export Config: [images]
    The OpenVPN client log shows: [image]
    The logs in the pfSense GUI show: [image]
    The log file shows the same thing:
    Mar 13 12:40:12 pfSense openvpn[5481]: 205.128.239.51:20640 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 13 12:40:12 pfSense openvpn[5481]: 205.128.239.51:20640 TLS Error: TLS handshake failed
    Mar 13 12:41:16 pfSense openvpn[5481]: 205.128.239.51:25518 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mar 13 12:41:16 pfSense openvpn[5481]: 205.128.239.51:25518 TLS Error: TLS handshake failed
    I'm going to guess to get some more verbose logs I need to change the Verbosity level to 5 or higher?
  • file xxxxx.ovpn

    23
    0 Votes
    23 Posts
    2k Views
    stephenw10
    Cool, glad you got it working. Steve
  • Pfsense with OpenVPN package installed

    1
    0 Votes
    1 Posts
    205 Views
    No one has replied
  • 0 Votes
    3 Posts
    734 Views
    Z
    Hello. Thank you very much. Let me see if I got it right.. The forum is blocked because I am redirecting all my traffic via AirVPN and I should create a bypass rule? If that's the thing, how do I do that? I was able to set up my system following guides but I might lack a lot of theory... About advanced networking I am a newbie. Thank you
  • Host can't reach hosts on other LAN connected via OpenVPN

    7
    0 Votes
    7 Posts
    759 Views
    Rico
    Glad you have it working now. -Rico
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.