@Gertjan
Thanks for the update
Still driving me crazy!
Trouble is ping is fine from all the interfaces in the box but there’s no internet on the vlan WiFi nor Ethernet
As you said working before and not after password/namechange
Trouble is I can’t see anything thing in any of the. Logs to suggest where exactly it’s getting “blocked “
There’s obviously udp/tcp connection to the interface insider pfsense to the remote server or ping would fail
Also support at Nord is not very supportive

@viragomann

Thank you. It worked following your indication.

For the benefit of others I add that I did this.

On the server - which is Site B in the schema - I added the CIDR of the client remote access VPN tunnel (10.10.10.0/24).

Then in VPN / OpenVPN / edit the VPN Server and
add 10.10.10.0/24 in IPv4 Remote network(s)

Then, in VPN / OpenVPN / Client Specific Overrides I had to add the exact same thing in (10.10.10./24 IPv4 Remote Network/s)

If I had added the tunnel route only in the server configuration or only in Client Specific Overrides I saw that it didn't work.

thank you very much

@viragomann said in Is it possible to use the VPN on the same LAN network as the OpenVPN server?:

Connect to the OpenVPN server from inside the LAN makes no sense at all anyway.

But it does work, at least here it does. However, that would depend on how you configure the server and what interfaces it listens to. Since I wanted to be able to connect via both IPv4 and IPv6, I had to choose the multihome connection.

@viragomann I finally got it to work. It's something to do with the server certificate I had selected to use which was self-signed. I chose another and the wizard worked.

@McMurphy

This has since been resolved.

I have disabled the SSL/TLS VPN and re-activated the Shared Key. Traffic was slow (e.g. to open the web interface of the remote pfsense) - CPU usage was under 10%. I had to restore the configuration backed up before the SSL/TLS configuration added from the guide on both the devices and now it works again.
I will try to reconfigure it later during the day, and see. I suspect there was some conflict with routing, but not sure.

@AWeidner
To answer myself:

openssl speed -elapsed -evp aes-128[256]-gcm (we use AES-256-GCM) ... type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes AES-128-GCM 72691.83k 150891.86k 222610.26k 254092.97k 263097.25k 265530.03k ... type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes AES-256-GCM 67697.40k 132661.67k 188492.12k 212024.45k 219474.60k 219228.84k

vs. AES-256-CBC (which we don't use)

type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes AES-256-CBC 98913.39k 159960.60k 197932.39k 211052.54k 214461.10k 214832.47k

And as far as i can tell, the block size used for VPN connections via openssl is 128 Bit (16 Bytes). The CPU is the limiting factor it seems.

@stephenw10 the commands however in pfSense shell do not show use also in 23.09

@viragomann Its now works, thank you so much for you help.

@viragomann I see. Yeah I can't seem to find a more specific set of instructions.

Basically we just want anyone who is connected to VPN to route traffic over the VPN when going to a specific site, which we have the IPs for added into an alias.

I did not change anything on the server settings because I am not 100% sure on the steps and this is in production.

@michmoor Yep. :)

It's a shame.

Business customers exist because, somewhere along this path, there were non-business customers who contributed to the project.

Stripping CE of this kind of functionality will do nothing more than make people consider other alternative projects.

Good idea- thx

@viragomann - thanks for the response, I really appreciate it. Can you elaborate what you meant by this:

@viragomann said in [Solved] OpenVPN Multiple WAN Asymmetric Routing Issue:

@tman222
I cannot see any benefit at all in directing upstream traffic from VPN clients out on the interface, where the VPN connection comes in.
...

Why would there be no benefit?

Also, a more general question: What is the overall advantage then of going with the port forward / localhost method for multiwan if the interface on the OpenVPN server can setup using the gateway (failover) group? Is the port forward / localhost method a more robust failover method for OpenVPN compared to using the gateway group?

Thanks again for your help.

@frog

Click here :

25a4fba8-25c8-4cbd-a033-8299c3ce8cc8-image.png

I pre entred the needed search termes already.
"openvpn notify"

You'll find some old threads where OpenVPN notifying was created.
Be aware : these were the days of OpenVPN 2.4.x or 2.5.x
Its of course not guaranteed that these instruction still work today - current pfSense version uses OpenVPN 2.6.x.

The good news : OpenVPN is opensource freeware etc, so all you need is the manual ^^

@Cryux

Turned out I had a firewall rule on the client lan that passed any/any but specified the gateway... Removing the gateway specification, setting to default, cleared up all my problems...