• Other Instance OPENVPN

    7
    0 Votes
    7 Posts
    1k Views
    T
    You can put it on any unused port you want. Just choose Other and specify the port number.
  • Authentication fails after removing old domain controller

    4
    0 Votes
    4 Posts
    666 Views
    P
    I also find this under Status / System Logs / System / DNS Resolver: using nameserver X.Y.Z.11#53 for domain qwerty.se .11 = the old DC that is out of the picture. This should be .37. Looking at Services / DNS Resolver / General Settings .37 is stated in domain override for qwerty.se (the internal domain). Pontus
  • RDP won't work on FullTAP?

    21
    0 Votes
    21 Posts
    2k Views
    T
    I've got a really stupid question, but have you rebooted your pfSense box (on both ends if it's site-to-site)? I had some trouble last week getting an OpenVPN connection set up. I've done it so many times I can't remember. I even wrote myself a step by step tutorial a few months ago just in case. But no matter how many times I reset everything and started over I couldn't ping the other side. Even tried resetting the firewall states after re-configuring. I rebooted the pfSense boxes on both ends and BAM! It worked fine. Last thought, you've got the firewall rules in pfSense, right?
  • OpenVPN

    4
    0 Votes
    4 Posts
    821 Views
    DerelictD
    No. You are asking about limiting access based on routes that already exist. That is accomplished with firewall rules passing the desired traffic. How to route the traffic in the first place is a different question.
  • OpenVPN with active directory authentication and Duo Security

    5
    0 Votes
    5 Posts
    6k Views
    J
    On my side, I have the same setup as you explain, but I use RCDevs OpenOTP (MFA authentication server) instead of DUO security products. RCDevs provides a custom OpenVPN package that can be installed and configured very quickly. Active Directory and OpenOTP work very well together and are very easy to set up. I worked with DUO 2 years ago, but pricing for enterprise companies is more interesting with RCDevs products, and the support/dev teams are great!! I asked for a special feature and they added it in 1 day!!! And for small companies the product is free up to 40 users. Wonderful product and team. I advise you OpenOTP and RCDevs company ... James
  • IOS OpenVPN Connect 3 : no more connections works

    13
    0 Votes
    13 Posts
    2k Views
    GertjanG
    Didn't even know that the OpenVPN app for iOS 11.4.1 was updated .... I was always using the exported config from the Client Export package. I switched the slider, and was connected without any issues.
  • pfSense as OpenVPN client only using PIA

    2
    0 Votes
    2 Posts
    587 Views
    D
    PIA on pfSense
  • Openvpn site to site remote network not accessible

    10
    0 Votes
    10 Posts
    2k Views
    E
    @jknott Yes!
  • NAT OpenVPN Client Traffic

    14
    0 Votes
    14 Posts
    2k Views
    DerelictD
    @soarin said in NAT OpenVPN Client Traffic: @johnpoz @Derelict Oh man, if you saw the horrors of other ranges and configurations I had setup trying to get this to work you would have to read a pfSense bible to try to forget what you would've seen. I still fail to see a valid reason to stray from RFC1918.
  • Not able to connect Internet through OpenVPN

    13
    0 Votes
    13 Posts
    2k Views
    C
    I have no DNS set up on the VPN server. I searched the internet for a long time and found this series of commands that solved the problem. I hope it works for you too. Greetings
  • Where's my Mapped Network DRIVE!?

    5
    0 Votes
    5 Posts
    831 Views
    JKnottJ
    @profit said in Where's my Mapped Network DRIVE!?: @jknott yes, I can ping, but nothing else. Well, fire up Wireshark (or Packet Capture if you must) to see what's happening. Once we know what's happening to the packets, we're in a better position to advise.
  • shared key setup between 2 pfsense diff version?

    3
    0 Votes
    3 Posts
    551 Views
    perikoP
    Thanks Jimp for the update, I will work on this project, thanks!!!
  • OpenVPN under attack?

    openvpn attack
    2
    7
    0 Votes
    2 Posts
    1k Views
    T
    I wouldn't worry about it. Any Internet-facing port that's opened is going to be continually "under attack." But that's largely why things like OpenVPN exist. If you're getting these connection attempts non-stop, then yes I might worry that you are being specifically targeted. But odds are it's just the constant, random scanning for open ports with unsecured services behind them. I run an OpenVPN server on pfSense too and get connection attempts like these relatively frequently too.
  • Routing OpenVPN not working

    9
    2
    0 Votes
    9 Posts
    1k Views
    D
    @derelict said in Routing OpenVPN not working: Not sure what you want when you're using an ancient version like 2.1.5. Not a lot of people want to spend time chasing long-fixed bugs and problems. You should consider upgrading and seeing if the issue is fixed. I wrote earlier, upgrade is in my plans, but NOW I can't do it so fast, so I need to solve this question. I understand your answer, thanks
  • Openvpn Client Password

    4
    0 Votes
    4 Posts
    866 Views
    DerelictD
    No. But you can set your OpenVPN server to authenticate against the LDAP or RADIUS server of your choice.
  • Openvpn keeps restarting (Authenticate/Decrypt packet error)

    8
    0 Votes
    8 Posts
    7k Views
    B
    @derelict Had nothing to do with SoftEtherVPN and more so to do with the underlying SSL package they were using. That said, I do now see how old this is. That part of your comment was at least somewhat helpful.
  • Client Specific Overrides - Multiple IPv4 Local Networks

    2
    0 Votes
    2 Posts
    482 Views
    Z
    Hah, never mind, rebooted pfSense, fixed...
  • Cryptofree Configuration

    2
    2
    0 Votes
    2 Posts
    986 Views
    DerelictD
    first, it's port 5060 not 560. Second, I could not get that server to respond. It came right up using this: # Cryptostorm.is config optimized for Tunnelblick/Viscosity OSX and OpenVPN iOS client dev tun resolv-retry 16 nobind float #txqueuelen 686 remote-random remote linux-cryptofree.cryptostorm.net 443 udp remote linux-cryptofree.cryptostorm.org 443 udp remote linux-cryptofree.cryptokens.ca 443 udp remote linux-cryptofree.cstorm.pw 443 udp remote linux-cryptofree.cryptostorm.nu 443 udp comp-lzo down-pre allow-pull-fqdn explicit-exit-notify 3 hand-window 37 mssfix 1400 auth-user-pass ns-cert-type server auth SHA512 cipher AES-256-CBC replay-window 128 30 tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA tls-client key-method 2 # uncomment the line below to enable TrackerSmacker, # our DNS-based intrusive ad/tracker blocking service #dhcp-option DNS 10.31.33.7
  • OpenVPN Client to OpenVPN Site and IPSec Site

    6
    0 Votes
    6 Posts
    1k Views
    N
    @derelict Thanks for the tip! My problem was not having the 10.55.248.0/24 on the local and remote networks. I had the spoke subnets in the remote access server. Much appreciated!
  • Gigabit OpenVPN, whats needed?

    6
    0 Votes
    6 Posts
    2k Views
    V
    switch to aes-128-gcm
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.