• 0 Votes
    2 Posts
    212 Views
    R

    The reason was (a), the username was not matching Common Name. One needs to enable "Username as Common Name" for the server for this to work properly.

  • Setup OpenVPN with allowed IP list

    3
    0 Votes
    3 Posts
    232 Views
    W

    If you don't know a remote source beforehand you can't firewall it in advance. My approach would be to make sure you're using TLS keys in addition to client certificates and also usernames and passwords. That's three levels of authentication where if any one of them is not present, the connection won't establish.

    Yes, you can use the cloud provider approach but then you're relying on your connections first establishing to that provider and then to you. All that is doing IMO is moving the "noise" elsewhere.

    I'd just use good security and live with the noise. TLS key, client certificate (which can be revoked), associated private key are something the user has. The username and password are something the user knows. That's not terrible in my book.

    edit: you can also cut down on the noise by using a different port on the server. The usual port of 1194 UDP is going to get probed a lot. Pick something else and you'll likely have less noise in your logging.

    second edit: the response about using dynamic DNS didn't make any sense to me at first as I was thinking of this as supporting a fleet of remote users but that could work. However, I tend not to trust dns resolution in critical aliases as I've seen empty alias tables too many times.

  • Just sharing (no help needed)

    1
    0 Votes
    1 Posts
    217 Views
    No one has replied
  • Netgate/pfsense appliance to work with existing firewall for OpenVPN only

    2
    0 Votes
    2 Posts
    249 Views
    V

    @djlandino
    If you want to be able to determine the clients on the destination devices by their virtual VPN IP, you have to connect the VPN box to a separated network segment, a transit network, to get the routing to work properly.

  • 0 Votes
    3 Posts
    332 Views
    A

    @viragomann
    I'm trying to still with the traffic over the VPN tunnel and don't expose the syncthing encrypted traffic through the internet, that way don't need to NAT any ports on remote router. I will check how to set up VPN as private network I don't have any idea but I will investigate

    Thanks

  • Is 10.0.0.x/24 bad for VPN?

    7
    0 Votes
    7 Posts
    596 Views
    E

    @Pippin that common subnet list is excellent!

  • OpenVPN RA - route traffic down existing S2S IPSec VPN

    7
    0 Votes
    7 Posts
    534 Views
    Z

    @viragomann OK, so this issue is resolved. I disabled ALL the other P2 proposals under the corresponding P1 (the reorder function in the UI crashed?!) And now I can see traffic flowing from a host on the LAN subnet to the host at SiteB and from the OpenVPN client to the same host on SiteB. They are both using the same BINAT network range for NAT, which is a non issue in this test setup but could cause issues where the last octet of a client is the same in both P2's. I suspect the issue was the ordering of the P2 proposals, it's the only change I made. Thanks for pointing me down the right path!!

  • OPENVPN is connected but i cant access anything on the clients subnet

    6
    0 Votes
    6 Posts
    399 Views
    V

    @ariban99
    You were missing the client's tunnel IP in the CSO.

    Note that a tunnel network of /30 or less is not compatible with DCO (only supported on Plus at this time, but I cannot see which version you're using).

  • Layer2 Bridge to LAN

    1
    0 Votes
    1 Posts
    190 Views
    No one has replied
  • OpenVPN for 1 Vlan, WAN for all others.

    2
    0 Votes
    2 Posts
    182 Views
    Y

    I fixed it on my own. I am not sure why but the default "Camera Subnets" was somehow not correct. I created a new Alias with the Camera Subnet defined properly, then applied it to the Firewall Rule and the NAT Rule for the Camera Subnet section, and it worked.

    I also added the kill switch with tagging which is defined in this video. Which for anyone having trouble, this was the best thing I found in all my searching.

    https://forums.lawrencesystems.com/t/how-to-setup-pfsense-openvpn-policy-routing-with-kill-switch-using-a-privacy-vpn-youtube-release/12441

  • OpenVPN vs Wireguard don't give me the same results

    9
    0 Votes
    9 Posts
    1k Views
    S

    @Jarhead
    I have the same style of configuration for the "Wireguard" tab where there are rules put in and the "Wireguard_VPN" tab where I also have no rules in it.

    From memory, I had to create it this way because something wasn't working ... but now I can't remember what exactly.

    EDIT:
    I deleted "OpenVPN_VPN" but no better, my problem is still there ... fortunately the "Boot Environments" exist, I was able to go back to my original situation without any problem (so back with "OpenVPN_VPN")

    EDIT 2:

    I may have found the source of my problems and if so, I'll have to do some more tests soon, I'm ashamed ... my problem would rather be in the firewall of my Android phone.

    If that's the case, I apologize for my request and thank you so much for all the advice you've given me!

  • No traffic over CloudConnexa Connector

    13
    0 Votes
    13 Posts
    2k Views
    V

    @Bambos said in No traffic over CloudConnexa Connector:

    I have other site to site tunnels between pfsense boxes, and there is no rule on OpenVPN interface, and all the rules apply to the dedicated assigned interface.

    What is the difference with this setup ??

    As I mentioned, OpenVPN is an interface group. Rules on this tab are applied to all OpenVPN instances on the machine.

    Refer to the docs:
    Interface Groups
    Rule Processing Order

  • OpenVPN sessions counter is wrong

    1
    0 Votes
    1 Posts
    157 Views
    No one has replied
  • OpenVPN Not Connecting - Unable To Contact Daemon

    41
    0 Votes
    41 Posts
    5k Views
    P

    Good news is that it is not sorted and I have the devices split over the VPN and WAN as needed.

    Only issue I am having is ensuring that the VPN is using the VPN DNS servers. I have the VPN client set to "Pull DNS", however when doing the leak test, it is showing that Cloudflare DNS is being used, which is not too surprising as I use Cloudflare (1.1.1.1) as my remote DNS server.

    That being said, earlier in this topic, we created a rule to redirect my VPN clients to 1.1.1.1 as shown below.

    So I altered this to the DNS of the VPN provider (5.254.106.2), unfortunately after doing that I cannot get websites to resolve for clients on the VPN. I have confirmed I can ping the VPN DNS servers (When connected/disconnected from VPN), so all is well on that end.

    While possibly completely unrelated, I went into the DNS settings and input the DNS servers for the VPN and allocated the VPN DNS entries to use the VPN Gateway as per the below screenshot.

    Any suggestions ?

  • Switch OpenVPN to IPv6

    4
    0 Votes
    4 Posts
    567 Views
    P

    @the-other said in Switch OpenVPN to IPv6:

    you write that you want to change to IPv6 udp for openVPN but your screenshot shows you configured TCP port 1194...might be a problem, since UDP 1194 is standard port for openVPN (default), with TCP most ppl choose 443 (in order to reach your VPN in strict surroundings > hotel where UDP is closed).

    I made a mistake, I changed it to IPv6 UDP (1194).

    That was the problem. Now it works :-)

  • New to pfSense and NordVPN - Is there a 2.7.2 guide for configuring them?

    6
    0 Votes
    6 Posts
    6k Views
    D

    In doing some more research I think I may use PIA (Private Internet Access) for my VPN rather than NordVPN. It is easier to configure. I appreciate all of the help I have received so far. Thanks to all.

  • Configure Which Machines Use VPN vs WAN

    2
    0 Votes
    2 Posts
    239 Views
    GertjanG

    @panzerscope said in Configure Which Machines Use VPN vs WAN:

    but failed to find a decent guide and that is to configure on PfSense

    Here https://www.youtube.com/@NetgateOfficial/videos on that page you'll find Advanced OpenVPN on pfSense 2.4 and Advanced OpenVPN on pfSense 2.4

    They are old, but they will show what needs to be done.

    What you probably want is this : Policy Routing Configuration.

  • Can't access LAN from VPN clients

    9
    0 Votes
    9 Posts
    905 Views
    Z

    @viragomann Now I can't connect to proxmox server only, but any other service is working

  • OpenVPN with 2 Internet Links

    1
    0 Votes
    1 Posts
    202 Views
    No one has replied
  • Configuring DDNS for OpenVPN

    5
    0 Votes
    5 Posts
    602 Views
    Z

    @viragomann OH! I get it now! I thought I needed to configure it by editing the VPN's config/wizard. But still, I knew it has to have an easier way.

    Thanks a lot!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.