I am using the subnet feature (pfSense) trying to migrate from the net30 architecture.  Some of my clients are 2.1.5 the rest are 2.3.2.

have infconfig-push configured properly in the server's client spec override.

I believe I have configured this correct because routing seems to work.  However, I cannot find the client tunnel-end address I assigned to any of my clients in their routing tables ovpn or freebsd.  Ifconfig yields only 172.16.64.0 –----> 17216.64.1 (the server) on the relevant interface.  Ovpn status routes shows only 172.16.64.0 for the virtual interface.

Is this correct?

Awesome, thanks that answers a lot of questions, I was farting around with settings for the firewall rules and borked something up, once I get it straightened out, I'll try that. Thank you for your reply. Yes, I am limiting the size of the subnet, but I will try increasing the number of IP's available, initially the scope has strictly been to get one tunnel working, but I fully expect there will be multiple clients in the near future. Part of it is that I have to consider if the single server will be sufficient for all our needs or if a 2nd vpn server instance will be needed.

Digging this thread from its grave to post my solution: I enabled "Client Specific Overrides" and literally copy-and-pasted my configuration from the "Servers" tab. I have no idea whatsoever why this would be needed but everything works now.

If someone could explain why I needed doing so this could maybe help another poor soul with the same problem.

I changed to 192.168.2.1/24 but after of this i lost wan ip on pfsense, but i can ping it..
http://prntscr.com/cpnhll
http://prntscr.com/cpnjdk

At a high level:

You need to push the Site 2 Lan subnet (192.168.4.0/24) to your clients in the roadwarrior's OpenVPN config

You need to add a route for the roadwarrior's tunnel network (192.168.2.0/24) in the Site 2 OpenVPN config

How have you set up your 'Outgoing Email Server' in the Untangle Email Settings. Are you using Direct or Relaying via another mail server?

Both Hotmail and Gmail are very picky about who they receive mail from. If you are sending using the direct option and your Untangle box hostname is not resolvable via public DNS then the mail will be rejected/blocked. If your public IP is dynamic then chances are good that the mail will also be rejected.

If in doubt set up the Outgoing Email Server using the relay option via your ISP's SMTP server.

If anyone has any suggestions about this, I'd really appreciate it. Aside from it being a routing issue, I'm out of ideas as to why the server works for ipv4, but not for ipv6. I can post the existing routing on the client and/or server pcs and pfsense if that would help.

because i found this topic already open will update with the same issue i have. The openvpn connection is verry slow. When i try to copy something it gets a max of 50kb/s !!!

I have attached the connections for both client(speedtest) and pfsense-openvpn server(console).
On the Openvpn side i use:

DH Parameter length (bits) - 2048 Encryption Algorithm - AES-256-CBC Auth digest algorithm - sha256 Hardware Crypto - Intel RDRAND engine

Should i need to lower those?

Thank you


No what I mean by ACLs is the ACLs in unbound (resolver).. Unless you have turned that off and turned on the forwarder (dnsmasq)?  There seems to be an issue going around with that dnsmasq seeing a conf file and limiting queries to the local network if your using the forwarder.

https://doc.pfsense.org/index.php/Unbound_DNS_Resolver#Access_Lists_Tab

"I was regurgitating something I read somewhere else on the interwebs."

Hehe yeah since we all know everything you read on the internet has to be true ;)  Some of the nonsense I see that says it more secure or better to do something is most of the time complete utter hogwash!!

The big thing as of late is dns leakage.. How tight is your tin foil hat??  What dns are you using exactly?  Do you really think your ISP is tracking what IP address 1.2.3.4 (which they know is billy bob their customer) is going queries for..  Oh that billy likes his fetish porn, serve him up more fetish porn ads?  Or maybe they are selling that to ???  The nsa maybe??

While yes data can be gotten from dns queries.. Who do you think is watching yours?  And where exactly are they doing it from?  Once you know who your trying to hide from, then you can figure out how and if you need too.  All comes down to how tight that tin foil hat is…

Right, so the connection still gets opened up. I removed the additional parameter from System -> Advanced. Still works. Of course deleted all "Clients". Still works. No traffic though. I verified that my ovpn-file for this firewall looks exactly like others that work - so I opted to download and install the latest version of the OpenVPN client for Windows. Tadaa. Now everything seem to work as expected. I suspect that part of debugging should be killing the openvpn.exe -process in windows every time, to make sure you don't have stuff interfering.

A learning experience.

With the recent upgrades of pfSense, the default network topology changed from net30 to subnet. If your main site changed to subnet after an upgrade and all of the other sites, clients, etc. stayed on net30, you would likely have issues.

I would see what the topology is set to on the other networks, i.e. net30, subnet, p2p, then adjust the main site to match and see if that corrects the issue.

As a side-note, you can check the OpenVPN logs on the main router by going to Status -> System Logs -> OpenVPN.

Did you install the TAP-Adapter on Windows?
The client doesn't find a free TAP-Adapter. Check your network settings.

It's designed to be either completely managed elsewhere, or completely managed on pfSense.

In order to revoke a certificate, pfSense needs to have the certificate present. Either in the cert list or on the CRL (it's copied there when you revoke it). The CRL is rebuilt that way because it has to be. It can't add to a CRL it didn't create, since it doesn't have the older certificates on hand to revoke.

If you make a new CRL and revoke everything all over again, then you can add to it. But you can't import a CRL and then add to that.

That's how it's always worked.

Thanks guys, it was 100% the firewall on the Windows Server. I adjusted the Echo Request settings on the Windows box, and we are in business (Problem 1 Solved).

Since this post also included questions / concerns about operating two VPN's at the same time (though the question was mostly answered) I might be asking follow up questions in the next day or two, as we will be testing then.

-Specifically, I had to change Local Subnet to Any in this case.

.png)
.png_thumb)

@Kei:

Could someone suggest a working solution for this problem?

The correct answer is: Three different machine accounts or certificates.

There isn't a good way (or perhaps any way) to accommodate one client with three static addresses in the way you describe. It's far easier and far more secure to configure them one account per device if they must use them simultaneously.

@jimp:

If it's for an OpenVPN client, a gateway group should work OK, provided that it's a failover group (only one gateway per tier), though you might have an issue if the group prefers a WAN that isn't your default gateway.

Could you elaborate on why this is (and possible workarounds)? I have exactly this set up and I'm running into issues with the client ending up on the default gateway even though it's using a gateway group that prefers a different WAN interface before failover to the default.