@ipguy said in I need BF-CBC: https://forums.openvpn.net/viewtopic.php?t=35809#p111709 These openvpn options : providers legacy default data-ciphers-fallback BF-CBC compat-mode 2.3.18 check if they still exist in the version used by pfSense. First : check the Openvpn version used by pfSense. Then, with that version number, look them up in the openvpn user manual. If it's the case, then use them here : [image: 1754303064757-c6da93cf-9502-4171-b791-b119919f5e6f-image.png] for example, I use the option status /var/log/openvpn.status; status-version 1; for my own needs. When yous aved tehse option, check how OpenVPN sarts up (the logs) and see if it doesn't scream with errors. Also check the openvpn config file (the one created with the GUI parameters) for consistency. You can find the file here : /var/etc/openvpn/server1/ and look for the file "config.ovpn". It's an ordinary text file. Don't (bother) edit(ing) this file as it is auto generated by the GUI.

Thanks but I'mafraid to say I've had a conversation with chatgpt about it and it didn't take long to find the solution, firstly as you suggested I binded to any interface, then created a dedicated firewall rule in the LAN interface. Then got Connection Attempt write UDPv4: No route to host (fd=6,code=65) in OpenVPN logs Which again chatgpt advised creating a default gateway route back to the UDM in System/Routing Hope this helps someone else in the future.

I made a mistake in my config, for the local network in the VPN config I enter 192.168.0.1/24 and should have been 192.168.0.0/24

@labu73 The sentence in bold letters is still the essential message to get this work.

@viragomann I lost oversight. The customer edited stuff on his own ... and wrote he succeeded by adding fw rules and policy-based-routing. Sounds like overkill a bit, but ok if he's happy. I have to accept that this box is out of my control somehow now ;-) thanks for your help. I might report back if I get access again and see things.

@phthatcher said in SG-1100 as VPN client only (no dhcp) adding to existing network: just assure that when the server reaches out to the web it is behind the vpn So all you need is to configure pfSense as default gateway on the server. The pfSense only needs a single interface (LAN, router-on-a-stick), connected to your LAN. On the VPN interface you have to add an outbound NAT rule, as mentioned in the ExpressVPN tutorial.

@viragomann banally ho quest problem, per riassumere If you download your pc from the lan dove and install the pfsense with opnvpn site to site client, pingo i server windows o i pc della lan pfsense server, invece dalla parte server non pingo nessun pc, nemmeno il pfsense client. Invece dal ping di pfsense pinggo calmly. What can you control that the server does not function?

Hi Jens, I would suggest the following: Set the ‘WebCfg – OpenVPN: Client Export Utility’ permission as the user's first permission (i.e. so that it appears at the top of the list). This will allow the user to access the Client Export Utility via the pfSense logo, as the first permission effectively sets the ‘homepage’. Best regards, Hagen

Just in case anyone else is losing hair over this for me with pfsense + 24.11 OpenSUSE 15.6 (I'm sure other distros are similar) and OpenVPN client 2.6.8 though NetworkManager. No edit of /etc/ss/openssl.conf was needed No hacking of OpenVPN conf files was needed. No exporting user certs from System-Certificates was needed. In VPN-OpenVPN Client Export Microsoft Certificate Storate - Untick (We are using Linux) Password Protect Certificate - Tick Certificate Password - Add something meaningful. Download from Bundled Configuration - Archive (Inline did not work) Extract somewhere sensible In NetworkManager: Client on "+" Add New Connection in bottom left Scroll down to bottom Import VPN Connection & choose the .ovpn from the extracted archive zip. Optional but sensible: fill in the certificate password Change to save password for user only (not system-wide) Make sure you fill in the username (required) and password (optional) or client login fails Change to save password for user only (not system-wide) Really could have used this in the pfsense documentation!

@johnpoz ...good point on the lease time, I would have not thought of that, and wondered why things were not working... Cheers!!

Well Comcast was the fault - WAN_DCHP gateway ping automatically set to ip address but no response gateway down - only it wasn’t and the straight to isp was working Reset to 8.8.8.8 VPN vlan came back

@Aadrem said in OpenVPN: Allow Internet via WAN IP but Block LAN Access (Hybrid Split/Full Tunnel): push "route 0.0.0.0 128.0.0.0"; push "route 128.0.0.0 128.0.0.0"; This is the same as checking "redirect gateway". This setup behaves like a split tunnel, so the client continues using its local internet connection. No, it adds routes to the client for the whole IPv4 range. This is not split tunneling. The client will only be able to access devices within his local subnet, but any other traffic will be routed over the VPN, and this is what you need in fact. I already have other VPNs configured as full tunnel, so I cannot apply restrictive firewall rules globally, as that might affect those existing VPNs. You can restrict the rule for pass traffic to WAN / block local subnets to the clients source IP. You can also assign an interface the the respective OpenVPN server. Then you get a firewall rule tab, where you can add rules for this instance only. If you only want to allow internet access it's a good advice to create an alias, which includes all private network ranges like this: [image: 1751383549682-d4dab693-0eb8-4b58-99da-109081f6e881-grafik.png] Then you can use it as destination in firewall rules, either in a pass rule with "invert match" checked to restrict the rule to non-private networks only, or in a block rule followed by an allow-any rule.

Yes, both are configured to to listen to the wan gateway group, but different ports.

I've tried doing this a NAT: [image: 1750866954364-044467cb-9aba-43cd-9478-da27475ebcfe-image.png] Resolving in no port open and no trafik towards my host, as a simple nginx page. This is what I would Normally do NAT a port to a service. I'm testing with https://ismyportopen.com/ - or directly onb the IP:PORT With my VPN-CLient created as a Interface - without any rules for that Interface: [image: 1750867425016-4f35e0a9-d1fa-42c2-93a0-5cb8d1a679aa-image.png] Since my VPN-client are created as an Interface - I would like to think there should be the rules under this interface for incomming rules. Where I should believe (as the torguard as a Interface) should look like this instead: [image: 1750867966347-498a8fdc-11a4-41ff-990f-983764915838-image.png]. But I'm not getting through in any of the 2 ways to my nginx. No issue with internal IP and port - which showing nginx testpage

@itinfo PICNIC I'm glad, that it was as simple to resolve.