@wakson005 Ok turns out the issue is using alias in my openvpn server settings. Though the alias is correct it seem to not load properly when performing HA or rebooting of PFSense. Do anyone else encounter this problem?

If Server instance has this setting OpenVPN still work but encounter the issue I stated above where I have to restart the tunnel network even though it show it is connected to get the traffic and ping working again. This is after a HA failover or a reboot of pfsense.

PFSense 2.7.0 & 2.7.1

Alias:
61e514fc-8637-490e-9900-516322d46417-image.png
Setting that will fail:
1a783268-3601-4f1a-ac54-9841c2f9bc83-image.png
Setting that will work:
ef5187d5-b71c-403b-8b31-4bb23d383f42-image.png

Obvious for this case it is pointless for an alias but for 10+ subnet the alias is just more convenient. I just like to set things up for expandability when possible. Especially in a STAR OpenVPN setup

@viragomann said in OpenVPN Firewall Rules problem:

o do so add a rule to the top of the LAN rule set and put the server into the destination, not dest ports. In the advanced options state the WAN gateway.

Yes, the destination server is in the web. But this web server doesn't block VPN connection because :

With my Formuler Z11, I can access to the web server IPTV (MyTVOnline 3) through the VPN installed in pfsense. With my computer, I can access to the web server IPTV through NordVPN client directly installed on my computer.

The problem is when I want to connect to the web server from my computer through the VPN installed on pfsense. Maybe the problem is IPTV Smarter Pro application ?

@Gertjan

Well, in my case, we have sites to sites OpenVPN links.
Each site is a "vpn client" and there is an openvpn server in the middle.
Each sites have their own data server(s) and other equipments.

Users on each sites can access servers on other sites.
I believe NAT wouldn't work well in this case.

But, now, I think I understand your idea, it's when the client site only have "clients" users, then I understand your NAT suggestion.

Thanks again

Phil

@andrzejls thank you!
I never used this before.

I did it, but now that’s weird, my vpn is setting up, but it does works when I locate my IP.

I’m going to reset my openVPN setup and doing it again.

found the issue, I had copied to wan rule and selected wan2 but forgot to change the destination from Wan Address to WAN2 Address. All working now.

Thx all.

@viragomann said in VPN Configuration Issue: Accessing Site B from User Authentication VPN in OpenVPN:

The pfSense GUI provides the "Local Network/s" field for this.
So this box should look like this in your setup:

192.168.10.0/24,192.168.20.0/24
This pushes the routes for both LANs to the clients. However, you need also site B let to know how to route the clients tunnel pool.
This is done by adding the access server tunnel network 10.0.8.0/24 to the "Remote Networks". If you push the routes from the server you can also add it the the "Local Network" in the site-to-site config at A.

Reply Quote 0

@viragomann Success! Thank you so much! 🍡

Thank you very much for your guidance. I now have OpenVPN to the LAN working fine.

Now I'm trying to figure out the next problem. I have Used Port 4 on the Netgate 2100 to assign a VLAN with a completely different IP of 10.1.10.1/24. The VPN server does include 10.1.10.1/24. I added a rule to that interface (for now) as any to any, but the OpenVPN cannot get to a web server at 10.1.10.200.

Assistance will be GREATLY appreciated.

Leon

@cezar_a your welcome

@swaldren peer to peer doesn't route all traffic out the vpn.. It just allows each side to talk to the other sides network - if you allow it and setup the routing correctly..

Remote access is for road warrior connections - where you don't care to get to the remote network the clients on, just the client.. Via whatever IP you hand it out of your "tunnel" network.

@DominikHoffmann said in Update to 23.09 broke OpenVPN server:

I know it is the 23.09 update that broke my OpenVPN server.

Tip of the day : put back the RSS dashboard widget :

2a413d79-8581-4e18-9300-c7923b1f5d53-image.png

its full with info that you need to know. Even if you don't know it yet 😊

@walternet said in OpenVPN Client Issue with VPN.S (VPNSecure.me) after upgrading 2.6 -> 2.7:

I found my issue : compression param was misconfigured ! :-)

I was able to find thanks to @johnpoz config share !

you're right ; however, if your compression param is not OK, there's no traffic in the OpenVPN tunnel ... and no byte sent / received in Status / openVPN menu ...
Symptoms are the same as routing issue ... which was my interrogation ...

Have a nice end of day !

W.

@viragomann

Thanks Virago, the error is because a DNS problem, we fix it.

@viragomann Okay, but in the firewall I am blocking communication from the LAN to the VLAN, but the LAN still communicates with the other side of the tunnel.

Configuring my IPs:

LAN Main firewall: 10.1.1.1/24
VLAN: 172.24.0.0/24

LAN client firewall: 10.0.0.1/24

IPv4 Tunnel Network: 192.168.210.0/30

@jimp Awesome, thank you for the reassurance. We'll keep working on moving our users over but can at least take advantage of the bug fixes/etc in 23.09

I finally found the culprit. The clients that I was expecting to connect to the OpenVPN server were configured under OpenVPN > Clients. Hence the server tried to connect to itself. In combination with push "redirect-gateway autolocal def1";, that seems to have broken the routing on the pfSense.

The solution was to delete the clients from OpenVPN > Clients.