• OpenVPN PHP Wizard

    4
    0 Votes
    4 Posts
    768 Views
    S

    @johnpoz

    Looks like 23.09 is going to be out soon.

    https://docs.netgate.com/pfsense/en/latest/releases/23-09.html

  • site to site not working loc to loc

    11
    0 Votes
    11 Posts
    1k Views
    M

    @viragomann hi, your solution works!
    thanks!

  • OpenVPN server Netgate 6100 performance maximum concurrent connections

    1
    0 Votes
    1 Posts
    320 Views
    No one has replied
  • daily OpenVPN

    2
    0 Votes
    2 Posts
    297 Views
    adamw

    Could somebody delete this topic please?
    It was created accidentally when I intended to post to a different topic :(

  • OpenVPN Windows 11 Installation Failed

    5
    0 Votes
    5 Posts
    732 Views
    P

    The dropdown in taskbar is nice if you have multiple VPNs for different sites.


  • How to make OpenVPN work with Virtual IPs

    3
    0 Votes
    3 Posts
    444 Views
    G

    @viragomann

    thanks
    i tried to set langw to none, but i get the same result.

    vlan33 is 19.83.10.32/29 so indeed a typo.

    my actual subnet i need to access (98.91.0.0/16, and 5 more of the /16 subnets so covering a quite wide area) and set in OpenVPN Server's "IPv4 Local network(s)" section is not the pfSense LAN (19.83.10.32/29). pfSense LAN i could call MGMT because it's got no real use but to manage the OpenVPN.

    Btw the reason for the tiny vlan subnet is that to have carp and HA set up properly, i needed to allow promiscuous mode, mac address changes and forging transmits which i will not do on my other vlans for security reasons.

    once again, setting up a single server with the same setup without virtual ips it's all wrapped and packed working.
    there's something about the firewall/nat/rules i can't figure out.

    i can access (ping) 98.91.0.0/16 devices from WAN, LAN, Carp LAN, Carp WAN, too but not from OpenVPN 'nic'. I can ping my client from LAN and WAN, Carp LAN and Carp WAN, also OpenVPN 'nic'.

    I feel like there's a route/nat/firewall rule missing for requests coming from the OpenVPN nic, to my desired subnets (38.91.0.0/16 etc)

  • Establish openVPN tunnel from remote

    4
    0 Votes
    4 Posts
    554 Views
    V

    @AMartinelli said in Establish openVPN tunnel from remote:

    From my understanding, the steps should be these ones:

    openVPN traffic must be allowed to and from B3 WAN port in the whole network B. Typically, this means allowing UDP traffic on port 1194 for B3 WAN IP address.

    Since B3 is the server, it is sufficient to allow the OpenVPN traffic (e.g. port 1194) to B3. The OpenVPN server itself doesn't initiate a connection on its own.

    openVPN traffic reaching B1 must be forwarded to B3, more specifically to its WAN port IP address.

    So you have to forward UDP 1194 to B3.
    As it seems B2 is also a router in between, you have to forward it on B1 to the WAN port of B2, and on B2 to B3.

    There must exist in network B routing rules allowing network B devices (in this example B1 and B2) to reach B3 WAN port.

    If you only need to access B4 devices as you stated above, there are no routes needed for the other networks.

    I assume, you have stated the LAN address of B2 as the WAN gateway on pfSense in the interface settings. If this is the case, pfSense nats outbound traffic on the WAN to its interface address.
    If the VPN is for your own private purposes, what I assume, this would be fine and you would also be able to access B2 without the need of a static route. However, since B1 is behind a router from the point of pfSense you would need to add routes to access this subnet.

    In either case, you need to enter all subnets you want to access (B1, B2, B4) from the remote site into the "Local Networks" box in the OpenVPN server settings.

    Maybe the B4 devices need additional settings to allow access from outside of their subnets, if it's even possible. At least, they need to have the pfSense LAN IP as their default gateway.
    Try to access them from B2 to check this.

    B3 needs to be able to communicate through internet

    This is not necessary to connect to the OpenVPN server, however, it is for installing packages and updates on pfSense.

  • 0 Votes
    8 Posts
    869 Views
    M

    @viragomann

    Ok I see now.

    Thank you, I did find a NAT rule that took over almost the whole UDP port range and was obviously interfering with other inbound traffic.

    After re-configuring the service in question and reducing the Inbound UDP port range to something more reasonable, I was able to resolve the OpenVPN connection issue.

  • Never See Client Export Page for VPN

    3
    0 Votes
    3 Posts
    339 Views
    O

    @viragomann yes I did install it and it shows installed

  • Solved: OpenVPN reconnect AUTH_FAILED

    15
    0 Votes
    15 Posts
    54k Views
    V

    @Motleycru oh my oh my ...man ....thank you so so so much....so unbelievable....i wasted about 6 hours trying to debug this shit. i was so frustrated and wanted to wack someone from norde, GL-Inet or dd-wrt ...what a mess .... a simple code comment on some screen would have saved 1000's of hours of peoples time. some one deserves to wacked seriously. but thank you so so much. i can get some sleep now

  • Two OpenVPN Servers Concurrently?

    6
    0 Votes
    6 Posts
    820 Views
    johnpoz

    @Kajetan321 and there you go - why the other suggestions are normally easier ;) Because doesn't matter what the client does.. All it needs is its normal gateway..

  • in Site-to-Site OpenVPN can not access to the client LAN from Server

    23
    0 Votes
    23 Posts
    3k Views
    R

    @ShaneDeak

    Makes no difference in my case. At the end i had to create a new LAN firewall rule at client site pfsense (the one with dual wan and failover).

    FailoverVPN.jpg

    10.0.33.0/24 is the remote local net.

    Now it works in both directions.

  • How to Monitor and Restart VPNs

    1
    0 Votes
    1 Posts
    405 Views
    No one has replied
  • Connected client's wan ip is still getting assigned Wan ip.

    21
    0 Votes
    21 Posts
    2k Views
    johnpoz

    @ozgurerdogan If you have some box with 2 nics.. You need to make sure it has the correct route to get to whatever your vpn tunnel network is.. Or it would just use its default route to try and answer some IP it does not have a route to.

    So this other wan connection being used for non vpn rdp into this box, is not pfsense I take it.. Why would this other connection not come into pfsense?

  • OpenVPN client (site-to-site) through a OpenVPN Scaleway InstantApp

    1
    0 Votes
    1 Posts
    261 Views
    No one has replied
  • Email Notification - OpenVPN Client Connect (Common Name)

    138
    0 Votes
    138 Posts
    44k Views
    M

    Hi all,
    I do not know much about pfsense command line.
    Wondering if someone can help me step by step ?
    Do I need command line access to the router or I can use the web access to the router ?
    Can I use the command prompt section ?
    So I have to create 2 executable files name notify.sh and disconnect.sh ? How I am going to create these files ?
    I think I got the part to set the permissions. How can I set the permissions ? by using Execute Shell Command section on the web ?
    What will be in those two files ?
    So same code in both files ?

    @Armstrong said in Email Notification - OpenVPN Client Connect (Common Name):

    #!/usr/local/bin/php -q
    <?php
    // notices.inc provides notify_all_remote()
    require_once("/etc/inc/notices.inc");
    // Build the message from the environment variables OpenVPN passes to the script
    $local_connect_value = " user_name: " . getenv('common_name') . " vpn_client_ip: " . getenv('ifconfig_pool_remote_ip') . " from: " . getenv('trusted_ip') . " on " . date('F j, Y, g:i a');
    // When this file is the disconnect script, append the session statistics
    if (strpos(__FILE__, 'disconnect') !== false) {
        $local_connect_value .= ", duration : " . getenv('time_duration') . " seconds, received : " . getenv('bytes_received') . " bytes, send : " . getenv('bytes_sent') ." bytes. DISCONNECTED.";
    }
    notify_all_remote($local_connect_value);
    ?>

    Am I copying from <?php or from #!/user ?
    If it is from <?php then what I have to do with first line #!/usr/local/bin/php -q

    Is it possible some one can help me step by step and also tell me which part of the webconfigurator I need to use to do all this please ?

  • Accessing IROUTE LANs AFTER a reconnect of associated client/router

    1
    0 Votes
    1 Posts
    232 Views
    No one has replied
  • 1 Votes
    8 Posts
    1k Views
    E

    @jimp i have the same problem but i use /30 so tunnel network should be specified right?
    other subnets (tried /29 and it connected but no traffic and wrong ping due to wrong subnet) and no ipv4 tunnel network work (with this obviously no IP but still connects the server)
    here is the thread I started

  • ovpn tunnel client stopped working after update to 2.7.0 from 2.6.0

    2
    0 Votes
    2 Posts
    436 Views
    E

    @elliopitas rolled back my client pfsense to 2.6.0 and it works.
    I still get the last error though so its the 2nd I guess.
    back on the updated version all other subnets (tried /29 and it connected but no traffic and wrong ping due to wrong subnet) and no ipv4 tunnel network work (with this obviously no IP but still connects the server)

  • Netgate 6100 openvpn slower on some appliance

    4
    0 Votes
    4 Posts
    596 Views
    K

    On the slow netgate, I stop the IPsec tunnel and reboot the device.

    after a few file transfers over openvpn, I check the interrupt with the command: vmstat -i | grep qat

    the command didn't return any result.
    Maybe I'm wrong but it seems that openvpn doesn't use QAT.

    after restarting the IPSec tunnel vmstat -i | grep qat return :
    irq170: qat0:b1 139 0
    -> QAT is used by IPSec

    is there a reason for openvpn not using QAT ?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.