@pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:

supervisors/managers

Yeah they not going to know squat, you need to talk to one of their upper level tech/engineers ;)

@dimangelid it also worked for me, thank you very much have a good day.

@greenlight
I don’t use pfblockerng

Some more info...

I am trying now to reconfigure my system by getting rid of all the VPN configuration and redoing it..

However as one last thing, I was going to try was removing my VPN Gateway and recreating it and subsequently assigning a VPN interface to it.

However when I did that, my Internet access stopped working. i.e. the WAN_PPPeO gateway was removed under the covers!

I wonder if this is the problem I am experiencing above:

There is something weird in that the Gateway link on my rule shows that correct VPN gateway, including a red status when I hover over it, but when I click the link it opens to the WAN_PPPOE Gateway definition, not the VPN one.

Which leads me to believe there may be something that happened during the upgrade? I even recreated the rule from scratch, with the VPN gateway selected, but it still clicks through to the WAN_PPPOE gateway?

For clarity, on the Rules/LAN page where I have my rule to direct certain hosts to the VPN Gateway. it shows that I have my VPNgateway selected for the traffic. If I hover over the VPN link for the rule, It shows the VPN gateway state.

But when I click on the VPN gateway link, it opens to the WAN_PPPoE gatweway definition, not the VPN gateway definition? if I inspect the link, the URL points to the actually WAN_PPPeE gateway with id=3 whereas the VPN gateway is actually id=2?

I wonder if the backup/restore of my configuration is just screwed and I need to start over?

Any ideas here?

@dneuhaeuser said in pfSense 2.7.1 OpenVPN SHA1 hash clarification:

I understand that with pfSense 2.7.1 SHA1 certificates are no longer supported for OpenVPN.

However the list of "Hash algorithms removed from OpenVPN" does NOT include SHA1.

So does this mean SHA1 is still usable as auth digest algorithm for the time being?

That is correct. It is still OK (though not great) to use as an auth digest algorithm for now, that's a bit different context than when it gets used on a certificate.

No, that kind of control would have to be implemented in the Client OS and support for those sorts of restrictions vary widely. Especially if it's a device owned by a user and not controlled by the company there wouldn't be a way to enforce anything on there.

@SteveITS
I'm trying to avoid the logs full of "recursive routing".
Doing a packet capture, I discovered that one of my LAN devices that sends traffic over the OpenVPN client ( I have a NAT rule for that ) is trying to connect to the public IP address of my client.
I created a block rule that blocks traffic to the public IP, and it is working great.
With that rule there is no more "recursive routing" on the OpenVPN client logs.

On my Client config, I have a FQDN, not an static IP, and that FQDN calls a list of IPs, and uses 1 public IP from that list to connect to.
That's why the Remote IP always changes, and that's why I'm looking for a way to automate via an Alias or Virtual IP that IP, so that the "blocking" rule continues doing its job.

Just realised I made a mistake. I wanted to reply to a thread and I’ve ended up creating a new one. Seems like I can’t delete this either.

@wakson005 Ok turns out the issue is using alias in my openvpn server settings. Though the alias is correct it seem to not load properly when performing HA or rebooting of PFSense. Do anyone else encounter this problem?

If Server instance has this setting OpenVPN still work but encounter the issue I stated above where I have to restart the tunnel network even though it show it is connected to get the traffic and ping working again. This is after a HA failover or a reboot of pfsense.

PFSense 2.7.0 & 2.7.1

Alias:
61e514fc-8637-490e-9900-516322d46417-image.png
Setting that will fail:
1a783268-3601-4f1a-ac54-9841c2f9bc83-image.png
Setting that will work:
ef5187d5-b71c-403b-8b31-4bb23d383f42-image.png

Obvious for this case it is pointless for an alias but for 10+ subnet the alias is just more convenient. I just like to set things up for expandability when possible. Especially in a STAR OpenVPN setup

@viragomann said in OpenVPN Firewall Rules problem:

o do so add a rule to the top of the LAN rule set and put the server into the destination, not dest ports. In the advanced options state the WAN gateway.

Yes, the destination server is in the web. But this web server doesn't block VPN connection because :

With my Formuler Z11, I can access to the web server IPTV (MyTVOnline 3) through the VPN installed in pfsense. With my computer, I can access to the web server IPTV through NordVPN client directly installed on my computer.

The problem is when I want to connect to the web server from my computer through the VPN installed on pfsense. Maybe the problem is IPTV Smarter Pro application ?

@Gertjan

Well, in my case, we have sites to sites OpenVPN links.
Each site is a "vpn client" and there is an openvpn server in the middle.
Each sites have their own data server(s) and other equipments.

Users on each sites can access servers on other sites.
I believe NAT wouldn't work well in this case.

But, now, I think I understand your idea, it's when the client site only have "clients" users, then I understand your NAT suggestion.

Thanks again

Phil

@andrzejls thank you!
I never used this before.

I did it, but now that’s weird, my vpn is setting up, but it does works when I locate my IP.

I’m going to reset my openVPN setup and doing it again.

found the issue, I had copied to wan rule and selected wan2 but forgot to change the destination from Wan Address to WAN2 Address. All working now.

Thx all.

@viragomann said in VPN Configuration Issue: Accessing Site B from User Authentication VPN in OpenVPN:

The pfSense GUI provides the "Local Network/s" field for this.
So this box should look like this in your setup:

192.168.10.0/24,192.168.20.0/24
This pushes the routes for both LANs to the clients. However, you need also site B let to know how to route the clients tunnel pool.
This is done by adding the access server tunnel network 10.0.8.0/24 to the "Remote Networks". If you push the routes from the server you can also add it the the "Local Network" in the site-to-site config at A.

Reply Quote 0

@viragomann Success! Thank you so much! 🍡

Thank you very much for your guidance. I now have OpenVPN to the LAN working fine.

Now I'm trying to figure out the next problem. I have Used Port 4 on the Netgate 2100 to assign a VLAN with a completely different IP of 10.1.10.1/24. The VPN server does include 10.1.10.1/24. I added a rule to that interface (for now) as any to any, but the OpenVPN cannot get to a web server at 10.1.10.200.

Assistance will be GREATLY appreciated.

Leon

@cezar_a your welcome