  • OpenVPN needs restarting

    0 Votes
    2 Posts
    715 Views

    I found that my log needed a reset, so now when this happens the next time I will hopefully get some
    useful info and see what the problem is.

    Perhaps I need you guys again…

  • OpenVPN on dual WAN - cannot reach clients

    0 Votes
    15 Posts
    2k Views

    Hi,

    anybody have any further ideas? This is still not working, but I cannot find the issue. All settings look fine.

  • LAN to access OpenVPN clients

    0 Votes
    3 Posts
    2k Views

    @Viragomann:

    Thanks for your reply. Forgot about Winblows firewall. I just punched a hole in it and it works. I was only using this machine to test the connection before setting it up on my remote machine. Thanks again.

  • PfSense and MikroTik site-to-site OpenVPN

    0 Votes
    9 Posts
    8k Views

    Hi everyone.

    acriollo, can you help me set up an OpenVPN server in pfSense and a MikroTik OpenVPN client?

    I can't get mine working…

    Thanks in advance.

  • OpenVPN PAM/Yubico

    0 Votes
    4 Posts
    3k Views

    Hi,

    The way I got this working was via another FreeBSD instance and creating a separate curl-package with cares-support (https://github.com/Yubico/yubico-pam/issues/55 - is in fact my post).

    However, this is not at all good, since every update of pfSense breaks the package, and you need to reinstall the precompiled port. This is why I tweeted pfsense a while back urging them to ship pfSense with cURL-cares (https://twitter.com/ict_sec/status/648418038807724032).

    I just jotted down a few notes to help me remember what I did on a separate FreeBSD instance to get it working, with the guidance from http://mjslabs.com/yubihow.html.

    mv /usr/ports /usr/ports.bak
    pkg install subversion
    svn checkout https://svn0.eu.FreeBSD.org/ports/head /usr/ports
    cd /usr/ports/ftp/curl   # make config/install must run inside the port directory
    make config              # enable the c-ares (CARES) option here
    make install
    pkg create curl          # packages the installed curl as curl-<version>.txz in the current directory

    Transfer the newly created .txz file to the pfSense machine and install it with pkg add curl-XXXX.txz

  • OpenVPN site to site (client/server) + server/server

    0 Votes
    10 Posts
    2k Views

    Honestly I've never run into the key length issue on "modern" clients.

    I have used no less than 2048 bit for certificates and DH parameters for at least the last five years without issue.

    I would make sure your certificates are correct, that has always been the biggest "hassle" for me in setting up OpenVPN links.

    After doing a little hunting on the OpenVPN site, I do see reference to a similar problem with a DD-WRT router and an iOS client, but that was on a much older version of the OpenVPN client.  Might be worth a check to make sure the iOS client app is fully up to date or perhaps even an uninstall/reinstall.

  • [Solved] Unable to access LAN network using OpenVPN

    0 Votes
    6 Posts
    2k Views

    Hi There,

    I've resolved this by changing the gateway from the existing one to the pfSense IP, which then allows clients to communicate with pfSense as the gateway.

    Now, I'm able to access the said network.

    Thanks!

  • Site to Site bridging server to client from local access server's client

    0 Votes
    1 Posts
    594 Views
    No one has replied
  • PfSense OpenVPN Client

    0 Votes
    1 Posts
    957 Views
    No one has replied
  • Centos 7 as client to pfsense server

    0 Votes
    2 Posts
    1k Views

    Let me replicate to ensure I've got your intention well.
    You have a pfSense box running an OpenVPN server, and Windows and CentOS should connect to it and be able to communicate together? And now your challenge is to set up a VPN client in CentOS?

    Do you use NetworkManager for your connections?

  • DNS not working properly

    0 Votes
    4 Posts
    2k Views
    johnpoz

    Yup the resolver has an access list.. and remote networks would have to be allowed..

  • Remote Access to pfsense behind corporate firewall

    0 Votes
    3 Posts
    1k Views

    @johnpoz:

    So what is this corp firewall?  I ask because to be honest end pointing a vpn connection behind the edge is normally a bad idea, and just complicates the setup.

    I would suggest if you want to use openvpn to provide road warrior access that you swap out your corp firewall (it doesn't support vpn?) with pfsense and setup the vpn as it should be setup on the edge device.

    Hi there!

    the firewall is a Dell SonicWall which does not support more than one SSL-VPN client at a time…

    which brings us to the same question of how to achieve that.
    Forum members have written that they have had or have the same setup, but none writes on how to actually achieve that.

    please advise!

  • OpenVPN bug(?) if there is more than one VPN-Server

    0 Votes
    5 Posts
    1k Views

    Probably you're right with "That's widely documented", as you are in that theme and an admin here.
    I didn't find anything about that anyway. Maybe you can point me to a good place to start reading about it?

    Even if pfSense is not for beginners, there are lots of things where I feel the documentation is not comprehensive enough.
    To have that "Interface Address" in that dropdown at least is misleading.

    I can't imagine where someone would use that intentionally, then.
    If I have one VPN it will do, but adding a second VPN will break the outbound NAT for the first one. So it should be recommended that you better not use "Interface Address" there, because this can cause problems later, when you have already forgotten that the outbound NAT rules depending on the first VPN are affected then.

  • Multiple VPN Network on single Pfsense! How to access all network ?

    0 Votes
    5 Posts
    2k Views
    Derelict

    No.  You add routes and iroutes to OpenVPN and it adds them to the routing table as necessary.

    I'm asking if you can renumber because it would be easier to do (and reduce your chance of a collision with another network) if you were to number your LANs something like:

    172.26.48.0/24
    172.26.49.0/24
    172.26.50.0/24
    172.26.51.0/24
    172.26.52.0/24

    Then, to every site, you would push a route to 172.26.48.0/28

    Then, in your client-specific overrides on the main site, you would iroute the appropriate LAN network to the appropriate client.

    And on all your OpenVPN rule tabs, if you want everyone to be able to access everything, you would pass all traffic from 172.26.48.0/28

  • TLS handshake failed intermittently

    0 Votes
    17 Posts
    7k Views
    johnpoz

    my client is set to 3 as well, server is set to 4.. let me set it down to 3 and reconnect.

    Ok, just reconnected with the server set to 3 and I still see it verify.

    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 [johnpoz] Peer Connection Initiated with [AF_INET]publicIP:63992
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 22 14:28:21 openvpn[12190]: publicIP:63992 VERIFY OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=johnpoz
    Oct 22 14:28:21 openvpn[12190]: publicIP:63992 VERIFY SCRIPT OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=johnpoz
    Oct 22 14:28:21 openvpn[12190]: publicIP:63992 VERIFY OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=openvpn
    Oct 22 14:28:21 openvpn[12190]: publicIP:63992 VERIFY SCRIPT OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=openvpn
    Oct 22 14:28:17 openvpn[12190]: publicIP:63992 TLS: Initial packet from [AF_INET]publicIP:63992, sid=6f5a2a44 6d92e177
    Oct 22 14:28:17 openvpn[12190]: TCP connection established with [AF_INET]publicIP:63992

    client

    Thu Oct 22 14:28:17 2015 TLS: Initial packet from [AF_INET]10.56.226.130:8080, sid=ba339956 9c9fc85c
    Thu Oct 22 14:28:19 2015 VERIFY OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=openvpn
    Thu Oct 22 14:28:19 2015 VERIFY OK: nsCertType=SERVER
    Thu Oct 22 14:28:19 2015 VERIFY X509NAME OK: C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=pfsenseopenvpn
    Thu Oct 22 14:28:19 2015 VERIFY OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=pfsenseopenvpn
    Thu Oct 22 14:28:22 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Oct 22 14:28:22 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Oct 22 14:28:22 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Oct 22 14:28:22 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Oct 22 14:28:22 2015 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Thu Oct 22 14:28:22 2015 [pfsenseopenvpn] Peer Connection Initiated with [AF_INET]10.56.226.130:8080

  • OpenVPN stops at 1gb

    0 Votes
    1 Posts
    674 Views
    No one has replied
  • Deluge thru PIA VPN

    0 Votes
    2 Posts
    3k Views
    Derelict

    All you have to do is be able to identify the traffic.  Post your port config page.

    If you have an inbound port forward from PIA to you, you don't need to do anything because the traffic is obviously coming in via PIA.

    For outgoing ports, you will have to uncheck Use Random Ports then set a port or port range for outgoing connections.

    Then add those ports to the firewall rule that policy routes traffic to the VPN.

    If you set outgoing ports from 63001 to 63010 you would set your firewall rule like this:

    TCP/IP Version: IPv4
    Protocol: TCP/UDP (unless you know it's one or the other)
    Source: Local Host IP
    This is one of the few times it's appropriate to do this, but click advanced
    Source port range: from: 63001 to: 63010
    Destination: any
    Destination port range: from: any to: any
    Advanced Features
    Advanced options: mark the packet NO_WAN_EGRESS
    Gateway: YOURPIAVPNGW

    A better way to do it might be to add an IP alias to your torrent host and make Deluge use only that. No idea how to do that on your system, but Deluge appears to be able to select an interface for outgoing connections. It looks like mine (Mac) just prompts for an interface name. Might take some digging.

  • Openvpn tap ping issues

    0 Votes
    1 Posts
    705 Views
    No one has replied
  • Openvpn ping and routing issue

    0 Votes
    8 Posts
    2k Views

    Just to ask the obvious simple question:

    If these are Windows machines, have you made sure the internal firewalls are not blocking "foreign" subnets (perhaps turn them off for testing purposes)?

    Have you tried pinging something easier (like a network printer) instead?

  • ICMP packets between site-to-site VPN client/server?

    0 Votes
    2 Posts
    682 Views

    That's from gateway monitoring, where the specific ovpnX interface is assigned.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.