I downgraded to 2.1.2 (backup restore) but the OpenVPN service does not start because of the same error. I upgraded again to 2.1.3 and the problem has now been solved.

Sorry,

You're going to have to use a little longer explanation, to explain your problem.

I'm guessing that we're fighting a language barrier  :P

If you can give a clear explanation of your problem, someone here will try to help.

I added comment to your post on the other forum.

I have v6-over-v4 working with this configuration:

push "redirect-gateway-ipv6 def1"; push "route-ipv6 2000::/3";    <<<-----  Global Unicast Address

Of course the IPv6 prefix (in the screen shot) is unique from the LAN.  I get a /60 from DHCP-PD.

Just FYI:  I also have a second OpenVPN instance running for v4-over-v6.  One thing I found was that you need to use tcp6.  If you use udp6, there is very nasty interface looping.

ovpn.jpg_thumb
ovpn.jpg

You have a strange VPN setup.

VPN1: 10.2.6.0/29
VPN2: 10.0.0.0/8
?????

VPN1 is part of VPN2!
Why is VPN2 as large? I can't believe that your hardware can manage as many connections.
Why is VPN1 as small? By default the server allocates a /30 net for each client.

You should clean up this at first.

Add an additional rule to LAN interface underneath the one that directed PC #1 over VPN, that blocks any traffic from this PC to anywhere.
If you have additional subnets on other interfaces that should be accessible you have to exclude this.

This rule is applied only if VPN id down.

@jimp:

Not that I'm aware of, no. Not unless you manually setup a mesh of tunnels.

You might look into Tinc.

I see, i will take a look =).

Thanks for the reply

We have a bunch of servers and for security we limited access to them to a specific group of ip address. Our WAN ip addresses. They are not located in the same location as our PFSense box so we have to go over the internet to connect to them. So when people need to connect to them from home they have to connect to the VPN first.

I didn't know that it went through the default gateway so that is good to know.

I went ahead and added a rule to the openvpn tab as you suggested and I got the desired effect.

My brain thanks you! You are the man!


It was the firewall on the remote windows machine, I totally forgot that windows blocks shares outside the subnet by default.

Thanks a lot!

Glad it all worked out.

Like many others around here I find the forums to be a wealth of excellent information for pfsense.

It may take a little time, but searching and asking polite questions seems to yield great results (at least for me).

Good luck  :D

We use OpenVPN Access Server at work on a dedicated server which replaced our old Microsoft VPN server.  The "engine" is basically the same with exception that the GUI is provided to manage it.  There is one thing I do like about OpenVPN Access Server is the Web GUI for users to install the pre-packaged OpenVPN client created specifically for that user and their certs are generated on the fly.  Long as the users are part of the "OpenVPN" security group in Active Directory they can easily use it.

In PfSense I have to pretty much have to install it for each user manually.  It's not big of a deal for a small office using the OpenVPN export add-on but 200+ users it would take awhile.  But once it's installed users don't have to do anything other than launch the client and log on.

This is little more what you were asking about but wanted to point out a couple of key differences in terms of deployment.

I prefer using PfSense as I don't have to deal with licensing nightmare and very flexible in network configurations.

I was just coming back after taking some time off of work and going to post something.  Thanks for fixing this guys!

I did try that first and only the openvpn server settings were restored, no certs.

Do your showing a public IP there 197.130.x.x how do you think your going to talk to 10.0.2.15.. How exactly are you talking to 192.168.56.107?

Where are you VM interfaces on this PC?  What VM software are you running exactly?

What exactly are you trying to accomplish here?  Are you trying to run your PC behind the VM pfsense connected to your internet for a firewall between your PC and the internet?  If so that does not have anything to do with a vpn connection.. It wouldn't be needed from your pc to pfsense.

And I forgot to mention, before testing the client I removed the default gateway addy from the TAP adapter.  Even though Windows moved the connection to Public, I could still access what I needed to on our work network.

Create the VIP as a 'CARP' type, then select the VIP under Interface in the OpenVPN server.

@Hollander:

Could I ask: how do you see if there are DNS-leaks?

You could create a firewall rule to allow and log any outgoing traffic on port 53 for the WAN. You should see the only name resolutions will be for pfSense stuff and PIA servers. What's nice about the logging is it deconstructs the packet to determine what hostname was requested to be looked up. If you are interested in logging DNS but just in general check out the thread I started here:
How can I record and maybe monitor all DNS requests and replies?

If you stop DNS outgoing on the WAN there is a "which came first, the chicken or the egg" problem because then how does pfSense lookup the address for the PIA server you're connecting to, or pfSense to check the latest version of FreeBSD?

Also keep in mind about the DNS forwarder if you have that enabled you could leak in certain scenarios. For example I have a pfSense box behind a wireless router. So my router has address 192.168.1.1 and when it assigns an IP via DHCP it offers nameserver 192.168.1.1. So the pfSense WAN IP address is something like 192.168.1.2 for example with nameserver 192.168.1.1. Then the pfSense LAN has a DHCP server (192.168.10.1) that assigns an IP 192.168.10.2 and nameserver 192.168.10.1. When client 192.168.10.2 wants to resolve it sends its request to 192.168.10.1 which is the pfSense DNS forwarder. That then sends the request to 192.168.1.1 which is the wireless router DNS forwarder. I believe that would happen even if I was routing my traffic over OpenVPN because 192.168.1.x is a local route. The setup I have right now is I disabled the pfSense LAN DNS forwarder and the pfSense LAN DHCP instead offers google nameservers. The google nameservers are not a local route so they go over VPN.

@Hollander:

The military man here says that the order of the rules in NAT is important (VPN should be at the top of the list), whereas some comments below it he says this is not necessary if your VPN is the default gateway. However, I have neither: my PIA VPN is not at the top of the rules in NAT, nor is it the default gateway. But I think my PIA VPN is working - looking at the traffic in the GUI, as well as when I look up my own external IP. So apparently what he writes isn't true  ???

That I don't know about, you may have to start a separate thread to ask that question and get someone's attention. In my rules the OpenVPN PIA is first.

Also, unrelated, the biggest issue I've had so far with my setup has been OpenVPN continues to work even after it's terminated due to fatal error. So FYI, you may encounter that. It looks to be a bug.

Assign different tunnel networks to each single VPN server and base your rules on these subnets.