I confirm. Everything is working now. The packets were going back to the wrong gw.
It's too bad the dashboard widget doesn't provide more information about the individual connections but I guess I can get that from some other program on the firewall like bandwidthd for example.

Update: Nope, can't get that from bandwidthd.

All good now.

@mweiler said in Local resources not reachable via tcp:

add a static route on each of the local devices you want to access from a VPN cleint.

So you are saying that this should work, even with my setup of two routers in the same LAN?

Yes, this should work.
You need a static route for the VPN tunnel network and point it to the LAN IP of pfSense.

I had already tried that, but somehow failed.

Also consider to allow the access on the destination device itself. Its firewall might block the access by default, because its from outside of the local subnet.

Masquerading would circumvent this.

And doesn't the fact that 'ping' works already prove that the clients know the routes?

No, as I mentioned in my first post, you actually have an asymmetric routing.
Request packets from VPN client go from pfSense directly to the destinations device, but response packets are sent to the router. If the router is statefull, he might drop the packets, because he never saw the belonging request packet.
Ping (ICMP) is stateless, hence this doesn't matter.

However, why won't you set up a transit network? If your primary router is capable to handle multiple local subnets or VLANs, this would be the preferred option for me.

Thank you, that made it.
I did not expect that I could use Client Specific Overrides to add a route on top of "Force all client-generated IPv4 traffic through the tunnel."

👍

@michmoor said in Connected to home VPN but public IP not showing the correct IP (Netflix bypass):

I think is the opt

Thank you, that did the trick!

@tjabas
VPN = Virtual Private Network
So yes, OpenVPN gives you an additional subnet and a virtual network interface, where the clients are connected to after establishing a connection.

You can control the access with firewall rules or forward it as on any other interface.

pfSense has a wizard implemented for configuring an OpenVPN server with the intention to access the local networks.
It's pretty easy. Just give it a try.

Also it's all well documented: OpenVPN Remote Access Configuration Example

@nickyw the section “Create pass approved internet bound traffic out the VPN gateway” has the rule to send traffic out the VPN gateway. It’s policy routing: https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html

@johnpoz Hello,
Thanks for the answer.
I actualy came here to asnwer my own questionas (for future readers), I just learned waht you wrote.

In my case I also had an additional problem on my network. I already had a VPN (10.8.0.0/24) on my old debian server that is to be replaced by a new server hosting pfsense. And by mistake I reused the same 10.8.0.0/24 network config for new VPN. That seamed to cause my issue. After tinkering with:

and finaly moving new VPN to 10.8.2.0/24, I can access my local machines from the phone over VPN.

But again thanks for quick response. Hope this helps someone in the future.

@pfsenserookie Please close this topic off.

Issue is resolved; i setup openvpn from scratch and used different port and cleaned up some old firewall rules made by the openvpn wizard.

@rcoleman-netgate

Been busy, and Internet seemed stable for the last couple of months. The last couple of days it as been acting up again.
The WAN gateway is showing packetloss: WAN_DHCP 38.13.74.19 340.8ms
9.0ms 13% Warning: Packetloss

Sometimes the packet loss was occurring on the NordVPN gateway instead, but I couldn't capture it yet.

I am using a Netgate 1100. pfSense 22.05

I'll look into the links you posted as well.

@dev-tomas2003

I strongly recommend using real hardware for any firewall, not just pfSense. However, with DHCPv6-PD, the ISP provides a prefix, often a /56, which pfSense then splits into multiple /64s, for the various interfaces. For example, I use prefix ID 0 for my main LAN and 3 for my guest WiFi VLAN. I also use the same values for the 3rd octet of my IPv4 address block to keep things simple. Also, with IPv6, local LANs are supposed to be /64, which means you don't split off part of it for other networks, VPNs, etc..

@kilian77 said in Problem configuration OpenVPN:

@johnpoz my ISP router: 192.168.10.1
my pfsense WAN port: 192.168.10.22
my pfsesne LAN port: 192.168.1.1

Ok, that's fine.
As that is what I have.

f3730204-1f71-4696-ae1b-779d79caf14a-image.png

My pfSense WAN IP (DHCP) is :

49ee6be1-b9ea-4f36-b569-e78fb7f32638-image.png

What about the other Livebox settings ?
You've set a DMZ ?
What is the firewall setting ?

I use :

6fd31916-4d51-4759-a9a1-38421c83c6c9-image.png

This (uPNP) has been shut down :

68154c35-a684-4479-b02d-e2834c143c22-image.png

as, as it says (translation) : this option can make your live hard ...

Nothing here :

7a8a35e6-e01d-413c-8c2a-29ceab16f7d9-image.png

As said earlier :

debb9342-f2dd-4f4f-9110-f424172fcc0f-image.png

Because 'why not'. (pfSense is the only LAN device of my Livebox [except the Orange TV decoder ])

If with these settings you still won't fine a solution.

RESET the Livebox (and do not restore faulty settings back in !!).
You have to give manually the fti/xxxxxxxx and the connection ISP password
Make the connection work.
Then change the LAN network from 192.168.1.1/24 to 192.168.10.1/24
And make that work - test with pfSense.

Then : make the NAT OpenVPN rule UDP to pfSense, port 1194.
And test.

It is and should be as easy as that.
Remember : These Livoboxes are world's most stupid ISP routers on the planet.

It still does't work : throw it out of the windows.
Call 3901 (Orange Support).

And also : visit the neigbor : test at his place.
Or come pay me a visit, I'll show you.

@Gertjan Yes, using iOS Settings/VPN to activate is the workaround noted in the article @tman222 pointed me at. OpenVPN says they are working on a fix...

@viragomann
I will try to check and if i found the reason i will post it on here. maybe it help somebody else.
anyway thank you for your help and quick response.

@Wastapi said in Update DNS on every VPN connection:

@Bob-Dig
Where is it defined to be 5 minutes? URL please

It is called "Aliases Hostnames Resolve Interval", you find it in System - Advanced - Firewall & NAT.

@Derelict said

Probably not going to happen for only one device unless that device is the only device on the bridged segment.

Thanks Derelict. If it comes down to it I might try a tap connection.

Can two site-to-site OpenVPN instances run at the same time with one in tun mode and the other in tap mode?

That would be nice if a small segment of LAN IPs (or perhaps a separate subnet) could be in tap mode, with the bulk running in a 'normal' tun configuration.