  • OPENVPN: Kill or Halt?

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ

    Kill disconnects the client and it's free to immediately reconnect (e.g. maybe to the next server in its list if it has multiple)

    Halt tells the client it should terminate completely (e.g. stop the process) so it will not reconnect.

    https://docs.netgate.com/pfsense/en/latest/monitoring/status/openvpn.html#ssl-tls-client-server-mode

  • Same boat - Site to Site not working at 2.6.0 upgrade to 2.7.0

    3
    0 Votes
    3 Posts
    374 Views
    jimpJ

    If the LAN at 1 can ping 2 but not the other way around then your routing is probably OK and it's most likely a NAT or firewall rule issue.

    There are a lot of troubleshooting suggestions for that sort of stuff at https://docs.netgate.com/pfsense/en/latest/troubleshooting/connectivity.html

    But to boil that down a bit, you should check:

    - Look at the OS routing table on both sides, make sure there are entries for the opposite side LAN(s) and that those routes are pointing to the correct OpenVPN interface(s).
    - When you ping from the firewall make sure to ping from both the OpenVPN interface itself (default source) and again using the LAN interface as a source. That tests routing between the LANs in both directions, not just to/from the OpenVPN interface directly, which is a much different test.
    - When pinging from a client on the LAN, look at its states under Diagnostics > States on both firewalls, there should be two entries on each, one as it enters the firewall and one as it exits the firewall. If something like outbound NAT is catching it, the NAT would show in these states. If the traffic is taking the wrong path, that would also show (e.g. it should go in LAN, out VPN, in VPN, out LAN).
    - If the packets are exiting a WAN unexpectedly it may be from those clients hitting a policy routing firewall rule, so you might need to add a rule above whatever rule it's hitting to pass VPN traffic without a gateway set.

    That should give you a better idea of what's going on and what needs fixed.

  • openvpn site to site cannot access remote pfsense router

    13
    0 Votes
    13 Posts
    2k Views
    RicoR

    10.0.0.0/8 (255.0.0.0) [10.0.0.0 – 10.255.255.255]
    172.16.0.0/12 (255.240.0.0) [172.16.0.0 – 172.31.255.255]
    192.168.0.0/16 (255.255.0.0) [192.168.0.0 – 192.168.255.255]

    https://en.wikipedia.org/wiki/Private_network

    -Rico

  • 0 Votes
    2 Posts
    348 Views
    Bob.DigB

    @MikkelBalle said in Multiple clients - VPN provider is sometimes assigning same subnet to different clients:

    Is there anything else I can do to avoid the issue?

    I don't think so. But in my experience the problem only occurs if gateways have the same ip-address, the same subnets don't matter. So maybe you should look into this weird behavior of your setup.

  • 0 Votes
    3 Posts
    455 Views
    johnpozJ

    @skysurf76 said in Request for suggestions for setting up remote firestick access to local LAN resources via OpenVPN on PFSense:

    install OpenVPN on the firestick

    I wouldn't even think that is an option to be honest. The easy solution would be, at the location the firestick is, to create a vpn client connection on their router to the home where the server is pfsense.

    Now with any android device you could prob side load openvpn client?? But are you going to trust where you get this side load apk?

  • Site-to-Site OpenVPN problem on 2.7.0

    2
    2 Votes
    2 Posts
    392 Views
    M

    @michaelschefczyk I started from zero added everything from zero as it was a branch office Firewall with just 2 users and this configuration:
    OpenVPN Access Server (for when I need to access my other servers and I'm not in the office or at home as I limit my firewall/servers and my customers one only to my own IPs)
    One OpenVPN Server Site To Site Shared Key where one pfsense in cloud was connection (stopped working)
    One OpenVPN Client to the main site with PfSense with shared key which stopped working.

    So I started from zero
    I added just Openvpn Client as SSL/TLS and in NO WAY I could make it working and the certificates are ok, if from the firewall I ping the other side it's working
    just it does not rotate from LAN through the VPN.
    I disabled it and I configured Client as Shared Key and BUM IT WAS WORKING.
    So I started to add users, Nat Rules and lalalalal.
    It was working...
    Then I added first Server (Remote access) and... it stopped working...
    if I disable the Remote Access server and I restart the client connection it works again.
    it's evidently a problem of routing and the subnets are all UNCOMMON and all DIFFERENT as they have always been.
    I don't know what did they mess up but surely the fact that SSL/TLS site to site is broken is something abnormal ❌
    moreover they tell that SHARED KEY IS DEPRECATED and we should implement SSL/TLS
    and they break the new one...
    Moreover to whom can we ask?
    No one knows...

  • OpenVpn with radius Calling-Station-Id always shows WAN IP

    1
    0 Votes
    1 Posts
    361 Views
    No one has replied
  • OPEN VPN Server Cert lost Connection with WEBGUI

    1
    0 Votes
    1 Posts
    135 Views
    No one has replied
  • Clients can't connect after 23.05.1

    6
    0 Votes
    6 Posts
    594 Views
    johnpozJ

    @chudak I think one of the other fixes in the app was something about fixed issue with display of available update

    I normally use openvpn, but I do have tailscale setup as my backup, I am just so used to openvpn it's my go to.

    when I was adding the new profiles for my new certs on my ipad, I noticed I had not added tailscale to it - it was very easy ;)

  • Radius events CallingStationID IP

    1
    0 Votes
    1 Posts
    453 Views
    No one has replied
  • Open vpn now connected but no internet visible

    4
    0 Votes
    4 Posts
    501 Views
    F

    Thanks guys useful info!
    Didn’t realise ping was changeable to interface as it came up as auto - but never clicked it to reveal the rest (dumb I guess)
    Did the reset to previous config just in case - didn’t help but after a few hours and a few reboots without changing anything everything started working again so assuming there was a problem at the remote server end tho it was over many different countries and servers and the phone Nordvpn app was ok all the time - tho that’s running IKEv2 not UDP OpenVPN if that changes anything - so who knows

  • pfsense 2.6.0 system logs message OpenVPN failed to start

    20
    0 Votes
    20 Posts
    2k Views
    J

    @viragomann

    I reposted, thanks

    https://forum.netgate.com/topic/181119/solved-pfsense-2-6-0-system-logs-message-openvpn-failed-to-start

  • [SOLVED] pfsense 2.6.0 system logs message OpenVPN failed to start

    1
    0 Votes
    1 Posts
    145 Views
    No one has replied
  • NO LAN ESXI REACHEBLE

    2
    0 Votes
    2 Posts
    339 Views
    V

    @gijey
    Ensure that the LAN address of pfSense is set as default gateway on the LAN devices.

    Also check if access from outside of the local subnet is allowed on the devices' firewalls.

  • Remote access issue: connected but traffic not passing back to clients

    2
    0 Votes
    2 Posts
    290 Views
    E

    Sorry, solved... 🥺

    By mistake I've entered the same subnet of the tunnel to a new interface (vlan) while copying/pasting from my config sheet... 😶

  • open vpn stopped working

    1
    0 Votes
    1 Posts
    295 Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views
    frogF

    currently the company has an ASA which does radius to their Network policy server which has the Azure AD add on. So was hoping that OpenVPN or other vpn on PFSense. Hoping to reuse that

  • OVPN Client asks for Password

    10
    0 Votes
    10 Posts
    5k Views
    adamwA

    @knebb

    You can stay on Debian 12 and even upgrade later.

    Just use OpenVPN client from Debian 11.

    The default:

        dpkg -l | grep openvpn
        ii openvpn 2.6.3-1 amd64 virtual private network daemon
        dpkg -l | grep openssl
        ii openssl 3.0.9-1 amd64 Secure Sockets Layer toolkit - cryptographic utility

    Steps:

        sudo apt purge openvpn
        sudo apt autoremove
        sudo sed -i 's/bookworm/bullseye/g' /etc/apt/sources.list
        sudo apt update
        sudo apt install openvpn
        dpkg -l | grep openvpn
        ii openvpn 2.5.1-3

    Lock openvpn package so it doesn't upgrade automatically in the future:

        sudo apt-mark hold openvpn
        openvpn set on hold.

    Remember to revert to the default distro repositories:

        sudo sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list
        sudo apt update
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.