@johnpoz

@johnpoz said in Using pfSense as OpenVPN Client:

What your trying to do requires some basic understanding of routing, dns, etc. So no you wouldn't follow some vpn guide to connect to their service and route all your traffic out it..

I think I should not have listened to the people who told me, "Sure, this is easy to do and only takes a few hours." OpenVPN wasn't that hard to set up, in the long run, but dealing with the firewall rules and NAT to redirect ONLY the LAN traffic that is either responding to requests from within the VPN or that is only going to the VPN turns out to take a lot more than I thought it would from trying to remember what I was doing 15-20 years ago.

@ebeagle said in Pfsense as Ivacy VPN client:

Hi @DavieJG ,

Sorry for necro-posting.

Do you mind sharing your Ivacy VPN OpenVPN settings?

I've been in contact with their support who provided me a guide to pfSense 2.4.4 that doesn't work. According to them there seems to be some issues with version 2.4.4 that their R&D team is trying to get sorted.

I tried to use their OpenVPN config files for Linux as a reference but those don't work even on Linux.

Hopefully your config can shed some light why mine is not working.

Cheers

Were you able to figure this out? I am having authentication failures with Ivacy but I have followed the guides multiple times and I don't see what I am doing wrong.

@pippin said in OpenVPN client connecting - but is useless:

server 172.16.8.0 255.255.255.0
push "route 172.16.7.0 255.255.255.0"
route 172.16.7.0 255.255.255.0

I may have missed something (reading disability), but is the only change removing where I typed 2 or 3 zeroes instead of just one? If so, what do the extra 0s do for the system? Won't they still be evaluated as integers?

Although SSL certificate was valid I still was unable to connect using ldapsearch client or openvpn. May be CA certificate is expired on LetsEncrypt end or it is because of free cert. Not sure. But again in pfsense under user management -> ldap configuration were not issues after certificate was renewed on ldap server.

Anyway

Was able to solve the issue by adding.
TLS_REQCERT allow

to

/usr/local/etc/openldap/ldap.conf

Now openvpn connects fine as well as ldap cmd client

Well it's working now.
It had been assigning .3 to the second client (the client had .3)
But the server's route table was showing it's subnet routed to .2
Not sure why.
And not sure how it got fixed.

The ipsec internal routing is a bit confusing as well.
I'm not used to that yet.
Seems like it has it's own routes and not what you see out at the routing table.
Are there tools to much better see what's going on with it.
To make matters even more fun in packet capture you can choose the ipsec "interface".
But capture does not work when you click start. (1.7dev)
Anyhow I have a working single server instance and two site-site remote clients.
I have a lot more to learn.. and not a super pro yet here :)

Ok, so apparently it just wanted me to create this topic in order to start working. 😉

I had previously come across this link: https://forums.openvpn.net/viewtopic.php?t=33561 where the person had to go to http(s)://pfsense.router.ip.address/status_filter_reload.php to get things working again. Well I had tried that at the very beginning, but not again since reconfiguring the server settings on the one upgraded to pfSense 2.6.0. After writing the opening for the thread, I went back over my steps, and figured it couldn't hurt to run the filter reload again, even though I had been applying changes to the firewall filters during troubleshooting. As soon as I reloaded the filter, I began receiving pings from a LAN address on the internal network through OpenVPN that was a separate address from the pfSense box. The only other thing I additionally did was to add outbound NAT rules, specifically for my OpenVPN ranges to LAN, although automatic created the same rule plus more. I suspect this was the answer as typically you need some sort of a NAT to route through a firewall. However, there wasn't one setup in the previous config (pfSense 2.4.5-RELEASE-p1), so... 🤷 Hopefully writing up this response will help someone (possibly even myself in the future) if they experience the same problem.

@richie1985

Easy : and I'll excuse upfront for the answer : set an alarm on whenever is "during night" and then do whatever you need to do.
There is no such thing as "pre set" a setting, and have it taken in account at a pre determined (date) time.

A openvpn server restart will disconnect all the connected users, I get it.

If you 'really' need this possibility, there is only one solution :
As the GUI handles everything that is 'settings' and 'functionality start' and 'functionality start' the good old "script it yourself" will work just fine ( open source means also IMHO : do what you want with your copy 😊 ).
The good news or the bad news - whatever applies to you : it's just PHP.

If not : go here - or here.

NetSetMan let you change fast the IP of your PC to swap fast over into another subnet or network. Perhaps it will be supporting one or more of the other given tips and hints related to that problem.

I have now tried stopping both OpenVPN tunnels and restarted them one after another and they are now both up again. Not sure what the issue is but at least I now have a way to get the link up.
I will see if the die again in a couple of hours...

@michmoor said in Remove OpenVPN access admin:

@jimp Curious is there a way to use certs if you have an internal PKI? It would be more scalable using that then the firewall itself to manage all my users and certs.

Sure, you just import the CA cert (not the key) and the server cert on the firewall, then pick those in OpenVPN. The other certs never need to touch the firewall, they only need to validate against the chosen CA.

@hope-it-works said in Having problems connecting two OpenVPN-Servers:

That's what I had configured before. There I couldn't use the same subnet for both VPN servers.

That's correct. But is there any reason for needing both to be within the same layer 2?
For accessing services that's not a requirement at all.

I should mention that we currently don't have a LAN Interface. Is a LAN interface required for this setup?

You only need access to the pfSense GUI to configure it. If you have open the WAN for this purpose, you don't need a LAN interface.

Dear @jimp
Thank you very much for your suggestion,
the problem was resolved by just removing the tunnel network!

07e6c93d-99c8-473a-abea-932b70ace8bb-image.png

@dlogan
Basically OpenVPN is designed to connect multiple clients to a server. But this is only possible if the mask is larger than /30. Consequently that gateway is not unique and you need another method to tell pfSense the correct gateway to route traffic to.
You can enable routing in such setup a adding client specific overrides for each client on the server, where you define the remote networks.

However, if you don't want to create CSO (which makes no sense in your case as you have a separate server for each client), you can set the tunnel to /30, so the gateway is unique.

But I can't tell you, why this is not an issue with a pre-shared key setup.

@tjrjcj You can do what I (and others) do and have your VPN connection be dedicated to a single network and then change which network you use... on my iMac I can do that one of two ways: Service Order in the Mac or switch port at my desk. But it depends on your employer's VPN on if this is possible.

@rcoleman-netgate That makes sense if I were hitting the 10 year mark but it'll be awhile until that happens. My concern is from upgrading pfSense. My first 2.6.0 upgrade that had OpenVPN fell apart so I've been holding back until now when I can devote a large amount of time to both the upgrades and supporting the influx of calls. Now that I've upgraded a second unit and it didn't have the issues I'm trying to determine what to expect on the next 30 or so upgrades. Until now I thought that the upgrade necessitated a change in OpenVPN that would cause issues with remote users until a new cert was put in place but it appears not.

@michmoor Cool, thanks for clarifying that 👍

@gertjan
I agree, I have the same rules.
I'll try to return the default settings and configure a different vpn server for each interface. thank you for your help.