• Access to LAN behind pF OpenVPN CLIENT

    0 Votes
    15 Posts
    2k Views

    @dbadovsky
    Yeah, it has to be in the client specific file, mentioned above.

    Nice that you got it sorted.

  • Policy based routing via alias (mostly working)

    0 Votes
    9 Posts
    992 Views

    All sorted now; a couple of badly configured aliases were the issue and have now been rectified. All is working now as desired.

  • LANBridge Not Keeping Settings

    0 Votes
    2 Posts
    257 Views
    No one has replied
  • Viscosity setup help

    0 Votes
    1 Posts
    426 Views
    No one has replied
  • OpenVPN Client for VLAN specific routes to Internet

    0 Votes
    32 Posts
    4k Views

    I want to post the critical takeaway I learned from this discussion for others searching in the future. I did find other discussions, but they were very detailed and specific to the person's situation, very much like this one is, so it is hard to know which are the specific parts and which are the ones that apply to everyone. So here, just to call it out, is the key takeaway that taught me what I needed:

    Check the gateway status (Status -> Gateways) for the VPN Client interface. That will tell you if you have a client configuration problem or not. I ultimately did, but the Status -> OpenVPN page indicated it was fine and it actually wasn't.

  • pfsense 2.6 OpenVPN TLS Handshake error

    0 Votes
    6 Posts
    1k Views

    @johnpoz

    It doesn't look like my load is that significant. It's been like this since this box has been running.

  • Is OpenVPN on PFSense 2.6.0 and 2.7.0 single threaded

    0 Votes
    2 Posts
    630 Views
    Dobby_

    @n8lbv

    You are mainly focusing on one point from the several available.

    Entire pfSense is multi or single core
    Underlying system FreeBSD WAN part is single or multicore depending on the
    usage of PPPoE or not. (PPPoE = single queue, not
    PPPoE = multi queues) One queue per each CPU
    core is able to use OpenVPN package is taking advantage of multi CPU
    cores usage or not.

    It all plays together and not something alone.
    You may be able to tune some things here in the game
    according to your hardware and use case, like;

    mbuf amount, mbuf size, queues amount, queues length, queues size
  • openvpn server and client simultaneous no internet

    0 Votes
    11 Posts
    1k Views

    @viragomann Thank you very much for your answers, in particular I did not consider that the error could be in the official tutorial of ProtonVPN, probably I will set up the variant "Client - pfsense - ProtonVPN" with DNS over HTTPS.

  • Bye Pass traffic with two different P2P tunnel using Open VPN

    0 Votes
    6 Posts
    1k Views

    @gokulapandi
    Yes should work for A and C.
    But if you restrict access on B to certain subnets as well, you need to add the same rule as you have at A on the interface connected to C and the one you have at C on the interface connected to A.

  • OpenVPN steals all outbound traffic when activated

    0 Votes
    4 Posts
    495 Views

    @tangooversway
    Presumably the VPN server pushes the default route to you.
    This is a pretty common setting of VPN services.

    To avoid it go to the VPN client settings and add a check at "Don't pull routes".
    After that you have to create policy routing rules to direct the desired traffic out through the VPN.

    Also, with my own OpenVPN setup, I didn't have to switch interfaces in the NAT rules. With the BrandX, it didn't work at all until I switched them.

    What do you mean by "switch interfaces in the NAT rules"?
    Basically you need to add outbound NAT rules for your internal subnets on the VPN interface, if you want to pass out upstream traffic. But there is nothing to switch. Existing rules (automatic) should stay in place.

  • OpenVPN TAP - Traffic allowed with no firewall rules.

    0 Votes
    1 Posts
    228 Views
    No one has replied
  • OpenVPN with Netgate3100/23.01 OpenVPN frequent service restart

    0 Votes
    6 Posts
    950 Views

    @mhassman In our case, as I seem to recall from a few years ago now, the service was running but people couldn't connect until the service was restarted. I am not finding my notes in a quick search though. The weekly restart was just a sledgehammer approach to fixing it.

  • Error connecting with OpenVPN 2.6.3

    0 Votes
    3 Posts
    779 Views
    periko

    @roberto-bianchi Yes, it is not compatible right now.
    We need to stick with the 2.5.x line until someone fixes this issue.
    I have the same situation and I'm testing pfsense 2.7-dev and some case.
    Hope to see the solution here soon, regards!!!

  • Solved: site-to-site up but not routing, can't use a /30 or /24 tunnel?

    0 Votes
    5 Posts
    1k Views

    @marvosa said in Site-to-site up but not routing, can't use a /30 or /24 tunnel?:

    No tunnel network defined, need to add 10.152.0.0/24 in the "IPv4 Tunnel Network" box

    I think there are some misunderstandings and misleading info on the tunnel network for a site to site. It shouldn't be needed unless someone is using a /30 topology. It should get the tunnel network from the server.

    Regardless, before yesterday's patch, the tunnel network setting wouldn't accept anything less than a /30.

  • OpenVPN could not be established after upgrade to 23.01 on SG-3100

    7 Votes
    81 Posts
    43k Views
    stephenw10

    Hmm, so you weren't seeing kernel panics as shown in the linked bug?:
    https://redmine.pfsense.org/issues/13938

    I'm not aware of anything that would prevent an OpenVPN tunnel passing traffic whilst still connecting. Do you have any logs from the failure situation? When you tested did you see traffic coming over the tunnel?

  • Using pfSense as OpenVPN Client

    1 Votes
    14 Posts
    2k Views
    TangoOversway

    @johnpoz

    @johnpoz said in Using pfSense as OpenVPN Client:

    What you're trying to do requires some basic understanding of routing, dns, etc. So no, you wouldn't follow some vpn guide to connect to their service and route all your traffic out it.

    I think I should not have listened to the people who told me, "Sure, this is easy to do and only takes a few hours." OpenVPN wasn't that hard to set up, in the long run, but dealing with the firewall rules and NAT to redirect ONLY the LAN traffic that is either responding to requests from within the VPN or that is only going to the VPN turns out to take a lot more than I thought it would from trying to remember what I was doing 15-20 years ago.

  • Pfsense as Ivacy VPN client

    0 Votes
    4 Posts
    1k Views

    @ebeagle said in Pfsense as Ivacy VPN client:

    Hi @DavieJG ,

    Sorry for necro-posting.

    Do you mind sharing your Ivacy VPN OpenVPN settings?

    I've been in contact with their support who provided me a guide to pfSense 2.4.4 that doesn't work. According to them there seems to be some issues with version 2.4.4 that their R&D team is trying to get sorted.

    I tried to use their OpenVPN config files for Linux as a reference but those don't work even on Linux.

    Hopefully your config can shed some light why mine is not working.

    Cheers

    Were you able to figure this out? I am having authentication failures with Ivacy but I have followed the guides multiple times and I don't see what I am doing wrong.

  • OpenVPN client connecting - but is useless

    0 Votes
    14 Posts
    2k Views
    TangoOversway

    @pippin said in OpenVPN client connecting - but is useless:

    server 172.16.8.0 255.255.255.0
    push "route 172.16.7.0 255.255.255.0"
    route 172.16.7.0 255.255.255.0

    I may have missed something (reading disability), but is the only change removing where I typed 2 or 3 zeroes instead of just one? If so, what do the extra 0s do for the system? Won't they still be evaluated as integers?

  • LDAP+OpenVPN strict security. Permissive SSL verification

    0 Votes
    2 Posts
    745 Views

    Although the SSL certificate was valid, I still was unable to connect using the ldapsearch client or openvpn. Maybe the CA certificate is expired on the LetsEncrypt end, or it is because of the free cert. Not sure. But again, in pfsense under user management -> ldap configuration there were no issues after the certificate was renewed on the ldap server.

    Anyway

    Was able to solve the issue by adding
    TLS_REQCERT allow

    to

    /usr/local/etc/openldap/ldap.conf

    Now openvpn connects fine, as well as the ldap cmd client.

  • One openvpn server instance more than one client.

    0 Votes
    3 Posts
    623 Views
    N8LBV

    Well it's working now.
    It had been assigning .3 to the second client (the client had .3)
    But the server's route table was showing its subnet routed to .2
    Not sure why.
    And not sure how it got fixed.

    The ipsec internal routing is a bit confusing as well.
    I'm not used to that yet.
    Seems like it has its own routes and not what you see out at the routing table.
    Are there tools to much better see what's going on with it?
    To make matters even more fun in packet capture you can choose the ipsec "interface".
    But capture does not work when you click start. (1.7dev)
    Anyhow I have a working single server instance and two site-site remote clients.
    I have a lot more to learn.. and not a super pro yet here :)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.