• OpenVPN Layer 2 with VLANs - How to Set Up?


    @crazily9892 said in OpenVPN Layer 2 with VLANs - How to Set Up?:

    My pfSense lets me put a VLAN tag on my L2 VPN

    Thank you.

    I tried to set the VLANs on the OpenVPN tap interface:

    Screenshot 2025-03-05 at 09.59.44.png

    And then I added a bridge from the newly created VLAN to the existing interface which is tagged on the switch:

    Screenshot 2025-03-05 at 09.59.48.png

    Screenshot 2025-03-05 at 10.00.33.png

    The CLOUD_LAN interface has a CARP Virtual IP Address:

    Screenshot 2025-03-05 at 10.05.14.png

    On the other end, I have a vmbr interface:

    24: tap0.150@tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr150 state UP group default qlen 1000
        link/ether e6:43:98:64:45:36 brd ff:ff:ff:ff:ff:ff
    25: vmbr150: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
        link/ether e6:43:98:64:45:36 brd ff:ff:ff:ff:ff:ff
        inet 192.168.150.1/24 scope global vmbr150
           valid_lft forever preferred_lft forever
        inet6 fe80::e443:98ff:fe64:4536/64 scope link
           valid_lft forever preferred_lft forever

    Which is bridged to the tap0 OpenVPN interface:

    root@node1:~# brctl show
    bridge name     bridge id               STP enabled     interfaces
    vmbr0           8000.107c614c4e64       no              enp5s0
    vmbr150         8000.e64398644536       no              tap0.150

    Anyway, if I try to ping the pfSense CLOUD_LAN IP address from the OpenVPN client, it does not work:

    root@node1:~# ping 192.168.150.254
    PING 192.168.150.254 (192.168.150.254) 56(84) bytes of data.
    From 192.168.150.1 icmp_seq=1 Destination Host Unreachable
    From 192.168.150.1 icmp_seq=2 Destination Host Unreachable
    From 192.168.150.1 icmp_seq=3 Destination Host Unreachable

    And tcpdump only sees the ARP requests:

    root@node1:~# tcpdump -i tap0.150
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on tap0.150, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    10:03:23.636095 ARP, Request who-has 192.168.150.254 tell 192.168.150.1, length 28
    10:03:24.659991 ARP, Request who-has 192.168.150.254 tell 192.168.150.1, length 28
    10:03:25.683845 ARP, Request who-has 192.168.150.254 tell 192.168.150.1, length 28
    10:03:26.708073 ARP, Request who-has 192.168.150.254 tell 192.168.150.1, length 28

    This leads me to think that the problem is on the client, because packets are not leaving it.

    Do you have any idea?
    Thank you!

  • Strange route issue with L2 (tap) VPN

    No one has replied
  • OpenVPN User Authentication

    No one has replied
  • OpenVPN Users Authentication

    No one has replied
  • OpenVPN on android problem


    @JonathanLee Not only SMB needs to be accessed, but also a Proxmox server, for example.

  •
    JonathanLee

    @nattygreg Thanks. I have attempted many trial and error tests; another one that gave me speed boosts was changing these settings.

    Screenshot 2025-03-03 at 21.50.05.png

  • Ciphers: AES-256-GCM VS CHACHA20-POLY1305

    JonathanLee

    @Gertjan does SafeXcel accelerate any of these?

  • routing openvpn road warrior setup


    @justanotherpfsenseadm
    If the interface is configured as a DHCP client it possibly gets a gateway from DHCP, or you've set the gateway yourself in the interface settings.
    In these cases pfSense automatically adds an outbound NAT rule.

    You can verify automatically generated rules at the bottom of the outbound NAT page.

  • Any recent changes? Getting hard reset.

    JKnott

    @Gertjan said in Any recent changes? Getting hard reset.:

    Your "/sbin/ifconfig ovpns1 172.16.255.1/24 mtu 1500 up" seems to fail.

    can't tell you why .....
    No issues with my :

    I couldn't see any reason either, so I rebooted pfSense and that seemed to clear it.

  • Certificate renew question


    Sooo I did some extensive testing on my home box...

    Renew CA - use same key and same serial
    Renew server cert - use same key and NOT use same serial

    In this scenario all existing certs are valid and can connect without an issue. If I renew a client cert, it also connects without an issue.

    What is more interesting is this:

    Old CA was valid until today, for example. When I generated a client cert with that CA it was valid for 10 years, and NOT until today like my old CA. So this probably means that this cert, generated with the old CA and valid for 10 years, will also be valid with the NEW CA and NEW server cert in place :)

    So if you have like 400 clients like I do, it is IMHO OK if the CA is valid for 10 years; then just renew the CA and server cert approx. 2 years before expiration, take care of certs that are expiring, and that's it :)

    And then, repeat after 8 years...

    Thoughts or criticism?
    Can it really be this simple and straightforward or am I missing something?

  •

    @FernandoScheffel said in OPENVPN site-to-site LOCAL/AWS doesnt ping between hosts only between pfsenses:

    I solved the problem by creating a NAT Outbound rule in my pfSense server to translate the local IP to the tunnel IP

    I'm having a similar problem.

    Can you give an example of how your configuration looks in pfSense?

    I tried to reproduce it but I think I'm making a mistake in some detail.

  • Selective routing for OpenVPN clients


    @Xentrk no idea how you pulled this off, but as soon as I enable the redirection rule on LAN to the OpenVPN gateway I get weird shit going on like very slow GUI reloads suggesting loopback errors, traceroute going through the VPN, but websites like ifconfig.me reporting my "normal IP" for some time, then all web browsers time out, but I can run a successful trace to them through the VPN connection....

    VPN gateway is healthy - if I set it as default gateway everything works great, except it seems to ignore firewall rules as I get open ports without any NAT rules on its interface.

  • How many max VPN user supports Pfsense


    @Gertjan said in How many max VPN user supports Pfsense:

    @Sf said in How many max VPN user supports Pfsense:

    I try to evaluate, and need to understand how to calculate a VPN user.

    Easy.
    You need to know what you 'consume' yourself. Without flat rate ISP pricing, this notion is lost.
    Then you need to know what others need: this question, however hard you try, can't be answered.
    From now on, stay at home, do what the 'working world' did during covid.
    And go ask others how they experienced it, the quality of their uplink to work, etc.
    Understand that everybody wants a "1 Gbit symmetrical" these days ^^

    As shown above: 80/100 users over a 100/65 Mbit could work ... but I'm pretty sure they had to wait once in a while to get to their 'data' ^^

    Thanks for the answer.

    It's not bandwidth or the ISP that I want to calculate, but the CPU and memory needed.

  • OpenVPN nested VPN

    No one has replied
  •

    I figured out the problem. Apparently there's something screwy regarding the bridged connections for my VMs (pfSense and OpenVPN clients) where if I try to force all traffic through the OpenVPN connection, it won't work (I am running VMware Workstation).

    I solved it by switching the external (WAN) and OpenVPN client box to NAT, and it worked just fine.

  • pfsense as openvpn server behind fortigate 40F


    I have a setup behind a FortiGate and use a DMZ and a LAN for pfSense. So I'm not port forwarding from the internet into my LAN and can have a strict firewall policy on the WAN side, into the FortiGate DMZ \ pfSense WAN.

    Then the LAN side of pfSense is more of a transit network and not part of my actual LAN on the FortiGate, allowing me to also place explicit rules on what can cross into my LAN and other networks from the VPN connection.

    Internet > FortiGate(DMZ) > pfSense(WAN)
    pfSense(Lan\Transit) > Fortigate(Transit) > Fortigate LAN, Guest, IOT, NOT (Network of things, No internet access) and more.

    You will need to be aware of port forwarding, firewall rules and routing to set this up correctly.

    I'm guessing your issue was port forwarding or firewall rules on the FortiGate.

  • Connect to another site (same LAN segment, with radiolink)

    Gertjan

    @AntonioR said in Connect to another site (same LAN segment, with radiolink):

    the LAN is 10.0.0.0/24 in both sites.

    Easy: don't do that.
    The router on the first site knows where 10.0.0.0/24 is, it's local.

    The solution is something like:
    Change the 10.0.0.0/24 on the first site to (for example) 10.0.1.0/24,
    and tell router site 1 that 10.0.2.0/24 can be reached using the VPN.
    Change the 10.0.0.0/24 on the second site to (for example) 10.0.2.0/24,
    and tell router site 2 that 10.0.1.0/24 can be reached using the VPN.

  • Netgate's openvpn client's remote server and my homes public IP

    Gertjan

    @opticalc said in Netgate's openvpn client's remote server and my homes public IP:

    and it was leaking DNS due to my client still using pfSense as the DNS server

    Unbound (the pfSense resolver) can be forced to use the VPN connection also .....

  • Open VPN no longer working after certificate reissue


    I followed some of your instructions and it is working once more.

    I made a new CA as stated
    I made a new Server Cert
    I changed the OpenVPN server to use the new CA & Cert
    I changed 1 user to use the new CA & Cert
    I downloaded and installed a fresh install and it is now working.

    @Gertjan Once more, thank you for your time, help and assistance with getting this fixed. I really appreciate it.

  • OPENVPN PIA Installed and working but lost VLAN access


    That did the trick. 🙂

    Thank you again. Pleased to have it working.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.