• RDP to Local LAN desktop - Unable to find

    Solved!
    Followed a lot of rabbit holes down until I found these:
    https://serverfault.com/questions/1064935/openvpn-server-connexion-ok-but-no-access-to-remote-lan

    which led to:
    https://openvpn.net/community-resources/how-to/#expanding-the-scope-of-the-vpn-to-include-additional-machines-on-either-the-client-or-server-subnet

    Main takeaway was that I needed to add

    push "route [Local LAN subnet] 255.255.255.0"

    to the advanced configuration on the server setup.
    Still reading a bit more to understand how this worked, but I'm able to ping my local machine as well as remote into it.

    Happy days.

  • [SOLVED] Open VPN Server daemon not starting

    @rcoleman-netgate Hello Sir,
    Yes, I did some trial and error and I noticed that the issue comes when I let pfSense generate the shared key!

    While if I copy another already existing VPN instance and edit the settings, it is working!
    Also this is happening on the client side! Both pfSense are on version 2.6.

    Is this a bug or am I doing something wrong? I am just exchanging the generated key with copy and paste. If generated on the server, the client is not accepting it and causes this error. If the key is generated on the client and copied to the server, the server gets the error!

    I will try 2-3 things and let you know.

  • Renewing OpenVPN Certificate Remotely

    @johnpoz Thanks, John, I'll give that a try.

    In the meantime, I am trying to get a site-to-site VPN established between two Netgate boxes (one with a dynamic IP address) but I'm not having much success :-( The VPN connects but no traffic flows through it yet...

  • Sometimes not reaching enabled networks through OpenVPN.

    Actually do not know, still analyzing, that's the setting I changed and it seems to be stable now, cross-client (windows, linux, android, ...).
    Also changed the DNS servers to both VPN network x.x.x.1 and VLAN CARP IPs (the VLANs reachable through VPN), to be HA proficient.

    Do not know why I do need the DNS entries to reach other IPs in the remote networks (not hostnames, just IPs...).

    Thank you very much!

  • error - IP packet with unknown IP version=15 seen

    I fixed the problem.

    The firewall died during the night from Friday to Saturday, so naturally I needed to build a new one on Sunday.

    After a clean reinstall, I again started having the same error
    openvpn xxxxx IP packet with unknown IP version=15 seen
    endlessly filling the logs and killing the SSDs.

    It seems ntopng is the culprit.
    After disabling ntopng, the errors stopped. And after enabling ntopng, the errors started again, even when there are no clients connected, and the errors start and stop at random intervals.

    I am currently testing running ntopng but without OpenVPN interfaces selected.
    For now it seems to be working as expected.

    So it seems running ntopng with OpenVPN interfaces selected causes the OpenVPN server to have endless errors, even when everything else is working fine.

    Now I am waiting for Monday so we have some user traffic, but judging by the short test I am currently conducting, it should work.
    Hope this helps someone with a similar problem.

  • issue with downloading configopenvpn file on Mac

    @vusqq Well, normally if you have an OpenVPN client installed on your client box, when you click on a .ovpn file it will ask if you want to import it into OpenVPN.

    Not sure with Macs, but for example here is a .ovpn file I downloaded from pfSense with the export section under pfSense, and when I click on it in Windows, the OpenVPN software I have installed on my Windows machine asks if I want to import it.

  • oVPN client: TLS key not valid

    @orangehand Where exactly are you pinging from? 169.1 would be the pfSense LAN IP on the remote end. There wouldn't be anything different with your routing, or normally the firewall on the 69.x device.

    10.0.69.16 -- 69.1 pfsenseA -- vpn tunnel --- pfsenseB 169.1 -- 10.0.169.x

    If you ping 69.16 from the 169.1 interface on pfsenseB, it should work from 169.x unless 169.x is not using pfsenseB as its gateway. Or are you doing some sort of policy routing on your 169.1 interface, or do you have some firewall rule blocking access to this remote network?

  • ISP blocking and VPN

    @johnpoz Ah, understood: if the VPN goes down I will lose my internet. But if I reset to the default ISP gateway now and use it this way during VPN problems on the upstream VPN servers, will my internet still exist with the DNS resolver settings above? Second question: with the default ISP gateway, will this mean less privacy? Should I create a new VPN client in pfSense for every other VPN location, or is there a way to combine a few locations in one setting? I mean to choose different locations like in the VPN client on a PC.

  • VPN client

    @antibiotic
    Don't know what the purpose of your "local subnets" alias is.
    At the moment the default allow rule would pass any traffic with a different source than "local subnets".

    A different source could be the case if you have a router within your local network like a VPN endpoint, which passes traffic through.
    But where will it get to? Since you obviously have a single LAN subnet, which might be included in the local subnets alias, the traffic could go to the WAN or VPN at its best, but would fail then, since it is not NATed (Outbound NAT source).

  • PFsense 23.01 HA with openvpn

    No one has replied
  • OpenVPN tap losing MAC

    No one has replied
  • OpenVPN Wont start at all.

    No one has replied
  • client export

    @troubleshooting74

    User: auser
    Password (twice): auser
    I made this user a member of the OpenVPN group
    Checked: Certificate, gave it a description 'auser'

    And save.

    This user called 'auser' is now usable on the VPN Client Export page.

    If not, it's time to explain your setup.

  • Express VPN Received control message: AUTH_FAILED

    @gwaitsi said in Express VPN Received control message: AUTH_FAILED:

    unable to get certificate CR

    CRL missing, or not accessible, isn't a big deal in this case.
    See for example unable to get certificate crl

    If something happens to the certificate emitted by ExpressVPN, they would remove it, message or warn you, and force you to update your connection settings.
    There is no such thing as: ExpressVPN lets you use their generated certs, but starts to list them on a revocation list. That's not needed in this usage case.
    I have these same two warnings.

  • 0 Votes
    2 Posts
    515 Views

    @pfchangs77

    That's exactly what it was. The routes. IPv4 Settings >> Routes >> ADD - 192.168.1.xxx (address of item), netmask 192.xxx.etc, gateway 192.xxx.etc, metric XX, then select "Use this connection only for resources in network" and it works fine. I'm posting this for others. Hopefully it will help.

    Can mark this post solved.

  • OpenVPN Remote users are able to access Router but not hosts on local network


    @gizmobrat said in OpenVPN Remote users are able to access Router but not hosts on local network:

    @viragomann
    When pinging from the OpenVPN Interface I get 100% packet loss. So will this be a firewall or a routing error?

    I suspect it is. But on the server side. Either the destination device blocks the ping or it routes responses anywhere else than back to pfSense.
    Are you sure it has pfSense set as default gateway?

    Secondly under Interfaces/Interface Groups I am seeing no groups.

    You can see custom groups only there. OpenVPN is implicitly added by pfSense.
    But that shouldn't matter so far.
    You wouldn't need to assign an interface to the server for your purposes. It's only needed for policy routing or alike.

  • 0 Votes
    5 Posts
    5k Views

    @viragomann Awesome Solution :), thanks

    This is a follow-up:

    Earlier on I did remove 10.0.0.0/24 from the IPv4 Local Networks but I was still getting the error, so I thought that did not fix it. I had in the Custom options the following command

    push "redirect-gateway def1 block-local"

    I removed this and now I am not getting the message, so I cannot send you the log now because it is fixed, but it turns out you were right. So the 3 things that can cause this error:

    - when Redirect IPv4 Gateway is enabled, there is an entry in the hidden field IPv4 Local network(s)
    - you have enabled Redirect IPv6 Gateway but do not have IPv6 enabled
    - overriding the redirect-gateway in Custom Options

    This is an old log:

    Sat Mar 18 18:08:16 2023 OpenVPN 2.5.8 [git:none/0357ceb877687faa] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 2 2022
    Sat Mar 18 18:08:16 2023 Windows version 10.0 (Windows 10 or greater) 64bit
    Sat Mar 18 18:08:16 2023 library versions: OpenSSL 1.1.1s 1 Nov 2022, LZO 2.10
    Sat Mar 18 18:08:18 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]123.123.123.123:2727
    Sat Mar 18 18:08:18 2023 UDPv4 link local: (not bound)
    Sat Mar 18 18:08:18 2023 UDPv4 link remote: [AF_INET]123.123.123.123:2727
    Sat Mar 18 18:08:18 2023 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sat Mar 18 18:08:19 2023 [pfSense Server Certificate] Peer Connection Initiated with [AF_INET]123.123.123.123:2727
    Sat Mar 18 18:08:19 2023 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
    Sat Mar 18 18:08:19 2023 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
    Sat Mar 18 18:08:19 2023 open_tun
    Sat Mar 18 18:08:19 2023 tap-windows6 device [OpenVPN TAP-Windows6] opened
    Sat Mar 18 18:08:19 2023 Set TAP-Windows TUN subnet mode network/local/netmask = 10.217.1.0/10.217.1.2/255.255.255.0 [SUCCEEDED]
    Sat Mar 18 18:08:19 2023 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.217.1.2/255.255.255.0 on interface {39A232AE-AE2D-4EFC-9BCD-7159D7CFE9B1} [DHCP-serv: 10.217.1.0, lease-time: 31536000]
    Sat Mar 18 18:08:19 2023 Successful ARP Flush on interface [7] {39A232AE-AE2D-4EFC-9BCD-7159D7CFE9B1}
    Sat Mar 18 18:08:19 2023 IPv4 MTU set to 1500 on interface 7 using service
    Sat Mar 18 18:08:20 2023 Blocking outside dns using service succeeded.
    Sat Mar 18 18:08:25 2023 WARNING: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for OpenVPN TAP-Windows6, therefore the route installation may fail or may not work as expected.
    Sat Mar 18 18:08:25 2023 add_route_ipv6(::/3 -> :: metric -1) dev OpenVPN TAP-Windows6
    Sat Mar 18 18:08:25 2023 add_route_ipv6(2000::/4 -> :: metric -1) dev OpenVPN TAP-Windows6
    Sat Mar 18 18:08:25 2023 add_route_ipv6(2727::/4 -> :: metric -1) dev OpenVPN TAP-Windows6
    Sat Mar 18 18:08:25 2023 add_route_ipv6(fc00::/7 -> :: metric -1) dev OpenVPN TAP-Windows6
    Sat Mar 18 18:08:25 2023 Initialization Sequence Completed
    Sat Mar 18 18:08:25 2023 Register_dns request sent to the service

  • Routing issue communicating over Site to Site VPN

    @viragomann I have fixed it!

    I reconfigured the tunnel to be /30 (the error I was getting before was that 'allow duplicate connections' was enabled, and it failed to start due to this). I can now communicate between Site A and Site B.

    Thank you for your patience whilst I troubleshot this.

  • OpenVPN client to remote machine through pfSense, with reverse traffic/routing allowed when connected


    @edigest2 said in OpenVPN client to remote machine through pfSense, with reverse traffic/routing allowed when connected:

    Should I configure the PFSENSE in peer to peer SSL/TLS mode? What parameters should I configure?

    Yes, if you only need this one client to connect to the OpenVPN server, the easiest way is to set the tunnel mask to /30. This ensures that the client gets a static IP, which you can use to access it.

    Then enter the main server's IP into the "Local Networks" field in CIDR notation (172.19.2.10/32). This pushes the route to the client.

    Since the tunnel and the routes are pushed by the server, there is no need for special settings in the client config.
    If the tunnel network is, say, 10.0.8.0/30, the client gets 10.0.8.2. You can use this IP on the main server to access it.
    Ensure that the client's Windows firewall allows access from the remote network.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.