@viragomann, I went off snooping in each of the menus to see what I could see when comparing the differences between the different configs, and you are absolutely correct. The Outbound NAT rule of Network 2 (LAN in this case) gets deleted when the gateway is deleted and never recreated.

8dcaf108-3cb2-4bf6-a46c-d05aaebec2fb-image.png.

In this case, the VPN is a requirement of the lab environment. I agree that an upstream VPN would be best, but this is impossible with the current infrastructure setup. However, I might delete the NAT rules and add static routes to the VM (as there are only a few) in any case.

I appreciate the response - it answers my question nicely.

You have to make sure that the server and clients are all using reneg-sec 0

https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-custom.html#renegotiation-time

i want to use openvpn for p2p bgp tunnel. so use p2p mode.

this is remote ubuntu openvpn config:

mode p2p local 188.156.188.65 port 51756 proto udp4 dev-type tun dev usvpn link-mtu 1500 ecdh-curve ED448 tls-server remote-cert-tls client ca ca.crt cert server.crt key server.key float dh none auth SHA3-256 tls-crypt ta.key ifconfig 10.18.3.1 10.18.3.2 ifconfig-ipv6 2a0c:2406:513:b::2/124 2a0c:2406:513:b::3 auth-nocache keepalive 30 120 pull-filter ignore peer-id ping-timer-rem cipher AES-256-GCM user nobody group nogroup persist-key persist-tun status openvpn-status.log log openvpn.log verb 3 max-clients 100 mute 20 tls-version-min 1.3

Changing the protocol drop down in Endpoint Configuration enables the interface selection.
This solved my problem.
OpenVPN is running on both WAN Ports.

@wgstarks I don't use Plex for home streaming, and generally I didn't expose my home cinema server to tunnel. I looked at Cloudflare Tos but can't see where it says that streaming services are not allowed.

@dbx said in Access Webserver on openvpn client (site-to-site):

Ive checked the DNS using the diagnostic tool on the server endpoint and it does resolve to the remote private ip

The point is what IP the browser is using.
That the DNS resolution is working, says sadly nothing. If the browser uses DoH (DNS over HTTPS) he requests a public DNS server and doesn't care about your local DNS settings.

You can check this out in the browsers debugging mode (F12) and look, which IP it is requesting.

You can also capture the traffic on pfSense on the client facing interface. Enter the clients IP into the IP filter and state port "80|443" (means OR) and try to access the web server.
Then look, which IP it is requesting. But you will see some noise there.
However, you can search for the web servers private IP and the public IP.

@dbx said in Access Webserver on openvpn client (site-to-site):

you did also mention previously that there is some special settings on the client side.

The special settings, I meant, are the firewall rules. That you have to ensure that a pass rule on the VPN interface (not group) is applied to the forwarded traffic.

My current outbound NAT rule has:

Interface: SERVER_VPNV4
Source: Client LAN Subnet
NAT Address: SERVER_VPNV4 address
Source Port, Destination, and Destination Port and NAT Port all as *

This rule makes commonly no sense for a site-to-site VPN.
Such masquerading is needed, when you configure a VPN client for a public VPN service.

In a site-to-site you route the traffic to the remote site by entering the remotes network in the VPN settings on both sites.

Well, it seems I figured it out :

the config file had the

dev tun
dev-type tun

commands that were causing the problem. I deleted them and the problem is solved.

I used to think it was good practice to dump whatever is written in the ovpn file downloaded from the server, but it seems not.

@racefun Not routes. RULES.

Do you have any floating rules by any chance?

Except that we've seen in the other thread that doing so is triggering, at least, dpinger to restart. So it could be doing more than you think.

It is 2.6.0-RELEASE (amd64)

@viragomann

Ok,

thanks for your precious help, and in any case sorry for my approx english ;P

Ciao (form Italy)

@viragomann I was saying that if I want to use the main site like a VPN to access the internet, just like a commercial VPN provider, I would have a rule on the remote site that says LAN to any using VPN as gateway. This rule will be placed in NAT -> outbound. What I found with doing this with the VPN made from the main site is that it messed up the site to site VPN for the remote side. Somehow that outbound rule messes up the working remote site to main site connection.

@mecjay12
Thanks for getting back to me.

@viragomann said in Access from Client through HQ to Branch-Sites:

10.254.250.0/24

Thanks a lot. That was the problem :-)

Have a great day. S