@jknott

Nope, but I just added a route and it's good to go !

Thanks!

@gertjan Thanks fo rthe reply.
logs were not necessarily from the same session - I pasted the lines as reference to the error.

BTW, after increasing the log-level to 7, it reveals that the error was coming from the outdated CRL but the error reporting was very generic and confusing. It started working since this morning.

@shadow_saunter said in Trouble passing traffic to OpenVPN server on digitalocean:

Does the client log show that the routes are added properly?

Yes, the client log would be in pfsense, and i see an "initialization sequence complete", and the interface negotiated an IP on the vpn, 10.8.0.34 on a /24

"Sequence complete" does not necessarily mean that the routes are added properly. It's more interesting, what's to see above of this line.
Maybe you could post the log.
But since your interface is showing an IP, at least the tunnel subnet will be assigned correctly and you should be able to ping the server IP if it is allowed.

Can you ping the servers virtual IP, LAN IP?
Can you ping other devices on the server side?
Are there firewall rules on both sites to allow access?

this is where i'm at a loss, 10.8.0.1 doesn't answer when i try ping from pfsense

Can you ping it from another VPN connected device?

pfsense doesnt answer when i ping 10.8.0.34 from my phone on the vpn (other devices do)

That's not a good indicator for the a working VPN.
This would require that the client-to-client communication is enabled on the server, which isn't by default. Also it requires that the access on the source device is permitted.

For testing you can try to ping pfSense from the server, while you run a packets capture on pfSense on OpenVPN to see if packets are transmitted.

the only rule i have made so far is <screenshot coming>:
Source: PRIVATE_VPN
Port: *
Dest: *
Dest Port: *

Consider that this rule only allows access from inside the VPN tunnel network.

What do you mean by both sites? I use 1194/UDP, and i allow that on the VPN server using an iptables rule set that loads at boot.

I can imagine that the server also needs a rule on the OpenVPN interface to allow access.
But if other devices are able to access the server and other remote devices it should also work from pfSense itself.

Do i need a rule on the pfsense WAN?

No.

What does the fact that it negotiated an address tell me? I think it means that it reached my VPN server on 1194, and the server used 67 or 68 for DHCP and was successful.

Yes you reach the VPN server, but there is no DHCP protocol on OpenVPN. So it doesn't indicate that IP is working.

@warningsystem said in Access to the client terminal connected to the VPN:

My question is, from the company's network can I connect to this client, access the data from his machine?

The needed data are on the client machine itself, as I understand? Accessing the network behind the client was more complicated and would need a client specific override, when running an access server.

You can access the client itself simply by its virtual IP. You can add a SCO anyway to assign a static virtual IP to him.
But you have to allow the access on the clients firewall at all.

A trick I'm using for Windows clients to enable access to them is pushing the default route to them, but with a high metric by adding this into the servers custom options box:

This makes the client "smooth", but networking has to be enabled on the client anyway.
However, consider that the pushed metric is applied to any route which is pushed to the client, but worked well.

@viragomann maybe, except like I said before, it works on Android, but not on PC. And both these devices are on the same network. I'm still struggling with this. I will keep trying though!

@gertjan You were very objective.

Thank you very much,

As I'm starting in PFsense it doesn't cost anything to put this CRON to restart at night.

like I mentioned to you very strange, this happens to some person or other and expected.

It seems that OPENVPN stops listening to that user, then when I restart it through the GUI, the client connects, but like, there are others connected and everything is working normally.

But it's fixed, thanks a lot for your support.

@fadushin +1

@philipt said in VPN to my home network without access to all resources:

I wouldn't be able to tell you if I am, I just followed a guide on IIRC the official wiki.

Typically people post screenshots of their configs with public IPs and keys/password redacted.

I suggest you want to do that at this point so we can point you in the right direction.

As for opening a port -- I wasn't suggesting opening a port to the Pi, but to the pfSense so that if you lock yourself out of the VPN you can still make changes until it is running how you want it. After that you turn off the firewall rule that allows remote access.

@viragomann said in Translate OPENVPN Firewall:

I need to update old pfsense 1.4.5 to 1.6.0.

None of them ever existed. You probably mean 2.4.5 to 2.6.0.

Yes, of course!

but doesn't work with the local (internal) network ( doesn't work even the ICMP ).

Are you sure, you local device does respond to outside access?
Try to ping the pfSense LAN IP.

The local addresse connot connect to OVPN address (on TAP interface) and vice versa, but all the rest works fine

I think it's a MAC problem of the virtual interface assigned to OPENVPN.

Why do you think this?
Becouse, it would be the only difference between the two server

Is the OpenVPN server in tun mode? A tun interface has no MAC as far as I know
I use, at the moment, a Tap mode. After the new server will start i'll change in tun mode the OpenVPN

Thank You, very much

@mat123 said in OpenVPN strange routing issue:

IPv4 Tunnel network: 10.100.255.0/24

Either change the tunnel subnet mask to /30 or configure a client specific override.

Sorry for late reply. I had Expressvpn running, not well and very very slow. Finally removed and reinstalled pfSense (now 2.6.2). Installed Expressvpn on wrt3200acm router that is connected to pfSense and all problems are gone and speed is much much faster (same as with no vpn). Downside is wrt3200acm router is wifi ac. Tried Nordvpn on rt-ax86u but was a total failure, slow, disconnects, etc. Back to wrt3200acm on pfSense and looking for good ax wifi card for pfSense, no luck yet. Hope 2.7 will have 2.5gb drivers and I will not have to install (it worked but I am not good at that). Many people here on the net helped me to get Expressvpn installed and even more to install 2.5gb drivers, Thanks all very much.

@mcouture said in Site-to-Site TLS - routes not populating at Client:

I do now see: ERROR: FreeBSD route add command failed: external program exited with error status: 1

Maybe you stated overlapping networks. The log should show the network which the error is referring to.

@jarhead
Yes, thank you. I remember now, it needs to be on same subnet like you told me before. I understand now why it’s not working. Just created a new vpn server instance on port 1195 using the tun mode. It works great now that way for my use. I just connect when I need to.

The other instance in tap mode that runs within a vlan on the home side is bridged on the same matching subnet as on the remote side. That works great for my dhcp needs for this specific computers.

@robbygr
So the routes are added properly. Hence access to the pfSense LANs should be routed over the VPN.

The only reason I can think for not able to access the LAN IP is that it was blocked, namely something wrong with the firewall rules.

Did allow any protocol in the rule on OpenVPN, not only TCP?
Do you see any states / packets for the pass rule?

Or possibly do you have a floating rule in place, which is blocking the access?

Check the firewall log. If the logging of the default deny rule is enabled, you would see blocks if none of your custom rules matches.

@jkl123
the gateway ip is same as your OVPN network interface defined under the server settings
It is the OVPN server interface address

@thestormsoffury said in OpenVPN Peer to Peer - Only one way access:

Now, I do not have an IPV4 Tunnel Network setting, should it have the IP of the tunnel Client A site is using?

I've never configured a CSO without stating the tunnel network, but I needed static client IPs for firewalling.
And the hints doesn't mention the option to leave it blank. But I don't think that it is needed only for routing the clients networks to the other site.

Though this doesn't make any sense seeing as how Users at Server site can ping the default gateway of Client A.

However, this indicates if the server is able to route the clients LAN.

Any clue as to what might have been hung up?

No, these things usually work out of the box.

@proxmoxman glad you got it all sorted, and happy to be of assistance.

@upper-deck
As I got you, internet access on the client works well without the VPN, but doesn't if it is connected. So obviously the client set the default route to the server.

The server can push this route to the client if you have "redirect gateway checked. But the option exists on the server only in recent pfSense versions.
On the client you can check "don't pull routes" to avoid that the default route is set.