• OPENVPN RESTART SERVICE WITH CRON

    Moved
    0 Votes
    8 Posts
    1k Views

    @gertjan You were very objective.

    Thank you very much,

    As I'm starting in pfSense it doesn't cost anything to put this CRON to restart at night.

    Like I mentioned to you, very strange, this happens to some person or other and expected.

    It seems that OPENVPN stops listening to that user, then when I restart it through the GUI, the client connects, but like, there are others connected and everything is working normally.

    But it's fixed, thanks a lot for your support.

  • OpenVPN works but no local DNS

    0 Votes
    49 Posts
    36k Views
  • VPN to my home network without access to all resources

    Moved
    0 Votes
    6 Posts
    830 Views

    @philipt said in VPN to my home network without access to all resources:

    I wouldn't be able to tell you if I am, I just followed a guide on IIRC the official wiki.

    Typically people post screenshots of their configs with public IPs and keys/password redacted.

    I suggest you want to do that at this point so we can point you in the right direction.

    As for opening a port -- I wasn't suggesting opening a port to the Pi, but to the pfSense so that if you lock yourself out of the VPN you can still make changes until it is running how you want it. After that you turn off the firewall rule that allows remote access.

  • Translate OPENVPN Firewall

    0 Votes
    3 Posts
    503 Views

    @viragomann said in Translate OPENVPN Firewall:

    I need to update old pfsense 1.4.5 to 1.6.0.

    None of them ever existed. You probably mean 2.4.5 to 2.6.0.

    Yes, of course!

    but doesn't work with the local (internal) network ( doesn't work even the ICMP ).

    Are you sure your local device does respond to outside access?
    Try to ping the pfSense LAN IP.

    The local address cannot connect to the OVPN address (on TAP interface) and vice versa, but all the rest works fine

    I think it's a MAC problem of the virtual interface assigned to OPENVPN.

    Why do you think this?
    Because it would be the only difference between the two servers

    Is the OpenVPN server in tun mode? A tun interface has no MAC as far as I know
    I use, at the moment, Tap mode. After the new server starts, I'll change the OpenVPN to tun mode

    Thank You, very much

  • OpenVPN strange routing issue

    0 Votes
    2 Posts
    489 Views

    @mat123 said in OpenVPN strange routing issue:

    IPv4 Tunnel network: 10.100.255.0/24

    Either change the tunnel subnet mask to /30 or configure a client specific override.

  • ExpressVPN on PFSense 2.6.0 - Anyone get it working?

    1 Votes
    24 Posts
    9k Views

    Sorry for late reply. I had ExpressVPN running, not well and very very slow. Finally removed and reinstalled pfSense (now 2.6.2). Installed ExpressVPN on wrt3200acm router that is connected to pfSense and all problems are gone and speed is much much faster (same as with no VPN). Downside is wrt3200acm router is wifi ac. Tried NordVPN on rt-ax86u but was a total failure, slow, disconnects, etc. Back to wrt3200acm on pfSense and looking for good ax wifi card for pfSense, no luck yet. Hope 2.7 will have 2.5gb drivers and I will not have to install (it worked but I am not good at that). Many people here on the net helped me to get ExpressVPN installed and even more to install 2.5gb drivers. Thanks all very much.

  • Site-to-Site TLS - routes not populating at Client

    0 Votes
    4 Posts
    510 Views

    @mcouture said in Site-to-Site TLS - routes not populating at Client:

    I do now see: ERROR: FreeBSD route add command failed: external program exited with error status: 1

    Maybe you stated overlapping networks. The log should show the network which the error is referring to.

  • Pfsense bridging openvpn site to site

    0 Votes
    6 Posts
    939 Views

    @jarhead
    Yes, thank you. I remember now, it needs to be on same subnet like you told me before. I understand now why it’s not working. Just created a new vpn server instance on port 1195 using the tun mode. It works great now that way for my use. I just connect when I need to.

    The other instance in tap mode that runs within a vlan on the home side is bridged on the same matching subnet as on the remote side. That works great for my dhcp needs for these specific computers.

  • openvpn client connects but no local network access

    0 Votes
    8 Posts
    3k Views

    @robbygr
    So the routes are added properly. Hence access to the pfSense LANs should be routed over the VPN.

    The only reason I can think of for not being able to access the LAN IP is that it was blocked, namely something wrong with the firewall rules.

    Did you allow any protocol in the rule on OpenVPN, not only TCP?
    Do you see any states / packets for the pass rule?

    Or possibly do you have a floating rule in place, which is blocking the access?

    Check the firewall log. If the logging of the default deny rule is enabled, you would see blocks if none of your custom rules matches.

  • 0 Votes
    4 Posts
    6k Views

    @jkl123
    The gateway IP is the same as your OVPN network interface defined under the server settings.
    It is the OVPN server interface address

  • OpenVPN Peer to Peer - Only one way access

    0 Votes
    7 Posts
    899 Views

    @thestormsoffury said in OpenVPN Peer to Peer - Only one way access:

    Now, I do not have an IPV4 Tunnel Network setting, should it have the IP of the tunnel Client A site is using?

    I've never configured a CSO without stating the tunnel network, but I needed static client IPs for firewalling.
    And the hints don't mention the option to leave it blank. But I don't think that it is needed only for routing the clients' networks to the other site.

    Though this doesn't make any sense seeing as how Users at Server site can ping the default gateway of Client A.

    However, this indicates if the server is able to route the client's LAN.

    Any clue as to what might have been hung up?

    No, these things usually work out of the box.

  • 0 Votes
    15 Posts
    2k Views
    johnpoz

    @proxmoxman glad you got it all sorted, and happy to be of assistance.

  • Fail to route internet traffic from OpenVPN server side to CLIENT side

    0 Votes
    11 Posts
    787 Views

    @upper-deck
    As I got you, internet access on the client works well without the VPN, but doesn't if it is connected. So obviously the client set the default route to the server.

    The server can push this route to the client if you have "redirect gateway" checked. But the option exists on the server only in recent pfSense versions.
    On the client you can check "don't pull routes" to avoid that the default route is set.

  • openvpn to 2 LANs connection problem

    0 Votes
    1 Posts
    295 Views
    No one has replied
  • OpenVPN Client Blocking outside DNS

    0 Votes
    1 Posts
    403 Views
    No one has replied
  • OpenVPN Behind NAT ISP Router

    0 Votes
    14 Posts
    2k Views

    @viragomann said in OpenVPN Behind NAT ISP Router:

    Did you do the packet capture on WAN as requested?
    If you see nothing there the router doesn't forward the traffic properly.
    Don't set any filter to ensure you see all traffic arriving on WAN!
    Did you update the MAC in the port mapping to that one of pfSense WAN interface?

    Yes, I did on the WAN Interface.
    I see traffic only when I try from local network using the public IP. If I delete the port-forwarding I see nothing even if I try from the local network using the public IP.
    I didn't set any Block rules on the WAN Interface to test it.
    The first step I did is to update the MAC address in the port-forwarding on ISP router.

  • second OpenVPN server does not route

    0 Votes
    10 Posts
    1k Views

    @laplacian said in second OpenVPN server does not route:

    Okay, just did that. Now neither one of my servers work. I have 1 allow any rule on the OpenVPN server 1 interface, 1 allow any rule on the server 1 interface, and no rules on the auto-generated OpenVPN tab.

    @Gertjan
    Oops, I spoke too soon. Netgate documentation says you have to restart the servers after creating new interfaces. When I did that, I'm back to square 1: server 1 works as expected and server 2 (port 1195) does not seem to route.

    I also did a diff of the server configs. The only things that differ are the port numbers and the interface IPs:

    The routing seems normal:

    Thanks for the tips so far, but is there anything else I can audit or compare between the two? This is really strange (and frustrating...)

  • Route VPN traffic to other VLAN

    0 Votes
    7 Posts
    817 Views

    @chris1284
    No, not all rules on all interfaces, but only interfaces which are included in the OpenVPN group. The group only includes OpenVPN instances, you cannot modify it.
    Rules on an interface group even on OpenVPN tab have prio over rules on the OpenVPN instances.
    You should consider this, when you have rules on this tab.

  • OpenVPN - can't get it working

    0 Votes
    3 Posts
    600 Views
    chris1284

    @cswroe Thanks for reply, pushed into right direction
    It works now. I have deleted the old config and started again without the wizard.
    I think the main problem was the firewall rule setup. In the first setup there were some rules missing. Also I switched to ssl/tls + user auth.

    I think my mistake was to think that "openvpn client" means one config for each client that I wish to connect to MY OpenVPN.

    Now it is running and after some reading into dns in openvpn, this is also running.
    I think now it is configured good

  • Certificate does not have key usage extension / CRL expiration - again

    0 Votes
    1 Posts
    548 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.