• export a report client

    1
    0 Votes
    1 Posts
    235 Views
    No one has replied
  • 0 Votes
    1 Posts
    247 Views
    No one has replied
  • Certificate Authority

    9
    0 Votes
    9 Posts
    948 Views
    Gertjan

    @renj said in Certificate Authority:

    So, in the available packages window I have nothing.

    You don't see these :

    [image]

    ?

    @renj said in Certificate Authority:

    I have, under the Installed Packages window, two installed packages.
    At the bottom of this window, I have a message in red:
    Package is configured but not (fully) installed or deprecated.

    We all have this :

    [image]

    If an installed package is marked in red => now you know what that means.
    If an installed package is marked in yellow => now you know what that means.

  • Split tunnel/ Split DNS

    2
    0 Votes
    2 Posts
    566 Views
    V

    @chuck1968
    No, don't push a DNS server. You cannot push a DNS server for the local domain only. If the branch uses Server01 for DNS resolution it uses it for all requests.
    You have to add a domain override for the local domain instead to only forward these certain requests to the main office.

    In the branch OpenVPN settings enter 192.168.99.0/24 to the "Remote Networks".
    On the main, presuming you are using a /30 tunnel network, enter 192.168.95.0/24 into the "Remote Networks" box.

  • Open VPN User Groups?

    1
    0 Votes
    1 Posts
    326 Views
    No one has replied
  • Grant a User Permission to ONLY Start/Stop (OpenVPN) service

    2
    0 Votes
    2 Posts
    456 Views
    jimp

    There are no granular per-service privileges right now, so any user who must control a service requires access to status_services.php (WebCfg - Status: Services).

    All of the service control links, even in the shortcut bar, use that page to manage service control.

  • OpenVPN client and pfBlocker-Devel

    1
    0 Votes
    1 Posts
    296 Views
    No one has replied
  • pfsense and protonvpn/airvpn

    2
    0 Votes
    2 Posts
    985 Views
    P

    @petri Turns out a real managed switch needed to be connected. Not the Unifi Lite I had. Now my IP isn't leaking out anymore.

  • Local authentication with groups of users

    4
    0 Votes
    4 Posts
    546 Views
    V

    @ppcm said in Local authentication with groups of users:

    if the user changes groups, I will need to send a new config, not easy to manage

    I've been running multiple OpenVPN servers with different CAs for different user groups for 10 years. Never needed to move a user into another group till today.

    Is there a way to use groups of pfSense?

    No, not the local user groups in OpenVPN.

    If you need to replace the functionality of AD you can install the FreeRADIUS package and use it in the OpenVPN servers for authentication.
    Authenticating OpenVPN Users with FreeRADIUS

  • 5100/22.05 - Degraded OpenVPN client performance

    6
    0 Votes
    6 Posts
    946 Views
    M

    @gertjan yes, it was pfblockerng-devel v3.1.0_6.

    I have blocklists set to prevent traffic coming from "non friendly countries", basically, Asia region, Russia, some northern countries + Africa.

    But I agree, it is quite weird.
    I've now made several tests with pfblocker-ng enabled/disabled, etc., and always see the BW drop when pfblocker-ng is enabled.


  • Bridge VPN Connection Losing Connection

    1
    0 Votes
    1 Posts
    295 Views
    No one has replied
  • 0 Votes
    2 Posts
    952 Views
    J

    @coyotekg The client certs use the CA as the issuer just like the server certs do so yes, you would need to change them.

  • Openvpn cloud site to site behind CGNAT and using BGP (working)

    1
    1 Votes
    1 Posts
    380 Views
    No one has replied
  • how to get .pem files for ubuntu vpn setup

    7
    0 Votes
    7 Posts
    2k Views
    V

    @bingo600
    Yeah, exactly.
    You get an encrypted p12 file, when you download the Viscosity bundle and state the path to it at CA, user cert and private key in NM.

  • 22.05 openVPN Unable to start service

    2
    0 Votes
    2 Posts
    590 Views
    J

    I discovered openVPN didn't upgrade with the OS. From a command prompt, I ran pfSense-upgrade -d and applied the missing updates. After installing the updates and rebooting the machine, openVPN started working correctly.

  • Client disconnection due to usage

    1
    0 Votes
    1 Posts
    241 Views
    No one has replied
  • Reports OPENVPN connections

    1
    0 Votes
    1 Posts
    449 Views
    No one has replied
  • Peer to Peer routing unidirectionally

    5
    0 Votes
    5 Posts
    635 Views
    V

    @aviatorpaal said in Peer to Peer routing unidirectionally:

    Netgate docs, in their configuration example unfortunately uses a /24 as the tunnel network, which led to the confusion:

    You should read the whole document:

    [image]

  • Open VPN and LAN connection

    2
    0 Votes
    2 Posts
    429 Views
    Gertjan

    @norvik-it

    Good news : your question isn't related to pfSense.
    It's just that pfSense also has an OpenVPN server built in.
    You could also use the OpenVPN server on your NAS, for example.

    First things first : when you set up an OpenVPN server, you'll find a new interface on your pfSense, typically called "ovpns1". You have to assign it to an interface like :

    [image]

    Now, activate the 'go easy on yourself' mode, and add two rules :

    [image]

    You can even combine these rules.
    Or use just IPv4 if you don't use IPv6 yet.

    Now, when your OpenVPN client connects to your OpenVPN server, traffic will 'enter' this OPENVPN interface.

    Another thing : OpenVPN is giving IPv4 to your OpenVPN clients. The DHCP server for your LAN and other LAN type interfaces has nothing to do with OpenVPN clients.
    OpenVPN server is also doing what DHCP does : it also gives IPs to its clients.

    So, when I have this on the OpenVPN server settings page :

    [image]

    I know that my tunnel IP network is
    192.168.3.0/24.
    OpenVPN server will use the dot 1
    My first openvpn client will have .2 etc - and again, it's not a DHCP server that gave this IP. You don't even set up a DHCP server that works for the 192.168.0/24 network !

    Btw : Your first line (see above) that you should consider not using some LAN based device DHCP server (the 192.168.0.7).
    Let pfSense handle DHCP for all your LAN networks, using the DHCP server. Make life easier on yourself.

    Btw : with the firewall rules shown above, you can access pfSense itself, LAN(s) devices, and whatever you can find on the Internet.

    edit :

    Use this 7,5 minutes video to set up a server : Configuring OpenVPN Remote Access in pfSense Software
    Only deviate from that setup when one of these two conditions is met :

    You have a solid understanding of an OpenVPN server (and client) (sorry, will take time, openvpn is utterly complex).
    You want to try out things, and know how to get back to a working setup when done messing around (because, why not, we all love to test/play/etc)
  • Cannot pre-load keyfile

    15
    0 Votes
    15 Posts
    9k Views
    T

    @johnpoz That is exactly what I was thinking... How to keep track of all the tls keys... Now to figure out how to utilize some of the addins like nort...

    I can't thank you enough for all your help!!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.