• OpenVPN in 2.6.0 problem with "remote-cert-tls" after restart.

    4
    0 Votes
    4 Posts
    2k Views
    bingo600B

    @rini
    My guess is:
    You would have to put a copy of the pfsense Root CA "public part" on the DSM too.
    It has to know the full chain.

  • Execute script when Openvpn client connect ?

    1
    0 Votes
    1 Posts
    507 Views
    No one has replied
  • openvpn doesn't connect if there was a power loss

    3
    0 Votes
    3 Posts
    615 Views
    F

    @viragomann said in openvpn doesn't connect if there was a power loss:

    Switch of the power of pfSense only or even of a device like a router in front of it?

    pfsense is installed in a computer so power of computer

    @viragomann said in openvpn doesn't connect if there was a power loss:

    And none of them is reconnecting?

    none get auto reconnect, need to do manually for make reconnect

  • OpenVPN server connection and tunneling back out

    23
    0 Votes
    23 Posts
    2k Views
    D

    @viragomann They definitely are....up until it disconnects because it's working just fine other than the disconnect.

  • Ip forward with openvpn

    6
    0 Votes
    6 Posts
    885 Views
    JKnottJ

    @amirat said in Ip forward with openvpn:

    so how can i do routing?
    and i also need to use vpn for my phone , how you say that it is irrelevant?

    Many people seem to think a VPN is somehow different from any other IP connection. All the VPN does is set up a secure connection between two points. Years ago, that might have been done with frame relay.

    As for routing, you have to let the various devices know how to reach some other device. With a VPN, you at least have a route to the VPN server and from there out to the Internet. If you want to go anywhere else, then you have to ensure there's a route configured to that point. It also doesn't matter what the client is. Whether a computer or a phone, it still works the same way.

    What you have to do is determine what you want to reach and where it is, relative to your OpenVPN server. Then you have to decide whether you have to add routes. For example, pfSense knows about directly connected networks, so you don't need to specify a route to them. Beyond that, you have to.

  • OpenVpn with NPS , ensure client health check

    1
    0 Votes
    1 Posts
    648 Views
    No one has replied
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • OpenVpn does not resolve local.lan dns

    3
    0 Votes
    3 Posts
    685 Views
    J

    Hi @viragomann thanks for your support on this.

    I could get it working, I just removed Custom options

    push "dhcp-option DNS 192.168.3.1"; push "dhcp-option DOMAIN local.lan";

    I saved changes and restarted the whole pfsense, it just started working after that restart, I mean the machines which are using OpenVPN can reach the machines which are in the LAN network by dns instead of IP addresses, my suspicion pfsense needed to be restarted and there was not any need by adding the Custom options, after that I wanted to double check this in order to have repeatable steps and what I could find out is that those enabled options in Dns Resolver such as DHCP Registration, Static DHCP, OpenVPN Clients as DNS Default Domain and Dns Server 1 in OpenVPN server settings are mandatory options in order to get it working, I know there could be a lot of ways to do this, I am just sharing with you how I could do it in this way

  • 0 Votes
    8 Posts
    6k Views
    devnetD

    @hugoeyng

    Now OpenVPN setup is complete. Make some changes in the settings, for this click on the edit button and go to the "Tunnel Settings" section and click on the checkbox as shown in the image.

    Now Create a user to log in to OpenVPN System > User Manager > +Add.

    Now go to the OpenVPN client Export and export the user file. Then install the setup file in the system login with username and password.

    Have A Great Day!!
  • OpenVPN client override with multiple possible IPs

    1
    0 Votes
    1 Posts
    259 Views
    No one has replied
  • OpenVPN service doesn't start

    3
    0 Votes
    3 Posts
    750 Views
    R

    I am on 22.05. It seems the upgrade didn't complete correctly. I found this post and tried the solution of running pfSense-upgrade -d. That showed 1 package to be installed and 40 to be upgraded. After completing the upgrades and rebooting, the OpenVPN service started and I am able to connect again.

  • cant access ssh using custom port on lan through openvpn

    2
    0 Votes
    2 Posts
    435 Views
    GertjanG

    @dragonfixed00

    Packet capture on LAN using TCP and port 2222
    Do the SSH packets arrive on LAN ?

  • 0 Votes
    2 Posts
    2k Views
    K

    This is my client config

    dev tun
    persist-tun
    persist-key
    data-ciphers AES-128-GCM:AES-256-CBC
    data-ciphers-fallback AES-256-CBC
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote X.X.X.X 1194 udp4
    nobind
    verify-x509-name "X.X.X.X" name
    auth-user-pass
    pkcs12 pfsense-UDP4-1194-khodorb.p12
    tls-auth pfsense-UDP4-1194-khodorb-tls.key 1
    remote-cert-tls server
    explicit-exit-notify
    verb 4

  • CE-2.6.0 - Unable to disable OpenVPN Server if Interface is assigned

    5
    1 Votes
    5 Posts
    2k Views
    Bob.DigB

    @madfuzker said in CE-2.6.0 - Unable to disable OpenVPN Server if Interface is assigned:

    @bob-dig I can confirm that in 22.05 this is NOT fixed.

    Definitely not fixed. But not a problem for me anymore, I only use WireGuard.

  • 0 Votes
    2 Posts
    851 Views
    K

    @markedo hi , did you have luck resolving this ?

  • Down right strange and inexplicable behavior from OVPN

    1
    0 Votes
    1 Posts
    309 Views
    No one has replied
  • Unable to ping LAN Gateway from OVPN connection

    1
    0 Votes
    1 Posts
    303 Views
    No one has replied
  • No acces to Internet when connected to oVPN

    28
    0 Votes
    28 Posts
    3k Views
    Gamienator 0G

    Hey everyone,

    I found a very interesting Scenario.

    Just to recap: my home pfSense Box has 1 OpenVPN Server and 4 OpenVPN Clients configured.

    I needed to connect to my pfSense at home via OpenVPN to check something and I noticed that I was able to browse through the Internet. Which shocked me, and I thought well, maybe my reboot fixed it. After a short investigation I noticed that my pfSense stopped the OpenVPN Client, so it wasn't connecting to the OpenVPN Servers which I configured.

    After starting the clients on my pfSense I connected to my pfSense via iPhone: And then I wasn't able to browse the internet. Deactivating the clients helped: my iPhone had access to the internet.

    Can anybody explain to me what on earth is happening?

    Edit: Holy ... I fixed it!

    After defining in the catch all Rule of the OpenVPN Interface the default gateway every client can now access the internet.

  • Ignore full tunnel

    1
    0 Votes
    1 Posts
    333 Views
    No one has replied
  • OpenVPN Client working, but other ports & VLANs now offline

    13
    0 Votes
    13 Posts
    1k Views
    johnpozJ

    @pourts said in OpenVPN Client working, but other ports & VLANs now offline:

    because "policy routing" isn't an option in any of the GUI menus.

    Sure it is ;) The gateway you want to send the traffic out of is policy routing ;)

    Glad you got it sorted.

    Hope you paid attention to the bypassing policy routing in that section, users always seem to fail to understand if you force traffic out say a vpn gateway, that it won't be able to get to your other vlans/networks that are local. So you have to have a rule above your policy route rule that allows for access you want locally.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.