• OpenVPN server certificate verify failed on pfSense 2.6.0

    6
    0 Votes
    6 Posts
    838 Views
    J

    @gertjan

    Which OpenVPN video are you referring to? I had this roadwarrior vpn access working in 2.5.2 fine with no issues. It is only after I upgraded to 2.6.0 that it would not connect.

  • Bypass isp throttling and blocking

    12
    0 Votes
    12 Posts
    2k Views
    A

    @gertjan Thank you for teaching me, I will look into throughput more

  • Tunnel Stopping

    1
    0 Votes
    1 Posts
    219 Views
    No one has replied
  • Windows 11 openVPN no go

    5
    0 Votes
    5 Posts
    1k Views
    J

    @bob-dig
    this is the version distributed by the most current version of pfSense software.

  • Packet loss several times a day

    1
    0 Votes
    1 Posts
    261 Views
    No one has replied
  • OpenVPN on a stick - how to route traffic from branch to headquarters

    9
    0 Votes
    9 Posts
    841 Views
    V

    @laserguidedcake
    A site to site should have a /30 tunnel, otherwise the server doesn't know where to route the packets for the client side LAN.

    You can use a wider tunnel though if you want to connect multiple clients, but in this case you need to configure client specific overrides on the server to enable iroute in OpenVPN.

    Egress from the branch should also work without NAT nö.

  • Express VPN (OpenVPN) routing

    1
    0 Votes
    1 Posts
    333 Views
    No one has replied
  • Accessing OpenVPN client from different LAN subnet.

    3
    0 Votes
    3 Posts
    504 Views
    V

    @jj5588
    Basically you can access any client by its virtual IP. However, you have to allow the access on the client's firewall.

    But for your purposes you can safely circumvent this with a masquerading rule on pfSense.

  • NO_TRAFFIC:SINGLE and TLS Handshake fail

    1
    0 Votes
    1 Posts
    312 Views
    No one has replied
  • Redundant OpenVPN problem

    3
    0 Votes
    3 Posts
    539 Views
    D

    @damianhl
    Ok, forget about the first question, that was like a bug with the OpenVPN client; after restarting it, it does not happen again.
    It seems it happens after you connect to a different WAN.

    I still have the doubt about how to check from the pfsense, which interface clients are using to connect. I cannot find any log related. In the dashboard appears the source public IP, not the destination IP.
    Is there a way?

    Thanks in advance.
    Regards,
    Damián

  • Allow OpenVPN Server to access Pfsense Subnets

    5
    0 Votes
    5 Posts
    778 Views
    O

    @viragomann It's working!

    I had tried the static route on the VPN to the client side IP but it wasn't working, so I tried the server side. I ended up deleting the static route I made and going with your recommendation of letting OVPN do that. The pfsense client was already set to the /30 network.

    For anyone else in a similar scenario, read this: OpenVPN: Including multiple machines on the client side when using a routed VPN (dev tun).

    And I missed an "i" on the "iroute 192.168.0.0 255.255.255.0" in the client file in the CCD folder on the server. #Facepalm.

    Big thank you to @viragomann and @rcoleman-netgate ! 👍

  • Using VPN for Gateway

    5
    0 Votes
    5 Posts
    708 Views
    L

    @viragomann that does make sense I’ll try that in the morning thank you

  • VPN through VLAN & Adguard

    7
    0 Votes
    7 Posts
    696 Views
    C

    @bob-dig

    Thank you so so much :)

  • DHCP reservation for OpenVPN clients?

    4
    0 Votes
    4 Posts
    688 Views
    PippinP

    Use topology subnet.

    One can set static tunnel IP in Client Specific Overrides.
    Common Name of the client cert must match username.

    Fill in the user static tunnel IP in IPv4 Tunnel Network,
    f.e.:
    172.16.0.2/24 gives username1 a static tunnel IP .2
    172.16.0.3/24 gives that username1 a static tunnel IP .3

    172.16.0.1 is for the server and cannot be used.
    .0 .254 .255 cannot be used either.

  • redirecting local network to openvpn network

    2
    0 Votes
    2 Posts
    438 Views
    V

    @scroll_dp said in redirecting local network to openvpn network:

    OpenVpn network -- 192.168.1.0/24
    local network -- 192.168.0.0/24

    Best practice would be to not use these networks, since they are default on many routers and hence widely used.

    But yes, it's possible to work around the routing issue with an additional IP on the OpenVPN interface, which lies outside of these networks.
    To set this up, assign an interface to the OpenVPN server instance and activate it, say it's OPT1.
    Then go to Firewall > Virtual IPs and add a new IP of type "IP alias" to this interface, e.g. 10.47.23.41/32.
    Then add a port forwarding rule to OPT1 for the destination IP 10.47.23.41 and target it to the concerned server. So you can use 10.47.23.41 to connect to the server from the OpenVPN.

    If you don't have "redirect gateway" in the OpenVPN server settings you have to add the virtual IP to the "Local networks", 10.47.23.41/32 in this example.

    If you have multiple IPs to be redirected you can use a /24 subnet mask for the virtual IP and add a NAT 1:1 rule to redirect the whole subnet.

  • 0 Votes
    1 Posts
    534 Views
    No one has replied
  • Server OpenVPN with FreeRadius and TFA does not start

    1
    0 Votes
    1 Posts
    183 Views
    No one has replied
  • No ping to router after pfsense

    7
    0 Votes
    7 Posts
    774 Views
    R

    @hendi You have no Ping because that's ICMP and not TCP.

  • OpenVPN "Enforce key usage" configuration option.

    2
    0 Votes
    2 Posts
    649 Views
    J

    @jimbo123 I've since found this Redmine that seems to confirm that the option adds
    "remote-cert-tls server" in the config for the client:

    https://redmine.pfsense.org/issues/11865

    This is the option that has been added to the "Cryptographic Settings" in OpenVPN client configuration options.


  • PIA UP but unable to route to it

    3
    0 Votes
    3 Posts
    623 Views
    O

    @litlelee9 Your first ping test seemed to be pinging itself - is that why it seemed to work but actually wasn't?

    If you are policy routing and the FW rules are still using the old gateway can you just go change it? You should see in the gateway column on the LAN etc interface which rules have a GW defined. Sorry if that's stating the obvious.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.