@Gertjan

Thank you, the monitor IP (8.8.8.8) and compression is what I needed to make mine work!

@netblues im trying to optimize for performance with a good security balance. But that works for me too, thanks for the input

@dael-sutton said in OpenVPN client connections get dropped when rc.filter_configure_sync script runs (every 15min from crontab):

Yee-Haa. Unticking that "flush all states" tickbox seems to have done the trick. Thankyou @Silence for your patience while I grabbed at straws until the correct one appeared. 15:15 came and went and my test openvpv connection didn't drop, and my ssh session stayed running too.

Don't forget to like the comment that helped you.

@johnpoz OK thanks ... I have learn alot thanks to this forum ...

@viragomann this makes a lot of sense. Thank you for the information!

Just want to share one more thing if i connect LAN cable directly on my desktop internet is fine and working but when i use internet through the WIFI router there is no internet and i can't access the webgui either.

@to2020 I managed to resolve this issue myself.
I came across this article https://redmine.pfsense.org/issues/9511

So even thought my regular login to my pfSense has access to "WebCfg - All pages" which is inherited from admins, it does not include the advanced options.
Looking at the permissions for the "admin" user itself, I see nothing different, but that user still has access to these advanced settings.

@mgideon It boils down to how do you authenticate your users to deliver secure information.
pfsense doesn't have something automated in any case.

Does anyone have any thoughts around this?
Or maybe this is of no concern to most users or IT security admins?

@trever
So you fail to access VPN clients?

Consider that each client run its own firewall. And firewalls of different operating systems can have different default settings naturally.
Maybe you noticed that your issues concerns Android devices only.

Hi @viragomann,

You're my hero! I've added the certificate to the certificate manager and selected this certificate in de VPN config and that was the solution.

Thank for your help :-)

@scooter17 Thank you for this excellent solution. I can quite easily deploy an OpenVPN Linode. https://www.linode.com/docs/guides/openvpn-marketplace-app/

This seems much easier than loading BSD and PFsense, but I assume you found that you needed more than the OpenVPN capability.

I am relatively new to self hosting, and any learnings or reasons for one route or the other would help me.

@daveo132
👍
Possibly something messed up the interface settings.

@zz00mm

Oh good grief!

Thank you very much for the extra nudge which got me across the line...

You are right - I don't need to re-install, it works fine "when you get the syntax right".

In this case the "syntax" was collected from a post above in this thread, which appears to do the wrong thing.

This works:
/usr/local/sbin/pfSsh.php playback svc restart openvpn client 1

The syntax in the post above uses the keyword SERVER which may restart the server, but doesn't restart the client!

So I was also right when I remembered that it used to work previously - because I had the syntax right then, but I copied the wrong advice....what a muppet!

So now we have a mechanism to restart the OVPN client on demand, and the cron jobs in place to check & restart as required.

I do like your technique of changing locations daily - very sneaky 10/10.

I consider this issue closed, don't expect to add any updates as it will almost certainly be fine now.

Thanks.
"Permission to engage smug mode sir?" (Kryton)

@oguruma
In the OpenVPN server settings remove the check at "redirect gateway", instead enter the networks which the clients should be able to access into the "Local networks" box. If it's only that one server you can enter a single IP with a /32 mask.

Since the clients can apart from this route anything over the VPN on their own, it's a good advice to restrict your firewall rules accordingly. Instead of allowing access to any destination on the OpenVPN interface limit it to your needs.

Also you might have an Outbound NAT rule for the OpenVPN tunnel network (possibly added automatically by the wizard and removed again by unchecking "redirect gateway), which you can remove, if no WAN outbound is desired from VPN clients.

More on this - mostly for my own notes:

Jan 29 00:14:50 pfSense openvpn[75977]: Inactivity timeout (--ping-restart), restarting
Jan 29 00:14:50 pfSense openvpn[75977]: SIGUSR1[soft,ping-restart] received, process restarting
Jan 29 00:14:50 pfSense openvpn[75977]: Restart pause, 5 second(s)
Jan 29 00:14:55 pfSense openvpn[75977]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 29 00:14:55 pfSense openvpn[75977]: Re-using pre-shared static key
Jan 29 00:14:55 pfSense openvpn[75977]: Preserving previous TUN/TAP instance: ovpns1
Jan 29 00:14:55 pfSense openvpn[75977]: Socket Buffers: R=[42080->42080] S=[65507->65507]
Jan 29 00:14:55 pfSense openvpn[75977]: TCP/UDP: Socket bind failed on local address [AF_INET]99.229.125.21:6001: Can't assign requested address (errno=49)
Jan 29 00:14:55 pfSense openvpn[75977]: Exiting due to fatal error
Jan 29 00:14:55 pfSense openvpn[75977]: /sbin/route delete -net 192.168.110.0 10.0.8.2 255.255.255.0
Jan 29 00:14:55 pfSense openvpn[75977]: Closing TUN/TAP interface
Jan 29 00:14:55 pfSense openvpn[75977]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1561 10.0.8.1 10.0.8.2 init