• Protect network from compromised remote PC


    Restricting access via OpenVPN to only TCP port 3389 (RDP) and possibly DNS (TCP/UDP 53) to your internal DNS servers should reduce your exposure a fair bit.

  • OpenVPN on another public ip address


    @viragomann said in OpenVPN on another public ip address:

    Requesting the whole config seems quite dubious to me.

    I didn't ask him for his configuration; he asked for his WAN-side firewall rules and I showed him how to make a backup since he asked.

    @jptferreira said in OpenVPN on another public ip address:

    @silence On pfSense I still can't find an easy way to export settings besides taking screenshots... any hints on how to do it?
    Thanks

    Waiting for the firewall rules (WAN).

  • OpenVPN tunnel without Gateway and DNS

    No one has replied
  • pfSense OpenVPN client/server (site to site)


    @viragomann
    The server routing table was missing the route for 192.168.2.0/24 . I added it in the OpenVPN server Custom Options box:
    route 192.168.2.0 255.255.255.0

    The server side is now able to access client-side local IPs. Thanks for your help!

  • Single WAN PPPOE Carp HA OpenVPN - remote LAN issue

    No one has replied
  • OpenVPN Layer 2 Bridge Hyper-V How-to


    Thanks for your solution. Now I have the problem that I can't filter the DHCP server for a separate DHCP server in each site. In a non-virtualized environment it needs 2 simple rules on vpnbridge in each site.

  • TLS Error: local/remote TLS keys are out of sync


    @jamespedersen-brightpattern-com
    Thanks! Will test your recommendation:

    VPN > OpenVPN > Servers > Edit > Advanced Configuration > Custom options

    push "route 192.168.1.0 255.255.255.0";
    push "route 10.0.100.0 255.255.255.0";
    reneg-sec 28800
    auth-gen-token 43200

  •

    @someusername
    If you were missing routes, you could not access the remote devices, even with a single connection.

    A member wrote here that his Ubuntu client changes the default route and points it to the server, even if the server is not set to push "redirect gateway". But possibly one of your servers is.
    With a former version of NetworkManager I experienced this as well, but I'm not on Ubuntu.

  • Quotom J1900 / ExpressVPN Performance


    @jknott said in Quotom J1900 / ExpressVPN Performance:

    I also have a Qotom computer (see sig)

    You have an i5!! The TO is talking about a J1900 and OpenVPN throughput. The i5 has 5 times more power.

    It would not surprise me if this is due to CPU limits.

  • New OpenVPN server, can connect but can't get to LAN subnet.


    Well, after hours of trying different things, I think I might have found the fix. I have no idea if this was the fix, because of the number of things I was trying at the end, but this makes sense to me. I didn't have these boxes checked, and when pfSense made the gateways it didn't check the boxes automatically.


  • OpenVPN hub and spoke with AD/DNS on spoke


    After further testing, it appears this issue is limited to FREEBSD v12.

    I installed fresh instances of FREEBSD 12.2 & 12.3 and neither would resolve DNS over OpenVPN.

    I then installed FREEBSD 13 and DNS worked no problem.

    I still don't know why my hub's routing table looks like it does, with all remote OpenVPN subnets pointing to 172.27.120.2, but hey routing to all subnets seems to work so I guess I'll just ignore that.

  • 2 WANs and 2 gateways for OVPN


    @viragomann
    Yeeees! It works!
    I just added the destination in the first rule - local network.
    Now clients get WAN1 and WAN2 IP addresses, as I wanted, to separate them and have access to the private network.


    Thank you very much for the help!!!

  • Connection fails after IP change


    @jknott
    Yes, I mean the WAN address.
    The clients are pointed towards a dynamic DNS address which updates correctly to the new IP every time.

    @viragomann
    That's already ticked.

  • IP collisions when using client overrides


    @kromek
    The server assigns the pool IPs sequentially from the lowest up.
    So for the CSOs you should begin from the highest down. Ensure that your tunnel pool is large enough for all users.

    Also you may consider unchecking "Duplicate Connection", so that a single client cannot grab multiple IPs.

  • Notification when VPN is down


    @robato

    I have gateways set up for my VPN tunnels. Gateway monitoring via dpinger is pinging across the tunnel. If pings fail at a rate set up under Routing / Gateway Advanced, then I get an email from pfSense.

    It sounds similar to what you would like to achieve.

    Set up a client gateway and make sure its pings go across the tunnel. If the gateway fails, so should the pings, and you should get a notification.

    -Devan

  • Unusual OpenVPN Behavior


    @wmw509
    I'm talking about simple firewall rules. That's part of the basic setup of pfSense.

    Start here: Rule Methodology

  • OpenVpn


    @tanguyims said in OpenVpn:

    When I don't set the ifconfig-push 10.0.8.5 255.255.255.0;, my client gets an IP provided by OpenVPN DHCP

    And what's the tunnel pool network?

    Show your VPN firewall rules.

    BTW: When configuring a CSO, it is better to enter 10.0.8.5/24 (subnet topology presumed) into the "IPv4 Tunnel Network" field instead of using "ifconfig-push".

  • Bypass ISP VPN Throttling


    I found the solution for how to bypass the VPN on ProtonVPN [this is a real no-logs VPN based in Switzerland] on this page: protonvpn.com/support/pfsense-vpn-setup/

    Basically the idea is to go to the specific VLAN, or if you have a single LAN and want to exclude an IP range or host from the VPN, you create a rule in Firewall --> Rules for the VLAN/LAN: identify the interface (LAN or a specific VLAN), identify the source (host, alias, interface [VLAN] etc.), go to Advanced and change the Gateway to WAN. Then go to Firewall --> NAT --> Outbound, switch the mode to Automatic, save/apply, and go back to Manual. It works.

    I tried setting my VLAN to access the WAN directly, but that got me no connection outside my VLAN. I suspect that is because [it's somewhere in this massive trail of notes] the settings for OpenVPN say something like "pull all connections" or something similar, which seems to direct everything to the VPN.

    Anyway, although I am not connected to ProtonVPN in any way, I would recommend them for their veracity, clarity and support. And I want to thank them for solving a problem that a whole trail of notes leading to 10 or more pages did not seem to answer.

  • OpenVPN Multiple Site-to-Site routing


    I know this is an old post but it is directly relevant to my needs.

    I've had a hub and spoke pfSense/OpenVPN setup for years, but only using the basic config fields with no advanced 'push' or 'iroute' commands. For the most part routing works, but sometimes there are issues, and I'm wondering if this is a better way.

    For reference my current setup is detailed in a recent post:

    OpenVPN hub and spoke with AD/DNS on spoke

    I'd like to try the configuration suggested in this thread but I don't have the luxury of changing to contiguous subnets - I have 5 spokes and their subnets are all over the place (mix of 192.168.x.x, 172.x.x.x & 10.x.x.x).

    Therefore I'd like to understand if I have the config right in this case. Looking at the OP's original subnets, I'm wondering if the following config would have worked. I've added a third spoke for completeness. The only tweaks are in the server's IPv4 Remote Network/s field, the server's advanced 'push' commands, and the CSO 'iroute' commands.

    OpenVPN Server:
    LAN: 192.168.248.0/24
    Tunnel: 172.16.0.0/24

    Client A: 192.168.246.0/24
    Client B: 192.168.249.0/24
    Client C: 172.27.30.0/24

    OpenVPN Server Config:

    Server Mode: Peer to Peer ( SSL/TLS )
    Protocol: UDP
    Device Mode: tun
    Interface: WAN
    Local port: 1194
    IPv4 Tunnel Network: 172.16.0.0/24
    IPv6 Tunnel Network: blank
    Redirect Gateway: blank
    IPv4 Local Network/s: 192.168.248.0/24
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: 192.168.246.0/24,192.168.249.0/24,172.27.30.1
    IPv6 Remote Network/s: blank
    Compression: No preference
    Type-of-Service: blank
    Duplicate Connections: blank
    Disable IPv6: blank

    Advanced configuration:

    push "192.168.246.0 255.255.255.0";
    push "192.168.249.0 255.255.255.0";
    push "172.27.30.1 255.255.255.0";

    Client Specific Override

    Client A:

    Common name: (matching with certificate name)
    Tunnel Network: blank
    IPv4 Local Network/s: blank
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: blank
    IPv6 Remote Network/s: blank
    Redirect Gateway: blank
    Advanced:

    iroute 192.168.249.0 255.255.255.0;
    iroute 172.27.30.1.0 255.255.255.0;

    Client B:

    Common name: (matching with certificate name)
    Tunnel Network: blank
    IPv4 Local Network/s: blank
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: blank
    IPv6 Remote Network/s: blank
    Redirect Gateway: blank
    Advanced:

    iroute 192.168.246.0 255.255.255.0;
    iroute 172.27.30.0 255.255.255.0;

    Client C:

    Common name: (matching with certificate name)
    Tunnel Network: blank
    IPv4 Local Network/s: blank
    IPv6 Local Network/s: blank
    IPv4 Remote Network/s: blank
    IPv6 Remote Network/s: blank
    Redirect Gateway: blank
    Advanced:

    iroute 192.168.246.0 255.255.255.0;
    iroute 192.168.249.0 255.255.255.0;

    Any comments or advice is very much appreciated.

  • First Time User Config Guides For VPN on Netgate 2100 Firewall?


    @viragomann Thanks for the reply and all the answers. I will research and continue to attempt to get it configured correctly. I almost got it, but am taking a break today, maybe tomorrow. There is an app for Linux, I do have it installed, and I see the OpenVPN configs, but I still need to get the app configured and the firewall configured to get it working. I really appreciate the tips and clarification!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.