• openvpn Client disconnected

    0 Votes
    1 Posts
    375 Views
    No one has replied
  • need help understanding benefit of OpenVPN

    0 Votes
    11 Posts
    1k Views

    @detox how do you handle vulnerabilities on the cheap routers?
    how do you avoid sniffing of traffic without encryption?
    how do you get easy updates and renew the system without replacing hardware?
    how do you manage traffic routing and adding rules easily?

    The answer to all of the above is pfSense and OpenVPN. At least that is what I learned from the good guys here.

  • What is the default TLS version that uses OpenVPN on pfSense?

    0 Votes
    7 Posts
    1k Views

    @johnpoz the Log Level was set to Default.

    I have changed it to 2 and now the TLS version appears.

    Thank you so much.

  • Specific rules for single User / PC.

    0 Votes
    6 Posts
    877 Views

    @whitetiger-it
    The virtual IP of a client, which is part of the tunnel network, is what the firewall sees as the source address. So that is the way to do it.
    But there is no need to assign a /24 tunnel to 2 clients at all. If you use net30 topology you need 4 IPs (/30) for one client, so for two a /29 subnet is sufficient.
    If your server uses subnet topology a single IP is sufficient for each client.

    John, instead, has a CSO to use 10.201.201.1/24
    But then he is always assigned 10.101.101.2, as before.

    So obviously the CSO is not applied. If pfSense finds a matching CSO when establishing the connection, a log line is written. If not, the client gets an IP out of the server's tunnel pool.
    I mentioned above what the requirements are for a CSO to get applied.

  • Openvpn connecting but no traffic back.

    0 Votes
    5 Posts
    1k Views

    I changed my OpenVPN firewall rule on the WAN interface: destination "WAN address" instead of "This firewall (self)". It seems that "This firewall (self)" does not update the state table correctly, which is why I can make a small call and get my 302 but not send any real data. So use "WAN address" as the destination for the OpenVPN rules.

  • Security warnings using OpenVPN for Android with pfSense

    0 Votes
    2 Posts
    677 Views
    Gertjan

    @kesawi
    I understand your question ....
    Is this a server or client message ?

    Maybe some OpenVPN client 'humor':
    I rephrase:

    Profile uses BF-CBC which is not enabled

    BF-CBC isn't referenced in your .ovpn config (profile).

    If the client software is based on 2.4.x, then "BF-CBC" was a default cipher method.

    The current pfSense (25.5.2 CE or comparable) uses OpenVPN 2.5.x not the 2.4.x series.

  • OpenVPN Log Analysis

    0 Votes
    3 Posts
    713 Views

    @gertjan Thank you for your response. But actually, I'm looking for a third-party solution, something like Splunk but a bit easier and cheaper, because products like Splunk are too expensive to implement in these kinds of simple situations.
    I don't want to detect any problems; the main reason is security purposes.

    Please let me know if you have any ideas about this situation.

    Regards

  • Site to site VPN not working

    0 Votes
    1 Posts
    328 Views
    No one has replied
  • VPN Settings Sanity Check

    0 Votes
    2 Posts
    518 Views

    @audiobahn said in VPN Settings Sanity Check:

    Hi All,

    I'm trying to set up a VPN server on my pfSense to be able to remotely access my local network. I have managed to set up a server & client which connects fine BUT only when the client is within the network it tries to connect to. I feel I'm quite close to getting it but there's something I'm missing.

    Some background info on my topology:

    Public IP -> ISP Router (192.168.1.111) -> pfSense @ WAN Interface (192.168.1.210) -> LAN (10.10.x.x subnet).

    I already created a NAT rule to push any traffic on port 1194 from the Public IP all the way to 192.168.1.210:1194 so in theory an external client searching for the server on the WAN interface should be able to find it.

    I have screenshots of my settings but apparently the dimensions are too big to post, what's the best way to share these?

    Thanks.

    Nevermind, it got resolved now.

  • Route specific website requests over VPN?

    0 Votes
    2 Posts
    293 Views

    @helloha
    You can direct only specific host names or IPs over the VPN by using aliases and Policy Routing.

  • Use OpenVPN but with Internet access on the client

    0 Votes
    5 Posts
    844 Views

    @viragomann

    I find myself in great difficulty with a random behavior.
    Yet the configuration is the "basic" one, created with the Wizard and the same as many others described on the Internet.
    For testing I use:

    Browser with clean cache.
    Browsing in private mode, so as not to save caches, cookies, etc.
    Online newspapers, because they have very dynamic content.

    Well:

    In pfSense, Redirect Gateway = ON. I connect to the VPN, the tray icon turns green; a Win10Pro message appears telling me that an IP has been assigned for the tunnel; I can access the pfSense configuration page. I open the browser for the test; I open the online newspaper; I browse some articles; I ping using the newspaper domain. So, everything is OK.

    After a few minutes, the VPN is still active, but the pages are no longer reachable and the ping from the PC no longer works because it cannot resolve the domain, while if I do it from the GUI of pfSense, ping works correctly on all interfaces.

    OpenVPN log reports:

    Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_VER=2.5.4
    Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_PLAT=win
    Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_PROTO=6
    Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_LZ4=1
    Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_LZ4v2=1
    Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_LZO=1
    Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_COMP_STUB=1
    Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_COMP_STUBv2=1
    Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_TCPNL=1
    Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_GUI_VER=OpenVPN_GUI_11
    Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_SSO=openurl,crtext
    Nov 15 07:00:41 openvpn 27557 user 'USERNAME' authenticated
    Nov 15 07:00:46 openvpn 30979 IP-ROUTER:55664 [USERNAME] Peer Connection Initiated with [AF_INET]IP-ROUTER:55664
    Nov 15 07:00:46 openvpn 30979 USERNAME/IP-ROUTER:55664 MULTI_sva: pool returned IPv4=10.101.101.2, IPv6=(Not enabled)

    Then follow dozens of reports, all the same:

    Nov 15 07:00:56 openvpn 30979 USERNAME/IP-ROUTER:55664 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #163 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

    Sometimes disconnecting and reconnecting is not useful and I have to close the OpenVPN client to reopen it again.

    Now I am forced to work with three PCs:

    One to access pfSense.
    One to test the VPN.
    One connected directly to the router to be able to browse, so that I can always access the online documentation.

    The OpenVPN client GUI is v11.25.0.0
    Installed with OpenVPN-2.5.4-I604-amd64.msi

    This is the config (.ovpn):

    dev tun
    persist-tun
    persist-key
    ncp-disable
    cipher AES-256-CBC
    auth SHA512
    tls-client
    client
    resolv-retry infinite
    remote MYDDNS.duckdns.org 1194 udp4
    setenv opt block-outside-dns
    lport 0
    verify-x509-name "mynamepfsense-ovpn-rwa" name
    auth-user-pass
    remote-cert-tls server
    explicit-exit-notify
    <ca>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
    </key>
    key-direction 1
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    -----END OpenVPN Static key V1-----
    </tls-auth>

  • Redirect all Torrent traffic to a host

    0 Votes
    10 Posts
    1k Views

    @gertjan said in Redirect all Torrent traffic to a host:

    @audiobahn

    You can choose: On the client, using the VPN's app.
    Or
    Use the OpenVPN client on pfSense, and use firewall rules (policy rules) to select what traffic or which clients get routed over the VPN.

    @andyrh said in Redirect all Torrent traffic to a host:

    On pfSense only allow the VPN port. For opening a port for torrents you will need a VPN that allows port forwarding. pfSense cannot help you with port forwarding to a VPN service.

    Thanks both. I ended up shifting the vpn connection on the server side and it works fine now.

  • Not Routing to VPN client from LAN

    0 Votes
    4 Posts
    689 Views

    @mrwildbob
    Do the firewall rules on A on the VPN interface allow access from the remote site?

    Show the IPv4 routing table from A, please.

    From what you described, I assume both VPN endpoints are the default gateway in their respective LANs, right?

  • OpenVPN Interface IP in Subnet Mode

    0 Votes
    1 Posts
    297 Views
    No one has replied
  • OpenVPN error udpv4 Unknown error (code = 10054)

    0 Votes
    7 Posts
    2k Views

    @rbarbato
    Nice.

  • A clarification on the Gateway and Clients tab.

    0 Votes
    1 Posts
    272 Views
    No one has replied
  • OpenVPN: with Redirect IPv4 Gateway no access to LAN

    0 Votes
    4 Posts
    538 Views

    With the Wizard there are two fields.
    Instead, if the server is created, then if the checkbox is ON, the Tunnel Network field disappears.

  • SquidProxy using OpenVPN Tunnel

    0 Votes
    2 Posts
    552 Views
    No one has replied
  • Remote Access Connectivity Issues

    0 Votes
    3 Posts
    608 Views

    I figured it out. It was not a firewall on the devices, nor was it the pfSense. It was user error. The device behind the pfSense had manual IPs and no gateway set up. Once I changed them to DHCP, things started working.

  • routing bounces between vpn tunnels

    0 Votes
    11 Posts
    639 Views
    digininja99

    @viragomann I've removed the static routes and restarted things.

    I have this setup in the OpenVPN config for both interfaces.


    The bit I was missing was the IPv4 Tunnel Network IP, I just put that in and everything seems to be working!

    I'm now going to back all this up and then grab a copy of this session as notes for if I ever need to add a third VPN.

    Thanks very much for the help debugging this, it was more complex than I thought, but in the end it all makes sense I think. I'll re-read it all in the morning, it will probably have sunk in by then.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.