@tomhbp
I'm running an SSL/TLS peer to peer and this is selectable in the CSO.

However, basically I'd use a separate server for each site2site connection. But it's also possible with an access server as described here: https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-multi-purpose.html

They forwarded 1194 from the static IP to the private ip and I used ddns and everything is working now. Thanks for the tips!

@dholub
Unfortunately, no. Everything I've pulled up on both the "up" and "route-up" directives references info on running a script of some sort.

Have you found anything?

@viragomann

Thanks for this explanation. I was having similar challenges and checking "Don't Pull Routes" fixed my issue.

@emtechsg

The trick to route the packets correctly is on the pfSense at at the web servers site (83.82.88.1).
If it is on version 2.5.1 update it to 2.5.2.

If you didn't already, assign an interface to the OpenVPN instance and activate it.
This gives you a new tab in the firewall rules. Add a rule to this allowing the incoming traffic from the remote site.

Ensure that there is no rule on the OpenVPN tab matching to this traffic. If possible remove all rules if you don't need them for other OpenVPN instances.
Also ensure that no floating rule is matching that traffic.

On the other side simply port forward the traffic to the web server.

I've found that if I redirect all traffic through the VPN, traffic works normally across the VPN.

I used the following in the server config.
push "redirect-gateway def1"

So is this a client issue?

Route print on the client shows the local networks correctly in the clients routing table when I push "route x.x.x.x x.x.x.x"

But no traffic will traverse when when I push route. It only works when I push "redirect-gateway def1"

@shetu said in How to split openvpn config file:

When Grand stream connect openvpn, I can not browse GS web gui.

I have seen many GrandStream devices, for example my ATA stuff is GS HT802.
(I don't know yours specifically, but I guess the philosophy is the same)

There is a separate MGMT interface configuration option, maybe to use when OVPN is configured.

c606c79c-bfa1-497c-ab67-2c0bda60dabb-image.png

@viragomann Yup, that was it! Thanks! Now everything seems to work as it should. :D

@chrisjmuk

I get the impression you're heading in the wrong direction. With IPv6, most ISPs provide multiple /64s. I get /56, which contains 256 /64s from mine. I then assign a /64 to wherever I have a network. For example, I have 1 each for my main LAN, guest WiFi, test LAN, Cisco router and OpenVPN. I suspect you're still thinking in terms of IPv4, where is was necessary to use a hack, NAT, to make up for the address shortage. No need for that nonsense on IPv6.

@mmarco
If you set up a site2site OpenVPN select "peer to peer" server mode and use a /30 tunnel subnet.
So there is no need for a CSO.

I changed the option "Certificate Depth" from
"One (Client+Server)"
to
"Do not check"
and now I do not experience the issue anymore.

My question stays the same though:
Why is this happening on the SG-2100 and not on a virtual pfSense?

@issuehaver
Thanks for the feedback. Glad that you get it working at last.

@apara

From the url above , it seems that your vendor needs to sign with SHA instead of MD5
Getting new updated certificates would be the correct solution.

But with some vendors ... "Good luck w that" 👎

/Bingo

Can anyone offer any help debugging this please - I am not making any progress.

@viragomann
@viragomann
Thank you so much for your reply. I have managed to do some magic by following this forum discussion:

www.truenas.com/community/threads/truenas-12-openvpn-service-testing.85461/page-2

@hardikpfsense said in pfsense openvpn tunnelling issue:

Now from documentation we read that to do what we want to do we tried to set IPV4 to : 192.168.1.0/24 and foced
Redirect IPv4 Gateway using checkbox in tunnel settings.

Where did you read this?

It is sufficient to add the subnets where your internal services resides to the "Local networks" in the OpenVPN server settings.

"Redirect gateway" forces the whole clients upstream traffic over the VPN. Is that what you really wan?
Can the clients access your services with that option?

@viragomann said in OpenVPN client computer names:

So you will have to request the responsible admin to do this.
Can't think of any you can do on the OpenVPN server, since the clients use equal user accounts on the terminal server.

Maybe you got me wrong. Both our employees and subcontractors have their own individual OpenVPN accounts. However, they have one user account for the customer's system (another company). We connect to this client's network (another company) through the IPsec tunnel. When our employee tries to log into this system and the subcontractor is already logged in, a message appears that this user is already logged in to the computer (and the computer name appears here). If I could link an OpenVPN account with an unknown computer name of the subcontractor, I would know who to turn to, e.g. to log out.
Currently, subcontractors get static IP addresses from OpenVPN. So I am able to bind the user - ip account, but I am not able to bind the ip address - computer name.