Netgate Discussion Forum
    OpenVPN connection issue

    Stef93

      /var/etc/openvpn/server(your server id)/config.ovpn

      example
      /var/etc/openvpn/server1/config.ovpn


    jonh001

        server1.ovpn
        dev ovpns1
        disable-dco
        verb 3
        dev-type tun
        dev-node /dev/tun1
        writepid /var/run/openvpn_server1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp4
        auth SHA256
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        client-connect /usr/local/sbin/openvpn.attributes.sh
        client-disconnect /usr/local/sbin/openvpn.attributes.sh
        local 2x.xx.xx.x5
        engine devcrypto
        tls-server
        server 192.168.222.0 255.255.255.0
        client-config-dir /var/etc/openvpn/server1/csc
        plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TG9jYWwgRGF0YWJhc2U= false server1 1194
        tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'openvpn_server' 1"
        lport 1194
        management /var/etc/openvpn/server1/sock unix
        max-clients 5
        push "route 192.168.22.0 255.255.255.0"
        duplicate-cn
        remote-cert-tls client
        capath /var/etc/openvpn/server1/ca
        cert /var/etc/openvpn/server1/cert
        key /var/etc/openvpn/server1/key
        dh /etc/dh-parameters.2048
        tls-auth /var/etc/openvpn/server1/tls-auth 0
        data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
        data-ciphers-fallback AES-256-CBC
        allow-compression no
        persist-remote-ip
        float
        topology subnet
        explicit-exit-notify 1
        inactive 300

        CLIENT.ovpn
        dev tun
        persist-tun
        persist-key
        data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
        data-ciphers-fallback AES-256-CBC
        auth SHA256
        tls-client
        client
        resolv-retry infinite
        remote FQDN_to_WAN 1194 udp4
        nobind
        verify-x509-name "openvpn_server" name
        auth-user-pass
        remote-cert-tls server
        explicit-exit-notify

        <ca>
        -----BEGIN CERTIFICATE-----
        MIID8TCCAtmgAwIBAgIIWHUO2JAZN+wwDQYJKoZIhvcNAQELBQAwVTEUMBIGA1UE
        -----END CERTIFICATE-----
        </ca>
        <cert>
        -----BEGIN CERTIFICATE-----
        MIIEOzCCAyOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBVMRQwEgYDVQQDEwtpbnRl
        -----END CERTIFICATE-----
        </cert>
        <key>
        -----BEGIN PRIVATE KEY-----
        MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+XaVPf5oMFoPc
        -----END PRIVATE KEY-----
        </key>
        key-direction 1
        <tls-auth>
        # 2048 bit OpenVPN static key
        -----BEGIN OpenVPN Static key V1-----
        5cb31652d73c24ad65db0b111fbb68eb
        -----END OpenVPN Static key V1-----
        </tls-auth>


    Stef93 @jonh001
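Before looking at interfaces and rules, it is worth confirming that the server config and the exported client profile actually agree on the handshake settings (protocol, HMAC digest, data ciphers, tls-auth key direction). The following checker is an added example, not code from the thread or from pfSense; SERVER and CLIENT are abridged copies of the two configs posted above, and for that pair it reports no mismatch.

```python
# Added example, not from the thread: cross-check the settings an OpenVPN
# server config and client profile must agree on for the TLS handshake.
# SERVER and CLIENT are abridged copies of the two configs posted above.
SERVER = """proto udp4
auth SHA256
tls-auth /var/etc/openvpn/server1/tls-auth 0
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC"""
CLIENT = """client
remote FQDN_to_WAN 1194 udp4
auth SHA256
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
5cb31652d73c24ad65db0b111fbb68eb
-----END OpenVPN Static key V1-----
</tls-auth>"""

def parse(text):
    """Map option -> args; inline <tag>..</tag> blocks are noted, not kept."""
    opts, block = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue                                # comment or blank
        if block:                                   # inside <tag> ... </tag>
            block = None if line == "</%s>" % block else block
        elif line[0] == "<" and line[-1] == ">":    # opening tag
            block = line[1:-1]
            opts[block] = ["<inline>"]
        else:
            opts[line.split()[0]] = line.split()[1:]
    return opts

def tls_direction(opts):
    """key-direction if given, else the trailing 0/1 of tls-auth, else None."""
    if "key-direction" in opts:
        return opts["key-direction"][0]
    args = opts.get("tls-auth", [])
    return args[-1] if len(args) > 1 and args[-1] in ("0", "1") else None

def check(server_text, client_text):
    """Return mismatch names; [] means the handshake settings agree."""
    s, c = parse(server_text), parse(client_text)
    issues, remote = [], c.get("remote", [""])
    proto = remote[2] if len(remote) > 2 else c.get("proto", ["udp"])[0]
    ciphers = lambda o: set(o.get("data-ciphers", [""])[0].split(":"))
    if s.get("proto", ["udp"])[0].rstrip("46") != proto.rstrip("46"):
        issues.append("proto differs")              # udp4 and udp both ok
    if s.get("auth", ["SHA1"]) != c.get("auth", ["SHA1"]):
        issues.append("auth digest differs")
    if not ciphers(s) & ciphers(c):
        issues.append("no data-cipher in common")
    if {tls_direction(s), tls_direction(c)} not in ({None}, {"0", "1"}):
        issues.append("tls-auth key-direction not complementary")
    return issues
```

An empty result from check() on the real files means the failure is not in the crypto parameters, which points the search at the interface assignment, firewall rules and routes discussed below.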

          @jonh001 said in OpenVPN connection issue:

          push "route 192.168.22.0 255.255.255.0"
          duplicate-cn

          Remove route 192.168.22.0 255.255.255.0 and disable duplicate-cn

          Are there any Client Specific Overrides?

          Has the interface been added?
          After everything, restart OpenVPN.

          I still advise you to read it; Netgate writes excellent instructions and even offers examples with pictures:
          https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html


    jonh001 @Stef93

            @Stef93
            I did review all the documentation and watched several YouTube videos before posting in the forums.
            I was under the impression that the wizard would take care of 99% of the configurations for a basic scenario.

             The interface has been added (I think). When I look at OpenVPN status, the header shows "ovpns1: SSL VPN in UDP4:1194 / Client Connections: 0", where I believe ovpns1 is the interface name. It also shows up under the Firewall Rules section. However, I don't see it specifically listed under Interface Assignments; I only see the usual WAN, LAN and OPT1 (which is my DMZ).

             I have since deleted the VPN config and associated rules and rebuilt it; same issue.


    Stef93 @jonh001

              @jonh001 said in OpenVPN connection issue:

              However I don't see it specifically listed under Interface Assignments



    jonh001

                 I think the OpenVPN interface is created automatically even though it doesn't show up in Interface Assignments, as there is an "OpenVPN" item in the Firewall rules.
                If I go to Interface Assignments and create a new one, it will show up in the Firewall rules as well.

                 Even if I create a new rule for the new interface, I still have the same issue.


    Stef93 @jonh001

                  @jonh001
                   That's not all; you can add a rule that allows everything on the new interface.
                   Did you get the user settings through the wizard?
                   Get them again through Packages - openvpn-client-export; only there is it possible to specify the connection interface you will need.


    Stef93 @jonh001

                    @jonh001

                     I'm confused by your client settings, since such settings are only for the mobile application. Are you going to use it on the phone?


    jonh001 @Stef93

                      @Stef93
                       Yes, everything was through the wizard. And the client portion was via the client export utility.


    jonh001 @Stef93

                        @Stef93
                         It gets stranger. When I use the client export utility to get the iOS config and then import it into the OpenVPN app on my iPad, it DOES connect, although I still cannot see anything on the permitted subnet. The iPad was just a test; I don't plan on using this via a mobile device.
