Netgate Discussion Forum

    issues with openvpn client connectivity

      stephenw10 Netgate Administrator

      Ok so you are connecting an OpenVPN client in pfSense to some external server?

      And your ISP device is presumably acting as a router if it can firewall the traffic rather than passing a public IP to the pfSense WAN?

      What version of pfSense does it show as running currently?

        gdp7 @stephenw10

        @stephenw10 correct and correct.

        23.09-RELEASE (arm64)

          stephenw10 Netgate Administrator

          Ok well it sounds like your ISP router is filtering outbound traffic when it's in 'high' mode. You might be able to add an exception for the OpenVPN traffic.

          It sounds like it's not upgrading to 23.09.1. You can check the upgrade log in /conf.

          If it's just one package not upgrading you might just update that. Try running at the command line:

          pkg-static upgrade

          See what packages it offers as upgradable.

          Steve

            gdp7 @stephenw10

            @stephenw10 any idea on how to add the exception for the openvpn traffic?

            thank you, it shows i have 8 upgrades available.

            Proceed with this action? [y/N]: but i don't have access via console. is there any way for me to command yes through web interface?

              stephenw10 Netgate Administrator

              What specific upgrades does it show available?

              You should connect via SSH to get a real command line if you can.

              Adding an exception to the ISP router would be specific to whatever OS that is running. That said if you can switch it to just being a modem and passing the public IP to pfSense that would avoid that issue.
              Are you using the ISP router for anything other than connecting the pfSense WAN?

                gdp7 @stephenw10

                @stephenw10 curl, pfsense upgrade, unbound, openvpn, and dhcp

                i have PL downloaded but can't seem to bring up the menu through command on terminal

                i am not exactly sure what OS my router is using? but no only for pfsense wan.

                  stephenw10 Netgate Administrator

                  Ok, yes it should be safe to accept those upgrades. Though that's only 5 not 8?

                  Did you enable SSH in pfSense?

                  If you're unable to connect you can upgrade those packages at the gui command prompt using: pkg-static upgrade -y

                  If you are not using the ISP router to do anything but pass traffic to pfSense then you don't need it to filter anything. You could just set the security to low. It doesn't matter since pfSense is filtering everything anyway.

                    gdp7 @stephenw10

                    @stephenw10 the other 3 are additional dhcp, openvpn client export and pfsense pkg ovpn.

                    just did right now, thank you. so it should be safe to update?

                    i am using a vpn server configured with openvpn not sure if i should have specified that but when it's set on low it seems the vpn is not effective?

                      stephenw10 Netgate Administrator

                      What VPN server are you using? Some commercial provider?

                      The ISP router does nothing in that setup except potentially block the client from connecting out to the server.

                        gdp7 @stephenw10

                        @stephenw10 yes, commercial provider.

                        i get regular speeds with the setting on low and low vpn speeds with the settings on high?

                          stephenw10 Netgate Administrator

                          Oh so it still connects just passes traffic slowly?

                          Either way you don't need any security on the ISP router when all your client machines are behind pfSense.

                            gdp7 @stephenw10

                            @stephenw10 correct

                            interesting. maybe i misconfigured some setting

                              gdp7 @stephenw10

                              @stephenw10 would a firewall floating rule to block tagged traffic from using wan be all i need?

                                stephenw10 Netgate Administrator

                                To do what exactly? What are you trying to achieve?

                                  gdp7 @stephenw10

                                  @stephenw10 all traffic go through vpn servers. security being top priority

                                    stephenw10 Netgate Administrator

                                    OK well that's all in pfSense, it has nothing to do with whatever the ISP router is doing.

                                    Yes, you could use a floating outbound rule to prevent unencrypted traffic leaving the firewall via the WAN. Commonly that is done by removing the NAT rule on WAN so only traffic via the VPN is NAT'd.

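The two approaches named in the reply above (a floating rule that blocks tagged traffic out of WAN, and removing the WAN outbound NAT rule) can both be verified from the pfSense shell by reading `pfctl -sn` and `pfctl -sr`. The script below is an added example, not part of the original thread and not Netgate code; the interface names `mvneta0`, `mvneta1` and `ovpnc1`, the tag `NO_WAN_EGRESS`, and all sample rule text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit pf output for clear-text egress paths on WAN.
# Assumed names: WAN = mvneta0, OpenVPN client = ovpnc1, and the tag
# NO_WAN_EGRESS (hypothetical). All sample text below is constructed.

# Print NAT rules that translate non-loopback sources out of WAN ($1).
# Input: `pfctl -sn` text on stdin. Every line printed is a leak path.
wan_nat_leaks() {
    awk -v wan="$1" '
        $1 == "nat" && $2 == "on" && $3 == wan {
            for (i = 4; i < NF; i++)
                if ($i == "from" && $(i + 1) !~ /^127\./) { print; break }
        }'
}

# Succeed if a "block out" rule on WAN ($1) matches packets tagged $2.
# Input: `pfctl -sr` text on stdin.
has_tagged_wan_block() {
    awk -v wan="$1" -v tag="$2" '
        $1 == "block" && / out / && index($0, " on " wan " ") &&
            index($0 " ", " tagged " tag " ") { found = 1 }
        END { exit !found }'
}

sample_nat() {  # constructed stand-in for `pfctl -sn`
    cat <<'EOF'
no nat proto carp all
nat-anchor "natrules/*" all
nat on mvneta0 inet from 127.0.0.0/8 to any -> 198.51.100.10 port 1024:65535
nat on mvneta0 inet from 192.168.1.0/24 to any -> 198.51.100.10 port 1024:65535
nat on ovpnc1 inet from 192.168.1.0/24 to any -> 10.8.0.2 port 1024:65535
EOF
}

sample_rules() {  # constructed stand-in for `pfctl -sr`
    cat <<'EOF'
block drop in log inet all label "Default deny rule IPv4"
block drop out quick on mvneta0 inet all tagged NO_WAN_EGRESS label "kill switch"
pass in quick on mvneta1 inet from 192.168.1.0/24 to any keep state tag NO_WAN_EGRESS
EOF
}

echo "NAT rules still translating LAN traffic on WAN:"
sample_nat | wan_nat_leaks mvneta0
if sample_rules | has_tagged_wan_block mvneta0 NO_WAN_EGRESS; then
    echo "tagged block-out rule present on WAN"
fi
```

On a live firewall, pipe the real output in place of the samples, for example `pfctl -sn | wan_nat_leaks <wan-if>`; an empty result means no LAN source is being NAT'd out of WAN.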
                                      gdp7 @stephenw10

                                      @stephenw10 thank you very much. i will look into all this
