PFSense doesn't route more than one OpenVPN user

Rico

Creating only a few handful would not be any performance problem. I have pfSense boxes running with ~50 OpenVPN Server instances (one per S2S, not one per RAS User ;-))
But I'd not go that way, seems you have a general config problem there and probably hitting the next issue mid/long run.
Did you work through the OpenVPN Troubleshooting Guide?
Please share the whole OpenVPN config (screenshots).

-Rico

Stefan-Cplanet

@Rico Thank you for response,
Here are the full configuration screenshots:

Also besides that, I compared ovpn files of 2 different users I exported with export utility, and 2 out of 4 sections are the same. Is that okay or is there some error in exporting?

Thanks again for all the help

Rico

Server settings look Okay to me, but wipe the Custom options box, you are pushing the route twice because IPv4 Local network(s) is already pushing the route.
No idea if that could cause any client problems but it's botchy anyway.
Can you ensure the problem is not Client related?
Say your user Bob is working using device A, Sandra using device B not working. Now what happens if you take Bobs .ovpn and try with device B, working or not?

-Rico

Stefan-Cplanet

@Rico said in PFSense doesn't route more than one OpenVPN user:

ur user Bob is working using device A, Sandra using device B not working. Now, what happens if you take Bobs .ovpn and try with device B, working or not?
-Rico

Thanks for your response. Unfortunately, that didn't help either I tried multiple OS'es and nothing helps, whichever user (or device) gets the IP address 1st ( 192.168.90.2) gets routed to wan and lan interfaces. The next one (192.168.90.3) cannot reach anything. The strange thing about it is that 192.168.90.2 will be able to ping 192.168.90.3 meaning that the 2nd client is indeed properly connected, just cannot reach anything as for some reason only 1st client gets routed.

Do you think changing topology would help?
Thanks

Rico

Post a Client Log device A (working) and device B (not working).

-Rico

Stefan-Cplanet

@Rico I am not really sure how to get actual client logs, I got logs from OpenVPN and firewall. In this case, user lor... is user no1 with ip of .2 and user ste.. with IP of .3
I connected both and attempted traffic so that you can see.

and open vpn:

Do you see anything wrong? Thanks

Stefan-Cplanet

@Rico I got the client logs aswell:
not working: cryptobin.co/i741w6y4
working: cryptobin.co/9032o7y4

Do you see anything wrong? Thanks

Gertjan

@Stefan-Cplanet said in PFSense doesn't route more than one OpenVPN user:

not working: cryptobin.co/i741w6y4

It's the client that initiates the disconnect.
But why ?

Stefan-Cplanet

@Gertjan
I did the disconnect, I connected them both and then ones the connection couldn't be established I disconnected.

You see any other issue? Thanks

Gertjan

@Stefan-Cplanet said in PFSense doesn't route more than one OpenVPN user:

I did the disconnect, I connected them both and then ones the connection couldn't be established I disconnected.

The one that doesn't work is MAC / iPad / iPad based ?
Rather old build, october 2019 .... Is it OpenVPN 2.4.x compatible ?

What about using another OpenVPN client ?

I'm using a OpenVPN app on my iPhone, using the mar 5, 2020. Works fine.

Stefan-Cplanet

@Gertjan The APP's is newest version on MAC, but that is not the issue, the second device doesn't work on any device. ( Tested MacOS Catalina, IpadOS13.4, Windows10, Kubuntu, DeepinOS ). IT does, however, work as a 1st device on any of them

Stefan-Cplanet

@Gertjan @Rico SOLVED
What worked is very strange, but changing 2 things

1. Hardware Crypto I changed from no Hardware Crypto acceleration to Intel one
2. I checked Type-of-Service checkbox,

aaand it WORKS.

however, there are some performance issues with RDP servers, speed can be counted in seconds for the frame instead of frames per second even with CPU usage staying on 5% and Memory usage on 3%. Is there anything I can do to dedicate more performance to OpenVPN?

Stefan-Cplanet

@Stefan-Cplanet said in PFSense doesn't route more than one OpenVPN user:

@Gertjan @Rico SOLVED
What worked is very strange, but changing 2 things

1. Hardware Crypto I changed from no Hardware Crypto acceleration to Intel one
2. I checked Type-of-Service checkbox,

aaand it WORKS.

however, there are some performance issues with RDP servers, speed can be counted in seconds for the frame instead of frames per second even with CPU usage staying on 5% and Memory usage on 3%. Is there anything I can do to dedicate more performance to OpenVPN?

@Rico @Gertjan Nope, rebooting the PFSense reverted to the same issue. At this point I think its software issue rather than configuration one.

Rico

Can you try to hand out fixed IPs out of your OpenVPN tunnel net and check if this would make any difference?
VPN > OpenVPN > Client Specific Overrides
Common Name: Add the User Cert Name
IPv4 Tunnel Network: 192.168.90.11/24 for your first User, 192.168.90.12/24 for your second User and so on.
Leave all the other boxes blank, reconnect both Clients, check if the correct fixed IP gets assigned and check the connectivity.

-Rico

Stefan-Cplanet

@Rico sadly doesn't seem to solve the issue.

I deployed the OpenVPN on ubuntu behind the firewall and forwarded the port, now I got it working.
I am not sure why it's not working, to be honest, but the fact that it worked for a while and that its very slow without using any resources makes me believe something is unstable there, possibly with how my hosting solution manages VM's.

Anyway thank you for all the help.