@jeffreyn said in No Clients Can Connect To OpenVPN Due to CRL Expiry:

@jimp I applied the patch when it was released. I'm reading the release notes for 23.01 and see Issue #13424 has been addressed in the new version. Do I need to do anything like remove the patch before or after I upgrade? Or does everything take care of itself?

You do not need to do anything with the patch after upgrading. You can delete the entry from the system patches package.

@joshopkins
Seems all the settings you did are correct, apart from the push-route commands in the default options. These do the same as the "local networks" setting does, which is the preferred way. You shouldn't have both settings.

Ensure that the access is allowed by rules on all incoming interfaces. Means on the OpenVPN interface at B and on the IPSec of A and C.

To see what's going on, sniff the traffic on the involved interfaces, while you try to access a remote IP from an OpenVPN client.

I agree, pfSense could be much easier. But it is not a consumer product, it is for the enterprise and those are the ones who are willing to pay the money its cost.

Thank you @bingo600 for your help, advice and clear information. I will implement it like you advice and give you a feedback :-)

Thank you

@bobby121418

As long as the ends have different addresses, within the same subnet, it should work. PfSense does that for you automagically. It assigns the first usable address to itself and subsequent addresses to the client(s). All you have to do is pick the subnet.

So the P2 will effectively end up being (in my example) 10.200.10.0/24 to 10.100.10.0/24.
Each side 'hides' it;s local 10.10.10.0/24 subnet behind another, same sized, subnet. You could use any unused subnet for that I just chose 10.100.10.0 and 10.200.10.0.

So on each side that would be the Binat address.

https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html

However if you do not need access between the two subnets dircetly but only from the pfSense_1 OpenVPN subnet this becomes easier. You only need to BiNAT on the pfSense_2 side like:

Screenshot from 2022-05-12 14-02-05.png

On the pfSense_1 side the P2 would be just be 172.10.10.0/24 to 10.100.10.0/24

To access the remote side VPN clients would need to use the equivalent NAT address.

Steve

@mrDick гляньте тут - https://forum.netgate.com/topic/131401/%D0%BC%D0%B0%D1%80%D1%88%D1%80%D1%83%D1%82%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D1%8F-openvpn/75 настроено не по феншую, а переделать не получается. Но сколько лет работает на 3 офиса.

UPD по новым требованиям отключите сжатие и поставьте алгоритм на 512

UPD2 тьфу, забыл. Может уже и не актуально, но в Keenetic в ПЕРВУЮ ОЧЕРЕДЬ отрубите свой OpenVPN от других интерфейсов через CLI (там мануал есть в их хелпе), иначе эта пакость будет туннель пихать и в WI-Fi, даже если там гостевая сеть настроена!!!

Still following the thread I mentioned above, I saw that the eval previously was right before RESULT=.
I have tried to comment the if statement block and move eval, so this way

# eval serial="\$tls_serial_${check_depth}" # if [ -n "$serial" ]; then eval serial="\$tls_serial_${check_depth}" RESULT=$(/usr/local/bin/php-cgi -q /etc/inc/openvpn.tls-verify.php "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&co nfig=$config") if [ "${RESULT}" = "FAILED" ]; then exit 1 fi # fi

and I don't get anymore the error on the certificate!
I don't know if I need to open an issue about this.

However, now I get the error about the user authentication

SENT CONTROL [spike]: 'AUTH_FAILED' (status=1)

like I was getting when I set "Certificate Depth = Do Not Check".
I looks like I'm not the only one having this issue.

@johnsheridan Thanks for the info and testing. That makes sense. I’ll have a look at those files and patch.

This will be probably fixed in one of the next releases then.

@stephenw10 I didn't realize that I was able to create an interface for VPN. I did that (and it booted the remote users, lol), and was able to configure the FTP Proxy Client plugin to work with it. Thank you for your help!

@benjaminpc said in PfSense AWS OpenVPN kein Internet:

Wenn ich mich aber nun via OpenVPN verbinde kann ich zwar die PfSense pingen aber nicht die Server im LAN Netz
Ebenso haben die Server kein Internet

Beide Symptome könnten hier dieselbe Ursache haben, aber auch verschiedene.
Ich würde die Internet Verbindung der VMs als erstes in Angriff nehmen. Scheint mir leichter zu klären zu sein.

Nachdem die pfSense aus dem Internet erreichbar ist und ihrerseits die Server erreichen kann, besteht mal "physisch" eine durchgehende Verbindung.
Ich nehme an, vom LAN ist nach wie vor alles erlaubt, also die standardmäßige any-to-any Regel aktiv.

Dann versuche mal von einer VM einen Ping auf 8.8.8.8. Wenn das funktionieren sollte, liegt es vermutlich daran, dass die VMs keine Hostnamen auflösen können.

Falls der Ping auch scheitert, könnte das Outbound NAT nicht funktionieren. Dann würde ich die Frage stellen, wie dein WAN konfiguriert ist. Wenn manuell, hast du in den Interface Einstellungen auch das Gateway angegeben?

@mdomnis I have since upgraded to 22.01 with FRR version 1.1.1_6. In my preliminary testing, the routes seems to be working closer to what is expected. I still have a weird issue where sometimes the neighbors don't like to peer fully and I have to force restart FRR, but from some quick tests, it looks like at least the route is being added to the table correctly. For now at least.

@mpcjames glad I could help.