Netgate Discussion Forum
Tag: openvpn
    • J

      1:1 NAT over OpenVPN

      NAT openvpn nat ipsec
      1
      0 Votes
      1 Posts
      559 Views
      No one has replied
    • J

      OpenVPN - only 1 user can connect per public IP?

      OpenVPN openvpn one ip address
      18
      0 Votes
      18 Posts
      2k Views
      J

      Thoughts anyone?

    • J

      VPN error? What could it be (WSAECONNRESET) (code=10054)?

      Portuguese openvpn
      1
      0 Votes
      1 Posts
      182 Views
      No one has replied
    • D

      Recommendations for upgrade from apu2?

      Hardware hardware openvpn gigabit
      5
      0 Votes
      5 Posts
      2k Views
      P

      2nd vote for an SG-5100.

    • J

      Computers can't see each other | Client machines do not respond through the VPN

      OpenVPN openvpn pfsense vpn
      2
      0 Votes
      2 Posts
      838 Views
      RicoR

      Show your OpenVPN Config and Firewall Rules (Screenshots).

      -Rico

    • E

      PIA VPN drops randomly, does not auto rebuild until OpenVPN service restarted

      OpenVPN openvpn pia
      2
      0 Votes
      2 Posts
      486 Views
      B

      This is one of many reasons I dropped pia and nord.

      Either way I suggest reading up on the remote host command
      https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

    • mlohrM

      Possible bug: Newline stripped on saving

      OpenVPN openvpn
      5
      0 Votes
      5 Posts
      689 Views
      jimpJ

      @mlohr said in Possible bug: Newline stripped on saving:

      Yeah, this way it works. But why are some newlines stripped and some not?

      It doesn't matter, because newlines are not supported in that box. Use semicolons to separate entries and you'll never have to worry about it again.

      As to the why, it's probably a difference in browsers and UNIX/Windows newline styles, or who knows what. They're unreliable, hence the semicolon requirement.

    • A

      Connection via cellular only, not otherwise

      OpenVPN openvpn cellular data
      8
      0 Votes
      8 Posts
      947 Views
      A

      For the record: I neglected to include this:

      OpenVPN 2.4.7 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on May 22 2019

      2019-05-26 20:02:35.129809 library versions: OpenSSL 1.0.2r 26 Feb 2019, LZO 2.10

      Tunnelblick: macOS 10.14.5; Tunnelblick 3.7.9 (build 5320)

    • M

      Open VPN - Single Web Site

      Routing and Multi WAN openvpn routing
      3
      0 Votes
      3 Posts
      296 Views
      johnpozJ

      Yeah Rico hit it on the head.. Where you can run into problems is when the site could be really any IP owned by the CDN it's being hosted on.. So the specific IP you use could change all the time..

      And some of these have TTLs as short as 60 seconds for example... So when the filterdns process runs (every 5 minutes by default) that populates your alias for www.somedomain.com you get IP 1.2.3.4... But then 3 minutes later your client wants to go there and you get 4.5.6.7 which is not in your alias.

      Even if you put in the whole swath of IPs that are owned by CDN.. you now get sites that you might not want going through the vpn since they are hosted on the same CDN, etc.

      So while yes you can do it.. Be aware that there could be complications based upon if that fqdn is hosted on CDN..

    • H

      How to route VPN traffic across multiple LAN subnets

      Routing and Multi WAN routiing openvpn subnet multiple-lan pfsense setup
      7
      0 Votes
      7 Posts
      4k Views
      H

      @johnpoz
      I use IPSec to create a site-to-site tunnel should the wireless bridge go down. (Hilariously, this is no longer working, but that is a different problem for a different day).

      I wanted to use the pfSense for the VPN clients but had too many problems setting it up with the win 10 clients. I only have two VPN clients so it is not really a problem at the moment.

      But I will probably sit and redesign the whole network. Or I should just get some hardware routers. The win 10 hosts are giving me hell as well.

    • M

      Configure remote OpenVPN user client access to remote network that is available over IPsec site to site vpn

      OpenVPN pfsense openvpn ipsec site-to-site vpn client
      2
      0 Votes
      2 Posts
      1k Views
      M

      Well, I have just got it working. The solution may be very specific to my scenario.

      First, I need to go through and test all the individual changes I made to ensure each one was needed, remove the cruft that was not needed and I will post the final solution here thereafter.

      What I had to do in this scenario was go to Pfsense A, go to the advanced settings of IPsec. From there:

      Auto-exclude LAN address: Enable bypass for LAN interface IP. Exclude traffic from LAN subnet to LAN IP address from IPsec.

      This box was checked by default.

      I cleared it and traffic is now working both ways.

      I suspect what mattered here was the fact that Pfsense A didn't have a LAN subnet, and OpenVPN client subnet may have been seen as a LAN by this rule. I am sure one of the Pfsense developers could provide an explanation.

      Now I just need to check all the routes, rules, Phase 2 parts to ensure they are needed.

    • C

      OpenVPN auto-rotate

      pfSense Packages openvpn autorotate autoconnect rotate servers
      2
      0 Votes
      2 Posts
      931 Views
      RicoR

      If you have all tunnels up together you could policy route using Firewall Rules with timers (Schedule) to loop the traffic.

      -Rico

    • J

      OpenVPN - Although connected, unable to display web interfaces

      Français openvpn http https website interface web
      1
      0 Votes
      1 Posts
      386 Views
      No one has replied
    • K

      OpenVPN Client Mode Access to Local Web Server

      Deutsch openvpn lan
      18
      0 Votes
      18 Posts
      2k Views
      K

      @viragomann said in OpenVPN Client Mode Access to Local Web Server:

      No, the clients must reach the web server without a gateway.
      Then you have to define a separate rule for this connection that does not force a gateway.
      So source: LAN net, destination: web server
      and position this rule above the others so that it is actually applied.

      Regards

      Exactly this rule was missing in my configuration. 😃
      Thanks again to everyone involved for solving my problem. 👍

    • N

      PIA OpenVPN setup "Don't Pull Routes"

      OpenVPN pia openvpn gateways
      5
      0 Votes
      5 Posts
      3k Views
      N

      Thank you for your reply. When I check the widget, it only shows me the default gateway
      WAN_DHCP and does not show the openvpn gateway as a choice.

    • M

      Strange behavior. IP ending with .2 works, ending with .3 not.

      OpenVPN openvpn
      8
      0 Votes
      8 Posts
      886 Views
      M

      No there were not.

      I have deleted everything related to the RoadWarrior Server now and recreated it with another cipher, but same settings/TunnelNetwork/Buffer/Rules. It seems to work now. Could it be that pfSense sometimes doesn't activate rules unless you recreate them? It felt like that, though I don't really know why it didn't work and now works.

    • T

      pfSense as OpenVPN client with both SNAT and DNAT

      NAT openvpn dnat snat policy-routing
      4
      0 Votes
      4 Posts
      1k Views
      V

      I was talking about the rules on pfSense, of course.
      As mentioned, such traffic must not be handled by floating rules. I don't know if you've set up some.

      You may also do a workaround with an SNAT rule for that traffic on the Debian system to get the routing to work. But maybe that's not the best solution.

    • A

      Limit traffic from Openvpn interface

      Firewalling openvpn pia
      3
      0 Votes
      3 Posts
      734 Views
      A

      @rico
      Thanks, will take a look

    • C

      OpenVPN VLAN routing

      L2/Switching/VLANs unifi vlan pfsense openvpn
      3
      0 Votes
      3 Posts
      842 Views
      M

      Everything depends on your setup. Would need more details. Post a network map. Are your VLANs terminated on PFsense or your switch?

      Post your server1.conf

      What are the IPs in the VLAN you're trying to access?

      What do the rules look like on your LAN and OpenVPN tab?

    • H

      AWS Pfsense OpenVPN no access to private subnet

      OpenVPN aws pfsense 2.4.4 openvpn subnet windows 10
      18
      0 Votes
      18 Posts
      4k Views
      K

      @leonardo-fernandes You are my hero. Thank you very much. My OpenVPN with AWS works perfectly now