Netgate Discussion Forum

PFSense doesn't route more than one OpenVPN user

OpenVPN
openvpn pfsense routing firewall rules
Stefan-Cplanet
last edited by Apr 14, 2020, 1:57 PM

Hello, I have pfSense deployed on Hetzner Cloud by following this tutorial, and OpenVPN installed following this one.

Idea is that I have:
LAN: 10.0.0.16
WAN: x.x.x.x/32
OpenVPN: 192.168.90.0/24
Where the servers are in the LAN network and the VPN clients in the OpenVPN one: you connect to the VPN, and you can use the servers.

My issue is that I get it to work, but only for 1 user. The user that gets 192.168.90.2 can access the LAN and WAN, but the next guy (192.168.90.3) cannot leave his network. That means that 192.168.90.3 can ping 192.168.90.2, for example, but nothing in 10.0.0.0 or on the internet.
I tried enabling all the communication, but still the same issue.
It's set to allow 100 connections at the same time and to allow with the same hostname.

What am I doing wrong?
Any help is appreciated.
Thank you

Screenshots to show configuration:
[screenshots]
Rico
Apr 14, 2020, 2:38 PM (last edited by Rico Apr 14, 2020, 2:40 PM)

Did you work through the OpenVPN Troubleshooting Guide? https://docs.netgate.com/pfsense/en/latest/book/openvpn/troubleshooting-openvpn.html
Which OpenVPN mode are you running? Show screenshots...
Those static routes look nasty. ☺

-Rico
Stefan-Cplanet @Rico
last edited by Apr 14, 2020, 2:55 PM

@Rico Hi, thank you for your response.

I checked all the documentation I can find; I can't find an issue like this one. It seems that it creates the route for the 1st VPN user and the gateway, but not for the ones after it:
[screenshot]
It's running in Remote Access (SSL/TLS + User Auth), protocol UDP on IPv4, and Layer 3 tunnel mode.

I am aware of the routes :), however on Hetzner Cloud (where I host the servers), when you create a network (LAN) it comes with its own gateway (which you cannot control); you can only add static routes:
[screenshot]
So basically how it works is that a server on 10.0.0.3 (example), to access the internet, has 10.0.0.1 as a gateway (Hetzner prebuilt); from there it gets forwarded onto pfSense, which routes it outside. Those routes are there to return traffic inside.
(Not the nicest solution, but the only one that works, sadly.)

You think you can help? Thanks
Rico
last edited by Apr 14, 2020, 4:33 PM

A common mistake we see very often is to run Remote Access (SSL/TLS + User Auth) and share the cert with all users. This will result in the exact same problem as you see there.
Do you have each user with a unique cert?

-Rico
Stefan-Cplanet
last edited by Apr 15, 2020, 7:58 AM

@Rico Unfortunately that is not the issue. I have different users created, like bob, sandra..., and when I go into the user settings they all have their certificates, like bob_user_cert, sandra_user_cert. The only thing that is the same is the CA (as in the router). Here are the screenshots:
[screenshots]

Also worth noting: I used the export tool to export the certs, and they work individually, but only the one that gets the IP 192.168.90.2 gets routed; the others can't leave the OpenVPN network and access the LAN or WAN.

Thank you for all the help.
Stefan-Cplanet
last edited by Apr 15, 2020, 2:41 PM

@Rico Or alternatively, if this won't work: if I add another server listening on a different port (1195, for example) for another user to connect to, how would the performance be?
I really need it to start working with this Covid-19 situation, but I'm hitting the wall.

Thanks for all the help
Rico
Apr 15, 2020, 2:48 PM (last edited by Rico Apr 15, 2020, 2:49 PM)

Creating only a handful would not be any performance problem. I have pfSense boxes running with ~50 OpenVPN server instances (one per S2S, not one per RAS user ;-)).
But I'd not go that way; it seems you have a general config problem there and will probably hit the next issue mid/long run.
Did you work through the OpenVPN Troubleshooting Guide?
Please share the whole OpenVPN config (screenshots).

-Rico
Stefan-Cplanet @Rico
last edited by Apr 15, 2020, 3:05 PM

@Rico Thank you for the response.
Here are the full configuration screenshots:
[screenshots]

Also, besides that, I compared the .ovpn files of 2 different users I exported with the export utility, and 2 out of 4 sections are the same. Is that okay, or is there some error in exporting?
[screenshots]

Thanks again for all the help
Rico
last edited by Apr 16, 2020, 7:12 AM

Server settings look okay to me, but wipe the Custom options box; you are pushing the route twice because IPv4 Local network(s) is already pushing the route.
No idea if that could cause any client problems, but it's botchy anyway.
Can you ensure the problem is not client related?
Say your user Bob is working using device A, Sandra using device B is not working. Now what happens if you take Bob's .ovpn and try with device B, working or not?

-Rico
Stefan-Cplanet
last edited by Apr 16, 2020, 7:26 AM

@Rico said in PFSense doesn't route more than one OpenVPN user:

your user Bob is working using device A, Sandra using device B not working. Now, what happens if you take Bob's .ovpn and try with device B, working or not?
-Rico

Thanks for your response. Unfortunately, that didn't help either. I tried multiple OSes and nothing helps: whichever user (or device) gets the IP address 1st (192.168.90.2) gets routed to the WAN and LAN interfaces. The next one (192.168.90.3) cannot reach anything. The strange thing about it is that 192.168.90.2 will be able to ping 192.168.90.3, meaning that the 2nd client is indeed properly connected; it just cannot reach anything, as for some reason only the 1st client gets routed.

Do you think changing the topology would help?
Thanks
Rico
last edited by Apr 16, 2020, 7:31 AM

Post a client log from device A (working) and device B (not working).

-Rico
Stefan-Cplanet @Rico
last edited by Apr 16, 2020, 8:04 AM

@Rico I am not really sure how to get actual client logs; I got logs from OpenVPN and the firewall. In this case, user lor... is user no. 1 with IP .2 and user ste... has IP .3.
I connected both and attempted traffic so that you can see.
[screenshots]

and OpenVPN:
[screenshot]

Do you see anything wrong? Thanks
Stefan-Cplanet
Apr 16, 2020, 8:12 AM (last edited by Stefan-Cplanet Apr 16, 2020, 9:58 AM)

@Rico I got the client logs as well:
not working: cryptobin.co/i741w6y4
working: cryptobin.co/9032o7y4

Do you see anything wrong? Thanks
Gertjan @Stefan-Cplanet
last edited by Apr 16, 2020, 8:24 AM

@Stefan-Cplanet said in PFSense doesn't route more than one OpenVPN user:

not working: cryptobin.co/i741w6y4

It's the client that initiates the disconnect.
But why?

No "help me" PMs please. Use the forum, the community will thank you.
Edit: and where are the logs??
Stefan-Cplanet @Gertjan
last edited by Apr 16, 2020, 8:36 AM

@Gertjan
I did the disconnect: I connected them both, and then once the connection couldn't be established I disconnected.

You see any other issue? Thanks
Gertjan @Stefan-Cplanet
last edited by Apr 16, 2020, 8:44 AM

@Stefan-Cplanet said in PFSense doesn't route more than one OpenVPN user:

I did the disconnect: I connected them both, and then once the connection couldn't be established I disconnected.

The one that doesn't work is Mac / iPad / iPad based?
Rather old build, October 2019.... Is it OpenVPN 2.4.x compatible?

What about using another OpenVPN client?

I'm using an OpenVPN app on my iPhone, using the Mar 5, 2020 build. Works fine.
Stefan-Cplanet @Gertjan
last edited by Apr 16, 2020, 8:46 AM

@Gertjan The app is the newest version on Mac, but that is not the issue; the second device doesn't work on any device (tested macOS Catalina, iPadOS 13.4, Windows 10, Kubuntu, Deepin OS). It does, however, work as the 1st device on any of them.
Stefan-Cplanet
last edited by Apr 16, 2020, 10:03 AM

@Gertjan @Rico SOLVED
What worked is very strange, but changing 2 things:

1. Hardware Crypto: I changed from no hardware crypto acceleration to the Intel one
2. I checked the Type-of-Service checkbox,

aaand it WORKS.

However, there are some performance issues with RDP servers: speed can be counted in seconds per frame instead of frames per second, even with CPU usage staying at 5% and memory usage at 3%. Is there anything I can do to dedicate more performance to OpenVPN?
Stefan-Cplanet @Stefan-Cplanet
last edited by Apr 16, 2020, 11:57 AM

@Stefan-Cplanet said in PFSense doesn't route more than one OpenVPN user:

@Gertjan @Rico SOLVED
What worked is very strange, but changing 2 things:

1. Hardware Crypto: I changed from no hardware crypto acceleration to the Intel one
2. I checked the Type-of-Service checkbox,

aaand it WORKS.

However, there are some performance issues with RDP servers: speed can be counted in seconds per frame instead of frames per second, even with CPU usage staying at 5% and memory usage at 3%. Is there anything I can do to dedicate more performance to OpenVPN?

@Rico @Gertjan Nope, rebooting the pfSense reverted to the same issue. At this point I think it's a software issue rather than a configuration one.
Rico
last edited by Apr 16, 2020, 2:01 PM

Can you try to hand out fixed IPs out of your OpenVPN tunnel net and check if this makes any difference?
VPN > OpenVPN > Client Specific Overrides
Common Name: add the user cert name
IPv4 Tunnel Network: 192.168.90.11/24 for your first user, 192.168.90.12/24 for your second user, and so on.
Leave all the other boxes blank, reconnect both clients, check if the correct fixed IP gets assigned, and check the connectivity.

-Rico
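Two checks in this thread can be automated against the OpenVPN server's status file rather than eyeballed: Rico's earlier question about whether several users share one certificate (sessions with the same common name), and the fixed-IP test just described (does each connected user actually appear in the routing table with the address its Client Specific Override assigns, inside the 192.168.90.0/24 tunnel net). The script below is an added example, not code from this thread, pfSense or the OpenVPN project. It parses OpenVPN's default (version 1) status-file format; the status text, user names and the expected-address table are constructed for illustration and model the symptom reported here (a second client connected but missing from the routing table).

```python
"""Check OpenVPN client address assignments from a server status file.

Added example (not from the thread or from pfSense/OpenVPN). Reads the
version-1 status format that OpenVPN writes by default and reports the
conditions discussed in the thread: duplicate common names, connected
clients with no routing-table entry, and addresses that do not match the
per-user Client Specific Override or fall outside the tunnel network.
"""
import ipaddress
from collections import Counter

# Constructed sample status text (not real captured data). It models the
# thread's symptom: 'sandra' is connected but never gets a virtual address,
# 'bob' has two sessions sharing one common name, and 'carol' received a
# different address than her override assigns.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Apr 16 08:00:00 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
bob,203.0.113.5:49152,10240,20480,Thu Apr 16 07:58:00 2020
sandra,198.51.100.7:51000,512,0,Thu Apr 16 07:59:30 2020
carol,198.51.100.9:51010,2048,4096,Thu Apr 16 07:59:40 2020
bob,203.0.113.9:40001,100,100,Thu Apr 16 08:00:00 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.90.11,bob,203.0.113.5:49152,Thu Apr 16 07:59:50 2020
192.168.90.2,carol,198.51.100.9:51010,Thu Apr 16 07:59:55 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

TUNNEL_NET = ipaddress.ip_network("192.168.90.0/24")
# Fixed addresses handed out per common name via Client Specific Overrides,
# following the .11/.12/... scheme suggested in the thread (constructed values).
EXPECTED = {"bob": "192.168.90.11", "sandra": "192.168.90.12", "carol": "192.168.90.13"}


def parse_status(text):
    """Split a version-1 status file into its two tables.

    Returns (clients, routes): clients is a list of dicts from CLIENT LIST,
    routes maps common name -> list of virtual addresses from ROUTING TABLE.
    """
    section = None
    clients, routes = [], {}
    for line in text.splitlines():
        if line.startswith("OpenVPN CLIENT LIST"):
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line in ("GLOBAL STATS", "END"):
            section = None
            continue
        fields = line.split(",")
        # Header rows are skipped by their first field; 'Updated,...' has only 2 fields.
        if section == "clients" and len(fields) == 5 and fields[0] != "Common Name":
            clients.append({"cn": fields[0], "real": fields[1], "since": fields[4]})
        elif section == "routes" and len(fields) == 4 and fields[0] != "Virtual Address":
            routes.setdefault(fields[1], []).append(fields[0])
    return clients, routes


def check_assignments(text, tunnel_net=TUNNEL_NET, expected=EXPECTED):
    """Return a list of human-readable findings for the status text."""
    clients, routes = parse_status(text)
    findings = []
    cn_count = Counter(c["cn"] for c in clients)
    # Several live sessions under one common name: users share a cert.
    for cn, n in cn_count.items():
        if n > 1:
            findings.append(f"duplicate common name {cn!r} ({n} sessions): "
                            "each user needs its own certificate")
    # Every connected client should own exactly the address its override assigns.
    for cn in cn_count:
        addrs = routes.get(cn, [])
        if not addrs:
            findings.append(f"{cn!r} connected but has no virtual address in the routing table")
            continue
        for addr in addrs:
            if ipaddress.ip_address(addr) not in tunnel_net:
                findings.append(f"{cn!r} got {addr}, outside tunnel network {tunnel_net}")
            want = expected.get(cn)
            if want and addr != want:
                findings.append(f"{cn!r} got {addr}, override expects {want}")
    return findings


if __name__ == "__main__":
    for finding in check_assignments(SAMPLE_STATUS):
        print("-", finding)
```

On a pfSense box the status file for a server instance lives under the path shown in the OpenVPN widget; feed its contents to `check_assignments` in place of `SAMPLE_STATUS` and set `EXPECTED` to the overrides you configured. Two connected users with no finding between them narrows the fault to routing and firewall rules rather than address assignment.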
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.