<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Topics tagged with openvpn]]></title><description><![CDATA[A list of topics that have been tagged with openvpn]]></description><link>https://forum.netgate.com/tags/openvpn</link><generator>RSS for Node</generator><lastBuildDate>Sat, 14 Mar 2026 02:33:21 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/tags/openvpn.rss" rel="self" type="application/rss+xml"/><pubDate>Invalid Date</pubDate><ttl>60</ttl><item><title><![CDATA[Digital River is now making connections to OpenVPN users again with 143.198.176.141 now]]></title><description><![CDATA[@Gertjan It was a real issue, and it was these Snort rules that spotted it. I think that because it is a home network the bad guys assumed they could get away with it, and pfSense Plus stopped it cold and gave me the logs to report them. I have the rules below on the WAN side.
# === VPN SECURITY (OpenVPN UDP 1194) ===
# NOTE: Port corrected from 1192 to 1194 to match actual firewall

# $APPROVED_SRC and $MY_IP stand in for the poster's redacted address variables
# (define them with ipvar before loading these rules)

# VPN connection from non-approved source
alert udp !$APPROVED_SRC any -&gt; $MY_IP 1194 (msg:"CRITICAL: VPN Connection from Non-Approved Source"; classtype:policy-violation; priority:1; sid:1000010; rev:2;)

# VPN brute force from MetroPCS
alert udp $APPROVED_SRC any -&gt; $MY_IP 1194 (msg:"OpenVPN Brute Force from MetroPCS"; threshold:type both, track by_src, count 10, seconds 60; classtype:attempted-admin; sid:1000011; rev:2;)

# VPN connection flood (DoS)
alert udp !$APPROVED_SRC any -&gt; $MY_IP 1194 (msg:"OpenVPN Connection Flood"; threshold:type threshold, track by_src, count 50, seconds 10; classtype:attempted-dos; sid:1000012; rev:2;)

# OpenVPN malformed packet (shorter than the minimum OpenVPN header)
alert udp any any -&gt; $MY_IP 1194 (msg:"Malformed OpenVPN Packet"; dsize:&lt;14; classtype:protocol-command-decode; sid:1000013; rev:2;)

I reported it to IC3 and someone actually called me and said it was really good stuff that I had, and that it has been a big problem in our area for the last 8 or so months, I think he said. This firewall caught something and it contributed to local cyber security. After he called, I have not seen as many of them anymore either. I also reported it to Digital Ocean and they responded to my report and thanked me for it. I have never had someone call me about a report before. The data was the combination of how many attempts there were and what was occurring; they must have seen it before. Maybe if you guys see VPN attempts from them we should start to report at least the VPN ones; that is like breaking and entering, it's no longer scans at that point. I feel like we see so much noise that when we start to see something that is real it gets questioned. I was even thinking it was nothing, but they kept doing it.
]]></description><link>https://forum.netgate.com/topic/200171/digital-river-is-now-making-connections-to-openvpn-users-again-with-143.198.176.141-now</link><guid isPermaLink="true">https://forum.netgate.com/topic/200171/digital-river-is-now-making-connections-to-openvpn-users-again-with-143.198.176.141-now</guid><dc:creator><![CDATA[JonathanLee]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[OpenVPN Client Specific Overrides not updated until server restarted]]></title><description><![CDATA[@Lagan said in OpenVPN Client Specific Overrides not updated until server restarted:

I would like the new override to take effect when I restart the client.

Hummm.
It's possible that a save on the "Client Specific Overrides" page doesn't restart the OpenVPN server - it doesn't seem to do that.
Maybe it isn't needed, as the server has a setting:
client-config-dir /var/etc/openvpn/server1/csc/

that tells the server to look into that folder for client special settings, the "Client Specific Overrides".
Anyway, I did restart the server, then connected the client and it got the '.30' IP.
]]></description><link>https://forum.netgate.com/topic/197060/openvpn-client-specific-overrides-ot-updated-until-server-restarted</link><guid isPermaLink="true">https://forum.netgate.com/topic/197060/openvpn-client-specific-overrides-ot-updated-until-server-restarted</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[openvpn.conf is not readable]]></title><description><![CDATA[<p dir="auto">Hello</p>
<p dir="auto">I am not sure why it happens, but after some days or weeks OpenVPN stops working.</p>
<p dir="auto">The GUI shows me:<br />
<img src="/assets/uploads/files/1742580382063-202b7367-7452-4542-8100-6507fefa1e72-grafik.png" alt="202b7367-7452-4542-8100-6507fefa1e72-grafik.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">So I thought, why not start the openvpn service over ssh</p>
<pre><code>[24.11-RELEASE][]/home/theodor: service openvpn status
openvpn is not running.
[24.11-RELEASE][]/home/theodor: service openvpn start
Cannot 'start' openvpn. Set openvpn_enable to YES in /etc/rc.conf or use 'onestart' instead of 'start'.
[24.11-RELEASE][]/home/theodor: service openvpn onestart
/usr/local/etc/rc.d/openvpn: WARNING: /usr/local/etc/openvpn/openvpn.conf is not readable.
/usr/local/etc/rc.d/openvpn: WARNING: failed precmd routine for openvpn

</code></pre>
<p dir="auto">I tried to take a look at the folder <code>/usr/local/etc/openvpn</code> but there is nothing with openvpn in <code>/usr/local/etc</code><br />
<img src="/assets/uploads/files/1742580581806-bf37f6b8-531f-4e0d-8426-a576143ee767-grafik.png" alt="bf37f6b8-531f-4e0d-8426-a576143ee767-grafik.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">I set up openvpn close to this <a href="https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html" target="_blank" rel="noopener noreferrer nofollow ugc">tutorial</a></p>
<p dir="auto">There are some warnings inside the log, and this repeats many times</p>
<pre><code>Mar 7 23:54:55 	openvpn 	7621 	WARNING: experimental option --capath /var/etc/openvpn/server1/ca
Mar 7 23:54:55 	openvpn 	7621 	SIGTERM[hard,init_instance] received, process exiting
Mar 7 23:54:56 	openvpn 	24611 	OpenVPN 2.6.12 amd64-portbld-freebsd15.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
Mar 7 23:54:56 	openvpn 	24611 	library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
Mar 7 23:54:56 	openvpn 	24611 	DCO version: FreeBSD 15.0-CURRENT #0 plus-RELENG_24_11-n256407-1bbb3194162: Fri Nov 22 05:08:46 UTC 2024 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-24_11-main/obj/amd64/AKWlAIiM/var/jenkins/workspace/pfSense-Plus-snapshots-24_11-main/sources/FreeBS
Mar 7 23:54:56 	openvpn 	24645 	WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Mar 7 23:54:56 	openvpn 	24645 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 7 23:54:56 	openvpn 	24645 	WARNING: experimental option --capath /var/etc/openvpn/server1/ca
Mar 7 23:54:56 	openvpn 	24645 	SIGTERM[hard,init_instance] received, process exiting
Mar 7 23:54:56 	openvpn 	41894 	OpenVPN 2.6.12 amd64-portbld-freebsd15.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
Mar 7 23:54:56 	openvpn 	41894 	library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
Mar 7 23:54:56 	openvpn 	41894 	DCO version: FreeBSD 15.0-CURRENT #0 plus-RELENG_24_11-n256407-1bbb3194162: Fri Nov 22 05:08:46 UTC 2024 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-24_11-main/obj/amd64/AKWlAIiM/var/jenkins/workspace/pfSense-Plus-snapshots-24_11-main/sources/FreeBS
Mar 7 23:54:56 	openvpn 	41896 	WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Mar 7 23:54:56 	openvpn 	41896 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 7 23:54:56 	openvpn 	41896 	WARNING: experimental option --capath /var/etc/openvpn/server1/ca
Mar 7 23:54:56 	openvpn 	41896 	TUN/TAP device ovpns1 exists previously, keep at program end
Mar 7 23:54:56 	openvpn 	41896 	TUN/TAP device /dev/tun1 opened
Mar 7 23:54:56 	openvpn 	41896 	/sbin/ifconfig ovpns1 10.10.10.1/24 mtu 1500 up
Mar 7 23:54:56 	openvpn 	41896 	/usr/local/sbin/ovpn-linkup ovpns1 1500 0 10.10.10.1 255.255.255.0 init
Mar 7 23:54:56 	openvpn 	41896 	Could not determine IPv4/IPv6 protocol. Using AF_INET6
Mar 7 23:54:56 	openvpn 	41896 	setsockopt(IPV6_V6ONLY=0)
Mar 7 23:54:56 	openvpn 	41896 	UDPv6 link local (bound): [AF_INET6][undef]:1194
Mar 7 23:54:56 	openvpn 	41896 	UDPv6 link remote: [AF_UNSPEC]
Mar 7 23:54:56 	openvpn 	41896 	Initialization Sequence Completed
Mar 7 23:55:22 	openvpn 	41896 	event_wait : Interrupted system call (fd=-1,code=4)
Mar 7 23:55:24 	openvpn 	41896 	/sbin/ifconfig ovpns1 10.10.10.1 -alias
Mar 7 23:55:24 	openvpn 	41896 	/usr/local/sbin/ovpn-linkdown ovpns1 1500 0 10.10.10.1 255.255.255.0 init
Mar 7 23:55:24 	openvpn 	19127 	Flushing states on OpenVPN interface ovpns1 (Link Down)
Mar 7 23:55:24 	openvpn 	41896 	SIGTERM[hard,] received, process exiting
Mar 7 23:55:31 	openvpn 	32846 	OpenVPN 2.6.12 amd64-portbld-freebsd15.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
Mar 7 23:55:31 	openvpn 	32846 	library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
Mar 7 23:55:31 	openvpn 	32846 	DCO version: FreeBSD 15.0-CURRENT #0 plus-RELENG_24_11-n256407-1bbb3194162: Fri Nov 22 05:08:46 UTC 2024 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-24_11-main/obj/amd64/AKWlAIiM/var/jenkins/workspace/pfSense-Plus-snapshots-24_11-main/sources/FreeBS 
</code></pre>
<p dir="auto">Installed Packages:</p>
<ul>
<li>acme</li>
<li>Cron</li>
<li>haproxy</li>
<li>Netgate_Firmware_Upgrade</li>
<li>openvpn-client-export</li>
<li>pfBlockerNG</li>
</ul>
<p dir="auto">At the moment I don't really know where to start searching for this error, could some</p>
]]></description><link>https://forum.netgate.com/topic/196874/openvpn-conf-is-not-readable</link><guid isPermaLink="true">https://forum.netgate.com/topic/196874/openvpn-conf-is-not-readable</guid><dc:creator><![CDATA[Varmandra]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[OpenVPN and MTU questions? Vs vpn packet processing settings]]></title><description><![CDATA[@nattygreg Thanks. I have attempted many trial and error tests; another one that gave me speed boosts was changing these settings.
Screenshot 2025-03-03 at 21.50.05.png
]]></description><link>https://forum.netgate.com/topic/196617/openvpn-and-mtu-questions-vs-vpn-packet-processing-settings</link><guid isPermaLink="true">https://forum.netgate.com/topic/196617/openvpn-and-mtu-questions-vs-vpn-packet-processing-settings</guid><dc:creator><![CDATA[JonathanLee]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[No connection after certificate renewal]]></title><description><![CDATA[<p dir="auto">I have an OVPN client on my pfsense box (2.7.2) and a remote server. The connection worked very well until my (self-signed) client and server certificates expired.</p>
<p dir="auto">I renewed both the used client and server certificates incl. the keys. Restarted both the VPN server and the client service in pfsense multiple times but the connection won't come back up.</p>
<p dir="auto">The (server-side) log shows a TLS handshake error.  Even exchanging the entire set of certificates doesn't solve the problem.</p>
]]></description><link>https://forum.netgate.com/topic/196216/no-connection-after-certificate-renewal</link><guid isPermaLink="true">https://forum.netgate.com/topic/196216/no-connection-after-certificate-renewal</guid><dc:creator><![CDATA[seArs]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[RADIUS authentication failing (timed out) and dumping core]]></title><description><![CDATA[@Gertjan So I used both tcpdump and radsniff to look at packet traces, but I can't see any issues.  In both cases (working and non-working) the radius server sends back an Access-Accept message with the same set of fields.
]]></description><link>https://forum.netgate.com/topic/195605/radius-authentication-failing-timed-out-and-dumping-core</link><guid isPermaLink="true">https://forum.netgate.com/topic/195605/radius-authentication-failing-timed-out-and-dumping-core</guid><dc:creator><![CDATA[opoplawski]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Comcast started blocking SMB Port 445 in a VPN tunnel…?!]]></title><description><![CDATA[@Draco
By any chance, did you upgrade pfSense (and/or the OpenVPN package) recently?
I got a 'similar issue' that has left me baffled to this day, see here; maybe it is similar to what you are experiencing.
]]></description><link>https://forum.netgate.com/topic/190699/comcast-started-blocking-smb-port-445-in-an-von-tunnel</link><guid isPermaLink="true">https://forum.netgate.com/topic/190699/comcast-started-blocking-smb-port-445-in-an-von-tunnel</guid><dc:creator><![CDATA[ozus82]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Virtual PFsense behind physical router]]></title><description><![CDATA[Problem 2 fixed by adding route to 192.168.5.0/24 on Mikrotik side
]]></description><link>https://forum.netgate.com/topic/188757/virtual-pfsense-behind-physical-router</link><guid isPermaLink="true">https://forum.netgate.com/topic/188757/virtual-pfsense-behind-physical-router</guid><dc:creator><![CDATA[Dante4]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Portforward configuration for pfSense]]></title><description><![CDATA[@kstlan02
First off, it's not wise to use public IP ranges in the local network, even for Docker.
Then I'm wondering, why don't you run the OpenVPN server on pfSense?

Do I have to do the port forwarding from the WAN to the LAN or do I have to do it from the WAN to the Docker container that is running OpenVPN?

"LAN address" is the wrong destination here for sure. This is an IP assigned to pfSense itself. Hence forwarding to it is not what you want.
The question is then, how can pfSense reach the container?
I'd expect that the container gets its traffic forwarded inside the VM. But I don't know how you configured it.
So you have to forward the OpenVPN traffic either to the VM address or to the container IP. In the latter case, you would need to add a static route for it on pfSense, of course.
]]></description><link>https://forum.netgate.com/topic/187456/portforward-configuration-for-pfsense</link><guid isPermaLink="true">https://forum.netgate.com/topic/187456/portforward-configuration-for-pfsense</guid><dc:creator><![CDATA[viragomann]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[OpenVPN client authentication base on LDAP and certificate from domain CA]]></title><description><![CDATA[Hey, in here I've described my work on this topic :)
https://forum.netgate.com/topic/189447/openvpn-ssl-tls-user-auth-over-ldap/3
]]></description><link>https://forum.netgate.com/topic/186116/openvpn-client-authentication-base-on-ldap-and-certificate-from-domain-ca</link><guid isPermaLink="true">https://forum.netgate.com/topic/186116/openvpn-client-authentication-base-on-ldap-and-certificate-from-domain-ca</guid><dc:creator><![CDATA[wojciech__]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Ca and Server certificate expiring soon]]></title><description><![CDATA[@jimp I tried but unfortunately it didn't work, because the user certificate that I use to export the OpenVPN client has the same CA as the server certificate (I think).
The final solution was to reinstall all OpenVPN clients on all devices, hard work but at least all users continue to work!
Thanks for the support 
]]></description><link>https://forum.netgate.com/topic/185703/ca-and-server-certificate-expiring-soon</link><guid isPermaLink="true">https://forum.netgate.com/topic/185703/ca-and-server-certificate-expiring-soon</guid><dc:creator><![CDATA[andrew98]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[LEDs and OpenVPN state established LED program short simple bash script]]></title><description><![CDATA[<p dir="auto">Hello fellow Netgate community members,</p>
<p dir="auto">I wanted to share with you some cool code I have been working on for some time now. This code will check for specific states and adapt the LEDs on an official Netgate appliance. Mine is a 2100.</p>
<p dir="auto">My VPN rule is 57, my guest wifi is rule 110</p>
<p dir="auto">Here is the code...</p>
<pre><code>#!/bin/sh
check_current_states=$( pfctl -vvss | grep -e ', rule 110' -e ', rule 57' -e '192.168.1.11' -e '192.168.1.15' )
res=1
resb=1
resc=1
resd=1
case "$check_current_states" in 
  *", rule 110"* ) res=0 ;;
esac
case "$check_current_states" in
  *192.168.1.11* ) resb=0 ;;
esac
case "$check_current_states" in
  *192.168.1.15* ) resc=0 ;;
esac
case "$check_current_states" in
  *", rule 57"* ) resd=0 ;;
esac
if [ $res = 0 ] &amp;&amp; [ $resb = 0 ]; 
then
  sysctl -q dev.gpio.2.led.1.pwm=1
  gpioctl -f /dev/gpioc2 3 duty 50 &gt;/dev/null
  sysctl -q dev.gpio.2.led.2.pwm=1
  gpioctl -f /dev/gpioc2 7 duty 0 &gt;/dev/null
  gpioctl -f /dev/gpioc2 6 duty 50 &gt;/dev/null
elif [ $res = 0 ];
then
  sysctl -q dev.gpio.2.led.1.pwm=1
  gpioctl -f /dev/gpioc2 3 duty 0 &gt;/dev/null
  sysctl -q dev.gpio.2.led.2.pwm=1
  gpioctl -f /dev/gpioc2 7 duty 0 &gt;/dev/null
  gpioctl -f /dev/gpioc2 6 duty 50 &gt;/dev/null
elif [ $resb = 0 ];
then
  sysctl -q dev.gpio.2.led.2.pwm=1
  gpioctl -f /dev/gpioc2 7 duty 0 &gt;/dev/null
  gpioctl -f /dev/gpioc2 6 duty 0 &gt;/dev/null
  sysctl -q dev.gpio.2.led.1.pwm=1
  gpioctl -f /dev/gpioc2 3 duty 50 &gt;/dev/null
else
  sysctl -q dev.gpio.2.led.1.pwm=1
  gpioctl -f /dev/gpioc2 3 duty 0 &gt;/dev/null
  sysctl -q dev.gpio.2.led.2.pwm=1
  gpioctl -f /dev/gpioc2 6 duty 0 &gt;/dev/null
  gpioctl -f /dev/gpioc2 7 duty 50 &gt;/dev/null
  
fi
if [ $resc = 0 ] || [ $resd = 0 ];
then
  sysctl -q dev.gpio.2.led.0.pwm=1
  gpioctl -f /dev/gpioc2 2 duty 50 &gt;/dev/null
  gpioctl -f /dev/gpioc2 0 duty 50 &gt;/dev/null
else
  sysctl -q dev.gpio.2.led.0.pwm=1
  gpioctl -f /dev/gpioc2 2 duty 0 &gt;/dev/null
  gpioctl -f /dev/gpioc2 0 duty 0 &gt;/dev/null

fi
</code></pre>
<p dir="auto"><strong>Overview:</strong></p>
<p dir="auto">This area below is my variable that will store output from a <strong>pfctl</strong> and grep for any rule you want; I have rules 110 and 57 as well as some private IP addresses.<br />
pfctl lists the current states on the firewall.</p>
<p dir="auto">What this code does for me is check for guest wifi use: if someone is on the guest network, change the first LED to red; if my 192.168.1.11 is running, enable and set the second LED to red; and if 192.168.1.15 or a VPN is online, change the third LED to purple (meaning do not restart the firewall). If none of this occurs, set the first LED to green and turn off the others.</p>
<pre><code>check_current_states=$( pfctl -vvss | grep -e ', rule 110' -e ', rule 57' -e '192.168.1.11' -e '192.168.1.15' )
</code></pre>
<p dir="auto"><strong>This next section is my variables. I use them as flags; they are all set to one to instantiate them:</strong></p>
<pre><code>res=1
resb=1
resc=1
resd=1
</code></pre>
<p dir="auto"><strong>This next section checks for my conditions within the variable:</strong></p>
<pre><code>case "$check_current_states" in 
  *", rule 110"* ) res=0 ;;
esac

case "$check_current_states" in
  *192.168.1.11* ) resb=0 ;;
esac

case "$check_current_states" in
  *192.168.1.15* ) resc=0 ;;
esac

case "$check_current_states" in
  *", rule 57"* ) resd=0 ;;
esac
</code></pre>
<p dir="auto"><strong>This next section is where I have my if else rules that set the LEDS</strong></p>
<pre><code>if [ $res = 0 ] &amp;&amp; [ $resb = 0 ]; 
then
  sysctl -q dev.gpio.2.led.1.pwm=1
  gpioctl -f /dev/gpioc2 3 duty 50 &gt;/dev/null
  sysctl -q dev.gpio.2.led.2.pwm=1
  gpioctl -f /dev/gpioc2 7 duty 0 &gt;/dev/null
  gpioctl -f /dev/gpioc2 6 duty 50 &gt;/dev/null
elif [ $res = 0 ];
then
  sysctl -q dev.gpio.2.led.1.pwm=1
  gpioctl -f /dev/gpioc2 3 duty 0 &gt;/dev/null
  sysctl -q dev.gpio.2.led.2.pwm=1
  gpioctl -f /dev/gpioc2 7 duty 0 &gt;/dev/null
  gpioctl -f /dev/gpioc2 6 duty 50 &gt;/dev/null
elif [ $resb = 0 ];
then
  sysctl -q dev.gpio.2.led.2.pwm=1
  gpioctl -f /dev/gpioc2 7 duty 0 &gt;/dev/null
  gpioctl -f /dev/gpioc2 6 duty 0 &gt;/dev/null
  sysctl -q dev.gpio.2.led.1.pwm=1
  gpioctl -f /dev/gpioc2 3 duty 50 &gt;/dev/null
else
  sysctl -q dev.gpio.2.led.1.pwm=1
  gpioctl -f /dev/gpioc2 3 duty 0 &gt;/dev/null
  sysctl -q dev.gpio.2.led.2.pwm=1
  gpioctl -f /dev/gpioc2 6 duty 0 &gt;/dev/null
  gpioctl -f /dev/gpioc2 7 duty 50 &gt;/dev/null
  
fi
if [ $resc = 0 ] || [ $resd = 0 ];
then
  sysctl -q dev.gpio.2.led.0.pwm=1
  gpioctl -f /dev/gpioc2 2 duty 50 &gt;/dev/null
  gpioctl -f /dev/gpioc2 0 duty 50 &gt;/dev/null
else
  sysctl -q dev.gpio.2.led.0.pwm=1
  gpioctl -f /dev/gpioc2 2 duty 0 &gt;/dev/null
  gpioctl -f /dev/gpioc2 0 duty 0 &gt;/dev/null

fi
</code></pre>
<p dir="auto"><img src="/assets/uploads/files/1704358349088-screenshot-2024-01-04-at-12.51.21-am-resized.jpg" alt="Screenshot 2024-01-04 at 12.51.21 AM.jpg" class=" img-fluid img-markdown" /></p>
<p dir="auto">Now save your code into your pfSense. <strong>chmod</strong> the bash script so it can execute this file...</p>
<p dir="auto"><img src="/assets/uploads/files/1704358629227-screenshot-2024-01-04-at-12.56.33-am-resized.png" alt="Screenshot 2024-01-04 at 12.56.33 AM.png" class=" img-fluid img-markdown" /></p>
<p dir="auto"><strong>Now set a cron job to run this every couple minutes or so.</strong></p>
<p dir="auto"><img src="/assets/uploads/files/1704358704373-screenshot-2024-01-04-at-12.57.58-am-resized.png" alt="Screenshot 2024-01-04 at 12.57.58 AM.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">For more help with how the colors on the LEDs work please reference this URL below. It is great I can't thank this guy enough. I hope he sees my code I made to work with the LED info he posted.</p>
<p dir="auto">https://www.zacharyschneider.ca/2019/12/customizing-leds-netgate-sg-3100/</p>
<p dir="auto">Bingo, now you've got custom LEDs that change when your states establish. You could set it to glow any color you want when OpenVPN connects.</p>
<p dir="auto">How do you get your state number? Simple, just click on the rule's states area in your firewall and see what shows.</p>
<p dir="auto"><strong>Example:</strong></p>
<p dir="auto"><img src="/assets/uploads/files/1704359092198-screenshot-2024-01-04-at-1.03.49-am-resized.png" alt="Screenshot 2024-01-04 at 1.03.49 AM.png" class=" img-fluid img-markdown" /></p>
<p dir="auto"><strong>Click here and it will show what rule id it is</strong></p>
<p dir="auto"><img src="/assets/uploads/files/1704359006985-screenshot-2024-01-04-at-1.02.54-am-resized.png" alt="Screenshot 2024-01-04 at 1.02.54 AM.png" class=" img-fluid img-markdown" /><br />
<strong>Guest wifi for me is rule 105</strong></p>
]]></description><link>https://forum.netgate.com/topic/185313/leds-and-openvpn-state-established-led-program-short-simple-bash-script</link><guid isPermaLink="true">https://forum.netgate.com/topic/185313/leds-and-openvpn-state-established-led-program-short-simple-bash-script</guid><dc:creator><![CDATA[JonathanLee]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[OpenVPN recommended Data Encryption Algorithms when using SG-2100 appliance's crypto engine?]]></title><description><![CDATA[@kprovost The speed difference is substantial with only having one enabled, so much so I would say this would need a Redmine to only allow one to be selected at a time. Anyone else agree?
]]></description><link>https://forum.netgate.com/topic/185263/openvpn-recommended-data-encryption-algorithms-when-using-sg-2100-appliance-s-crypto-engine</link><guid isPermaLink="true">https://forum.netgate.com/topic/185263/openvpn-recommended-data-encryption-algorithms-when-using-sg-2100-appliance-s-crypto-engine</guid><dc:creator><![CDATA[JonathanLee]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[RESOLVED: ---> remote_list_error: current remote server endpoint is undefined]]></title><description><![CDATA[@JonathanLee
Thanks, this fix worked for me. My iPhone would not connect without it.
]]></description><link>https://forum.netgate.com/topic/185250/resolved-remote_list_error-current-remote-server-endpoint-is-undefined</link><guid isPermaLink="true">https://forum.netgate.com/topic/185250/resolved-remote_list_error-current-remote-server-endpoint-is-undefined</guid><dc:creator><![CDATA[DBEEE]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[OpenVPN site to site not working both ways]]></title><description><![CDATA[@Pablomdli said in OpenVPN site to site not working both ways:

The only weird thing is that it gives the IP 10.0.8.0 to the office#2 OpenVPN client

So I'd suspect that you stated this IP in the CSO.
You should enter an IP out of the tunnel network there, but it has to be one from the second upwards.
]]></description><link>https://forum.netgate.com/topic/184319/openvpn-site-to-site-not-working-both-ways</link><guid isPermaLink="true">https://forum.netgate.com/topic/184319/openvpn-site-to-site-not-working-both-ways</guid><dc:creator><![CDATA[viragomann]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Openvpn changing IP address when reconnected with RDP]]></title><description><![CDATA[@cezar_a you're welcome
]]></description><link>https://forum.netgate.com/topic/183899/openvpn-changing-ip-address-when-reconnected-with-rdp</link><guid isPermaLink="true">https://forum.netgate.com/topic/183899/openvpn-changing-ip-address-when-reconnected-with-rdp</guid><dc:creator><![CDATA[greenlight]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[OpenVPN profile Distribution from intunes]]></title><description><![CDATA[<p dir="auto">Hi,<br />
We are looking to deploy OpenVPN profile settings from Intune into the OpenVPN client app which is already installed on the computers.</p>
<p dir="auto">Can someone guide me!</p>
]]></description><link>https://forum.netgate.com/topic/183747/openvpn-profile-distribution-from-intunes</link><guid isPermaLink="true">https://forum.netgate.com/topic/183747/openvpn-profile-distribution-from-intunes</guid><dc:creator><![CDATA[optimusprime]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[HAProxy and OpenVPN: Client IP forwardfor to network backend]]></title><description><![CDATA[Trying to find a solution to this as well.  It doesn't seem OpenVPN has an option to forward headers which basically makes it impossible to use openvpn as the primary on port 443 if you need to see client IP addresses on haproxy..
As an alternative, I wondered if it might make sense to set haproxy listening on 443 and OpenVPN as a backend on a different port.  Has anyone tried this yet?  Does this cause double encryption (slow down the connection too much)?  Here is an example of one guy who claims to have got it working:
https://discourse.haproxy.org/t/haproxy-with-openvpn-over-tcp-443-on-pfsense/4731/2
EDIT
It looks like he created a TCP frontend on 443 with a default backend going to OpenVPN:TCP:1194 and an ACL that checks for SSL and sends SSL traffic to an HTTPS backend set to localhost:9443. Then he configured localhost:9443 as a frontend that handles the forwarded web traffic.
That looks like it should work, but it's a bit too complicated for me to test on my live server right now and I don't have a lab setup. Happy to help anyone else who might have a lab environment set up for testing.
]]></description><link>https://forum.netgate.com/topic/183675/haproxy-and-openvpn-client-ip-forwardfor-to-network-backend</link><guid isPermaLink="true">https://forum.netgate.com/topic/183675/haproxy-and-openvpn-client-ip-forwardfor-to-network-backend</guid><dc:creator><![CDATA[SimpleTechGuy]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[How to Monitor and Restart VPNs]]></title><description><![CDATA[<p dir="auto">I have an OpenVPN configured on my device to route traffic for a number of devices over a NordVPN to another country.</p>
<p dir="auto">Every now and then the latency and packet loss on the VPN gets to the point where it's not usable.</p>
<p dir="auto">All I have to do is restart the VPN and it seems to clear the errors and everything works again.</p>
<p dir="auto">Is there a way that I can automatically monitor the latency / packet loss and, if it gets over a certain percentage, automatically restart the VPN connection?</p>
]]></description><link>https://forum.netgate.com/topic/183362/how-to-monitor-and-restart-vpns</link><guid isPermaLink="true">https://forum.netgate.com/topic/183362/how-to-monitor-and-restart-vpns</guid><dc:creator><![CDATA[MartynK]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[PIA OpenVPN: Packet Loss and Buffer Size]]></title><description><![CDATA[I could certainly imagine that the faster you push traffic the more is lost, though not necessarily as a percentage.
Do you see the same when connected to other servers? Is that server in London far from you, is the latency high?
Steve
]]></description><link>https://forum.netgate.com/topic/183244/pia-openvpn-packet-loss-and-buffer-size</link><guid isPermaLink="true">https://forum.netgate.com/topic/183244/pia-openvpn-packet-loss-and-buffer-size</guid><dc:creator><![CDATA[stephenw10]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Strange behaviour after update from 2.6.0 to 2.7.0]]></title><description><![CDATA[Hmm, strange indeed!
Do you have an OpenVPN server running on the firewall? Does it show the clients connecting to it? What are they supposed to be connecting to?
What do you see logged when the webgui cert changes?
Steve
]]></description><link>https://forum.netgate.com/topic/182970/strange-behaviour-after-update-from-2-6-0-to-2-7-0</link><guid isPermaLink="true">https://forum.netgate.com/topic/182970/strange-behaviour-after-update-from-2-6-0-to-2-7-0</guid><dc:creator><![CDATA[stephenw10]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Looking for ideas on troubleshooting an OpenVPN file transfer speed problem.]]></title><description><![CDATA[@BFost said in Looking for ideas on troubleshooting an OpenVPN file transfer speed problem.:

is getting 60-70ms latency which seems totally fine to me

You understand that with that latency, your 8mbps is right in the ballpark for a window size of 64k.. So you really need to look at what is going on.
[image: 1693163421159-math.jpg]
I take it they are downloading, and not uploading - because upload they have a max of 10 per their isp anyway..
Are they on wifi.. We have lots of users report bad vpn performance - they were just on a shit wifi connection.  If they plugged in a wire, no issue with their performance.
]]></description><link>https://forum.netgate.com/topic/182379/looking-for-ideas-on-troubleshooting-an-openvpn-file-transfer-speed-problem</link><guid isPermaLink="true">https://forum.netgate.com/topic/182379/looking-for-ideas-on-troubleshooting-an-openvpn-file-transfer-speed-problem</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Dual OpenVPN-Setting, CARP & Failover (HA, MultiWAN)]]></title><description><![CDATA[@Sperber said in Dual OpenVPN-Setting, CARP &amp; Failover (HA, MultiWAN):

(Vorkbaard has already described this: https://vorkbaard.nl/openvpn-in-a-pfsense-carp-cluster/ )

That information is relatively old and not accurate, though. We run very diverse and complex services there and none of them needs any odd settings like "local &lt;extIP&gt;" or similar; that should not be necessary at all anymore today. It also makes no sense in a CARP setup, since the CARP VIPs all run on the master and cannot be addressed that way. Split CARP with master/backup on the same node is not included in the FreeBSD variant of CARP/pf; unfortunately that exists only in OpenBSD.
Like @viragomann, I am also interested in how you intend to let the second pfSense in the CARP cluster accept OpenVPN at all. The traffic never arrives at it, because via CARP it ALWAYS goes to the primary, not to the secondary node. And if you were to forward it to node 2, that node would try to answer asymmetrically (or everything runs back through node 1), which again is not very nice.
So how is it implemented that the clients connect to node 2, and that this also works when node 2 becomes active and node 1 passive, because it is perhaps being maintained or similar?
Otherwise it would be a mystery to me how this is really supposed to work cleanly in the redundancy case without manual intervention.
Cheers
\jens
]]></description><link>https://forum.netgate.com/topic/182115/dual-openvpn-setting-carp-failover-ha-multiwan</link><guid isPermaLink="true">https://forum.netgate.com/topic/182115/dual-openvpn-setting-carp-failover-ha-multiwan</guid><dc:creator><![CDATA[JeGr]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[cert delete &#x2F; revoke - breaks openvpn?!!]]></title><description><![CDATA[<ol start="0">
<li>
<p dir="auto">I created a bad cert for openVPN, "pete".</p>
</li>
<li>
<p dir="auto">Apparently I cannot delete a cert once made?!</p>
</li>
</ol>
<p dir="auto">1a) Workaround: I renamed it so I can be certain of what I am looking at everywhere.<br />
1b) I revoked it.</p>
<ol start="2">
<li>
<p dir="auto">I created a new cert, "pete2307"...</p>
</li>
<li>
<p dir="auto">OpenVPN ONLY sees the REVOKED cert. NOT the 100% valid new one?!!</p>
</li>
</ol>
<p dir="auto">Is there a workaround for this?</p>
]]></description><link>https://forum.netgate.com/topic/181602/cert-delete-revoke-breaks-openvpn</link><guid isPermaLink="true">https://forum.netgate.com/topic/181602/cert-delete-revoke-breaks-openvpn</guid><dc:creator><![CDATA[MrPete]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[PFSense 2.7.0 OpenVPN problems]]></title><description><![CDATA[Start your own thread, it's unlikely to be the same issues others have hit. While symptoms may be similar, there are numerous possible causes that can look the same, and trying to diagnose multiple people's issues in a single thread is not feasible.
]]></description><link>https://forum.netgate.com/topic/181283/pfsense-2-7-0-openvpn-problems</link><guid isPermaLink="true">https://forum.netgate.com/topic/181283/pfsense-2-7-0-openvpn-problems</guid><dc:creator><![CDATA[jimp]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[OpenVPN not starting after update!]]></title><description><![CDATA[@steveits
/facepalm - Again, I am new to this and I see what I needed to do!  I installed the patches package and applied all, did the reboot, and bingo!  Back in business!  Thank you so much!
]]></description><link>https://forum.netgate.com/topic/179475/openvpn-not-starting-after-update</link><guid isPermaLink="true">https://forum.netgate.com/topic/179475/openvpn-not-starting-after-update</guid><dc:creator><![CDATA[TXDS]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[OpenVPN client TAP bridge - reconnect problem]]></title><description><![CDATA[@brepo

I feel a little sorry for myself, because I spent more than 10 years with pfsense and everything suited me before :)

]]></description><link>https://forum.netgate.com/topic/179136/openvpn-client-tap-bridge-reconnect-problem</link><guid isPermaLink="true">https://forum.netgate.com/topic/179136/openvpn-client-tap-bridge-reconnect-problem</guid><dc:creator><![CDATA[brepo]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[RDP to Local LAN desktop - Unable to find]]></title><description><![CDATA[Solved!
Followed a lot of rabbit holes down until I found these:
https://serverfault.com/questions/1064935/openvpn-server-connexion-ok-but-no-access-to-remote-lan
which led to:
https://openvpn.net/community-resources/how-to/#expanding-the-scope-of-the-vpn-to-include-additional-machines-on-either-the-client-or-server-subnet
Main takeaway was that I needed to add
push "route [Local LAN subnet] 255.255.255.0"

to the advanced configuration on the server setup.
Still reading a bit more to understand how this worked, but I'm able to ping my local machine as well as remote into it.
Happy days.
]]></description><link>https://forum.netgate.com/topic/178937/rdp-to-local-lan-desktop-unable-to-find</link><guid isPermaLink="true">https://forum.netgate.com/topic/178937/rdp-to-local-lan-desktop-unable-to-find</guid><dc:creator><![CDATA[StationEleven]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Proper site to site routed openvpn setup]]></title><description><![CDATA[<p dir="auto">Hi all,</p>
<p dir="auto">I have two sites connected with single openvpn tunnel  as follows.</p>
<p dir="auto"><img src="/assets/uploads/files/1678464666214-023e20ed-d977-4477-be63-43135fcb76c5-image.png" alt="023e20ed-d977-4477-be63-43135fcb76c5-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">Pfsense fw hosted in Digital Ocean cloud.<br />
Site A Edgerouter-X behind broadband NAT<br />
Site B Teltonika Rutx11 behind mobile cgnat</p>
<p dir="auto">I set this up a few years back to access the remote site B LAN from my local site A LAN. This has worked without much issue to date.</p>
<p dir="auto">But as I read, this is not the proper setup, as routing does not work properly between the two locations since they are in the same OpenVPN subnet (192.168.166.0/24).</p>
<p dir="auto">I.e. when I try to ping either the 192.168.55.0/24 or 192.168.77.0/24 network from my mobile phone with the VPN on (192.168.166.13/24), I always get an ICMP redirect message, which indicates potential routing issues or that the upstream network I try to reach resides on the same network I'm in now. Which is correct behavior based on the setup.</p>
<p dir="auto">And even though this setup is working, I'm still confused how pfSense is able to route traffic between gateways that reside in the same subnet (192.168.166.2 and 192.168.166.3).</p>
<p dir="auto">Now my issue comes when I try to do this the proper way.</p>
<p dir="auto">I created two OpenVPN p2p tunnels from both site A and B to the pfSense box, then added appropriate static routes at both ends. After this the routing works perfectly and there are no ICMP redirect messages when I try to ping from my mobile.</p>
<p dir="auto">SITE A-&gt; PFSENSE  (172.18.18.0/30)<br />
SITE B-&gt; PFSENSE  (172.19.19.0/30)</p>
<p dir="auto">But the remote site B is connected to a terribly bad mobile network, which is already slow without any VPNs (I only use split tunneling; not all traffic goes through the VPN), but with this added site-to-site routed VPN setup, connections from site A to site B become unusable. All my camera live feeds are broken and most of the hosts behind the site B router are not reachable or very slow to access.</p>
<p dir="auto">I double checked everything like static routes/p2p IP ranges/firewall rules at all sites and all are correct. I really cannot find the reason behind this. Is the slowness because of the pfSense inter-VPN routing? Or is there some other factor at play?</p>
<p dir="auto">What is the best way to accomplish a proper routed connection between these two sites without compromising performance or involving any NAT?</p>
<p dir="auto">Appreciate your inputs</p>
<p dir="auto">Thanks</p>
]]></description><link>https://forum.netgate.com/topic/178642/proper-site-to-site-routed-openvpn-setup</link><guid isPermaLink="true">https://forum.netgate.com/topic/178642/proper-site-to-site-routed-openvpn-setup</guid><dc:creator><![CDATA[semiraue]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Traffic between OpenVPN hosts]]></title><description><![CDATA[@kamil-0 In the OpenVPN server options, untick the "Inter-client communication" option. Communication between clients should then not work. But I'll check when I get home.
]]></description><link>https://forum.netgate.com/topic/178341/ruch-pomiędzy-hostami-openvpn</link><guid isPermaLink="true">https://forum.netgate.com/topic/178341/ruch-pomiędzy-hostami-openvpn</guid><dc:creator><![CDATA[Przemyslaw85]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Problem authenticating to Active Directory LDAP server]]></title><description><![CDATA[<p dir="auto">I have set up an LDAP authentication server for my Windows Domain Controller to use with my OpenVPN server. Since I'm able to enumerate a list of containers with the Select a container button in the settings, I know I'm able to successfully communicate with the server. However, when I go to the authentication tester in diagnostics and try to authenticate a login, I get an error that only says Authentication failed with no other information, and I don't see anything in the logs. I've tried both username and username prefixed with the domain name like domain\username and neither works. I'm using a Netgate 1100 if that matters.</p>
]]></description><link>https://forum.netgate.com/topic/177997/problem-authenticating-to-active-directory-ldap-server</link><guid isPermaLink="true">https://forum.netgate.com/topic/177997/problem-authenticating-to-active-directory-ldap-server</guid><dc:creator><![CDATA[m1systems]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Network LAN machine not accessible via OpenVPN]]></title><description><![CDATA[@viragomann It's OK, problem solved. I can ping the local machine on the LAN network after configuring the "redirect gateway" check box.
]]></description><link>https://forum.netgate.com/topic/177085/network-lan-machine-not-accessible-via-openvpn</link><guid isPermaLink="true">https://forum.netgate.com/topic/177085/network-lan-machine-not-accessible-via-openvpn</guid><dc:creator><![CDATA[kermiaamar]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Network Drive Slow Performance?]]></title><description><![CDATA[@wingrait said in Network Drive Slow Performance?:

10Mbps = 1.25MB/s with no other overhead.

hahaha - well problem solved ;) Glad you got it figured out.. Bytes vs bits is hard sometimes hahahah &lt;ROFL&gt;
edit: btw thanks for pointing out the actual issue, vs just walking away leaving the thread hanging to keep egg off your face..
The B vs b thing bites everyone in the butt at some point, reminds me of the still constant question about wireless, but the router says it can do 1900mbps on the box - why am I only seeing 200 ;) hehehe
]]></description><link>https://forum.netgate.com/topic/176677/network-drive-slow-performance</link><guid isPermaLink="true">https://forum.netgate.com/topic/176677/network-drive-slow-performance</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Google Meet going through my VPN connection.]]></title><description><![CDATA[@moadmin
Hey guys, can I get any suggestions on this? It's still happening even with the split tunnel config.
When the VPN is on and connected, Google Meet calls are choppy and distorted; when we turn it off the video is smooth and in good quality.
This happened after we updated our pfsense to 2.6.
]]></description><link>https://forum.netgate.com/topic/176491/google-meet-going-through-my-vpn-connection</link><guid isPermaLink="true">https://forum.netgate.com/topic/176491/google-meet-going-through-my-vpn-connection</guid><dc:creator><![CDATA[moadmin]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[pfSense Plus crash after adding OVPN as interface]]></title><description><![CDATA[Yes, it could be. I'll try to replicate and open something if there isn't anything already open.
]]></description><link>https://forum.netgate.com/topic/175285/pfsense-plus-crash-after-adding-ovpn-as-interface</link><guid isPermaLink="true">https://forum.netgate.com/topic/175285/pfsense-plus-crash-after-adding-ovpn-as-interface</guid><dc:creator><![CDATA[stephenw10]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[OpenVPN renew CA and Server cert without renewing client certs?]]></title><description><![CDATA[@coyotekg The client certs use the CA as the issuer just like the server certs do so yes, you would need to change them.
]]></description><link>https://forum.netgate.com/topic/175204/openvpn-renew-ca-and-server-cert-without-renewing-client-certs</link><guid isPermaLink="true">https://forum.netgate.com/topic/175204/openvpn-renew-ca-and-server-cert-without-renewing-client-certs</guid><dc:creator><![CDATA[Jarhead]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Reports OPENVPN connections]]></title><description><![CDATA[<p dir="auto">Hello, is it possible to export a report of the total connection time of a VPN or of a user?</p>
]]></description><link>https://forum.netgate.com/topic/175121/reports-openvpn-connections</link><guid isPermaLink="true">https://forum.netgate.com/topic/175121/reports-openvpn-connections</guid><dc:creator><![CDATA[Help Group]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[OpenVpn with NPS , ensure client health check]]></title><description><![CDATA[<p dir="auto">Hello,</p>
<p dir="auto">I am using pfSense with OpenVPN along with MS RADIUS NPS authentication. I have a new requirement from our organization to validate a client health check on VPN connection to ensure remote users have their updated AV running, latest updates etc., in brief a set of standard checks that assure the health of any connection. My question is, is there any way to assure this? Did anyone have experience with such a requirement?</p>
<p dir="auto">Please advise</p>
<p dir="auto">Thanks</p>
]]></description><link>https://forum.netgate.com/topic/174994/openvpn-with-nps-ensure-client-health-check</link><guid isPermaLink="true">https://forum.netgate.com/topic/174994/openvpn-with-nps-ensure-client-health-check</guid><dc:creator><![CDATA[tbaror]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[FreeRadius&#x2F;OpenVPN not working on secondary PFSense - HA cluster]]></title><description><![CDATA[<p dir="auto">We have an architecture of 2 PFSense in High Availability Configuration on cloud.<br />
We always managed the single node PFSense and everything was working well. We have a FreeRadius package to log in our VPN users using pin + Google Authenticator.</p>
<p dir="auto">Now we deployed a secondary PFSense with complete HA and it's fully synced. I checked the configuration files, certificates and everything is exactly the same.</p>
<p dir="auto">FreeRadius gives an option to sync to a secondary unit and this is enabled too.</p>
<p dir="auto">While testing (shutdown primary) we noticed that the PFSense is not able to login VPN users (authentication failed). Again checked FreeRadius config, users, passwords and everything looks exactly like the primary node but always with the same error message from the OpenVPN client and Firewall logs (Authentication failed).</p>
<p dir="auto">Does anyone have any idea for further troubleshooting or any possible reasons?<br />
Thanks in advance.</p>
<p dir="auto">Some Pics:<br />
<img src="/assets/uploads/files/1661931337324-xmlrpc-sync.png" alt="xmlrpc sync.png" class=" img-fluid img-markdown" /> <img src="/assets/uploads/files/1661931337286-general-logs.png" alt="general logs.png" class=" img-fluid img-markdown" /> <img src="/assets/uploads/files/1661931337249-freeradius-xmlrpc-sync.png" alt="freeradius xmlrpc sync.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://forum.netgate.com/topic/174446/freeradius-openvpn-not-working-on-secondary-pfsense-ha-cluster</link><guid isPermaLink="true">https://forum.netgate.com/topic/174446/freeradius-openvpn-not-working-on-secondary-pfsense-ha-cluster</guid><dc:creator><![CDATA[eddgar9]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[pfSense does not communicate with another pfSense using OPENVPN]]></title><description><![CDATA[@marcelobeckmann The problem was solved when I opened port 1194 on the LAN and on the OPENVPN interface in the firewall rules of both pfSenses. After that, the VPNs started to establish the connection and I can ping between the servers. Thank you very much for the help.
]]></description><link>https://forum.netgate.com/topic/174355/pfsense-nao-comunica-com-outro-pfsense-usando-openvpn</link><guid isPermaLink="true">https://forum.netgate.com/topic/174355/pfsense-nao-comunica-com-outro-pfsense-usando-openvpn</guid><dc:creator><![CDATA[allancarlos]]></dc:creator><pubDate>Invalid Date</pubDate></item></channel></rss>