You still haven't (or at least said you have) done what I told you to do for 3 straight posts now. Check the firewall log under Status ---> System Logs ---> Firewall and look for something in the destination column that is connecting on port 1194. Do this while the client is trying to connect.

When doing the OpenVPN setup it did make its own rule in the firewall. I set that to logging and I don't see much when looking at the logging. I'm going to reboot the box as suggested earlier, but this is very weird. It's like being 100% in the dark.

I specified the range in the OpenVPN config, did not enable the DHCP server. If they don't connect at the same time, the connection is working fine.

Two different clients attempt to connect and they both grab the same IP?
What does Status ---> OpenVPN say?
Is an internal server doing the DHCP, or are you specifying the range in the OpenVPN config?
You mentioned this happens when they connect at the same time. What if they don't connect at the same time?

There is a check box in the server config to allow multiple connections for this. Is that checked?

Yes.

My experience is that anything pfSense does is limited by hardware. How many users it can sustain will probably be directly related to the clock speed of the processor. Keep in mind that pfSense and OpenVPN are single threaded, so the faster the clock speed the better.

This guide seems to be good for making an OpenVPN server out of pfSense too... I want to do that as well. Does anybody know how many OpenVPN users this can handle? I like to install the OpenVPN client as a service; it makes it easier for the users...

I would virtualize pfSense and just use a single NIC.... I would forward the OpenVPN port to that box...
    C:\Users\Frank>nslookup
    Default Server:  pfsense.ad.home.lan
    Address:  192.168.1.21

    > frank-haf
    Server:  pfsense.ad.home.lan
    Address:  192.168.1.21

    Name:    frank-haf.ad.home.lan
    Address:  192.168.1.13

    > acer-pc
    Server:  pfsense.ad.home.lan
    Address:  192.168.1.21

    Name:    acer-pc.ad.home.lan
    Address:  192.168.1.12

Client routing table with the tunnel up:

    Destination     Gateway         Genmask         Flags MSS Window irtt Iface
    0.0.0.0         192.168.7.1     0.0.0.0         UG    0   0      0    tap0
    extIP2          192.168.X.1     255.255.255.255 UGH   0   0      0    wlan0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0   0      0    wlan0
    192.168.7.0     0.0.0.0         255.255.255.0   U     0   0      0    tap0
    192.168.X.0     0.0.0.0         255.255.255.0   U     0   0      0    wlan0

Client routing table with the tunnel down:

    Destination     Gateway         Genmask         Flags MSS Window irtt Iface
    0.0.0.0         192.168.X.1     0.0.0.0         UG    0   0      0    wlan0
    192.168.X.0     0.0.0.0         255.255.255.0   U     0   0      0    wlan0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0   0      0    wlan0
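As an added example (not code from the thread), a small Python parser over the two client routing tables posted above: it reports whether the TAP interface is present, whether the default route has moved onto it, whether the bridged VPN subnet is routed via it, and whether the host route to the server's public address still points out the physical interface. The interface name `tap0` and subnet `192.168.7.0` are taken from the posted tables; `extIP2` and `192.168.X.*` are the poster's own placeholders, kept verbatim.

```python
"""Diagnose OpenVPN TAP tunnel state from `route -n` style output.

Constructed sample input: the two routing tables quoted in the thread,
with the poster's placeholders (extIP2, 192.168.X.*) left as-is.
"""
from typing import Dict, List

ROUTE_TABLE_VPN_UP = """Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.7.1 0.0.0.0 UG 0 0 0 tap0
extIP2 192.168.X.1 255.255.255.255 UGH 0 0 0 wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0
192.168.7.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
192.168.X.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0"""

ROUTE_TABLE_VPN_DOWN = """Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.X.1 0.0.0.0 UG 0 0 0 wlan0
192.168.X.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0"""


def parse_routes(text: str) -> List[Dict[str, str]]:
    """Split a whitespace-separated route table into one dict per row."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):  # skip wrapped or truncated rows
            continue
        rows.append(dict(zip(header, fields)))
    return rows


def tunnel_status(text: str, tap_iface: str = "tap0",
                  vpn_net: str = "192.168.7.0") -> Dict[str, bool]:
    """Summarise what the routing table says about the TAP tunnel."""
    rows = parse_routes(text)
    via_tap = [r for r in rows if r["Iface"] == tap_iface]
    return {
        # Any route on the TAP device means the adapter is up and addressed.
        "tap_present": bool(via_tap),
        # redirect-gateway pushed: default route (0.0.0.0) now goes via tap.
        "default_via_tap": any(r["Destination"] == "0.0.0.0" for r in via_tap),
        # The bridged LAN/VPN subnet is reachable through the tunnel.
        "vpn_subnet_route": any(r["Destination"] == vpn_net for r in via_tap),
        # Host route (flag H) to the server's public IP must stay on the
        # physical interface, otherwise the tunnel would route over itself.
        "server_host_route": any("H" in r["Flags"] and r["Iface"] != tap_iface
                                 for r in rows),
    }
```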
I'm having the same issue after updating to 2.1.1... it will connect but it doesn't get an IP address and then it disconnects. pfSense shows the VPN interface is down, but I don't remember if it was always down.

After I did the pfSense update to 2.1.1-RELEASE it will connect to the OpenVPN server but there is no access to the LAN.

Is pfSense able to talk to the servers?

These steps are fantastic! I tried them, but it didn't work on pfSense 2.3.2-RELEASE-p1 (amd64) on a NetGate SG 4860.
So, I opened a support ticket with NetGate.
Their response was that this is an insecure method. "First option I would not consider because it is not secure - letting vpn users in servers subnet may lead to security problems like ip spoofing, arp poisoning... "
I've got a Cisco ASA set on 192.168.10.1 and a pfSense box I set on 192.168.10.254, as a DHCP server as well. The idea was for redundancy, but of course if I VPN in, I can only access any PCs that the pfSense machine has given DHCP addresses to (ironically, the Cisco is faster usually) and the static IP servers in the system. The goal of course is for OpenVPN users on the pfSense box to access the entire network.
I figured the bridge would work great, give VPN users a 192.168.10.X address. Netgate apparently considers the entire reason we bought the pfSense box to be beside the point, so we may be returning it on Monday. LOL.
Symptoms: I could get it to work with these excellent instructions, but still had the same problem that I could only access servers that were using the pfSense DHCP server. None of the other devices were contactable. This makes no sense to me. I can post more detailed logs. I'll give it a go yet again.
NetGate recommended that I set up a route in the Cisco machine to say 172.16.0.1 and set that up as my VPN IP. I'd prefer not to make changes to the Cisco machine; it's handled by another vendor and they don't know we're replacing them.
One question: on this step:
I actually have THREE interfaces. There's an OpenVPN interface, there's a tap1 interface, and a tap2 interface. I assume I assign the OpenVPN interface? What do I do with tap1 and tap2 (and why are there two?)
Create your Interface and Bridge:
1) Interfaces ---> (assign)
2) add an interface by pressing the "+" button
3) in the drop-down box next to the OPT1 interface that was created, choose the OpenVPN server instance we just created
If I change the OpenVPN from tap to tun, the tap1 and tap2 interfaces don't disappear. Do I have cruft in the system?
Thanks, sorry for the long post!
== John ==