If you connect via SSH you can monitor the log directly and, if you set a large scroll back buffer in the client, can capture more logs. From the shell, run clog -f /var/log/openvpn.log Or setup a syslog server and export the logs there for more/long term storage.

@heathstiles said in OpenVPN Routes to Remote sites: The sites are connected using IPsec Site to Site VPN tunnels if that makes any difference. You didn't mention above. Of course is that different. So will have to add an additional phase 2 in the IPSec configuration for the respective local network and the OpenVPN tunnel network.

@JKnott said in best pfsense appliance for openvpn: @akuma1x Also, how much traffic is going off the local network? There's a big difference between mainly using local servers and going to the Internet for everything. I agree with jknott I think its better to plan that out first..

Glad you have it working now. -Rico

It looks similar there but between the formatting and other info it's hard to say. Compare the actual OpenVPN config file in the profile from the Access Server with the client configuration made by pfSense under /var/etc/openvpn/

@bingo600 I just added an additional interface for openvpn client. If you want to ask feel free to ask, not starting like that. And the reason I couldn't post anymore because this is a new account, the forum limits my time to post, I was fixing this earlier and I want to post a lot of times.

Thanks for the feedback. The MS RADIUS server has no static address specified by default but it does offer the above 172.16.0.0/16 subnet though it's not "user configurable" (I discovered it looking at the logs - there are no such setting in the NAP/RADIUS mmc) unless you probably manually edit the registry (there was no RRAS service previsouly enabled to set them). By removing the 2 above attributes it works as desired using subnet topology without further modifications which is fine for me. Cheers

Hi, with pfSense 2.4.4, it's possible to "force" the ip server to connect : In the "Client Export Utility", "Client Connection behavior" heading, select "Other" for "Host Name Resolution". A second field appears "Hostname" and indicate in the hostname (dyndns, etc.) or public ip of the box... The next exe client generated will had the good public ip or hostname !

Hi Rico, Just to update: Since I have two ISP connected to my firewall (1) PPPoE Connection (which is having issue) (2) Static IP Address. I have tried using my secondary ISP by only changing the Interface and created the necessary firewall rules on the interface and the OpenVPN client connects w/out any issue, so it looks like my other ISP is blocking the traffic i still waiting for their feedback. BTW, I have another issue please see the diagram below. [image: 1584354612680-unnamed0.jpg] I also tried this options but no luck. [image: 1584354679947-ipv4.jpg] Appreciate your advice. Thanks, A

This might be helpful. https://forum.netgate.com/topic/150225/user-xxx-could-not-authenticate-every-1-hour

@mig said in Restarting OpenVPN interrupts non-VPN traffic: I tried to add ping-restart 0 to OpenVPN-Clients-"Advanced configuration"-"Custom options" but it doesn't suppress ping-restarts

@Derelict Ah ok, thanks for investigating, I was just reading through that link you sent me. There are a lot of useful command line options in there

@Derelict Thank you, you made my day! I need to learn more about basic networking.