• Client specific overrides for multiple user certificates

    8
    0 Votes
    8 Posts
    2k Views
    jimpJ
    No, that is not viable if you wish to use overrides and perform strict user/cn matching.
  • Isolating OpenVPN Network

    8
    0 Votes
    8 Posts
    2k Views
    DerelictD
    You need a better grasp regarding what firewall rules should go where: https://doc.pfsense.org/index.php/Firewall_Rule_Basics https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
  • OpenVPN between Main Office and 15 branch office + few road warriors

    4
    0 Votes
    4 Posts
    1k Views
    A
    Thank You Derelict for responding. Yes, I am now running two instances of OpenVPN server: one for the road warriors and the other for connecting all the sites. Although it turned out to be quite simple, in case anyone wants a step by step guide please let me know. Thank you, Ashima
  • OpenVPN Auth Errors after update to pfSense 2.3.3-RELEASE

    9
    0 Votes
    9 Posts
    3k Views
    G
    @firegood: @jimp: What auth settings do you have on the tunnel? Local? Remote (RADIUS/LDAP)? Does authentication still work for that user under Diag > Authentication? There were a couple of changes in that area but nothing that I've seen fail now that was working before. I am seeing the same thing as well. I have a site I VPN into once or twice a week. Nothing changed on the client side; upgraded to 2.3.3 from 2.3.2 and now I can't get in. I have the VPN tunnel set up to use a RADIUS authentication server that goes back to MS Server 2012 via Network Policy Server hooked to AD. Test authentication works just fine under diags. I am getting these error logs: TLS Auth Error: Auth Username/Password verification failed for peer WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1 user 'XXXX' could not authenticate. I would love to get with you and see how you have the RADIUS setup tied back into AD!
  • ExpressVPN with two subnets

    2
    0 Votes
    2 Posts
    2k Views
    J
    Crap! I just lost the second post because the software logged me out before I hit post. Now I'm pissed off, so I'll continue this later… JayArr
  • Using PIA with netflix

    4
    0 Votes
    4 Posts
    2k Views
    P
    @myth20: Took me 3 years to get my CCNP R&S. I have an understanding of how subnetting works.

    Cool, sorry, my post was aimed at anyone who comes here looking for an (easy) answer. There isn't one, and this is the only way I could get it to work.

    @myth20: So you would run TCPLogview on a Windows machine and this will list all Netflix IPs?

    No, it will only list IPs that, more than likely, are currently resolved by DNS for particular Netflix domains; it won't give you everything, BUT I did notice a trend of 52 and 54 addresses that were being accessed and went from there, as you can use ultratools.com to find the subnets for the IPs listed and stick them in the Alias. They DO change from run to run, but the majority seemed to be within the 52 and 54 ranges above, and since adding these to the Alias (several weeks ago), I have not had to add any more.

    @myth20: 52.0.0.0/10 & 54.0.0.0/10 will cover 52.0.0.0 - 52.63.255.255 & 54.0.0.0 - 54.63.255.255 nnnnnnnn.sshhhhhh.hhhhhhhh.hhhhhhhh Did you try adding those prefixes instead of smaller subnets?

    It will, but there are subnets owned by companies OTHER than Amazon / Netflix within that range that I didn't want to route via the VPN, which is why I used https://www.ultratools.com/tools/ipWhoisLookup to find which subnets were owned specifically by Amazon / Netflix in that /10 and subnetted it from there. There ARE other IPs but these seem to be the main ones that Netflix is using IN MY CASE. I can't stress that enough: I have no idea if connections from your location will resolve to the same subnets. This is why you need to use something like TCPLogview to A) confirm this and B) get the rest of the IPs that you need. As I said above, there is no easy answer here, no correct set of IPs, and my range could change tomorrow, but I'll be able to find out what they resolve to by using the method above.

    I've seen lists of ranges with Netflix IPs off the internet that were useless and missing ranges, so your only real method is to find them yourself. It might take you an hour of loading and closing the Netflix app, clearing TCPLogview and rechecking and adjusting the alias list, but it works.
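The procedure in the post above (collect observed destination IPs, look up who owns each prefix, keep only the wanted owners' prefixes in the alias, and avoid a blanket /10 that would also push unrelated traffic through the VPN) can be scripted once the WHOIS answers are in hand. The following is an added example, not code from the post or from pfSense; the WHOIS table and the observed IPs are constructed sample data, not real Amazon or Netflix allocations, and the function names are assumed.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network

# Constructed stand-in for per-prefix WHOIS results. These are NOT real
# Amazon/Netflix allocations; they only exercise the method.
WHOIS: Dict[str, str] = {
    "52.8.0.0/14": "Amazon",
    "52.12.0.0/14": "Amazon",
    "52.16.0.0/14": "Amazon",
    "52.48.0.0/12": "SomeOtherOrg",   # inside 52.0.0.0/10 but not Netflix's
    "54.32.0.0/12": "Amazon",
}

# Constructed sample of destinations seen in TCPLogview while the app ran.
OBSERVED = ["52.9.1.1", "52.13.0.7", "52.17.200.3", "54.40.9.9",
            "52.50.0.5", "198.51.100.7"]


def owner_of(ip: str, whois: Dict[str, str]) -> Optional[Tuple[Net, str]]:
    """Most specific WHOIS prefix containing ip, together with its owner."""
    addr = ipaddress.IPv4Address(ip)
    best: Optional[Tuple[Net, str]] = None
    for prefix, owner in whois.items():
        net = Net(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return best


def build_alias(observed: Iterable[str], whois: Dict[str, str],
                wanted: Set[str]) -> Tuple[List[Net], List[str]]:
    """Alias networks (owner prefixes, merged where adjacent) plus the observed
    IPs that fell outside any wanted owner's prefix and need a manual look."""
    keep: Set[Net] = set()
    uncovered: List[str] = []
    for ip in observed:
        hit = owner_of(ip, whois)
        if hit and hit[1] in wanted:
            keep.add(hit[0])
        else:
            uncovered.append(ip)
    return sorted(ipaddress.collapse_addresses(keep)), uncovered


def overreach(alias: List[Net], blanket: str) -> int:
    """Addresses a blanket prefix (e.g. 52.0.0.0/10) would policy-route through
    the VPN beyond what the alias actually needs."""
    big = Net(blanket)
    covered = sum(n.num_addresses for n in alias if n.subnet_of(big))
    return big.num_addresses - covered


if __name__ == "__main__":
    alias, leftovers = build_alias(OBSERVED, WHOIS, {"Amazon", "Netflix"})
    print("alias entries:", [str(n) for n in alias])
    print("needs manual check:", leftovers)
    print("extra addresses a 52.0.0.0/10 entry would route:",
          overreach(alias, "52.0.0.0/10"))
```

The uncovered list is the part worth watching: an observed IP with no wanted owner is either a prefix you have not looked up yet or traffic you do not want in the alias at all, and the script refuses to guess which.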
  • Odd line endings when OpenVPN auth files pasted through browser

    8
    0 Votes
    8 Posts
    2k Views
    O
    @kpa: A csr file would never work as a certificate (argument for the cert option) for OpenVPN; it's just a certificate request that cannot be used for anything else but sending it to a certificate authority for signing and getting the real certificate. Make sure you're not mixing up files. The configuration I was referencing was an old, non-working one… of course the csr did not work when configured as cert.
  • OpenVPN bridge

    1
    0 Votes
    1 Posts
    601 Views
    No one has replied
  • Split tunneling using openVPN, PIA for remote accessing Plex server

    2
    0 Votes
    2 Posts
    2k Views
    4
    Hello, I have been trying for a long time to get the remote Plex connection working over OpenVPN, unsuccessfully. It can work routed over the WAN, but I can't get it working over OpenVPN. If you managed to solve this, I would appreciate some advice on how you did it. Cheers
  • Site-To-Multisites with One Instance, is it possible or not ?

    5
    0 Votes
    5 Posts
    2k Views
    DerelictD
    You have to put "Remote Networks" in the server settings. That is what creates the FreeBSD route into the OpenVPN instance. This is the OpenVPN route directive.

    Then, in the CSOs, you put the actual remote site networks. These must be contained within the server route above. This creates the OpenVPN iroute directives which tell OpenVPN what to do with the traffic when it gets it - as in what client to send it to.

    So in the example given, server local networks would be 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, server remote networks could be 192.168.1.0/24, and the CSOs would contain the /26 for each client in the IPv4 Remote Networks there.

    I would probably opt for something more like:

    Server remote network: 172.29.160.0/19
    CSOs: 172.29.160.0/24, 172.29.161.0/24, 172.29.162.0/24, etc.

    Or even: 172.29.160.0/22, 172.29.164.0/22, 172.29.168.0/22, 172.29.172.0/22 so each site has 4 /24 subnets to do with as they see fit without changes to the VPN. The /19 would allow growth to 8 branches of 4 /24s each, while the address "collision" possibility with other sites would be limited to 172.29.160.0/19.

    You should probably use Peer to Peer (SSL/TLS) mode for the server for this.
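The route/iroute split described in the post above is easy to get wrong by hand, because an iroute that is not covered by a server route fails silently: the kernel never sends the packet into the OpenVPN instance, so OpenVPN never gets the chance to pick a client. The following is an added example, not code from the post or from pfSense, that turns the post's /19-plus-/22s plan into the `route` and per-CSO `iroute` directives and enforces the containment rule before anything is written out. The directive syntax is OpenVPN's own; the CSO names (branch1 and so on) and the function names are assumed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


def plan_routes(server_remote: List[str],
                csos: Dict[str, List[str]]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (server 'route' lines, {CSO name: ['iroute ...', ...]}).

    Checks the rule from the post: every CSO network must sit inside one of the
    server's remote networks, or the kernel route never hands that traffic to
    OpenVPN and the iroute is dead. Overlapping CSO networks are rejected too,
    since OpenVPN would then have two candidate clients for one destination.
    """
    routes = [Net(n) for n in server_remote]
    claimed: List[Tuple[str, Net]] = []
    ccd: Dict[str, List[str]] = {}
    for name, nets in csos.items():
        ccd[name] = []
        for raw in nets:
            net = Net(raw)
            if not any(net.subnet_of(r) for r in routes):
                raise ValueError(f"{name}: {net} is outside every server remote network")
            for owner, other in claimed:
                if net.overlaps(other):
                    raise ValueError(f"{name}: {net} overlaps {owner}'s {other}")
            claimed.append((name, net))
            # Directive syntax is OpenVPN's own: iroute <network> <netmask>.
            ccd[name].append(f"iroute {net.network_address} {net.netmask}")
    server_lines = [f"route {r.network_address} {r.netmask}" for r in routes]
    return server_lines, ccd


def client_for(csos: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Which connected client OpenVPN would hand a packet for dst to:
    the most specific iroute wins."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Tuple[str, Net]] = None
    for name, nets in csos.items():
        for raw in nets:
            net = Net(raw)
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None


if __name__ == "__main__":
    # The /19 plus four /22s suggested in the post; CSO names are assumed.
    branches = {
        "branch1": ["172.29.160.0/22"],
        "branch2": ["172.29.164.0/22"],
        "branch3": ["172.29.168.0/22"],
        "branch4": ["172.29.172.0/22"],
    }
    server, ccd = plan_routes(["172.29.160.0/19"], branches)
    print("server.conf:", *server, sep="\n  ")
    for name, lines in ccd.items():
        print(f"ccd/{name}:", *lines, sep="\n  ")
    print("172.29.165.10 ->", client_for(branches, "172.29.165.10"))
    try:  # a CSO outside the server route is caught instead of silently failing
        plan_routes(["172.29.160.0/19"], {"bad": ["192.168.50.0/24"]})
    except ValueError as err:
        print("rejected:", err)
```

In pfSense the "IPv4 Remote Networks" field of the server and of each CSO is what produces these lines; the script is only a pre-check of the plan, so run it against the intended addressing before touching the GUI.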
  • Incoming torrent connections

    4
    0 Votes
    4 Posts
    1k Views
    T
    They are under Firewall > NAT > Port Forward and Firewall > Rules > WAN. Thanks very much
  • VPS as public IP provider

    5
    0 Votes
    5 Posts
    4k Views
    D
    Any updates on this? I have a similar setup working fine but I'd like to do this with multiple VPS IPs and multiple hosts behind the pfSense router. If possible, I'd also like to rewrite the source IP to the actual client IP and not the VPN gateway.
  • Solved: Routing some traffic over the OpenVPN Gateway

    2
    0 Votes
    2 Posts
    780 Views
    B
    I figured it out. It was the Manual Outbound NAT rule generation rules that had to be configured. I used this guide: https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1 But instead of using the WAN interface I had to use the vpn interface which I created from the Openvpn Client connection. Good Luck!
  • 0 Votes
    1 Posts
    954 Views
    No one has replied
  • OpenVPN Client Export fault in export for TAP and IOS/Android

    2
    0 Votes
    2 Posts
    670 Views
    jimpJ
    dev tap isn't included in that on purpose because, as you stated, those devices don't support tap. If you load that config into the app it would fail to import or function because of the dev tap line. The way the export package is coded it isn't feasible to disable those export buttons for some VPNs and not others, so we err on the side of not creating invalid configuration files for the platform.
  • AES-256-GCM with HMAC-SHA384 for authentication

    5
    0 Votes
    5 Posts
    1k Views
    jimpJ
    @Mithrondil: I was referring to the fact that AES-256-GCM is not selectable in the Encryption algorithm dropdown in pfSense. It isn't supported until OpenVPN 2.4, which is only on pfSense 2.4. And it is in the list there.
  • OpenVPN client (outbound) problem on Multi-WAN setup

    2
    0 Votes
    2 Posts
    658 Views
    S
    Never mind. Turns out the OpenVPN Interface option must have "any" selected. It was WAN only before. Is it still safe to choose any? Cheers
  • OpenVPN and CPU AES-NI

    5
    0 Votes
    5 Posts
    2k Views
    P
    Thanks, will do. I am not using VPN > IPsec; instead my client is in VPN > OpenVPN.
  • Openvpn issues some guidance please!

    1
    0 Votes
    1 Posts
    419 Views
    No one has replied
  • OpenVPN Multiple Site to Site routing

    6
    0 Votes
    6 Posts
    3k Views
    V
    The setting for the site-to-site I've suggested above is necessary anyway for correct routing. Look, if you try to access a LAN device on site B from a VPN client on site A, the packet is sent to the site A pfSense, because of the route which is pushed to the client. Site A directs the packet to site B, because it also has a route for site B's LAN. The packet reaches the device on site B, which sends its response addressed to an IP in 10.10.210.0/24 back to its default gateway, which is the site B pfSense. If there is no special route for 10.10.210.0/24, the gateway will send the packet to its upstream gateway, thus to the internet, where the packet will be dropped because the destination subnet is not routed there. Therefore you need a route on site B which directs packets destined to 10.10.210.0/24 back over the site-to-site tunnel to site A.
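The asymmetric path in the post above is easier to see by tracing both directions through a small model of the routing tables. The following is an added example, not code from the thread or from pfSense: it models the road-warrior client, the two pfSense boxes and a LAN host on site B with longest-prefix-match tables, and traces the request and the reply with and without the return route on site B. 10.10.210.0/24 is the post's road-warrior network; the two LAN prefixes, the node names and the function names are assumed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]  # (destination prefix, next hop: another node or a terminal)


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over one node's routing table."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, hop in table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace(tables: Dict[str, List[Route]], start: str, dst: str,
          max_hops: int = 8) -> List[str]:
    """Follow next hops from `start` toward dst. A hop that is not itself a node
    ('lanB', 'internet', 'tun-to-client') is where the packet ends up."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = lookup(tables[node], dst)
        if hop is None:
            return path + ["drop"]
        path.append(hop)
        if hop not in tables:
            return path
        node = hop
    return path + ["loop"]


def build_tables(site_b_has_return_route: bool) -> Dict[str, List[Route]]:
    """Constructed model: a road-warrior client on 10.10.210.0/24 (the post's
    number) connects to site A, which has a site-to-site tunnel to site B.
    192.168.10.0/24 (site A LAN) and 192.168.20.0/24 (site B LAN) are assumed."""
    site_b: List[Route] = [
        ("192.168.20.0/24", "lanB"),
        ("192.168.10.0/24", "siteA"),   # existing tunnel route for site A's LAN
        ("0.0.0.0/0", "internet"),
    ]
    if site_b_has_return_route:
        # The fix from the post: send the road-warrior subnet back over the tunnel.
        site_b.insert(0, ("10.10.210.0/24", "siteA"))
    return {
        "client": [  # routes pushed to the road warrior by site A's server
            ("192.168.10.0/24", "siteA"),
            ("192.168.20.0/24", "siteA"),
            ("0.0.0.0/0", "internet"),
        ],
        "siteA": [
            ("192.168.10.0/24", "lanA"),
            ("192.168.20.0/24", "siteB"),
            ("10.10.210.0/24", "tun-to-client"),
            ("0.0.0.0/0", "internet"),
        ],
        "siteB": site_b,
        "hostB": [  # a LAN device on site B with pfSense as its default gateway
            ("192.168.20.0/24", "lanB"),
            ("0.0.0.0/0", "siteB"),
        ],
    }


if __name__ == "__main__":
    for fixed in (False, True):
        t = build_tables(fixed)
        print("site B has return route:", fixed)
        print("  request :", " -> ".join(trace(t, "client", "192.168.20.50")))
        print("  reply   :", " -> ".join(trace(t, "hostB", "10.10.210.6")))
```

Without the extra route the reply leaves site B towards its upstream gateway and is lost, exactly as the post describes; with it the reply rides the site-to-site tunnel back to site A and from there into the road-warrior tunnel. The same check applies whenever a new subnet is added behind any site: every other site's table has to know the way back.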
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.