• Internet access only when OpenVPN stopped

    0 Votes · 3 Posts · 663 Views
    Some more playing around and I seem to have sorted it, dnsleak test performed and successful, snort installed and working as far as I can tell... just need to work out my poor speeds...
  • 0 Votes · 3 Posts · 1k Views
    Hi marvosa. So let me preface with that I am running pfsense virtualized, under proxmox. I also have 2 pfsense instances in a CARP, but I'm currently just trying to set up OpenVPN on the primary, so I don't think the fact that I'm running in a CARP pool is relevant (could be, I suppose). The physical hardware running these pfsense instances will eventually be going to colo, but I'm trying to get them set up on my local network first to configure (then just change WAN IPs and ship it to the colo).

    So let me try to explain my network setup.

        MY LAN, 172.16.1.0/24
        COLO WAN (VLAN on my real LAN), 172.16.2.0/24
        COLO internal LAN, 10.10.10.0/24
        COLO internal VPN, 10.10.0.0/24
        pfSense WAN IP - 172.16.2.26 (CARP VIP to 172.16.1.28)
        pfSense LAN IP - 10.10.10.251 (CARP VIP to 10.10.10.254)

    I have a CentOS instance at 10.10.10.250, on my colo internal LAN. From this box, 10.10.10.250, I can access the internet... so that means that pfSense is routing traffic out 172.16.2.26, through my real firewall, out to my real WAN. On my real firewall, I am NAT'ing UDP/1194 to my pfsense WAN IP, and I'm able to connect to the OpenVPN instance running on pfSense. So..

        WAN <--> pfSense WAN/172.16.2.26 <--> pfSense LAN/10.10.10.251 <---> LAN/10.10.10.0/24
                                                           |
                                                           --> VPN/10.10.0.0/24

        [2.3.2-RELEASE][admin@fw01.colo01.<redacted>]/var/etc/openvpn: cat server1.conf
        dev ovpns1
        verb 8
        dev-type tun
        tun-ipv6
        dev-node /dev/tun1
        writepid /var/run/openvpn_server1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp
        cipher AES-256-CBC
        auth SHA512
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        client-connect /usr/local/sbin/openvpn.attributes.sh
        client-disconnect /usr/local/sbin/openvpn.attributes.sh
        local 172.16.2.26
        tls-server
        server 10.10.0.0 255.255.255.0
        client-config-dir /var/etc/openvpn-csc/server1
        username-as-common-name
        auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
        tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'fw01.colo01.<redacted>' 1"
        lport 1194
        management /var/etc/openvpn/server1.sock unix
        max-clients 4
        push "route 10.10.10.0 255.255.255.0"
        push "dhcp-option DOMAIN <redacted>"
        push "dhcp-option DNS 10.10.10.254"
        client-to-client
        ca /var/etc/openvpn/server1.ca
        cert /var/etc/openvpn/server1.cert
        key /var/etc/openvpn/server1.key
        dh /etc/dh-parameters.4096
        tls-auth /var/etc/openvpn/server1.tls-auth 0
        persist-remote-ip
        float
        topology subnet

    Does all that make sense?
  • Site-to-Site-OpenVPN: Hostname Resolution of the Remote Clients

    0 Votes · 10 Posts · 4k Views
    Hey, okay, you're right... The more sites are added to the VPN, the more complex it becomes, because each site has to be configured separately... So I started reconfiguring it from scratch. So I started trying it again... First, to answer your questions:

    How are you testing? (from where, to where, what are you trying to look up?)
    I was testing from a Windows computer at each site. At each site, the computer is in the same subnet as the pfsense router.

    What are the configured DNS servers on the host you are testing from?
    When looking at System -> General Setup of both pfsense boxes, no additional DNS servers are provided. All DNS server input fields are empty. However, there is a checkmark at "Allow DNS server list to be overridden by DHCP/PPP on WAN". When typing "ipconfig /all" at any Windows computer, the pfsense IP address is configured as DNS server (e.g. 192.168.1.1).

    What are the search domains configured on the host you are testing from? etc.
    On the Windows computers, the option is set to receive the DNS server list automatically (DHCP enabled). There are no additional DNS servers entered in the adapter settings of the ethernet controller. This means the only DNS server a computer from subnet 192.168.2.0/24 is using is the pfsense box 192.168.2.1. Computers in the subnet 192.168.1.0/24 are using pfsense box 192.168.1.1 as DNS server.

    When being at the remote site and trying to access the pfsense box of the main site, pfsense.garden.tld, I have the impression that the local pfsense router is asked "what's the address of remote/main site pfsense.garden.tld", but the local pfsense doesn't know about it? Windows command prompt shows:

        C:\Users\Administrator>ping pfsense.garden.tld
        Ping request could not find host pfsense.garden.tld. Please check the name and try again.

    For testing purposes, at the remote site, I don't have any host override configured right now.

    The only thing I configured at the remote site is a domain override with the following parameters:

        Domain: garden.tld
        IP address: 192.168.1.1
        Source IP: 192.168.2.1

    At the main site I have configured a Domain Override and a Host Override:

        Domain Override:
          Domain: domain-of-remote-site.tld
          IP address: 192.168.2.1
          Source IP: 192.168.1.1
        Host Override:
          Host: pfsense
          Domain: garden.tld
          IP address: 192.168.1.1

    According to https://forum.pfsense.org/index.php?topic=98198.0 it should even work without entering host overrides and just using domain overrides... All Windows computers on each site are using the pfsense router in the same subnet as DNS server - however, pfsense doesn't know about the remote hostnames - although domain overrides are configured!

    EDIT: I changed my config from DNS forwarder to DNS resolver. I only have domain overrides (no host overrides) and it seems it's finally working now! Cool :) Thanks for your help so far! That's extremely nice when I don't have to configure host overrides! :)
  • Openvpn tap bridge issue

    0 Votes · 4 Posts · 883 Views
    https://www.reddit.com/r/PFSENSE/comments/3hql33/configuring_openvpn_bridge_with_local_dhcp/
  • OpenVPN TAP Bridging with LAN

    0 Votes · 3 Posts · 7k Views
    I'd guess you have to bridge the tap interface to the LAN. I think that was a change in 2.3, so the old guide doesn't work: https://www.reddit.com/r/PFSENSE/comments/3hql33/configuring_openvpn_bridge_with_local_dhcp/
  • OpenVPN TAP, pfsense not acting as gateway, any way to get lan access?

    0 Votes · 3 Posts · 1k Views
    I'd like to TAP for a Steam Link. Broadcasts don't need a gateway. Also you can push a default gateway via push "route-gateway 10.80.0.250" in your custom settings area. I haven't had much time to mess with tap mode, but I know Chromecast isn't working, another local broadcast type app.
  • OpenVPN client unable to connect

    0 Votes · 6 Posts · 2k Views
    Thanks for the suggestion. But I take that as more of a workaround than solving the problem. It also doesn't resolve the issue where the port the client is connecting with is not what the server is responding to.
  • OpenVPN with non-default gateway

    0 Votes · 2 Posts · 798 Views
    This is a simple user access VPN, not a site to site.

        Internal IPs are 192.168.10.X
        PFSense is 192.168.10.254
        Cisco is 192.168.10.1
        PFSense gives out 172.30.30.X addresses to VPN

    I can access 192.168.10.254 via VPN when connected. My IP address is 172.30.30.2 when connected. Now that the office is 'waking up' I do get some DHCP addresses; the two internal printers are both pingable, but I cannot print to them. Says it's offline. Although the Redirect Gateway option is specified, "Force all client generated traffic through the tunnel", when I connect I don't see it:

        Connection-specific DNS Suffix  . : corp.com
        Link-local IPv6 Address . . . . . : stuff
        IPv4 Address. . . . . . . . . . . : 172.30.30.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

    I can trace a route to a printer, for example, but not connect:

        Tracing route to HPOJ8600.corp.com [192.168.10.100]
        over a maximum of 30 hops:
          1    22 ms    19 ms    24 ms  172.30.30.1
          2    28 ms     *       21 ms  HPOJ8600.corp.com [192.168.10.100]

    Which makes me think I'm missing some allow rules, but the wizard added the following rule:

        3/10 KiB  IPv4 *  *  *  *  *  *  none  OpenVPN Remote user access wizard

    Do I need to add allow rules from 172.30.30.x to 192.168.10.x and vice versa?

    == John ==
  • How to: internet through failover OVPN clients

    0 Votes · 1 Post · 440 Views
    No one has replied
  • Anyone have luck getting TAP mode to work on Mac?

    0 Votes · 2 Posts · 703 Views
    bump for the night crew
  • OpenVPN Log flooded with…

    0 Votes · 8 Posts · 2k Views
    Ah, got it, thanks.
  • OpenVPN error

    0 Votes · 3 Posts · 2k Views
    I get the same error when pfsense boots up from a snapshot upgrade. Every time I upgrade I have to wait for it to boot, then reboot again, and then it's fine.
  • How to distinguish ovpn client interfaces?

    0 Votes · 3 Posts · 684 Views
    Thanks, that's exactly what I was looking for! Before, I thought that 'description' is a usual 'comment' attribute which is visible only when editing the ovpn profile.
  • Connected with no error but can't ping tunnel gateway?

    0 Votes · 6 Posts · 2k Views
    Hi Marvosa, Here's the config:

        dev ovpns2
        verb 1
        dev-type tun
        tun-ipv6
        dev-node /dev/tun2
        writepid /var/run/openvpn_server2.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto tcp-server
        cipher AES-256-CBC
        auth SHA1
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        client-connect /usr/local/sbin/openvpn.attributes.sh
        client-disconnect /usr/local/sbin/openvpn.attributes.sh
        local xx.xx.xx.xx
        tls-server
        server 192.168.89.0 255.255.255.0
        client-config-dir /var/etc/openvpn-csc/server2
        username-as-common-name
        auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server2" via-env
        tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'router.domain.local' 1"
        lport 443
        management /var/etc/openvpn/server2.sock unix
        max-clients 1
        push "route 192.168.88.0 255.255.255.0"
        push "dhcp-option DOMAIN domain.local"
        push "dhcp-option DNS 192.168.88.3"
        push "dhcp-option DNS 8.8.8.8"
        ca /var/etc/openvpn/server2.ca
        cert /var/etc/openvpn/server2.cert
        key /var/etc/openvpn/server2.key
        dh /etc/dh-parameters.2048
        tls-auth /var/etc/openvpn/server2.tls-auth 0
        persist-remote-ip
        float
        topology subnet
        push "route 192.168.88.0 255.255.255.0"
        mute 10
        comp-lzo
  • You need to use --askpass to make passphrase-protected keys work

    0 Votes · 2 Posts · 3k Views
    Hey, have you found a solution to your problem? Cause I have exactly the same trying to connect to a VPN service provider (nordvpn). Thanks. Kind regards,
  • MOVED: pfsense, OpenVPN and Microsoft Azure

    Locked
    0 Votes · 1 Post · 408 Views
    No one has replied
  • Importing existing Linux OpenVPN setup

    0 Votes · 2 Posts · 675 Views
    You haven't described what connects to what in this setup. Is a Linux server acting as an OpenVPN server and other boxes connect as clients? Any Windows clients? How many boxes/connections are we talking about? Is it a full mesh setup? Have you designated a single server or other system as the "Keeper of the Certificates"? In general it shouldn't be too tough to migrate over to pfSense fairly seamlessly. Should be a matter of importing the required CA and (possibly a new) Cert for the pfSense OpenVPN server. Then it's a matter of copying in the settings from the existing config into a new OpenVPN server instance under pfSense. Personally, for one server, I would hand enter the settings from the old OpenVPN server's config into the pfSense GUI. Better error checking and less chance of something "odd" happening.
  • Non-existing VPN client

    0 Votes · 3 Posts · 850 Views
    @dotdash: Try deleting the gateway under system, routing. Also check if it is assigned as an interface (interfaces, assign) Aaaand: it's gone. I just hit you with da karma stick, thank you  :-*
  • OpenVPN Site to Site with Tomato Client

    0 Votes · 6 Posts · 2k Views
    I think this boils down to the way OpenVPN is implemented in tomato. If I use a client from behind the tomato, I'm able to connect. If I use the same parameters, it connects but no traffic flows through. ::) :o :o >:(
  • Troubleshooting weirdness

    0 Votes · 2 Posts · 603 Views
    There's one extra line in the vpn config with the problem = lport 0
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.