• (SOLVED) Users can't access network over VPN but I can

    13
    0 Votes
    13 Posts
    7k Views
    @johnpoz: "Removed VLAN90 (a VLAN I had setup for VPN)" That would be my guess to your problem…  Revo list and or what certs is being used as long as they auth have nothing to do with it.. Possibly, but the weird thing is one user DID have access through the VPN. I can't reconcile how any of these changes suddenly let all users through instead of just the one. I'm glad I have it working, but I still can't figure out why haha.
  • VNC clients management via VPN

    3
    0 Votes
    3 Posts
    725 Views
    I agree, use the "OpenVPN Remote Access Server Setup" wizard…. VPN -> OpenVPN -> Wizards Here is a link to the wiki for more info -> https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server
  • Site to Site VPN works but can't join domain on other side

    2
    0 Votes
    2 Posts
    990 Views
    There are multiple ways of solving this issue assuming it's DNS related. Some solutions are more efficient than others, but let's say your domain is example.com:
    1. Leverage the DNS forwarder and add example.com to the Domain Overrides.
    2. Configure a DNS server on site B. Add a conditional forwarder for example.com that is pointed at the DC on Site A.
    3. Configure a DNS server on site B. Add a primary forward zone for example.com and create an "A" record for example.com and point it at the DC on Site A.
    4. In theory, you could also do this -> While option 1 is in play (or add example.com to the hosts file here), spin up a server on Site B, join the domain, promote this server to a backup domain controller.
    5. Add example.com to the hosts file on every machine in site B. (A management nightmare and the most inefficient method, but will work)
  • (SOLVED) Local Name resolution with OpenVPN

    3
    0 Votes
    3 Posts
    3k Views
    That was the ticket. Thank you for your help. It works correctly now. Joe
  • Strange Routing Behaviour - Config Change

    1
    0 Votes
    1 Posts
    398 Views
    No one has replied
  • Feasibility: OpenVPN SSL/TLS sites to sites with multi-wan and ospf.

    2
    0 Votes
    2 Posts
    1k Views
    jimp
    It can work in SSL/TLS mode but it has to use tap, not tun. It won't work in net30 or subnet topology last I tried it. The rest of the setup can be similar, just use tap mode with a /24 tunnel network and ignore the bridging parts.
  • OpenVPN S2S works but cannot access CIFS share

    9
    0 Votes
    9 Posts
    2k Views
    It's a workgroup, so no domain controller. PfSense router is the DHCP and DNS server for each subnet. It serves DNS fine locally and via Remote Access OpenVPN, but doesn't seem to like this configuration. However, DNS Resolver worked when I added the server to the list of Host Overrides. Thanks!
  • OpenVPN rules other than any/any wizard rule?

    4
    0 Votes
    4 Posts
    3k Views
    SUCCESS! I did as you said, added the openvpn server as a separate interface. Then I copied the any/any OpenVPN rule to the new interface, and deactivated it on OpenVPN interface. Both internet and LAN hosts are now reachable through my VPN server, and the VPN provider's port forwarding to me works. :)
  • Configuring as OpenVPN server only on single interface

    3
    0 Votes
    3 Posts
    2k Views
    I do plan to eventually make the SG-1000 my primary router for myself, but currently I have a lot of special configuration on the router that I don't want to replicate and I don't want the "production" network to go down if I screw-up the SG-1000 configs. Also, I want to have the option to use SG-1000 as an "OpenVPN appliance" that I can just "drop-in" to client networks by having it completely pre-configured.  The LAN port would get an address by DHCP, so the only configuration I would have to do is define a DHCP address reservation on the foreign/main router and add one port forward to it and then the SG-1000 would just be a "plug and play" device to add a short-term inbound VPN to the network.  A "keep in the toolkit" and deploy so I could minimize time onsite and do the more advanced network administration (of the other stuff, not the SG-1000) via a secure remote access VPN.  (Theoretically, I might even be able to FedEx it to a client and talk them through the minimal installation without a physical trip.)
  • MOVED: openvpn 2.4 and pia

    Locked
    1
    0 Votes
    1 Posts
    494 Views
    No one has replied
  • Openvpn handshake failed

    5
    0 Votes
    5 Posts
    1k Views
    Is your work LAN subnet really 192.168.1.0/24? Also, your tunnel network is fairly narrow (/29) which means it can only handle 6 clients max (depending on your topology)… even less if you switch to net30 .. is that what you wanted?  Although, you're not even getting that far, you're having handshake issues... so first... we'll need to see more of the log and second, were the client certs created upon user creation?  If not, that may be your issue.
  • Openvpn client not routing traffic

    2
    0 Votes
    2 Posts
    1k Views
    I found the answer on a commercial VPN guide page. Basically I had to set up outbound NAT rules to route the traffic.
  • Routing traffic thro OpenVPN tunnel

    11
    0 Votes
    11 Posts
    3k Views
    I could go back to tomato but wanted to have a more secure setup on one end. Thank you for your help anyway. Was looking for a more step-by-step idea. I mentioned iptables just as a reference..
  • OVPN on BGP pfsense vs. running OSPF

    2
    0 Votes
    2 Posts
    835 Views
    Anyone have any kind of feedback? Did I post this in the correct section of the forums?
  • Running 2 OpenVPN Client (each on a separate VLAN)

    3
    0 Votes
    3 Posts
    707 Views
    @viragomann: That should be possible though. However, you have to care, that each client connects through the WAN gateway. So in the client settings of each check "Don't pull routes" to avoid that the server sets the default route. Now you have to control VPN traffic by firewall rules (policy routing) and each client should connect well. Thanks Viragomann!!! That worked.
  • Openvpn client on ddwrt

    4
    0 Votes
    4 Posts
    1k Views
    I just upgraded to advanced tomato version. Everything seems fine settings-wise but still I need 3 certificates: CA, Client certificate and a Client key… When I do an export from pfsense I get just one certificate... How can I get the other ones?
  • When Redirect Gateway is selected, local networks disappear

    2
    0 Votes
    2 Posts
    415 Views
    johnpoz
    If you're telling the client to go down the tunnel for EVERYTHING, there is little reason to have to send routes for your specific networks since EVERYTHING will be coming down the tunnel ;)
  • How To Create A OpenVPN Server For Use With Windows RADIUS

    2
    0 Votes
    2 Posts
    673 Views
    @ThePieMonster: haven't been able to find any guides on how to use Windows AD authentication with pfSense's OpenVPN Server. How much time have you spent searching? 0 secs? https://www.google.com/#q=pfsense+openvpn+radius+active+directory
  • Snom Phones and OpenVPN

    1
    0 Votes
    1 Posts
    426 Views
    No one has replied
  • OpenVPN server behind the provider's PAT

    7
    0 Votes
    7 Posts
    1k Views
    Yes, the problem was, that I haven't created a certificate for the user itself, but used the VPN's CA… After the modifications everything goes well now. Thank you for your help and I wish you a happy new year!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.