  • 0 Votes · 3 Posts · 455 Views
    Thank you Derelict, it works!
  • OpenVPN peer to peer (SSL/TLS) multiple site

    0 Votes · 1 Post · 835 Views
    No one has replied
  • Windows default DNS server, configurable?

    0 Votes · 4 Posts · 1k Views
    @johnpoz: The use of multiple DNS servers that cannot answer the same questions the same way is a bad idea. You can never really be sure which DNS will be queried. Windows uses many different things to figure out which DNS is queried; just because you have them listed 1 and 2 doesn't mean that is how it's always going to be queried. This is a very common mistake. The DNS servers you put in your client should be able to resolve the same stuff the same way. If you want to resolve local stuff then you should point to your server(s) that are authoritative for your local stuff, and have them query or forward to something else that can resolve public stuff. Pointing to a local and a public one at the same time is going to give inconsistent results depending on how exactly the client determines which DNS to use. Once Windows, for example, finds that DNS 2 gives answers when it had an issue with 1, it's not going to go back to 1 unless there are issues with 2, etc. Getting an NX for a query does not mean that DNS is bad; how does the DNS resolver know it should check its other DNS? What if it gets back an SOA vs. an NX, etc., etc.

    If you need to resolve work stuff when you VPN to a remote site, it's probably best to just create hosts file entries on your host for what you need to resolve on the VPN side. Your problem is that you want to resolve 2 different local domains with different name servers that are authoritative for their respective local domains. Your other option would be to run another nameserver, say on your client, that has specific forwards set up for where to go ask for specific local domains, and where to forward when it's not a local domain. So you could have a forward on this server that asks the work DNS when looking for work domains, and the VPN DNS when looking for VPN domains, etc. But splitting nameservers on your client is never going to function the way users think it does. And it can also leak DNS info, where you're asking the wrong server. For example, the work server might now know you're looking for lots of records for some odd local domain. Or if you're asking your VPN DNS for these work domains, it will either try and resolve them directly, which isn't all too bad, or maybe it forwards to your ISP DNS and now your ISP has records of all these odd queries. This is only an issue depending on how tight your tinfoil hat is. But it is another problem with having split DNS on a client where the nameservers do not have the same info on them.

    That's true, didn't think about it that way. Thank you!
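    The "run another nameserver on your client with specific forwards" option described in that reply, written out as an added example (not from the thread or from pfSense): an Unbound configuration for a VPN client that must resolve two internal domains via their own authoritative servers and everything else via one public resolver. The zone names (corp.example, lab.example) and addresses (10.10.0.53 for the work DNS, 192.168.50.1 for the pfSense resolver at the VPN site, 9.9.9.9 as the public upstream) are placeholders chosen for the example.

```conf
# Added example: Unbound running on the VPN client, splitting resolution by zone.
# All names and addresses below are placeholders; substitute your own.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    do-not-query-localhost: no

    # The internal zones are not DNSSEC-signed and answer with RFC 1918
    # addresses, so exempt them from validation and from rebind filtering.
    domain-insecure: "corp.example"
    domain-insecure: "lab.example"
    private-domain: "corp.example"
    private-domain: "lab.example"

    # Reverse zones for private ranges are answered locally by default;
    # release the ones that should be forwarded to the internal servers.
    local-zone: "10.in-addr.arpa." nodefault
    local-zone: "50.168.192.in-addr.arpa." nodefault

# Work domain: only the work DNS server is authoritative for it.
forward-zone:
    name: "corp.example"
    forward-addr: 10.10.0.53
forward-zone:
    name: "10.in-addr.arpa."
    forward-addr: 10.10.0.53

# Remote site reached over the VPN: ask the resolver at that site.
forward-zone:
    name: "lab.example"
    forward-addr: 192.168.50.1
forward-zone:
    name: "50.168.192.in-addr.arpa."
    forward-addr: 192.168.50.1

# Everything else goes to a single public resolver, so the work and VPN
# servers never see queries for each other's domains or for public names.
forward-zone:
    name: "."
    forward-addr: 9.9.9.9
```

    Validate with `unbound-checkconf` before restarting, then point the operating system's resolver at 127.0.0.1 only; listing the work or VPN servers alongside it in the client's DNS settings reintroduces exactly the inconsistent-selection problem the reply describes.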
  • OpenVPN with FreeRADIUS - time management and bandwidth control

    0 Votes · 2 Posts · 1k Views
    Any solution? Does anyone use RADIUS with OpenVPN? :(
  • Can't access my access point on network, strange tracert

    0 Votes · 10 Posts · 2k Views
    Derelict: If you can enter a default route in the static routes, then enter one pointed at the pfSense interface. That would be the preferred method.
  • Cannot Single LAN Website over OpenVPN Connection

    0 Votes · 2 Posts · 550 Views
    Just found this thread after posting. https://forum.pfsense.org/index.php?topic=111557.0 Looks like it is the TP-Link hardware. Will refer to the responses there. There is no access point mode in the router setup on the AC3200 either.
  • Site to site PKI VPN client connection trouble

    0 Votes · 1 Post · 464 Views
    No one has replied
  • iPhone Verizon IPv6 IP Address = Can't Connect. Wifi IPv4 = Can Connect

    0 Votes · 2 Posts · 476 Views
    push "route-ipv6 ::/0" <= I think that fixed it
  • OpenVPN client for VLAN only running alongside server

    0 Votes · 2 Posts · 579 Views
    To put things graphically, here's what I want to do: _______ <VPN VLAN> ________ <VM eth0> / <gateway interface> --------- < ________ <local net> ________
  • Need help forwarding traffic through VPN

    0 Votes · 2 Posts · 647 Views
    Derelict: Yeah. Your walkthrough has the workstation behind pfSense. You have it in a triangle. Give the Hyper-V VM an extra NIC as LAN, connect your workstation to that, and try again.
  • Violates tunnel network/netmask constraint

    0 Votes · 2 Posts · 3k Views
    Ok. I understand this is due to the OpenVPN topology change in the new release. Now my next question is how do I specify an IP for a client with "Subnet – One IP address per client in a common subnet"? I tried to specify the client IP in the same subnet by entering "10.8.1.200/32" into the tunnel network settings for user.cert.name, and I can see the VPN established but traffic is unable to pass through. Also, with the new topology, can I specify the client's IP in another subnet? Thank you.
  • Site to Site plus remote user

    0 Votes · 6 Posts · 2k Views
    Assuming the remote end is allowing ICMP through and the Backup site machines are running Windows, it's because Windows denies ICMP echo replies to IPs outside of its local subnet by default. You either have to disable the software firewall or add an exception to the firewall.
  • OpenVPN site-to-site tunnel fails to connect to Ubiquiti EdgeRouter X

    0 Votes · 2 Posts · 771 Views
    Unfortunately, we need more info… and since you are not in control of the remote end, that makes things difficult. There are a couple of things at play... some of it may depend on the remote end's implementation of OpenVPN.... and the other is that your device is behind an edge router, which means you will need to forward port 1194 (or whatever you have configured) to pfSense and possibly add a static route in the edge router for the pfSense OpenVPN tunnel network. So, from my perspective, we need to know if the tunnel is actually being established and there's just a routing issue.... or are we having issues establishing the tunnel itself because of a config mismatch or possibly because of incompatible implementations of OpenVPN on the two devices. What are the logs showing?
  • Client - Server and Site to Site VPN both pointing to the same local LAN

    0 Votes · 2 Posts · 724 Views
    In a routed solution, all subnet ranges on both sides have to be unique.
  • ExpressVPN setup as OpenVPN

    0 Votes · 4 Posts · 4k Views
    @daviddst: Hi, I'm using multiple ExpressVPN connections on pfSense without issue. Configuration sample:
      Server mode: Peer to Peer
      Protocol: UDP
      Device mode: tun
      Interface: WAN
      Host: miami-cluster1.expressnetwork.net
      Port: 1194
      TLS Auth / Enable authentication of TLS packets: copy/paste the OpenVPN Static Key
      Peer Certificate Authority: select the OpenVPN CA (needs to be imported)
      Client Certificate: select your OpenVPN cert (needs to be imported)
      Encryption algorithm: BF-CBC (128 bits)
      Auth digest algorithm: 160 bits
      Compression: Enabled with Adaptive Compression
      Advanced: fragment 1300
    Good luck ;-)

    Hello, I am so happy that I found you on this forum. Please excuse me if I ask for much; I am not a network or computer guru. Can you please provide me with a step-by-step image tutorial in the new pfSense GUI? I am not asking you to show me your internal and external IPs, I just want an example of how it is done. Thank you very much for the trouble.
  • ExpressVPN (OpenVPN)

    0 Votes · 2 Posts · 3k Views
    Howdy, Jediah! This thread may be able to help: https://forum.pfsense.org/index.php?topic=107415.0 Good luck!
  • Can't get OpenVPN to start and stop via cron

    0 Votes · 4 Posts · 3k Views
    You'd need some other script to actually mark the tunnel disabled before calling the stop, and then mark it enabled again before calling the start. Probably easiest using the developer shell: record a new macro to disable/enable the VPN and then use cron to call that macro. Some clues:

    config snippet when disabled:
      <openvpn-server>
        <vpnid>2</vpnid>
        <disable></disable>
        <mode>server_tls_user</mode>
        <authmode>Local Database</authmode>
        <protocol>UDP</protocol>
        <dev_mode>tun</dev_mode>
      </openvpn-server>

    config snippet when enabled:
      <openvpn-server>
        <vpnid>2</vpnid>
        <mode>server_tls_user</mode>
        <authmode>Local Database</authmode>
        <protocol>UDP</protocol>
        <dev_mode>tun</dev_mode>
      </openvpn-server>

    So basically you're going to need to set/unset the <disable> tag in the XML with something like:
      unset($vpnconfig['disable']);
    or
      $vpnconfig['disable'] = true;
    Don't copy/paste the above, it needs some work to… uhm, work ;)
    https://doc.pfsense.org/index.php/Using_the_PHP_pfSense_Shell
    checkbox: https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/vpn_openvpn_server.php#L628-L633
    disabling: https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/vpn_openvpn_server.php#L470-L472
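    The macro the reply sketches, filled in as an added example (not from the thread or the pfSense project): a pfSsh.php playback script that sets or clears the <disable> flag on one OpenVPN server instance, writes the config and resyncs that instance, so that cron can call it. It is written against the pfSense 2.x $config global the posted snippet comes from; vpnid 2 is taken from that snippet, and the OVPN_ACTION environment variable used to select the direction is this example's own assumption. Playback files are eval'd by pfSsh.php, so the file carries no opening <?php tag.

```php
/*
 * Added example, not from the thread or from pfSense itself.
 * Save as /etc/phpshellsessions/ovpn_toggle and run with:
 *   /usr/local/sbin/pfSsh.php playback ovpn_toggle
 * Assumes the pfSense 2.x $config global; releases that moved to
 * config_get_path()/config_set_path() need those calls instead.
 */
require_once("config.inc");
require_once("openvpn.inc");

global $config;

$vpnid  = 2;                                    // instance from the posted <vpnid>2</vpnid> snippet
$action = getenv("OVPN_ACTION") ?: "disable";   // hypothetical switch: "enable" or "disable"

if (!in_array($action, array("enable", "disable"), true)) {
    echo "OVPN_ACTION must be 'enable' or 'disable'\n";
    exit(1);
}

if (!isset($config['openvpn']['openvpn-server']) ||
    !is_array($config['openvpn']['openvpn-server'])) {
    echo "No OpenVPN servers configured\n";
    exit(1);
}

$found = false;
foreach ($config['openvpn']['openvpn-server'] as &$server) {
    if ((int)$server['vpnid'] !== $vpnid) {
        continue;
    }
    $found = true;

    if ($action === "disable") {
        /* The GUI stores the checkbox as an empty <disable></disable>
         * element and the OpenVPN code tests isset(), not the value, so
         * the key must be present to count as disabled and absent to
         * count as enabled. */
        $server['disable'] = true;
    } else {
        unset($server['disable']);
    }

    /* Persist first, then resync the single instance: with 'disable' set
     * the resync kills the running process and does not start it again;
     * with it cleared the resync regenerates the config and starts it. */
    write_config("Cron: {$action} OpenVPN server {$vpnid}");
    openvpn_resync('server', $server);
    echo "OpenVPN server {$vpnid}: {$action}d\n";
}
unset($server);

if (!$found) {
    echo "No OpenVPN server with vpnid {$vpnid}\n";
    exit(1);
}
```

    Two cron entries then drive it, e.g. `0 22 * * * root env OVPN_ACTION=disable /usr/local/sbin/pfSsh.php playback ovpn_toggle` and the matching 06:00 line with OVPN_ACTION=enable. Because the flag is written to config.xml before the resync, a later interface event or manual service restart respects the disabled state instead of bringing the tunnel back up, which is the failure mode the thread is about.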
  • Connecting to xxxxx config file is failed Windows 10 client 2.3 pfSense

    0 Votes · 2 Posts · 975 Views
    :D I fixed the problem. The problem occurs when you have NPS on Windows Server 2012: you need to ensure that the account's dial-in dialog in Active Directory says "Allow access" and not "Control access through NPS Policy". When you change the value, test with the pfSense authentication test option and it is successful; when you try again with OpenVPN it works. Remember to install the certificate in Trusted Root in the Windows certificate store.
  • Can't access branch office LAN via OpenVPN

    0 Votes · 3 Posts · 888 Views
    It works!! Thanks
  • Can ping and connect to hosts except .1, the one I need

    0 Votes · 6 Posts · 1k Views
    jimp: You could also switch to hybrid outbound NAT (or manual) and add a rule to NAT outbound on the internal interface from a source of the VPN subnet to a destination of .1, NATing to the firewall's address in that subnet. If that works, there is definitely a filter or routing/gateway issue of some sort on .1
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.