• [Solved] OpenVPN Connection issues

    0 Votes
    10 Posts
    45k Views
    H
    I found the issue. I had some rules that imported from the upgrade to 2.3. They were all incoming rules. 1194 was at the top of the rule stack, but for some reason the other rules had the firewall jacked up. I deleted all the rules and NAT rules. Basically cleared everything out. Cut pure NAT on and re-added all the rules to NAT and the firewall and the VPN connected. I did all this after sniffing the WAN traffic that cmb suggested and saw it hitting the firewall. I can ping the server side subnet from the client. All is well now. Thanks for the input guys. This has been a real headache, but a lesson nonetheless. I could prolly instruct my grandmaw on how to set up OpenVPN now.. over the phone and just waking up with a hangover. :)
  • Policy Routed Multi-WAN OpenVPN?

    0 Votes
    5 Posts
    1k Views
    T
    OK.  I think OSPF does routing, but not load balancing, though. So it sounds like the only way to do this would be to create two separate OpenVPNs on both sides (one for each remote branch WAN), then assign interfaces for them on both sides, and then policy route the traffic through the tunnels on both sides. I'm thinking that since the traffic would be policy routed on both sides, neither side would have a routing conflict (even though the same subnets are configured on both OpenVPN tunnels).
  • Accessing remote LAN problems with OpenVPN Site to Site (Shared Key)

    0 Votes
    12 Posts
    10k Views
    B
    @viragomann: Since the IP packets come from another network which the destination host has no route for, it sends responses to the default route (gateway). As said, you either need a route at site A or do NAT at VPN server. I see 3 ways to resolve: Add a NAT rule to VPN server which translates the VPN packets source address to its LAN address. The disadvantage of this is that any access to the destination host seems to come from the router and you are not able to determine the real source address. If that doesn't matter for your purposes, this will be the easiest solution for you. To add the NAT rule go to Firewall > NAT > Outbound, if the router is just for VPN as you said, you can select "Manual Outbound NAT rule generation" and hit save. Otherwise select "Hybrid rule gen". Add a new rule by clicking "+" or "Add": Interface: LAN Source: Network and enter the site B's LAN network Leave the rest at its defaults, enter a description and save the rule. Now source addresses in packets coming from the other site are translated to pfSense LAN address which is in the same subnet as your LAN host, so responses are sent back to pfSense which directs it over VPN. That is the best option for me :) I've tried it out and thanks to your detailed guide I got it to work! I'm so happy. Thank you very much! Finally the clients from Site B can access the shares from Site A ;D
  • Connection Dropping OpenVPN after 2.3 update

    0 Votes
    5 Posts
    1k Views
    C
    What do you get in the OpenVPN logs at the time?
  • OpenVPN - TAP - OpenVPN needs a gateway parameter

    0 Votes
    3 Posts
    23k Views
    K
    Solved
  • OpenVPN or port forwarding?

    0 Votes
    4 Posts
    2k Views
    johnpoz
    Yeah I failed to mention I watch my plex server from my phone via just clicking vpn, and then opening up my plex app.. Sure and the hell not going to open up my plex server to the public internet so I can watch something when I want on the road. Click click on my phone and there you go watching video/music just like I was on my actual lan.. I have 1 thing forwarded, that is ntp which I serve to the public as a member of ntp pool.. Anything else you want on my network you have to vpn to get to..
  • Vlan Tag on all connected Openvpn Users

    0 Votes
    4 Posts
    3k Views
    Derelict
    You cannot put 10.0.0.0/8 on an interface and use 10.100.5.1/24 to give to OpenVPN clients. Those subnets overlap. If you, for example, assign the IP address 10.23.56.34/8 to a host on em2 and it has traffic for 10.100.5.1 it is going to think it's on the same subnet and not send the traffic back to the firewall to be forwarded to the OpenVPN client. To tag traffic on a pfSense interface, you must first create a VLAN on the interface Interfaces > (assign), VLANs tab, then assign the interface to VLAN XXX on em2 in Interfaces > (assign). Then connect em2 to a switch port or device that expects traffic tagged on VLAN XXX.
  • OpenVPN tunnel

    0 Votes
    2 Posts
    950 Views
    jimp
    Make sure the client is getting DNS servers it can reach over the VPN. If the client is still attempting to use ISP-specific DNS servers they would fail when run through the tunnel.
  • Contractor VPN

    0 Votes
    6 Posts
    1k Views
    V
    As mentioned above, the contractors should only have access to a single host. So you have to put a firewall rule at the OpenVPN interface to permit only this one destination from the contractors' VPN tunnel. If this rule is right in place there will be no access possible to the pfSense GUI.
  • Allowing certain devices to bypass openvpn

    0 Votes
    5 Posts
    1k Views
    T
    Thanks, I'll give that a go :-)
  • Pfsense 2.3 static client IP

    0 Votes
    11 Posts
    5k Views
    H
    Based on my log, everything seems fine. :'(
  • Can't get OpenVPN data to other router & Network on LAN

    0 Votes
    7 Posts
    1k Views
    johnpoz
    Your design oversight steps on a network that is owned by T-Mobile:
    NetRange: 172.32.0.0 - 172.63.255.255
    CIDR: 172.32.0.0/11
    Organization: T-Mobile USA, Inc. (TMOBI)
    This is a really bad idea to use public space that is not owned by you internally.
  • Bridge DHCP default disabled

    0 Votes
    1 Posts
    511 Views
    No one has replied
  • Log filled with repeated message

    0 Votes
    3 Posts
    1k Views
    O
    Thank you. I have logs at default and recommended levels.
  • Unable to connect a client to OpenVPN pfsense 2.3

    0 Votes
    18 Posts
    6k Views
    johnpoz
    Being in different timezones is not a problem.. But having the wrong time while you're in a timezone sure going to have a problem ;) Why you should always sync off ntp ;) Which sets your time correct for the timezone you're in.. But you still have a really OLD client, why would you not update that… But maybe it's because you're running on a linux distro that last update was what 2011?
  • OpenVPN Fatal Error

    0 Votes
    2 Posts
    1k Views
    D
    The error message "Cannot open TUN/TAP dev dev/tun1:Device busy" points to a previous instance of OpenVPN already running. This can happen if you're playing with your OpenVPN settings, trying to get things "right" and restarting the OpenVPN client and/or server. Sometimes the previous instance doesn't exit cleanly and can hang around for a while. I would try a full reboot of the box to make sure you have a clean start and see what your logs look like.
  • OpenVPN tunnel whole interface

    0 Votes
    1 Posts
    700 Views
    No one has replied
  • PIA VPN not working on Pfsense 2.3

    0 Votes
    2 Posts
    2k Views
    W
    Forget the PIA website instructions…worthless. This is what worked for me... very nice tutorial: https://forum.pfsense.org/index.php?topic=76015.0
  • Route all client vpn traffic to only one IP on network

    0 Votes
    15 Posts
    3k Views
    Derelict
    And, while on the subject, configuring outside servers to return RFC1918 addresses subjects you to dealing with DNS rebinding protections. Ran into this a few times running internet for a hotel meeting space. Told them to slap their network admin in the face hard when they got back and use a hosts file entry. Many of them were even 192.168.0.X - like that will work reliably on random, private networks.
  • PfSense for secure browsing from public WiFi?

    0 Votes
    36 Posts
    8k Views
    D
    The Airport Extreme makes a fine Access Point and switch if you only need 4 Lan ports. In the Windows Airport utility, Internet tab, you have the Connection Sharing drop down in which you specify Off (Bridge mode). With that set you can also use the Wan port as just another Lan port providing a total of 4 ports.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.