@Nicholas-0 Do you have other options in the branch drop-town? Maybe it helps to switch the branch to something else and than back again. There are some threads in this forum with this or similar issues. Try to search the forum, maybe there are solutions.

Currently the connection is working well in both directions. But I don't know the needed change...

@mac1995 Nice hack, but not really a fix Another hack fix is to disable the WAN rule that allows the client to connect to the server. But that's only really effective if the OP has all the servers on his side, and the clients on the remote side.

@jbcortezf The machines will send responses to their default gateway. If this is not pfSense you have to route the home network to pfSense. As a workaround you can add an outbound NAT rule on pfSense for masquerading, if the VPN is for your private purposes. What is a CSO? VPN > OpenVPN > Client Specific Override

Here is what I could grab when I stopped home. Was in a hurry. I can get more detail if you need. Thanks for offering to help. This is really puzzling me. [image: 1702918250059-1.png] [image: 1702918257568-2.png] [image: 1702918260453-3.png] [image: 1702918266389-4.png]

@mrjoli021 SMS, I don't think this is the best option. Check this: FreeRadius on pfSense software for Two Factor Authentication

@viragomann Thanks this did nudge me in the right direction. I ended up creating vlan interfaces and made outbound nat rules. Since the pfsense LAN interfaces were already able to get to the internal VLANs it was simpler approach.

@tuannm1509 said in issue with VPN Tap mode: i can't ping form the VPN Client to Lan Interface of Pfsense Firewall and PC Test Do you mean, you ping from the client itself and use the LAN IP as source, or pinging from any other device on the clients LAN? For other devices on the LAN, you would need to add a static route to them for the remote network and point it to the Windows machine. Additionally on Windows you would need to enable routing and configure its firewall accordingly to pass through the traffic. I don't think, that the bridge do the job without this. It would be a better practice to run the OpenVPN client on the router instead. Anyway you need add a CSO on the OpenVPN server for the client, where you state the client sides LAN network at "Remote Networks". Additionally you need to state it also in the server settings.

@viragomann I tried right now. It works fine!!! Thank you very much.

@viragomann I did select the correct CA for the user Certs, thanks for the reminder. Yes I actually was able to delete that user. My next step is update from 22.05 to 23.01 but holding off since I don't know if it would be successful and have no one on their end to help. Thanks again.

@steve-comerford said in ISP Throttling VPN: I have changed the ports and also to TCP from UDP on the OpenVPN to try and mask the traffic but the ISP is clearly wise to that, and it hasn't made any difference. I'm aware of networks that block VPNs and the way around that is to use TCP port 80 to get through the firewall. That might also work for throttling, if that's actually what's happening.

@viragomann said in Create an Outbound route - Client to Site: Add 192.168.20.15/32 to the "local networks" in the OpenVPN server settings. How does the right side network know how to reach that user? This is a perfect example of why using the same subnet for 2 networks is a bad idea. BTW, several years ago I used to do a lot of travelling with my work. I'd find myself in a hotel somewhere, unable to reach my home network, as it was the same subnet as the hotel. After running into that a couple of times, I decided to move my home network to 172.16.0.0 /24, as I had only once seen anything in 172.16 used elsewhere.