@Gertjan in case anyone has this issue, i found the solution. besides removing the DNS line remove the TLS key from Custom options under advanced configuration towards the bottom of the openvpn client. then go to the top and select USE A TLS KEY, then uncheck automatically generate a key and paste your key from your server here. then for TLS Key Usage Mode change it to TLS encryption and authentication. now it works after saving the changes!

@viragomann Sorry for that. Yes, it looks like there was a misconfiguration here. I had to change my default gateway it was still setup to be the 10.0.0.1 that the switch comes with. I thought it would be set from DHCP but i guess it wasn't. It's all working now! Thanks!

@poldus What do you consider as "static" here? The above shows the client log. But what shows the server log? Does the server even see any VPN packet? Are you aware, that shared key OpenVPN is deprecated these days? Do you really intend to setup a tap client?

@guillaume14 Ensure all related states are flushed. If the no-nat rule still isn't applied, there might something wrong in its settings, so that it doesn't match. Ensure that the protocol and the destination port are correct if stated.

@rajukarthik its just the normal openvpn community edition. [2.7.2-RELEASE][admin@test.mydomain.tld]/root: openvpn --version OpenVPN 2.6.8 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO] library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10 Yeah it is a bit dated, sure that will update when 2.8 drops.. but its not the access server version. As to soc2 - As to the just community edition, prob not - since really the user of said edition can pretty much do anything they want with the config, were with the AS and Cloud versions of their server being more strictly controlled in what can be configured. Those 2 versions are not free, so sure they can get certification of meeting specific standards, etc. But I doubt they would run through such trouble with audits of controls, etc. for something the user might easy override even a config change. If you really want to make sure its soc2 compliant - I would run either of those on something other than pfsense. I have not heard of anything about being able to run say the as version on pfsense. I run an as version on one of my vpses - you can run it for free for max of 2 concurrent connections. Which for me is plenty for my use case.

@bozo-bogd We tried setting reneg-sec on both sides to 0 but it caused the client to constant want the MFA prompt satisfied. The pings settings are already set to 0 Details from Azure. We have a CA policy that requires MFA when authenticating to the EntraID account. The Entra RADIUS VPN app is installed on our RADIUS box to interject the MFA prompt when authenticating to our local AD with the OpenVPN client. The MFA app has a limited config, with caching and renegotiation settings not being options.

@McMurphy hahah - yeah minor detail ;) hehehe

@DSTMalo Thank you so much! Happy new year.

@Gertjan perfect thank you. Still shows as applied and has the revert option so i'll keep it applied

Perfect. Thank you

@viragomann It works! I remove the client static IP configuration from the server setup and ping works from both sides. It was quite difficult but the reason why I didn't read the documentation about s2s OpenVPN connection. Thank you!

@ctarbet I configured the OpenVPN with OpenLdap. I had some issues regarding to setup but I found the solution: Start configuring A connection from scratch (SystemUser -> ManagerAuthentication -> Servers) - don't copy the connection! [image: 1737104274313-screenshot-from-2025-01-17-09-53-21.png] [image: 1737104283687-screenshot-from-2025-01-17-09-56-57.png] QUERY: &(objectClass=groupOfNames)(cn=vpn)(member=*) LDAP tree structure: [image: 1737104693725-screenshot-from-2025-01-17-09-59-59.png] Please take a look at the screen. This is an example of configuration, but maybe it'll help you. Good luck!

@Gertjan You helped me find the problem, on the other VPN server, I had selected to give the client the domain name and swapped my DNS entries. All good now. Appreciate your help, your the man!