@M0L50N I suggested above to set the tunnel for A to 192.168.130.32/30 and for B to 192.168.130.36/30. Additional I would use a net /30 topology in the server settings. So each client gets its own /30 subnet with an IP for the server and one for the client.

Another way would be to just copy and paste it out of your ssh client after viewing it with cat. [image: 1605793271002-cat.png] Or you can just sftp to pfsense and download it that way if your having issues with the scp commands. Filezilla supports sftp [image: 1605794549085-sftp.png]

I was at an event where I ran into NineStar’s CEO and asked him, whether there was someone who could help me, because I had increased suspicion that it was an ISP issue. The following day I got a call from NineStar’s CTO who almost immediately knew what was up. He directed his staff to provide a solution, which is working great. See also my related post. Thank you very much to all of you for helping troubleshoot!

I'd be quite interested to hear if you got this working. I just purchased a dedicated IP through VPNArea and am trying to setup an OpenVPN client for it. Having some trouble. I am waiting to hear back from their tech support on my latest set of questions.

status can be acquired by changing 'restart' to 'status' [root@pfsense.lan]/root: pfSsh.php playback svc status openvpn client 1

Something to read: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16128.html

In that screen the "client instances" are clients where pfSense is connecting to other servers. That has no relation to remote access servers on pfSense. If you have a remote access setup that would be up higher on the page

i have the same error [image: 1605472724651-cf241614-06f7-4c34-9592-f42158912c9f-image.png] Current Base System2.5.0.a.20201114.1250 Nov 15 19:39:29 radvd 37186 returning from radvd main Nov 15 19:39:29 radvd 37186 removing /var/run/radvd.pid Nov 15 19:39:29 radvd 37186 sending stop adverts Nov 15 19:39:29 radvd 37186 exiting, 1 sigterm(s) received Nov 15 19:38:52 radvd 36851 version 2.18 started

Problem solved. After I enabled NCP and added ncp-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC I forgot to create a new client certificate ... my mistake. Creating a new client certificate got me connected.

The issue was resolved by check option: Username as Commnon name. ![image: 1605401616552-whatsapp-image-2020-11-05-at-10.12.00.jpeg]

Please ignore my stupidity. For posterity, the "mystery" route was from an old IPSec config I forgot to disable.

@jimp thanks for your reply. May the documentation need to be corrected in order to reflect this scenario?

Well, I'm sitting here having a nice tall glass of Noob Cola. Very refreshing! Yes, it was a firewall issue in the end and face-palm. I had to turn on the rule to allow File and Printer Sharing (Echo Request - ICMPv4-In) in Windows 10 and modify the scope. Thank you for the reminder for the "is it plugged in" rule.

FYI, it works. I had to change to the GW which is made "automatically" so I guess there is no need to manually create it for openvpn local routing? There was also an issue with older cname client names, which had to be addressed. Now back to the original task, connect openvpn to ipsec network :)

Ok, so I did a little more searching around and came upon this site: https://www.ceos3c.com/pfsense/pfsense-openvpn-linux-client/ I followed the steps from that page and low and behold, I was able to connect to my pfSense OpenVPN server with no issues even using my wireless hotspot. Success. Thanks for getting me headed in the right direction. I appreciate your time.

@viragomann said in Route local traffic using Interface IP instead CARP VIP: Add a static route for the OpenVPN tunnel network of the backup box pointing to the backups LAN IP to all your LAN devices which should be reachable over the VPN. Just wanted to let you know that I finally used your advice and created a static route. I now have two OpenVPN servers with distinct virtual IP subnets. The first server is used only on the main (master) box, and the second server on the backup box. Each LAN client has a static route to the backup box's lan ip for the second OpenVPN server's subnet. This works well. Thanks a lot !

System > Advanced > Miscellaneous > Skip rules when gateway is down was the money maker. Its working now. Thank you!

exactly - out of the box unbound does not allow vpn users to query it.. If you want your vpn users to be able to query unbound, you have to create a ACL to allow that. Per the example posted by @bingo600