I went ahead and created a PR#3844 for this alternate method Again, "works for me" but would apprecaite comments If you want to give it a try, use System Patches and add commit 4f62b7c0bd7e7a1845cded171fbd918c04e73738

If you have only one client who connects to the server, he gets the same IP on each connection anyway and you can also control access by the whole tunnel subnet. If you have multiple clients take a look at Client Specific Overrides. https://doc.pfsense.org/index.php/OpenVPN_Settings https://doc.pfsense.org/index.php/OpenVPN_multi_purpose_single_server#OpenVPN_Client_specific_overrides

It seems to work no so I guess it not a problem anymore.

Should have been more patient/persistent, and kept working on it before I posted here. Eventually sorted this out myself. For anyone referencing this article later, here's what the issue was: I messed around with DNS settings just after getting the VPN online, because I want all internal DNS resolution to go to the server-side PFsense box (it's acting as DNS resolver). I had put an entry in the general setup, specifying my server-side pfsense box as a DNS server, with my client-side ISP IP as the gateway. This was causing a static route to be entered into the table, and was the root of the issues. I still have some things to figure out with DNS, but the original issue I was posting about is now resolved.

So all 3 of your servers are on some public /? they are behind a firewall, so  not accessible on internet. dhcp provide on my lan (file server, vpn …)  routable ip adress 194.48.50 .../24, (that different of traditionnal "private use" 192.168... adress) PS: i can change my mind and put an another NIC , but it will be in same subnet.

@Cyber-Wizard: but it creeps me out that this impacts the OpenVPN service so dramatically. Not a solution but with regards to OpenVPN "locking up", it is known it happens during the authentication. Normally this goes unnoticed. There is a way around it, maybe it can be applied/integrated to pfSense… http://engineering.freeagent.com/2017/05/22/external-authentication-scripts-in-openvpn-the-right-way/

"it pushes CN and IP to a bind/named and works like a charm" Yeah bind can do that ;)  There is not such functionality in unbound that I am aware of.

Hello, thanks for your reply.  I basically wanted to add another wireless router just as a bridge connection so that if my son and his friends connect to that wireless bridge they won't get the lag they are experiencing going thru the VPN. I know I can achieve this with aliases specifying which hosts use what, but I just wanted to see if i could set it up so I can tell the kids if they want to do gaming connect to this gaming AP. I can't seem to find out how I can add a NIC card and anything connected to the 3rd NIC will go straight out using WAN.

When I experienced that problem I moved my network to 172.16.0.0, as I'd never seen any commercial gear in that range, but I had in 192.168. & 10..

I don't see that happening. While technically it may be possible, that would increase the complexity quite a lot for very little benefit to most users.

What worked: It was the DNS suffix: On a computer on a domain, I needed to ipconfig /all, and under "Connection-specific DNS Suffix" it showed local.domainname.com Thats what needs to be under "DNS Default Domain" under VPN -> OpenVPN -> Servers -> edit

What port are you using for vpn, you say not standard so not 1194 UDP?  But still UDP? There are many a wifi network that block ports other than 80/443.. This is why I run an instance of openvpn on tcp 443.  This way you are pretty much SURE you can get to it from anywhere.  Since not allowing 443 tcp would make the internet not viable..  And when running in tcp mode on 443 this also pretty much makes sure you can even make the vpn connection over a proxy. So just run a another instance of openvpn on 443 tcp and if you have problems from a location just use that configuration.. As to your domain?  I assume you mean some dyndns you have setup - is that resolving.  Its possible where your at is blocking that domain?  Does it resolve?  Test with some tool like HE tools for ios or android it has a dns testing feature, etc.

I am interested in something similar to this and was thinking that integrating pfBlockerNG would facilitate creating an access list to be used for routing purposes.  In this case I would think that adding the domain to pfb would resolve all of the ip's for that site/domain and adding them to an access list, then setting a routing statement using that access list as the destination to route through the vpn instead of the WAN. What I am wanting to test is using pfblocker to create an access list for the .onion domain, then routing the traffic destined to that domain through a vpn.  For instance, there are ubuntu repos on tor, and when updating packages from that repo, I would like that traffic to automatically route through the vpn connection instead of attempting through my wan.

That won't ever work properly. You must configure it using the GUI. If you post the details of your configuration (without anything private included), we can help you determine how it will be setup in the GUI but running it in the background like you are doing is not viable.

Is the pfSense LAN IP the default gateway on the LAN machines? Please post your vpn settings.

You are correct he mentioned that… I must of been thinking of another thread.. Thee was another thread asking about using using multiple vpn connections.  Much longer than this one though.. I was thinking of this one. https://forum.pfsense.org/index.php?topic=135283.0 Different poster.

Thanks! Attached is a screenshot of the logs page. Do I need to do something to turn them on? I can't find any settings. It seems really odd that there are no logs of anything. The client seems to have gone down the tunnel and found the network, because it received the 192.168.4.x address, and the pfsense is there too. But the rest of the transaction isn't happening. I have a laptop that successfully connects through OpenVPN and PfSense to a different network. The configuration files seem pretty much alike. [image: pfsense-logs.jpg] [image: pfsense-logs.jpg_thumb]