@gertjan Thank you guys for your support

@johnpoz I found my very stupid mistake! I did not ebabled the rule that i created! :) So now everything works like charm! Thank you very much, John! [image: 1666109531000-image3.jpg]

@gertjan I asked my ISP to get a real public IP and got one ... but sadly for a monthly fee. This solved the problems I had with OpenVPN. Thanks again for all your support ... I have learned alot about CG-NAT ... that was a white spot on my map.

@help-group Have a look at pfsense openvpn server with freeradius.

@rm85 Found it, we had to add a Outbound Firewall rule (Mappings) from LAN interface (Source IP VPN Client subnet) to the LAN. Now it works![image: 1666074145084-screenshot01l.jpg]

@renj said in Certificate Autority: So, In the available packages window I have notting. You don't see these : [image: 1665992337284-537b2daf-9e3b-4a71-8fb2-235e4a1ef86e-image.png] ? @renj said in Certificate Autority: I have, under Instaled Packages window; two isntalled Packages. At the bodom of this window, I have a message in red: Package is configured but not (fully) installed or deprecated. We all have this : [image: 1665992388532-a3d0d631-348e-418b-9c70-f850cfb5b53b-image.png] If an installed package is marked in red => now you know what that means. If an installed package is marked in yellow => now you know what that means.

@chuck1968 No, don't push a DNS server. You cannot push a DNS server for the local domain only. If the branch uses Server01 for DNS resolution it uses it for all request. You have to add a domain override for the local domain instead to only forward these certain requests to the main office. In the branch OpenVPN settings enter 192.168.99.0/24 to the "Remote Networks". On the main, presuming you are using a /30 tunnel network, enter 192.168.95.0/24 into the "Remote Networks" box.

There are no granular per-service privileges right now, so any user who must control a service requires access to status_services.php (WebCfg - Status: Services). All of the service control links, even in the shortcut bar, use that page to manage service control.

@petri Turns out a real managed switch needed to be connected. Not the Unifi Lite I had. Now my IP isn't leaking out anymore.

@ppcm said in Local authentication with groups of users: if the user changes groups, I will need to send a new config, not easy to manage I'm running multiple OpenVPN servers with different CAs for different user groups for 10 years. Never need to move a user into another group till today. Is there a way to use groups of pfSense? No, not the local user groups in OpenVPN. If you need to replace the functionality of AD you can install the FreeRADIUS package and use it in the OpenVPN servers for authentication. Authenticating OpenVPN Users with FreeRADIUS

@gertjan yes, it was pfblockerng-devel v3.1.0_6. I have blocklists set to prevent traffic coming from "non friendly countries", basically, asia region, russia, some northern countries + africa. But I agree, it is quite weird. I've now made several tests with pfblocker-ng enabled/disabled, etc.. and always see the BW drop when pfblocker-ng is enabled. [image: 1665590312022-5c64470f-6054-465d-8153-9428ad13ba7a-image.png]

@coyotekg The client certs use the CA as the issuer just like the server certs do so yes, you would need to change them.

@bingo600 Yeah, exactly. You get an encrypted p12 file, when you download the Viscosity bundle and state the path to it at CA, user cert and private key in NM.