maybe should upgrade openssl to 1.1.1+

nobody ever experienced this issue?

Syslog and feed it into Splunk or Elastic Search. https://docs.splunk.com/Documentation/Splunk/8.0.5/Viz/IplocationChoropleth https://www.elastic.co/blog/geoip-in-the-elastic-stack Never done it, but if I was I'd use one of the two above.

Your server firewall looks fine. Use the VPN Export package (install it on the server) and create a VPN user, if you already don't have one. Export the user, and install it on a PC/Mac/Phone device, and connect that way. When you have this 'road warrior' setup working, proceed to the next step : treat your Client (home) pfSense as a VPN client, using the VPN client. Btw : for the home pfSense, that needs to become a VPN client, no need for a '1194' firewall rule on WAN. The client isn't 'listening' on port 1194, WAN. It initiates a connection to your server, port 1194. Also : as soon as the Client VPN is up, it's pretty useless. You'll have to visit the Interfaces > Interface Assignments menu, Add an interface (an interface called ovpncx (Your VPN name) will be available). This one has to be added. See more info here.

From my testing it appears OpenVPN is not at all tolerant of packet loss and will restart the tunnel every time during it. I switched to IPsec and it maintains its connection through brief packet loss without any problems.

@oldlock Not directly by user basis, but you can set up a client specific override to assign specific IP addresses to these users. Then you can control the users access by firewall rules. https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configuring-a-single-multi-purpose-openvpn-instance.html#openvpn-client-specific-overrides

I have been having this EXACT same problem for the past year. I haven't been able to figure out why the pfsense machine won't curl out the interface using the VPN. I suspect this is an NAT Outbound issue... but nothing I do there has fixed it so far. I have manual rules setup for my Outbound NAT. This whole issue prevents my script running on pfsense using curl to utilize my VPN. It's very annoying. For a while I simply used the pull routes option from the VPN and then my script worked but everything then went out the VPN from my shell that wasn't specifically setup otherwise. I had DNS going out the VPN so much though that I eventually reverted and decided to stick with the more secure crippled version.

I put something into Visio to help explain [image: 1597562279150-openvpn-client-pfsense.png]

Yeah, I checked that link before. Still no Joy. Does anyone have a sample configuration i.e. what exactly goes in each field?

@jere7em said in Not natted access to LAN network: No, the default gateway is the VPC Internet Gateway (they are on AWS)... That's why you need NAT. @jere7em said in Not natted access to LAN network: maybe I have to add the routes to the AWS Lan configuration... Don't know the structure of the AWS network, so I cannot help. If it's possible you can install a transit network between the default gateway and pfSense. So you have only to add a static route for the LAN to pfSense. Otherwise you will need a static for the OpenVPN tunnel network route on each device the VPN clients should be able to access.

@Rico Thanks, this might be the cleanest solution. @oddussiben-3161 That would require me to define every single client connection in order to make them gateways and able to be added to a gateway group. This is exactly what I want to avoid. Thanks for you r reply though. I appreciate it.

Yes. So check "Redirect gateway" in the server settings to push the default route to the clients and provide a DNS server. Additionally you have to add an outbound NAT rule for the VPN clients. Firewall > NAT > Outbound. Select the hybrid mode and hit save if you have the automatic mode now. Then add new rule: interface: WAN source: <OpenVPN tunnel network> destination: any translation: interface address

@DaddyGo I have this processor [image: 1597153553300-cc874b28-faad-4faf-8bec-4b7f7592cefc-image.png] I´ll look this =) In pfSense, you can configure multiple servers on a single device. Due to redundancy and for the sake of a high number of users, I would even run multiple servers in a separate box. (we do anyway) i´ll try change port Port scanners are familiar with the sub-2K range, yes the dedicated port(s) is 119X, but i wouldn't leave the port here, if you have that many VPN users. i´ll update the version this week. Current version and 2.4.5-p1 contains very important fixes !!! (pfctl, etc.) 23d05161-da56-456f-b9af-b03d8644b5e1-image.png Please Update...... ASAP after update S.O , i´ll update this post about the vpn Connection. Thansk you in advanced.

@netblues said in Work from home security issues: policy won't happen by asking on any forum.