@hamidsattarrana Double-check that the CA assigned to the OpenVPN server and the CA the user cert is from are the same and that you selected to correct server in the client export utility. You can verify the certs in System > Certificate Manager > Certificates, which gives you a good overview of the issuer and the usage.

Thanks for all the help. The OpenVPN server was trying to push DNS to the client and it was the cause of all my troubles.

Anyone else looking for something like this, Wireguard has it and it works great!

@richardeb No, if you only did the recommended setup you're safe. However, be careful when you add an OpenVPN server on your pfSense additionally. The wizard if you run it, will add an allow any rule to the OpenVPN tab. You must consider that the OpenVPN tab is in fact an interface group which includes all the OpenVPN instances, either servers and clients, you're running on pfSense. And rules on an interface group have priority over rules on member interface tabs. So to stay save when running additional OpenVPN instances, where you must permit inbound access from, either assign an interfaces to each of the instances and define your rules there, while you leave the OpenVPN tab blank, or set the source in the rule so that it is only applied to the concerned VPN clients.

@viragomann Thanks again for you always clear and relevant answers! Have a good day!

@jarhead You have to establish an layer 2 connection between server and clients. L2 between different network interfaces can be achieved with a bridge. So you have to create a bridge at both sites. I didn't get where your clients and the server are connected to. The concerned interface have to be bridged with the VPN interface. So at both sites you have to use tap mode OpenVPN and assign an interface to the VPN instance. Then you can bridge these interfaces with the respective server or client interface.

@viragomann Ey, sorry for no reply, i was trying and trying... i can't do more... The log on the server says "P_CONTROL_HARD_RESET_SERVER_V2" and "P_CONTROL_HARD_RESET_CLIENT_V2". In the client the first message is "Preserving recently used remote addres: [AF_INET]xxx.xxx.xxx.xxx:xxxx" "UDPv4 link local:(not bound)" I don't know what can i do

@viragomann Got it working. Thanks,

Any one has any clue ?

@greywolf could this be mtu/mss issue when tje connection is over TCP?

Seems like an ISP issue, but it has resolved itself. Thank you for the assistance.

@mmercier can you please give me the step by step to get openvpn on the 22.01 release, been trying to configure it and it won’t start. Went by all documentation twice every time and nothing, is there another documentation on configuration for 22.01 release, please and thank you.

@mariof said in PiVPN and pfsense as Client: my devices on the network I didnt have to disable gateway monitoring. Got it set up and since the RPI runs PiHole before VPN I use it for DNS and gateway testing. Do you, by any chance, have two RPIs? I have to VPN servers on two seperate RPIs on two continents (Netflix :-) works) but I am having problems with CAs as common name is the same causing pfSense to get confused.

@drhans Here are screen shots of my client config for a Nord UDP client connection that is up and working as expected. Note that if you want to start out with all traffic being routed through the VPN connection, un-check the "Don't Pull Routes" option that I have checked. The full set of "Custom Options" I have, which is not fully visible in my screen shots, is: tls-client; remote-random; tun-mtu 1500; tun-mtu-extra 32; mssfix 1450; persist-key; persist-tun; ping 15; ping-restart 0; ping-timer-rem; reneg-sec 0; remote-cert-tls server; auth-nocache; pull-filter ignore "redirect-gateway"; pull-filter ignore "dhcp-option"; auth-retry nointeract; Note that you will NOT want the line: pull-filter ignore "redirect-gateway"; if you want all traffic to be routed through the VPN. And in fact I probably don't need it myself with "Don't Pull Routes" enabled. You also may or may not want the line: pull-filter ignore "dhcp-option"; which prevents the server from pushing DNS servers to use. I have pfSense configured to use unbound but with the outgoing interfaces set to my VPN client interfaces. Some of the other things I have in my custom options are redundant to options set up by the GUI, but not harmful; it's just been a while since I've cleaned them up, but I know that these work for Nord. [image: 1648731850703-a7263980-045c-4839-8c67-22e0ff199eb7-image.png] [image: 1648732010836-51fb8fe1-920c-42a1-89f7-caa871c1ecd6-image.png] [image: 1648732058974-a9999673-6e36-44ad-ae68-77d440194da5-image.png] [image: 1648732092474-7cfbc770-9ae4-4114-b321-e3840c6aca98-image.png]

@circle-0 said in How to route a wifi interface through OpenVPN?: These describe in various clarity how to set things up for LAN and I thought I could just replace the LAN interface occurences in the guides with the wifi interface/network. No luck however. Generally it should work this way as described. Consider that in the outbound NAT rule you have also to replace the source with your wifi network. If it doesn't work, post more details of your setup.