• pfSense as remote client to VPN Host WAN Problem

    0 Votes
    5 Posts
    684 Views
    S
    @Rico Clients connected to the WAN_VPN get directed to Site B as desired but the other clients lose WAN. If I disable interface, WAN returns. I worked around it by setting applicable firewall rules on LAN to use the Advanced->Gateway->WAN but there must be a different solution. Why would the default gateway WAN not be used?
  • OpenVPN Issue with 2.4 upgrade

    0 Votes
    44 Posts
    9k Views
    G
    Hi @jimp I have the same issue and updated the redmine: https://redmine.pfsense.org/issues/8142 As you can see I have full control over the VPN server (and options) so I can do whatever test/log is needed in order to sort out the issue.
  • OpenVPN ping pfsense on LAN, but not ping another computer

    0 Votes
    1 Posts
    219 Views
    No one has replied
  • pfSense blocking OpenVPN user login request

    0 Votes
    8 Posts
    1k Views
    Gertjan
    On the client, are the needed 'cert' files present and found and loaded by the OpenVPN client? From what I make of it, it can't find the needed cert info. Also: use the Netgate official videos (YouTube) to check your config with what you see in the videos.
  • tunneled machine can't ping specific local server

    0 Votes
    2 Posts
    285 Views
    B
    Well, finally I could manage to do what I want. Due to a missing gateway entry in /etc/network/interfaces (Ubuntu) I was not able to connect properly.
  • Prevent failover on OpenVPN client gateway

    0 Votes
    3 Posts
    357 Views
    M
    No, that's not the case. They are bound to the individual WAN gateways. I've attached a few pictures. You can see in the OpenVPN clients list that they are each bound to separate WAN interfaces. The gateway list shows that one of the WANs is down but both VPN tunnels are up. The VPN status page shows that both are up but doesn't show the local IP address for the one with the gateway that is down. (I can see on the server end that both connections come from the same IP) EDIT to add: Each connection has a separate client cert so when I look on the server status I can also tell both are connected because both common names are used.
  • OpenVPN Authentication error

    0 Votes
    1 Posts
    275 Views
    No one has replied
  • Can't ping local devices or connect to NAS.

    0 Votes
    3 Posts
    563 Views
    N
    @Derelict I've looked in the firewall, but see no denied connections. If I had to create such a rule, how would you do that? Edit: You've got to be kidding me, all these headaches for this. All you have to do is add the vpn subnet to "smb-in". I'm so dumb.
  • OpenVPN after router setup.

    0 Votes
    4 Posts
    504 Views
    Rico
    So you want to use pfSense just as OpenVPN server behind the Comcast and nothing else? That would be a waste. ;-) And you have to mess around with manually adding routes to the Comcast and so on. Why not use pfSense as full Firewall/Router? -Rico
  • OpenVPN Bridged network 2 sites

    0 Votes
    2 Posts
    296 Views
    Rico
    No idea about this old howto, better follow the latest official documentation: https://docs.netgate.com/pfsense/en/latest/book/openvpn/bridged-openvpn-connections.html -Rico
  • Connection does not complete.

    route gateway
    0 Votes
    2 Posts
    1k Views
    W
    So what I discovered is that no protocols are being set (checked) for the TAP-Windows Adapter during installation of the OpenVPN client. Why would that all of a sudden change when nothing else changed from the OpenVPN end? Still using same process. Still using same version of client, etc.
  • How to handle expired OpenVPN Client/Server Certificates

    0 Votes
    2 Posts
    1k Views
    jimp
    At the moment all you can do is make new ones. Since the old ones have expired and are invalid, you can safely delete them.
  • New 3..8 site L2L VPN setup - OpenVPN or IPSEC ?

    0 Votes
    9 Posts
    736 Views
    bingo600
    Maybe this one gives the basic setup (use FRR instead) or ? https://help.pureport.com/support/solutions/articles/43000485827-vpn-config-guide-pfsense-route-based-vpn-with-bgp On further thought (& reading), I think I'll skip VTI for now. It seems to be quite a new feature, and I'll get trouble if I lose a site halfway around the world. Maybe I should just stick with OpenVPN & Static routes. I have an L2L OpenVPN @home -> Summerhouse, using Certificates & the full monty. Would there be any significant disadvantage in using a Loooong shared key for this setup?? Or should I go for a CA on the central site & distribute the certs from there. /Bingo
  • Issues with OpenVPN

    0 Votes
    6 Posts
    736 Views
    JKnott
    @jogofus said in Issues with OpenVPN: @JKnott first subnet is in 192.168.5.0/24 and the second in the 192.168.0.0/24 Look at both sides of either router: Router 1 - 192.168.5.57 (WAN) pfSense (LAN) 192.168.5.200 - Client computers Router 2 - 192.168.0.200 (WAN) pfSense (LAN) 192.168.0.2 - Client Devices. Router 1, both WAN & LAN are in the same subnet. Same with router 2, assuming the LAN subnet mask is /24. It may work if the mask is /25 or longer. Please post the subnet mask for all interfaces.
  • Issue with AirVPN and 2.4.4-p3

    0 Votes
    2 Posts
    315 Views
    B
    That log doesn't really show anything. Can you post your client page? Are you connecting by host name or IP? I've heard several use IP and it resolves this. Are you using the DNS resolver? If so, how is it configured?
  • DNS FOR VPN

    0 Votes
    30 Posts
    6k Views
    J
    Hi, What was the final outcome with this? I've just set up pfsense, with a VPN, I can prevent leaks if I send ALL dns lookups to resolver and only select the VPN interface for outbound requests, but then my internet slows for all clients (especially non VPN clients), speed tests come back slow, high ping and gdrive uploads are slow. When I perform a trace route to google.com it goes through massive hops, if I remove the VPN interface from the resolver and add back in my WAN, everything works and trace route hops drop. If I add both, I get leaks. I assume the content delivery network stuff gets messed up like one poster mentioned? I think my only solution at the mo is to not use VPN client in pfsense, and stick to the windows/Mac clients on the machines that I'd like to use the VPN.... I'd like to add Pihole or adblocker next, so keen to understand if this got resolved. Also how can I prevent the resolver using my fail back LTE link for dns, but still support dns when WAN is down? This all feels related and like there should be an easier way to achieve this out of the box :-) Random brain dump - do we need to ultimately have 2 x Pihole, resolver etc. (1 for WAN 1 for VPN clients) to get around this problem? Is it a design constraint with a single resolver?
  • Share Login Failure through VPN

    0 Votes
    4 Posts
    539 Views
    C
    Thank you for the suggestions, but they really don't address the basic issue. Once connected with the VPN, the server should know who I am and credentials shouldn't be needed again. I tried this on a couple of other computers and discovered that it's something particular to my computer. That makes for a much different troubleshooting process. I'll close this as I look into it. Thanks!
  • OpenVPN - only 1 user can connect per public IP?

    openvpn one ip address
    0 Votes
    18 Posts
    2k Views
    J
    Thoughts anyone?
  • Dynamic Selection of Outgoing VPN

    0 Votes
    2 Posts
    326 Views
    G
    @guardian Any hints/suggestions? I know how to set up an interface/VPN client... It is just the selective routing I need a hand with.
  • OpenVPN Inter-client communication option doesn't work

    0 Votes
    11 Posts
    2k Views
    Pippin
    Welcome :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.