• OpenVPN w/Radius Authentication via AD

    6
    0 Votes
    6 Posts
    1k Views
    jimp
    Logging into a VPN won't log you into the domain. Two completely different tasks.
  • One client can connect to VPN but not the other….

    6
    0 Votes
    6 Posts
    1k Views
    B
    @ega: Tried with another Laptop? If another device reach LAN IP address, and reaches internet, is not crazy to think that the problem is not in the server. If it's in the server, try with the same usr that cannot connect on your phone, and with the usr that can connect on your laptop, this is the unique variable that I saw on first plane, if the problem is on server.
    Interesting! Thanks for the suggestion. Here is what I came up with.
    1. Laptop user on phone: Works! By "works", I mean I can connect to my network AND tunnel web traffic through the VPN, i.e., "surf the web". Phone <--> LAN/VPN server <--> WAN
    2. Phone user on laptop on neighbor's network: Works!
    2. Phone user on laptop ON SCHOOL NETWORK: No go! Again, I can connect to my LAN/pfSense box/OpenVPN server, but I CANNOT get through to the WAN. Laptop <--> LAN/VPN server <--///--> WAN
    …So I am guessing it is something on my Macbook? I know we are venturing out of the scope of this forum, but what could it be?
    Could it be the super-locked-down network I am on when away from home? It's a public university network that uses 802.1X. It seems everything is blocked except TCP 443 (which is what my VPN uses). Could it somehow let me connect to my VPN but not allow me to access websites? My setup USED to work on this network. Could they have somehow blacklisted my MAC? It seems to go against the point of the encrypted tunnel...
  • Identifying bottleneck

    1
    0 Votes
    1 Posts
    799 Views
    No one has replied
  • Hw recommendations?

    1
    0 Votes
    1 Posts
    580 Views
    No one has replied
  • No connectivity to remote site via openvpn

    4
    0 Votes
    4 Posts
    946 Views
    E
    Here is where I'm saying [image: OpenVPN_Conf.png]
  • PIA how do I set the handshake to RSA-4096

    1
    0 Votes
    1 Posts
    566 Views
    No one has replied
  • Site to Site VPN with two networks on one end

    6
    0 Votes
    6 Posts
    1k Views
    Derelict
    Yes.  That should work fine.  Like I said, leave both iroutes enabled and check the routing tables after they connect.
  • LDAP authentication; some users work, some don't

    13
    0 Votes
    13 Posts
    2k Views
    J
    @jimp: That's entirely up to the Windows box and what it allows with Anonymous binds vs binds with a service account.  You might be able to find some other info on the net about that unrelated to pfSense (since it's a general Windows LDAP issue, not a pfSense issue)
    I agree this has to do with my own server configuration and nothing to do with pfsense LDAP implementation. Thank you for your responses.
  • Open VPN Site-to-Site not routing from Clients

    11
    0 Votes
    11 Posts
    2k Views
    H
    check fw rules on their respective LAN-tabs
  • Old IPv6 route for OpenVPN subnet not erased on update

    2
    0 Votes
    2 Posts
    540 Views
    jimp
    That would mean it's OpenVPN itself leaving it in the table – pfSense doesn't manage the routes for OpenVPN, they are handled directly by OpenVPN. You might post about it on their forum or bug tracker. They may want to see your OpenVPN config before and after the change, and a copy of the routing table before and after the change. The OpenVPN config would be in /var/etc/openvpn/, routing table can be copied from the output of "netstat -rn"
  • Separate VPN client solely for web browsing?

    2
    0 Votes
    2 Posts
    489 Views
    D
    You can run as many OpenVPN servers with different configuration as you wish.
  • TLS Error upon connecting in PFsense server with openvpn client

    16
    0 Votes
    16 Posts
    11k Views
    johnpoz
    "After I finished the Wizard, my OpenVPN server had been assigned the user cert" Again dude the Wizard does NOT do that, cannot do that!!  So if you did that, that is on you not the wizard.. Not sure how that could ever happen other than just pure stupidity?? If English is not your native language "Invalid purpose" might be a bit confusing, but if you actually speak English how is that not clear??
  • Openvpn configuration file

    8
    0 Votes
    8 Posts
    3k Views
    T
    thanks now I will test
  • Unable to reach LAN after successful connection

    19
    0 Votes
    19 Posts
    2k Views
    J
    @johnpoz: "nslookup from the client says it's using 127.0.1.1 as server." Your clients said they were using loopback address as their dns?  Were they running any sort of dns server that forwarded.. That makes no sense at all..
    This is from a Linux client.  I have to specify nslookup someIP dnsIP and it works. My Windows clients are now working correctly!
  • SSL/TLS + User Auth = no client export packages

    19
    0 Votes
    19 Posts
    2k Views
    jimp
    Unfortunately LDAP schemas vary widely so it would be tough to pull something like that off. Not sure I like the idea of fetching a client's private keys via LDAP either, but as long as LDAP is using SSL itself it may not be too bad. The problem then becomes finding a way to query the LDAP server in such a way that it can get a list of all users with certs/keys available. Gets ugly fast…
  • OpenVPN Dual WAN - partially working

    6
    0 Votes
    6 Posts
    1k Views
    A
    Hi guys, I have a similar issue to this but with a dual WAN on the client side. The client just works with the default gateway (WAN or WAN2), but if I do a test with just the WAN2, the connection does not work.  I do an openvpn resync or just click on the submit button on the openvpn config and the connection works in a couple of seconds.  Fast! Can you please provide some help?
  • Instructions on OpenVPN TAP with pfsense (server) and Windows (client)

    6
    0 Votes
    6 Posts
    3k Views
    E
    Yes, the VPN server can provide DNS server for the remote client. Follow these instructions: https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server Keep me posted if anything goes wrong
  • OpenVPN with Witopia periodically fails to resolve DNS for server

    1
    0 Votes
    1 Posts
    617 Views
    No one has replied
  • How to redirect public traffic to openvpn connected client

    3
    0 Votes
    3 Posts
    720 Views
    N
    It worked, after I restarted the pfsense box. Thank you :-)
  • Missing config setting with tls-auth option - feature request

    2
    0 Votes
    2 Posts
    725 Views
    jimp
    Why are you omitting that value when the documentation recommends it be set for increased security?
    The optional direction parameter enables the use of 4 distinct keys (HMAC-send, cipher-encrypt, HMAC-receive, cipher-decrypt), so that each data flow direction has a different set of HMAC and cipher keys. This has a number of desirable security properties including eliminating certain kinds of DoS and message replay attacks. When the direction parameter is omitted, 2 keys are used bidirectionally, one for HMAC and the other for encryption/decryption.
    You're just hobbling the feature by omitting the direction. Seems it would be much simpler to add the direction on the server side like it wants.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.