• Upgrade to 2.3 and /30 topology

    10
    0 Votes
    10 Posts
    3k Views
    The original issue here is fixed in 2.3.1, the config upgrade will now appropriately set your topology to stay the same as it was previously. 2.3.1 also has the latest OpenVPN 2.3.11, though I don't see anything between 2.3.10 and 2.3.11 that'd be relevant. https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
  • [SOLVED] openVPN auth. + OTP server (strange behaviour)

    3
    0 Votes
    3 Posts
    2k Views
    @divsys: The two issues that immediately come to mind: the ports you use on pfSense for the two different OpenVPN servers must be different and have the appropriate firewall rules enabled. You can use both 1194 and 11394 for the two different servers, but you must have firewall rules for both. The certificate you used for the 2nd OpenVPN server should be different than the 1st (you say that it was - good), but the CA used for that certificate must be the same as the CA used for the client's certificate. In addition, the client's certificate should be of type "User", NOT "Server". Your log error message indicated that something was trying to connect (that's good) but failed to handle key negotiation (not so good). Hi divsys, thanks for your help :-) It isn't the first proposition because I created 2 rules on the WAN interface (1 for 1194 in UDP and 1 for 11394 in UDP too..) and I added a rule to allow any traffic on the OpenVPN interface. The certificate for the 2nd OpenVPN server is another certificate than the 1st. I created a CA different from the 1st and from this new CA, I created an internal certificate of type "Server". I use this internal certificate in the OpenVPN server at the option "Server certificate". But if the certificate isn't good, how is it possible that the OpenVPN works when I try from INSIDE the infrastructure? Oo' When I look at my OpenVPN client config, I see the WAN IP of my pfSense. And when I try OpenVPN with my internet connection shared from my mobile phone to my laptop, it doesn't work :'( My purpose is to use OpenVPN with just login/password+OTP without any client certificate. EDIT: the problem has been solved. A little problem with virtual IP… ::)
  • OpenVPN Site 2 Site shared key can't ping devices on the server side

    2
    0 Votes
    2 Posts
    800 Views
    It was a switching problem at the server side lan  :o
  • OpenVPN Client page missing proxy port field

    1
    0 Votes
    1 Posts
    575 Views
    No one has replied
  • How to limit authentication attempts

    2
    0 Votes
    2 Posts
    3k Views
    johnpoz
    That link is to OpenVPN Access Server, not the community edition that is installed on pfSense. If they are authing to your AD, why don't you just lock out the AD account? I think that is your typical AD out-of-the-box setup: so many failed and locked.
  • Client Specific Override

    4
    0 Votes
    4 Posts
    776 Views
    This is still not working
  • Host Route Injection

    2
    0 Votes
    2 Posts
    1k Views
    johnpoz
    huh?? Why do you want a host-specific route? So what is your VPN tunnel network? For example mine is 10.0.8.0/24, so yes, pfSense has a route to that network via the OpenVPN interface. So the client connects and gets an IP in the 10.0.8.0/24 network - so pfSense yes knows how to get to it down the tunnel. Why would you want/need a host-specific route?
  • PIA, PfSense, Plex

    9
    0 Votes
    9 Posts
    3k Views
    I think the best solution is to switch VPN provider. I am Plex Pass member, pfSense user and AirVPN user. Those 3 work pretty well together. AirVPN allows you to setup port forwardings (up to 20) so you basically apply the same concepts you set on routers.
  • FreeBSD ifconfig failed: external program exited with error status: 1

    10
    0 Votes
    10 Posts
    10k Views
    SOLVED!!!! Really thanks you!!!
  • OpenVPN and Port Share

    8
    0 Votes
    8 Posts
    3k Views
    See attachments. I have two internal networks: 192.168.5.0/24 and 192.168.6.0/24. The nginx webserver used in port share is 192.168.6.2. [images: OpenVpn1.png, OpenVpn2.png, OpenVpn3.png]
  • Strange problems with OpenVPN authentication

    7
    0 Votes
    7 Posts
    8k Views
    It didn't help, same problems. If the same user tries to connect via a different user, e.g. my user - it's a success, every time on the first attempt. However, yes, with his account/mobile OTP - problem. It's definitely not his PC, as he's able to log in with different accounts from the office, and it's also not a VPN client problem. The only difference is where the OTP is generated, either on his mobile or ours. EDIT: We've found the problem. Starting from the point that he can connect as described above, we knew it's a mobile-related problem. It seems like somehow the time on his phone was ahead, and once I increased OTP Lifetime from 3 to 6 in the freeradius settings he was able to log in always on the first try. Thanks for all the help!
  • 0 Votes
    3 Posts
    453 Views
    Thank you Derelict, it works!
  • Openvpn peer to peer (SSL/TLS) multiple site

    1
    0 Votes
    1 Posts
    825 Views
    No one has replied
  • Windows default DNS server, configurable?

    4
    0 Votes
    4 Posts
    1k Views
    @johnpoz: the use of multiple DNS servers that can not answer the same questions the same way is a bad idea.. You can never really be sure which DNS will be queried. Windows uses many different things to figure out which DNS is queried; just because you have them listed 1 and 2 doesn't mean that is how it's always going to be queried. This is a very common mistake.. The DNS you put in your client should be able to resolve the same stuff the same way. If you want to resolve local stuff then you should point to your server(s) that are authoritative for your local stuff, and have them query or forward to something else that can resolve public stuff. Pointing to a local and a public one at the same time is going to give inconsistent results depending on how exactly the client determines which DNS to use. Once Windows, for example, finds that DNS 2 gives answers when it had an issue with 1 - it's not going to go back to 1 unless there are issues with 2, etc.. Getting an NX for a query does not mean that DNS is bad.. how does the DNS resolver know it should check its other DNS? What if it gets back an SOA vs NX, etc. etc.. If you need to resolve work stuff when you VPN to a remote site, it's probably best to just create hosts file entries on your host for what you need to resolve on the VPN side. Your problem is that you want to resolve 2 different local domains with different name servers that are authoritative for their respective local domains. Your other option would be to run another nameserver, say on your client, that has specific forwards set up for where to go ask for specific local domains, and where to forward when it's not a local domain. So you could have a forward on this server that asks the work DNS when looking for work domains, and the VPN DNS when looking for VPN domains, etc. But splitting nameservers on your client is never going to function the way users think it does. And it can also leak DNS info, where you're asking the wrong server.. For example the work server might now know you're looking for lots of records for some odd local domain. Or if you're asking your VPN for these work domains, it will either try and resolve them directly, which isn't all too bad, or maybe it forwards to your ISP DNS and now your ISP has records of all these odd queries. This is only an issue depending on how tight your tinfoil hat is. But it is another problem with having split DNS on a client where the nameservers do not have the same info on them.. That's true.. didn't think about it that way. Thank you!
  • Openvpn with free-radius - time management and bandwidth control

    2
    0 Votes
    2 Posts
    1k Views
    Any solution? Does anyone use RADIUS with OpenVPN? :(
  • Can't access my access point on network, strange tracert

    10
    0 Votes
    10 Posts
    2k Views
    Derelict
    If you can enter a default route in the static routes, then enter one pointed at the pfSense interface. That would be the preferred method.
  • Cannot Single LAN Website over OpenVPN Connection

    2
    0 Votes
    2 Posts
    539 Views
    Just found this thread after posting. https://forum.pfsense.org/index.php?topic=111557.0 Looks like it is the TP-Link hardware. Will refer to the responses there. There is no access point mode in the router setup on the AC3200 either.
  • Site to site PKI VPN client connection trouble

    1
    0 Votes
    1 Posts
    459 Views
    No one has replied
  • iPhone Verizon IPv6 IP Address = Can't Connect. Wifi IPv4 = Can Connect

    2
    0 Votes
    2 Posts
    476 Views
    push "route-ipv6 ::/0" <= think that fixed it
  • OpenVPN client for vlan only running alongside server

    2
    0 Votes
    2 Posts
    566 Views
    To put things graphically, here's what I want to do:

        <vpn vlan> ------ <vm eth0> / <gateway interface> ------< ------ <local net>
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.