• Need help forwarding traffic through VPN

    0 Votes
    2 Posts
    633 Views
    Derelict
    Yeah. Your walkthrough has the workstation behind pfSense. You have it in a triangle. Give the Hyper-V VM an extra NIC as LAN, connect your workstation to that and try again.
  • Violates tunnel network/netmask constraint

    0 Votes
    2 Posts
    3k Views
    J
    Ok. I understand this is due to the OpenVPN topology change in the new release. Now my next question is how do I specify an IP for a client with "Subnet – One IP address per client in a common subnet"? I tried to specify a client IP in the same subnet by entering "10.8.1.200/32" into the tunnel network settings for user.cert.name, and I can see the VPN established but traffic is unable to pass through. Also, with the new topology, can I specify a client's IP in another subnet? Thank you.
  • Site to Site plus remote user

    0 Votes
    6 Posts
    2k Views
    M
    Assuming the remote end is allowing ICMP through and the Backup site machines are running Windows, it's because Windows denies ICMP echo replies to IPs outside of its local subnet by default. You either have to disable the software firewall or add an exception to the firewall.
  • OpenVPN site-to-site tunnel fails to connect to Ubiquiti EdgeRouterX

    0 Votes
    2 Posts
    753 Views
    M
    Unfortunately, we need more info, and since you are not in control of the remote end, that makes things difficult. There are a couple of things at play: some of it may depend on the remote end's implementation of OpenVPN, and the other is that your device is behind an edge router, which means you will need to forward port 1194 (or whatever you have configured) to pfSense and possibly add a static route in the edge router for the pfSense OpenVPN tunnel network. So, from my perspective, we need to know if the tunnel is actually being established and there's just a routing issue, or whether we are having issues establishing the tunnel itself because of a config mismatch or possibly because of incompatible implementations of OpenVPN on the two devices. What are the logs showing?
  • Client - Server and Site to Site VPN both pointing to the same local LAN

    0 Votes
    2 Posts
    716 Views
    M
    In a routed solution, all subnet ranges on both sides have to be unique.
  • Express VPN setup as open vpn

    0 Votes
    4 Posts
    4k Views
    J
    @daviddst: Hi, I'm using multiple ExpressVPN connections on pfSense without issue. Configuration sample:
        Server mode: Peer to Peer
        Proto: UDP
        Device mode: tun
        Interface: WAN
        Host: miami-cluster1.expressnetwork.net
        Port: 1194
        TLS Auth / Enable auth of TLS packet: copy/paste the OpenVPN Static Key
        Peer Cert Auth: select the OpenVPN CA (needs to be imported)
        Client Cert: select your OpenVPN cert (needs to be imported)
        Enc algo: BF-CBC (128 bits)
        Auth Digest Algo: 160 bits
        Compression: Enabled with Adaptive Compression
        Advanced: fragment 1300
    Good luck ;-)

    Hello, I am so happy that you were found on this forum. Please excuse me if I ask you for much; I am not a network or computer guru. Can you please provide me with an image step-by-step tutorial in the new pfSense GUI? I am not asking you to show me your internal and external IPs, I just want an example of how it is done. Thank you very much for the trouble.
  • ExpressVPN (OpenVPN)

    0 Votes
    2 Posts
    3k Views
    Y
    Howdy, Jediah! This thread may be able to help: https://forum.pfsense.org/index.php?topic=107415.0 Good luck!
  • Can't get openvpn to start and stop via cron

    0 Votes
    4 Posts
    3k Views
    H
    You'd need some other script to actually mark the tunnel disabled before calling the stop, and then mark it enabled again before calling the start. Probably easiest using the developer shell: record a new macro to disable/enable the VPN and then use cron to call that macro. Some clues:
    config snippet when disabled:
        <openvpn-server>
            <vpnid>2</vpnid>
            <disable></disable>
            <mode>server_tls_user</mode>
            <authmode>Local Database</authmode>
            <protocol>UDP</protocol>
            <dev_mode>tun</dev_mode>
        </openvpn-server>
    config snippet when enabled:
        <openvpn-server>
            <vpnid>2</vpnid>
            <mode>server_tls_user</mode>
            <authmode>Local Database</authmode>
            <protocol>UDP</protocol>
            <dev_mode>tun</dev_mode>
        </openvpn-server>
    So basically you're going to need to set/unset the <disable> tag in the XML with something like:
        unset($vpnconfig['disable']);
    or
        $vpnconfig['disable'] = true;
    Don't copy/paste the above, it needs some work to … uhm, work ;)
    https://doc.pfsense.org/index.php/Using_the_PHP_pfSense_Shell
    checkbox: https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/vpn_openvpn_server.php#L628-L633
    disabling: https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/vpn_openvpn_server.php#L470-L472
  • Connecting to xxxxx config file is failed Windows 10 client 2.3 pfsense

    0 Votes
    2 Posts
    962 Views
    T
    :D I fixed the problem. The problem occurs when you have NPS on Windows Server 2012: you need to ensure that the account's dial-in dialog in Active Directory says "allow access" and not "NPS Policy". When you change the value, test with the pfSense authentication option and it is successful; when you try again with OpenVPN it works. Remember to install the certificate under Trusted Root in Windows Certificates.
  • Can't access branch office LAN via OpenVPN

    0 Votes
    3 Posts
    865 Views
    J
    It works!! thanks
  • Can ping and connect to hosts except .1, the one I need

    0 Votes
    6 Posts
    1k Views
    jimp
    You could also switch to hybrid outbound NAT (or manual) and add a rule to NAT outbound on the internal interface from a source of the VPN subnet to a destination of .1, NATing to the firewall's address in that subnet. If that works, there is definitely a filter or routing/gateway issue of some sort on .1.
  • [Solved] OpenVPN Connection issues

    0 Votes
    10 Posts
    45k Views
    H
    I found the issue. I had some rules that were imported from the upgrade to 2.3. They were all incoming rules. 1194 was at the top of the rule stack, but for some reason the other rules had the firewall jacked up. I deleted all the rules and NAT rules. Basically cleared everything out. Cut pure NAT on and re-added all the rules to NAT and the firewall, and the VPN connected. I did all this after sniffing the WAN traffic that cmb suggested and saw it hitting the firewall. I can ping the server-side subnet from the client. All is well now. Thanks for the input guys. This has been a real headache, but a lesson nonetheless. I could prolly instruct my grandmaw on how to set up OpenVPN now.. over the phone and just waking up with a hangover. :)
  • Policy Routed Multi-WAN OpenVPN?

    0 Votes
    5 Posts
    1k Views
    T
    OK. I think OSPF does routing, but not load balancing, though. So it sounds like the only way to do this would be to create two separate OpenVPNs on both sides (one for each remote branch WAN), then assign interfaces for them on both sides, and then policy route the traffic through the tunnels on both sides. I'm thinking that since the traffic would be policy routed on both sides, neither side would have a routing conflict (even though the same subnets are configured on both OpenVPN tunnels).
  • Accessing remote LAN problems with OpenVPN Site to Site (Shared Key)

    0 Votes
    12 Posts
    10k Views
    B
    @viragomann: Since the IP packets come from another network which the destination host has no route for, it sends responses to the default route (gateway). As said, you either need a route at site A or do NAT at the VPN server. I see 3 ways to resolve: Add a NAT rule to the VPN server which translates the VPN packets' source address to its LAN address. The disadvantage of this is that any access to the destination host seems to come from the router and you are not able to determine the real source address. If that doesn't matter for your purposes, this will be the easiest solution for you. To add the NAT rule go to Firewall > NAT > Outbound; if the router is just for VPN as you said, you can select "Manual Outbound NAT rule generation" and hit save. Otherwise select "Hybrid rule gen". Add a new rule by clicking "+" or "Add":
        Interface: LAN
        Source: Network, and enter site B's LAN network
    Leave the rest at its defaults, enter a description and save the rule. Now source addresses in packets coming from the other site are translated to the pfSense LAN address, which is in the same subnet as your LAN host, so responses are sent back to pfSense, which directs them over the VPN.

    That is the best option for me :) I've tried it out and thanks to your detailed guide I got it to work! I'm so happy. Thank you very much! Finally the clients from Site B can access the shares from Site A ;D
  • Connection Dropping OpenVPN after 2.3 update

    0 Votes
    5 Posts
    1k Views
    C
    What do you get in the OpenVPN logs at the time?
  • OpenVPN - TAP - OpenVPN needs a gateway parameter

    0 Votes
    3 Posts
    23k Views
    K
    Solved
  • OpenVPN or port forwarding?

    0 Votes
    4 Posts
    2k Views
    johnpoz
    Yeah, I failed to mention I watch my Plex server from my phone via just clicking VPN and then opening up my Plex app.. Sure and the hell not going to open up my Plex server to the public internet so I can watch something when I want on the road. Click click on my phone and there you go, watching video/music just like I was on my actual LAN.. I have 1 thing forwarded, that is NTP, which I serve to the public as a member of the NTP pool.. Anything else you want on my network you have to VPN to get to..
  • Vlan Tag on all connected Openvpn Users

    0 Votes
    4 Posts
    3k Views
    Derelict
    You cannot put 10.0.0.0/8 on an interface and use 10.100.5.1/24 to give to OpenVPN clients. Those subnets overlap. If you, for example, assign the IP address 10.23.56.34/8 to a host on em2 and it has traffic for 10.100.5.1 it is going to think it's on the same subnet and not send the traffic back to the firewall to be forwarded to the OpenVPN client. To tag traffic on a pfSense interface, you must first create a VLAN on the interface Interfaces > (assign), VLANs tab, then assign the interface to VLAN XXX on em2 in Interfaces > (assign). Then connect em2 to a switch port or device that expects traffic tagged on VLAN XXX.
  • OpenVPN tunnel

    0 Votes
    2 Posts
    941 Views
    jimp
    Make sure the client is getting DNS servers it can reach over the VPN. If the client is still attempting to use ISP-specific DNS servers, they would fail when run through the tunnel.
  • Contractor VPN

    0 Votes
    6 Posts
    1k Views
    V
    As mentioned above, the contractors should only have access to a single host. So you have to put a firewall rule on the OpenVPN interface to permit only this one destination from the contractors' VPN tunnel. If this rule is in place, there will be no access possible to the pfSense GUI.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.