So everyone with a Comodo-issued certificate will be allowed to use your OpenVPN? There are multiple posts about this, mostly pointing out how horrible the idea is.

Set up a 2nd tunnel bound to your 2nd ISP interface. Put your two VPN interfaces into a Gateway group with each set as Tier 1 Use a policy route on your LAN interface firewall rules pointed to the VPN gateway group.

Oh, now it's clear for me. Thanks for explanation.

Quote from: pajo99 on 2015-12-02, 01:47:48 try to remove checkbox from Block Private Networks in WAN inerface and see if it works What? Exactly, Block Private Networks has nothing to do with this issue, as johnpoz already pointed out, the OP is incorrectly trying to use a USER Certificate for an OpenVPN SERVER.

Thanks for updating your progress. If you update the title of your first post to include [SOLVED], it makes it easier to find the fixed issues. Welcome to pfSense  :)

Can we try to solve this with a simplified version of your setup? I would suggest  that we pick 3 sites: The "main" OpenVPN server - Site1 First VPN client - Site2 Next VPN client - Site3 For each Site we need: Site 1 LAN Subnet ???? Site 1 OpenVPN Tunnel Subnet ??? Site 2 LAN Subnet ???? Site 2 OpenVPN Tunnel Subnet ??? Site 3 LAN Subnet ???? Site 3 OpenVPN Tunnel Subnet ??? Can you post the OpenVPN server config screens for Site1 and the client config screens for Site 2 and Site 3?

Probably same root cause as https://redmine.pfsense.org/issues/4587 I'll be looking at that after we replace apinger in 2.3.

OpenVPN on pfSense will send more than enough keep alives to keep that up, and OSPF's hello packets would be more than enough as well. For what you show to happen it really would have to lose connectivity for 60+ continuous seconds between the sites.

Amazing.

leighno5 - Did you get this working? I am having the same issue. If you did, can you post what you did to make it work? I came up with a boatload of IP addresses for Hulu, but with them using Akamai, it's hard to pinpoint the correct ones. I did notice if I check the No Pull box, start Hulu, then uncheck and apply, Hulu continues to work.

ops dont know why i said both are pfsense routers as one is and ones a draytek so thats why i created vm openvpn servers one at both sites behind the routers

I'm not sure that this is a pfSense problem, but probably more of a general VPN VoLTE problem. I have my VPN configured to not route all traffic through the VPN, it only sends the traffic on my work network through the VPN. Public internet still goes out on the regular public gateway. I've got AT&T and called them today to try to troubleshoot the issue. The lady was surprising knowledgeable and actually reached out to their Tier 3 when she was on the phone with me. He did a call trace and said it looked like a device issue not a network issue so they referred me to Samsung. They offered to conference the call with them, but I had to jump on a conference call. If you have any success or further input on what you found out about this I'd love to hear it. My guess is that the call signaling still goes out over the regular voice network and they just reroute the audio payload over the data network. My phone will initiate the call, but it usually drops before the other side ever even rings; at most I get 1 unanswerable ring.

Actually it was a misconfiguration on one of the clients, it was missing the remote subnet option. I did not need to add the client-to-client option on the server side, it looks like when selecting peer to peer it's already there by default. Everything seems to be working now, thanks

192.168.101.101 is the server address in your case. You cannot push it to a client.

This works perfectly as what I want. Thank you viragomann

The wizard is pretty much IDIOT proof, yet seems like every other day we have someone trying to use a user cert for the server… [image: wizardservercert.png] [image: wizardservercert.png_thumb]

I'm really late here but i can tell you expressvpn would be great tool for you solution :) its mos tsecure vpn service provider list on mostsecurevpn.com

Hi, ref 1), advice on how would I do the correct routes? Thanks.

Tunnelblick works perfect with with config  exported via Inline Configurations: Others