• Multiple VPN Network on single Pfsense! How to access all network ?

    5
    0 Votes
    5 Posts
    2k Views
    DerelictD
    No.  You add routes and iroutes to OpenVPN and it adds them to the routing table as necessary.
    I'm asking if you can renumber because it would be easier to do (and reduce your chance of a collision with another network) if you were to number your LANs something like:
    172.26.48.0/24
    172.26.49.0/24
    172.26.50.0/24
    172.26.51.0/24
    172.26.52.0/24
    Then, to every site, you would push a route to 172.26.48.0/28
    Then, in your client-specific overrides on the main site, you would iroute the appropriate LAN network to the appropriate client.
    And on all your OpenVPN rule tabs, if you want everyone to be able to access everything, you would pass all traffic from 172.26.48.0/28
  • TLS handshake failed intermittently

    17
    0 Votes
    17 Posts
    7k Views
    johnpozJ
    my client is set to 3 as well, server is set to 4.. let me set it down to 3 and reconnect.
    Ok just reconnected server set to 3 and still see it verify.
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 [johnpoz] Peer Connection Initiated with [AF_INET]publicIP:63992
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 22 14:28:21 openvpn[12190]: publicIP:63992 VERIFY OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=johnpoz
    Oct 22 14:28:21 openvpn[12190]: publicIP:63992 VERIFY SCRIPT OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=johnpoz
    Oct 22 14:28:21 openvpn[12190]: publicIP:63992 VERIFY OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=openvpn
    Oct 22 14:28:21 openvpn[12190]: publicIP:63992 VERIFY SCRIPT OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=openvpn
    Oct 22 14:28:17 openvpn[12190]: publicIP:63992 TLS: Initial packet from [AF_INET]publicIP:63992, sid=6f5a2a44 6d92e177
    Oct 22 14:28:17 openvpn[12190]: TCP connection established with [AF_INET]publicIP:63992
    client
    Thu Oct 22 14:28:17 2015 TLS: Initial packet from [AF_INET]10.56.226.130:8080, sid=ba339956 9c9fc85c
    Thu Oct 22 14:28:19 2015 VERIFY OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=openvpn
    Thu Oct 22 14:28:19 2015 VERIFY OK: nsCertType=SERVER
    Thu Oct 22 14:28:19 2015 VERIFY X509NAME OK: C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=pfsenseopenvpn
    Thu Oct 22 14:28:19 2015 VERIFY OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=pfsenseopenvpn
    Thu Oct 22 14:28:22 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Oct 22 14:28:22 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Oct 22 14:28:22 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Oct 22 14:28:22 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Oct 22 14:28:22 2015 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Thu Oct 22 14:28:22 2015 [pfsenseopenvpn] Peer Connection Initiated with [AF_INET]10.56.226.130:8080
  • OpenVPN stops at 1gb

    1
    0 Votes
    1 Posts
    675 Views
    No one has replied
  • Deluge thru PIA VPN

    2
    0 Votes
    2 Posts
    3k Views
    DerelictD
    All you have to do is be able to identify the traffic.  Post your port config page.
    If you have an inbound port forward from PIA to you, you don't need to do anything because the traffic is obviously coming in PIA.
    For outgoing ports, you will have to uncheck Use Random Ports then set a port or port range for outgoing connections. Then add those ports to the firewall rule that policy routes traffic to the VPN.
    If you set outgoing ports from 63001 to 63010 you would set your firewall rule like this:
    TCP/IP Version: IPv4
    Protocol: TCP/UDP (unless you know it's one or the other)
    Source: Local Host IP
    This is one of the few times it's appropriate to do this, but click advanced
    Source port range: from: 63001 to: 63010
    Destination: any
    Destination port range: from: any to: any
    Advanced Features
    Advanced options: mark the packet NO_WAN_EGRESS
    Gateway: YOURPIAVPNGW
    A better way to do it might be to add an IP alias to your torrent host and make Deluge use only that. No idea how to do that on your system, but Deluge appears to be able to select an interface for outgoing connections. It looks like mine (Mac) just prompts for an interface name. Might take some digging.
  • Openvpn tap ping issues

    1
    0 Votes
    1 Posts
    709 Views
    No one has replied
  • Openvpn ping and routing issue

    8
    0 Votes
    8 Posts
    2k Views
    D
    Just to ask the obvious simple question: If these are Windows machines, have you made sure the internal firewalls are not blocking "foreign" subnets (perhaps turn them off for testing purposes)? Have you tried pinging something easier (like a network printer) instead?
  • ICMP packets between site-to-site VPN client/server?

    2
    0 Votes
    2 Posts
    689 Views
    C
    That's from gateway monitoring, where the specific ovpnX interface is assigned.
  • Register Interface Address in DNS Resolver

    4
    0 Votes
    4 Posts
    944 Views
    johnpozJ
    The interest is in methods of registering with DNS Resolver, i.e. it's resolvable ;)  What is the point of registering it in resolver if you're not wanting to resolve it?? ;)  So yeah the desire/need to resolve is clearly debatable…  Why should we discuss doing something that has no actual value?? Either way, other than an override I do not know a way of registering that IP, which again could be lots of different IPs for each vpn client based upon their /30  What name would it be?  If going to resolve it, has to have a NAME..  so just going to be pfsensename? or pfsense.openvpn.yourdomain.tld ?  What name would you use to resolve it with?  If just PTR, what name would it return? Guess you could ask for a feature request or do some coding to come up with a name for these IPs being used.. So that it could be registered in resolver without override.
  • Cso client unable to get IP due to subnet error

    7
    0 Votes
    7 Posts
    5k Views
    J
    To resolve this issue, I had to edit the openvpn server. If you have checked off 'allocate only one IP per client' under CLIENT SETTINGS, then uncheck this setting and your 'Client Specific Overrides' should now work. This is what resolved the error for me. Jits
  • Openvpn manual routing

    2
    0 Votes
    2 Posts
    715 Views
    H
    You are load balancing and something is probably wrong with ONE of the two routes/connections between the network. Test both individually to figure out which one is causing the issues. If you are natting either of them, then stop natting VPNs between private subnets ;)
  • Help with how-to use LAN printer with VPN clients?

    12
    0 Votes
    12 Posts
    5k Views
    johnpozJ
    SBSI ?? For policy based routing? https://doc.pfsense.org/index.php/What_is_policy_routing Your VPN is your gateway, you set up a rule to use that gateway when you want to use it, either based on dest, port, source IP..  Put this rule above your other rules that allow other traffic to internet..  Do you really need a picture of such a basic concept? Guess I can fire up a vpn connection to one of my vpses and show you a picture..
  • OpenVPN TAP for VOIP Multicast

    2
    0 Votes
    2 Posts
    1k Views
    E
    Well, strangely whatever I tested couldn't get it to work. Changed the drive and NICs to another physical system and connection of OpenVPN is active. Although I added all the firewall rules, traffic doesn't pass over the link. Any ideas? Kind regards.
  • OpenVPN TAP bridge with LAN

    14
    0 Votes
    14 Posts
    5k Views
    I
    Thanks. I'll try it out and I'll come back with the result :)
  • Draytek vigor router as client

    1
    0 Votes
    1 Posts
    503 Views
    No one has replied
  • Some settings are not in the OpenVPN config file

    9
    0 Votes
    9 Posts
    2k Views
    P
    I'm pretty lost now… My iOS client gives me the following line in the log file: "redirect-gateway def1" My MacBook client (Viscosity) does not have this in the log file but when I go to whatsmyip.com I do get the (external) IP from my OpenVPN server. But when I check the options in Viscosity client the box that says: "send all traffic over VPN" is unticked.
  • OpenVPN Listen on Two Interfaces

    6
    0 Votes
    6 Posts
    2k Views
    S
    Just to clarify a few things… I do have IPv6 working through the VPN, i.e. when a client connects they can access things via IPv4 and IPv6. The issue is how you initially connect to the VPN server. You have to use the IPv4 address to connect because OpenVPN is only listening on the IPv4 address. I want the server service to listen on both IPv4 and IPv6. Per your suggestions, I could listen on "any" interface or start another OpenVPN server on the IPv6 interface.  I also thought about adding another "local" line with the IPv6 address in the config file for the server. I've read that using "any" is not recommended in pfSense as it breaks things and it is only there to facilitate upgrades from older systems. So, I think that's out. As for starting a 2nd OpenVPN service, I'm ok with that, but what bothers me is that if I give it the same tunnel IP ranges won't that cause conflicts? Do they have to be different? Is it possible to add a second "local" line to the config file for the server? Thanks, Steve
  • 0 Votes
    2 Posts
    1k Views
    S
    It works. I've added a NAT outbound rule to allow communication:
    interface : openvpn
    source : any
    source port : *
    destination : any
    destination : *
    nat port : *
    static port : no
    nat address : OpenVPN address
    Ping works from a client LAN host to another client LAN host. OUFFFFFF.
  • 0 Votes
    2 Posts
    2k Views
    M
    This just happened to me as "Socket bind failed on local address [AF_INET]192.168.100.10" following a TWTC Internet outage. The logs indicate that pfsense briefly picked up 192.168.100.10 from the motorola cable modem. The question I have is, why did OpenVPN hang on to it?
  • [SOLVED] Port Forwarding on VPN interface

    8
    0 Votes
    8 Posts
    3k Views
    D
    If you go back to your first message, you can edit it and add a [SOLVED] to the title for posterity's sake  ;)
  • Remote OpenVPN client traffic being blocked because of Public IP address

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ
    Why would the traffic for your public IP go through the tunnel, did you hand out routes to the clients that the public IP is down the tunnel?  When your call is set up, the client should be told what the private IP is so it will go down the tunnel just like the call setup.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.