@JeGr Thanks. I have a user access vpn on the "server" side now and was thinking of putting the same on the "client" side as well for traveling didn't have to connect to A to get to B. I will be traveling to the other site tomorrow to finish the setup. Thanks all for the info

@yanafig You welcome

@Strive2Learn said in OpenVPN Credentials Manual Console Input During PFSense Bootup?: creating a rule for Amazon to not go through the VPN! GLWT

@JeGr Thanks a lot! I'll be trying.

Just try to do it as written here: https://medium.com/@gmanual/pfsense-mikrotik-openvpn-site-to-site-b001c105843c

OSPF advertises remote network because you redistribute pfSense Kernel Routes. right? if yes try: option1 : uncheck pfSense Kernel Routes to stop redistributing it. Correct, when this is unchecked, OSPF does not learn about the route. It will work when pfsense1 is up and its link works because it is the default gateway. Once it loses its connection, it no longer works because the remote site traffic arrives on pfsense2 over the VPN but tries to return via pfsense1 (the default route). then OSPF in your local network will know about the next hob only which is pfSense 1 or 2 and nothing after them. once the traffic reach one of them it will follow openvpn routes. This is exactly the issue. Somehow, I need the local network to learn that pfsense2 is now the gateway for the remote site VPN traffic. still looking how to stop adding route when openvpn is down This would be great as it would mean everything would work.

Look at the OpenVPN logs they will tell you why it was failing to start.

resolved by adding the remote client subnets to the remote lan list on each end of the site to site config.

Push all LANs to the remote access client by adding them all to the "Local networks" in the access server settings. Additionally you have to add the remote access tunnel network 10.111.0.0/24 to each remote server by adding it to the "Remote Networks".

Got it! NAT was the key, vs modifying rules manually. I have now deleted the extra interface and all firewall rules and all is good. The .10 network no longer exists, I changed up the scheme (mentioned that above but probably wasn't clear). Thanks!

Sure. :) Thank you very much Lokesh Kamath

@juanki_hd hi, it seems to me that, you are using pfSense only......., because of the OpenVPN server @juanki_hd "I think it would be double NAT?" - (you already have one) your current system also have dual-NAT configuration (ISP router to USG = double-NAT, because RFC1918 192.168......172.10.......) BTW: pfSense has more serious abilities than a USG and is more customizable. all your problems will be solved, if you put your ISP device in bridge mode and pfSense will replace USG and USG will be listed on eBay (yeah, joke, but possible)

Could have been another case of those SSL problems with one of the Root CAs rotating their CA cert (old one expired). Perhaps working fine without actually "touching" / restarting it but now needed the new certificate chain to reconnect.

So your on-prem Webserver is also running as OpenVPN client which is connected to your gcloud pfSense? You are only running this one pfSense? What is your OpenVPN mode? -Rico

@AdmiralBTech said in open VPN and vlans: I was thinking of trying to use OpenVPN in TAP mode rather than TUN mode. I wouldn't count on that. Even in TAP mode, there are some things better left rather than to open pandora's box ;) I'd think more along the lines of tools like Zerotier or anything alike that aim to make a L2 capable VPN connection. But really, if the soft-/hardware you have deals heavily with local broadcast or multicasts and "autodiscovery" and such "automagic" things rather then plain IP, I'd leave it alone even if I understand the idea.