Welcome.

Ok, thanks, I will plan for one user/cert per TC then. EDIT: That means creating one user/cert per Thin Client on pfsense, and creating one specific profile (in terms of IGEL UMS) per TC (deploying the individual cert, configuring the VPN-connection to use that cert). Bit more work but manageable for 4 TCs as in my current case. btw: I plan to name the users/certs after the MAC of the TC to keep it traceable and not get something like user-names in there. OK?

There is no web-based or in-browser VPN available on pfSense.

In your diagram pfsense has ZERO to do with your client running openvpn and connecting to some outside vpn server? Zero!! Unless pfsense is blocking the port your wanting to connect to the vpn server on, default UDP 1194 pfsense has nothing to do with it. Did you modify the default lan rules? because out of the box they are any any and that client would be allowed to do anything it wants outbound to the internet.. Are you wanting instead this configuration? [image: 1539079606325-vpn-resized.png] Where pfsense is the client to the vpn server, and 1 machine or multiple machines behind pfsense can be used to use the vpn to go to sites on the internet, while other machines just go out the normal internet?

@execcr said in OpenVPN in existing enviroment: could only ping clients but not reach other ports, firewall completely opened.: a Zyxel UTM Why do you not just run your vpn server there just replace it with pfsense? Running an vpn server that is inside your network is always going to be a asymmetrical mess...

Yes indeed that would be it. Nice to see it got implemented: https://forum.netgate.com/topic/120569/oddity-with-viscosity-openvpn

I think his question is already answered here https://forum.netgate.com/topic/136428/setup-multiple-subnets-with-dhcp-question -Rico

Yes. You have to use an extended query so the authentication fails unless the user is a member of that group. Those VPN access permissions have nothing to do with OpenVPN.

Did you set Firewall Rules in the OpenVPN Group tab? -Rico

OK, I've just found the reason. The hiding of the "IPv4 Local networks(s)" edit box is simply because of the selected option "Force all client-generated IPv4 traffic through the tunnel". As soon as that option is deselected the elusive edit box is displayed again.

You'll need to provide a bit more info than that. You mentioned an east coast server. Where's the other? Generally load balancing has to be configured at both ends. What precisely did you have in mind?

Or you could just ssh to pfsense and cat the file and then copy paste or use scp ;) or sftp to browse your pfsense box - many many ways to skin that cat ;)

i removed key-direction 1 from my config and its gone. i guess the provider does not support this functionality

Only traffic able to pass through it is ping, and that's from the road warrior to the gateway. Is there a way to allow any traffic to go through it without redirecting gateway? Just so I can selectively choose programs to go through? Thank you

Sorry if I’m all over the place in my explanation, aside my setup I’ll just explain the issue I had. Pfsense LAN 192.168.102.x connected to switch. Switch connect to NAS and PC, worked perfect. If I made the PC part of the PrivateInternetAccess alias I would lose the ability to connect to the NAS even though it was on the same network. If I made the NAS Part of the PIA alias it would work but now the rest of my devices couldn’t connect to NAS.

I did, I also later on stated I've tried my LAN v6 but it never worked. Afterwards I got it to work recreating it using identical configuration. Thank you both @jimp and @JKnott for the help. My issue has been resolved by itself.