How can these settings, i.e. "Backend for Authentication" and "IPv4 Tunnel Network", have anything to do with exporting user certificates?
The export wizard tries to limit exposing users for export that cannot possibly log in. If you had Local database selected in the server, had created the user certificate, but did not create the user in the local database, then that user would not be able to log in so the user is not exposed for export.
When you select the external authentication method then all it will check for is the presence of a certificate issued by the Peer Certificate Authority.
More information is needed to help you.
What is the server?
What is the client?
What are the Local and Remote networks on each end?
Where are you pinging from?
Where are you pinging to?
You generally have to specify a specific source IP address (like the interface address of a network specified as a Local network in the OpenVPN configuration) to ping across an OpenVPN tunnel from the firewall itself, so it's pretty unclear what you're actually doing.
You can't, and you don't want to. Read the last post on that thread.
https://forums.openvpn.net/viewtopic.php?f=15&t=12605&sid=c75d657e002504a39d34ae664ddd9ad5&start=60#p49837
Ok, just to confirm the issue was that the ISP device had a hidden 'advanced' setting which did not forward Internet packets by default, as I thought.
Once this was found, and packets forwarded correctly, it worked fine!
Thanks for your input!!
I used NTRadPing and I could see there was something wrong with the user, so I went back and checked if the user was a member of the VPN group on the DC, and it was not.
I forgot to add the user back into the group after fiddling around in the DC.
This guide works:
https://community.spiceworks.com/how_to/128944-pfsense-admin-logins-via-radius-using-active-directory-accounts
Thank you for your help, another user just PM'ed me with another method of fixing the issue.
The killswitch now works using the link I just posted above and I'm ready to move on in my network issue 'todo' list.
Thanks so much for your help.
Also I had already deleted the redundant/useless rules. I had just started making any rule on whim to see if I could stumble on the solution.
You'd have to manually craft the OpenVPN server settings to match your server config. You don't have to import the full CA unless you want to manage the keys on pfSense, but if you do want to import it all, see https://doc.pfsense.org/index.php/Using_EasyRSA_Certificates_in_2.x
If you just want to run the server on pfSense, you need only import the CA Cert and server cert.
Hey guys, not that anyone cares, but I think I found the solution. I was using a smart DNS service that was getting around Netflix geoblocking. Part of that had static routes on my edge router. One of them was the Google DNS, which I think the VPN client was trying to use for its own DNS. As soon as I turned off static routes, my mobile devices can connect through the VPN and access the internet and everything else.
@Pippin:
In OpenVPN Server config you can select it under:
DH Parameter length (bits)
Oh ok, I see it. Do you still feel that 2048 is necessary? I'm worried about a performance hit.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.