• Vlan Tag on all connected Openvpn Users

    4
    0 Votes
    4 Posts
    3k Views
    Derelict
    You cannot put 10.0.0.0/8 on an interface and use 10.100.5.1/24 to give to OpenVPN clients. Those subnets overlap. If you, for example, assign the IP address 10.23.56.34/8 to a host on em2 and it has traffic for 10.100.5.1, it is going to think it's on the same subnet and not send the traffic back to the firewall to be forwarded to the OpenVPN client. To tag traffic on a pfSense interface, you must first create a VLAN on the interface under Interfaces > (assign), VLANs tab, then assign the interface to VLAN XXX on em2 in Interfaces > (assign). Then connect em2 to a switch port or device that expects traffic tagged on VLAN XXX.
  • OpenVPN tunnel

    2
    0 Votes
    2 Posts
    945 Views
    jimp
    Make sure the client is getting DNS servers it can reach over the VPN. If the client is still attempting to use ISP-specific DNS servers, they would fail when run through the tunnel.
  • Contractor VPN

    6
    0 Votes
    6 Posts
    1k Views
    V
    As mentioned above, the contractors should only have access to a single host. So you have to put a firewall rule on the OpenVPN interface to permit only this one destination from the contractors' VPN tunnel. If this rule is in place, there will be no access possible to the pfSense GUI.
  • Allowing certain devices to bypass openvpn

    5
    0 Votes
    5 Posts
    1k Views
    T
    Thanks, I'll give that a go :-)
  • Pfsense 2.3 static client IP

    11
    0 Votes
    11 Posts
    5k Views
    H
    Based on my log, everything seems fine.  :'( [image: log.JPG]
  • Can't get OpenVPN data to other router & Network on LAN

    7
    0 Votes
    7 Posts
    1k Views
    johnpoz
    Your design oversight steps on a network that is owned by T-Mobile. NetRange: 172.32.0.0 - 172.63.255.255; CIDR: 172.32.0.0/11; Organization: T-Mobile USA, Inc. (TMOBI). This is a really bad idea to use public space that is not owned by you internally.
  • Bridge DHCP default disabled

    1
    0 Votes
    1 Posts
    510 Views
    No one has replied
  • Log filled with repeated message

    3
    0 Votes
    3 Posts
    1k Views
    O
    Thank you. I have logs at default and recommended levels.
  • Unable to connect a client to OpenVPN pfsense 2.3

    18
    0 Votes
    18 Posts
    6k Views
    johnpoz
    Being in different timezones is not a problem..  But having the wrong time while you're in a timezone sure going to have a problem ;) Why you should always sync off NTP ;)  Which sets your time correctly for the timezone you're in.. But you still have a really OLD client, why would you not update that… But maybe it's because you're running on a Linux distro whose last update was what, 2011?
  • OpenVPN Fatal Error

    2
    0 Votes
    2 Posts
    1k Views
    D
    The error message "Cannot open TUN/TAP dev dev/tun1:Device busy" points to a previous instance of OpenVPN already running. This can happen if you're playing with your OpenVPN settings, trying to get things "right" and restarting the OpenVPN client and/or server. Sometimes the previous instance doesn't exit cleanly and can hang around for a while. I would try a full reboot of the box to make sure you have a clean start and see what your logs look like.
  • OpenVPN tunnel whole interface

    1
    0 Votes
    1 Posts
    695 Views
    No one has replied
  • PIA VPN not working on Pfsense 2.3

    2
    0 Votes
    2 Posts
    2k Views
    W
    Forget the PIA website instructions…worthless. This is what worked for me... very nice tutorial: https://forum.pfsense.org/index.php?topic=76015.0
  • Route all client vpn traffic to only one IP on network

    15
    0 Votes
    15 Posts
    3k Views
    Derelict
    And, while on the subject, configuring outside servers to return RFC1918 addresses subjects you to dealing with DNS rebinding protections. Ran into this a few times running internet for a hotel meeting space. Told them to slap their network admin in the face hard when they got back and use a hosts file entry. Many of them were even 192.168.0.X - like that will work reliably on random, private networks.
  • PfSense for secure browsing from public WiFi?

    36
    0 Votes
    36 Posts
    8k Views
    D
    The Airport Extreme makes a fine Access Point and switch if you only need 4 Lan ports. In the Windows Airport utility, Internet tab, you have the Connection Sharing drop down in which you specify Off (Bridge mode). With that set you can also use the Wan port as just another Lan port providing a total of 4 ports.
  • Wizard broken since 2.3?

    6
    0 Votes
    6 Posts
    1k Views
    Pippin
    Now I know  :)
  • Local vs VPN DNS Name Resolution

    26
    1 Votes
    26 Posts
    8k Views
    Pippin
    Will try to find why it's working for me. That machine, as I just discovered, is getting detected through NetBIOS, so yes, maybe it's WINS. Under Network select View-Details, then right click on the columns (Name-Category-Workgroup-etc.) and select "Discovery Method". Then you can see how they're discovered, obviously  :o I hope that's clear enough because I don't have the English version of Windows  :)
  • OpenVPN Remote Access, Tap Connector and no Internet Access

    2
    0 Votes
    2 Posts
    1k Views
    M
    Hello, I have the same problem. When I'm connected to the VPN I can not surf the Internet, but have access to the remote network.
  • [Solved] Force a reconnect of a vpn client

    5
    0 Votes
    5 Posts
    4k Views
    T
    Removed 'ping-restart' and other 'ping-xxx' options from the config and now the VPN client doesn't die.
  • First OpenVPN Setup - Can Get Connected But No Traffic to LAN

    6
    0 Votes
    6 Posts
    3k Views
    R
    That was it - changing it to 10.254.254.0/24 worked! Thank you all!
  • OpenVPN connection - Try not to laugh

    7
    0 Votes
    7 Posts
    1k Views
    T
    Moikerz, Pippen, NOYB, I really appreciate you guys replying back.  I've researched some things already that you all have mentioned and I'm going to do my best to dive in and start testing.  Wished I was looking for something simple in the GUI.  Guess not. I appreciate the sympathy on the matter.  I live in a state with only about 4 million people.  And I live in one of the larger cities if you wanna call it that.  I just refer to it as a big town.  So if we want more bandwidth, we have to cough up a heck of a lot.  The whole supply and demand thing. Right now I'm looking for a reason to switch out a few of my clients' DD-WRT routers with a bigger gun, like pfSense.  Was hoping pfSense alone with little customization would provide a better OpenVPN experience.  Aside from the killer interface in pfSense I'm pretty much in the same place I started with DD-WRT. Thanks guys!  Hoping I can make pfSense work out for me.  I haven't had this much fun with tech in a long time.  I could play with that GUI for hours on end.  Just wish I had more time.  "Technology, why can't it be easy?"  Guess that's why we get paid the big bucks ;)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.