• Site-to-Site with Port Forward

    2
    0 Votes
    2 Posts
    304 Views
    V
    You need to state a specific destination address. Forwardings with destination "any" to a single host don't work.
  • 0 Votes
    14 Posts
    2k Views
    W
    thank you a lot for your help
  • Open VPN site to site +multiple clients

    8
    0 Votes
    8 Posts
    774 Views
    Rico
    Personally I always use Certificates (SSL/TLS): https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-ssl-tls.html
    My options are:
        TLS Configuration: Use a TLS Key
        TLS Key usage mode: TLS Encryption and Authentication
        DH Parameter Length: 2048 bit
        Encryption Algorithm: AES-256-GCM
        Enable NCP: OFF
        Auth digest algorithm: SHA256
        Certificate Depth: One (Client + Server)
        Compression: LZ4-v2
        Topology: Subnet
    Maybe you want to disable compression because of the VORACLE attack: https://forum.netgate.com/topic/133930/new-openvpn-attack-demo-d-at-defcon
    -Rico
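The option set Rico lists, written out as a plain OpenVPN 2.4 server configuration for the SSL/TLS site-to-site case. This is an added example, not text from the thread and not the file pfSense generates; the tunnel network, the remote site's LAN, the file paths and the peer's certificate name are assumptions. pfSense's "Certificate Depth" check is done by its own tls-verify hook and has no single plain-OpenVPN directive, so it is not shown. The compression directive appears only as a comment, which is the VORACLE mitigation Rico mentions.

```conf
# Added example (not from the thread, not pfSense output): OpenVPN 2.4
# server side of an SSL/TLS site-to-site tunnel with the listed options.
# Addresses, paths and the peer CN ("siteB") are assumptions.
dev tun
topology subnet                         # Topology: Subnet
proto udp
port 1194
server 10.0.8.0 255.255.255.0           # tunnel network (assumed)

ca   /etc/openvpn/ca.crt
cert /etc/openvpn/siteA.crt
key  /etc/openvpn/siteA.key
dh   /etc/openvpn/dh2048.pem            # DH Parameter Length: 2048 bit
crl-verify /etc/openvpn/crl.pem         # refuse revoked peers (matched by serial)

# TLS Key usage mode "TLS Encryption and Authentication" is tls-crypt:
# the control channel is encrypted as well as authenticated.
# Plain "TLS Authentication" would instead be:  tls-auth /etc/openvpn/ta.key 0
tls-crypt /etc/openvpn/ta.key
remote-cert-tls client                  # peer must present a client-usage cert

cipher AES-256-GCM                      # Encryption Algorithm
ncp-disable                             # Enable NCP: OFF, so the cipher stays pinned
auth SHA256                             # Auth digest algorithm

# Compression: LZ4-v2 would be
#   compress lz4-v2
# It is left out on purpose: VORACLE recovers plaintext from compressed
# TLS-over-VPN traffic, so the tunnel runs without compression.

# Site-to-site: the kernel needs a route to the remote LAN via the tunnel,
# and OpenVPN needs to know which connected peer owns that LAN (iroute in
# the client-config-dir file named after the peer's certificate CN).
route 192.168.2.0 255.255.255.0         # remote site LAN (assumed)
client-config-dir /etc/openvpn/ccd
# /etc/openvpn/ccd/siteB contains the single line:
#   iroute 192.168.2.0 255.255.255.0

keepalive 10 60
persist-key
persist-tun
verb 3
```

The pairing that matters for security is tls-crypt plus the pinned AEAD cipher: with NCP off, neither side can negotiate down to a CBC cipher, and with tls-crypt an attacker who has no copy of ta.key cannot even start a TLS handshake against the port.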
  • 0 Votes
    2 Posts
    1k Views
    M
    Well, I have just got it working. The solution may be very specific to my scenario. First, I need to go through and test all the individual changes I made to ensure each one was needed, remove the cruft that was not needed, and I will post the final solution here thereafter. What I had to do in this scenario was go to pfSense A, go to the advanced settings of IPsec, and from there:
        Auto-exclude LAN address: "Enable bypass for LAN interface IP. Exclude traffic from LAN subnet to LAN IP address from IPsec."
    This box was checked by default. I cleared it and traffic is now working both ways. I suspect what mattered here was the fact that pfSense A didn't have a LAN subnet, and the OpenVPN client subnet may have been seen as a LAN by this rule. I am sure one of the pfSense developers could provide an explanation. Now I just need to check all the routes, rules and Phase 2 parts to ensure they are needed.
  • Trying to start a new OpenVPN but my old broken setup keeps coming back

    1
    0 Votes
    1 Posts
    219 Views
    No one has replied
  • OpenVPN with sTunnel - Routing problem

    2
    0 Votes
    2 Posts
    597 Views
    S
    I didn't understand the route command. By adding this line:
    ```
    route public.pfsense.ip 255.255.255.255 net_gateway
    ```
    OpenVPN isn't routing the pfSense public IP through the VPN tunnel. The problem was that in our environment we force all traffic to be routed through the OpenVPN server, and this broke stunnel, because with this configuration OpenVPN wants stunnel to go through the VPN tunnel and this ends in timeouts. By excluding the pfSense public IP (stunnel runs on this IP too) it keeps the connection, also while the VPN is running. And the DNS problem was a different one. I used the GNOME VPN manager before I tested the stunnel thing with the openvpn command line. The GNOME manager was setting everything up properly, but the openvpn command line tool was not. So I had to do the following things:
    ```
    sudo apt-get install resolvconf
    ```
    Add to the OpenVPN client conf:
    ```
    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    ```
    Greetings Yannik
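The client side of Yannik's setup as one complete configuration. This is an added example, not the file from the thread: the pfSense public address (203.0.113.10), the local stunnel listener port and the file paths are assumptions, and stunnel itself is assumed to be listening on 127.0.0.1 and forwarding to 203.0.113.10.

```conf
# Added example (not from the thread): Linux OpenVPN client that reaches the
# pfSense server through a local stunnel listener. Addresses, ports and paths
# are assumptions.
client
dev tun
# OpenVPN does not connect to pfSense directly; it connects to stunnel on
# localhost, which wraps the session in TLS and forwards it to
# 203.0.113.10:443 (assumed). stunnel carries TCP, so OpenVPN must use TCP too.
proto tcp-client
remote 127.0.0.1 1194

ca   /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key  /etc/openvpn/client.key
remote-cert-tls server

# Full tunnel: the default route is replaced by the VPN ...
redirect-gateway def1
# ... except for the pfSense public IP. Without this line stunnel's outer
# TCP connection to 203.0.113.10 is itself sent into the tunnel it is
# carrying, the tunnel can no longer reach its own endpoint and the session
# times out. "net_gateway" is the default gateway that existed before the
# VPN came up, so this one destination keeps using the physical uplink.
route 203.0.113.10 255.255.255.255 net_gateway

# DNS servers pushed by the server (dhcp-option DNS) are applied on Linux
# only if an up/down script hands them to resolvconf; the command-line
# client does not do this on its own, which is the "DNS problem" above.
script-security 2
up   /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

persist-key
persist-tun
verb 3
```

The host route is the same fix needed for any VPN whose transport is terminated locally (stunnel, obfsproxy, a SOCKS proxy): the wrapper's real destination must be excluded from redirect-gateway, and the exclusion must be a /32 so nothing else on the server's network bypasses the tunnel. The same exclusion makes the pfSense public IP reachable outside the tunnel, so management traffic to it is not protected by the VPN.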
  • OpenVPN passes ssh traffic but not HTML or other traffic.

    4
    0 Votes
    4 Posts
    662 Views
    K
    So here is a drawing of the network. [image: 1554561731234-d51f6d59-d87e-475f-8485-ad799f7b3eef-image.png]
    Using SSH the client can connect to PF1, Server A, Server B, as well as PF2, Server C and Server D. Using HTML the client can not connect to PF1 or Server A and B, but can connect to Server C and D as well as PF2. The client can connect via OVPN to a client on the network behind PF2 with RDP, and then use that client to connect to PF1, Server A and Server B with HTML through the IPsec tunnel. Both pfSense boxes have the default (everything to everything) OpenVPN rules.
  • 0 Votes
    1 Posts
    209 Views
    No one has replied
  • OpenVPN with unprivileged Windows User

    3
    0 Votes
    3 Posts
    422 Views
    jimp
    Uninstall whatever version you have and then install the latest OpenVPN 2.4 client. It needs admin privileges to install, but not to run.
  • Script

    script
    1
    0 Votes
    1 Posts
    444 Views
    No one has replied
  • Openvpn site-to-site seems capped @ 10mbit

    2
    0 Votes
    2 Posts
    365 Views
    Rico
    So you had a working setup with VPN speeds around 50 MBit/s and, without touching anything, it's down to 10 MBit/s? Definitely sounds upstream/ISP to me. Not necessarily an incident; maybe they capped some ports or give VPN traffic low QoS? You are in TLS Authentication mode? Try TLS Encryption and Authentication. Also try changing the port for OpenVPN, e.g. some real-time application port like SSH (22) for testing. Should not be your actual problem, but I'd go for AES-128-GCM or AES-256-GCM, not CBC. -Rico
  • Problems with DNS resolution

    dns resolution
    26
    0 Votes
    26 Posts
    3k Views
    W
    @marvosa I had already opened the case yesterday; follow the link https://forum.netgate.com/topic/142192/slow-navigation-after-connecting-openvpn-problem-with-host-to-site-dns-resolution/3 Thank you.
  • I need help connecting the OpenVPN client in pfSense to OpenVPN AS

    1
    0 Votes
    1 Posts
    226 Views
    No one has replied
  • Site to Site Local Static IP

    9
    0 Votes
    9 Posts
    861 Views
    C
    Driving me insane now - needed to reinstall pfSense. Set it all back up and now it's not setting the IP I set in the bridge DHCP:
    ```
    Wed Apr 3 14:44:57 2019 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    Wed Apr 3 14:44:57 2019 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.9.8.0
    Wed Apr 3 14:44:57 2019 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    Wed Apr 3 14:44:57 2019 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.9.8.0
    Wed Apr 3 14:44:57 2019 TUN/TAP device tap0 opened
    Wed Apr 3 14:44:57 2019 Initialization Sequence Completed
    ```
    I tried to manually add the route but that didn't work either - any ideas?
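For the two ROUTE lines in the log above, as an added example that is not part of the original post: a tap-mode client configuration that produces exactly that message, next to the directives that supply the gateway OpenVPN is asking for. The 10.9.8.0 network is taken from the log; the server address, the file paths and the 10.9.8.1 gateway are assumptions.

```conf
# Added example (not from the thread): why "OpenVPN needs a gateway parameter
# for a --route option" appears in tap mode, and the directives that fix it.
# 10.9.8.0/24 is from the log; the server address, paths and 10.9.8.1 are
# assumptions.
client
dev tap
proto udp
remote 203.0.113.10 1194
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key  /etc/openvpn/client.key
remote-cert-tls server

# Broken: a route with no gateway argument. In tun mode OpenVPN would take
# the gateway from --ifconfig; in tap mode there is no implicit one, so a
# bare route fails with the error from the log and the tunnel still reports
# "Initialization Sequence Completed" without the route installed.
#   route 10.9.8.0 255.255.255.0

# Fixed, either way:
route-gateway 10.9.8.1                   # default gateway for every route
route 10.9.8.0 255.255.255.0             # ... now resolves via 10.9.8.1
#   route 10.9.8.0 255.255.255.0 10.9.8.1   # or: gateway given per route
#   route-gateway dhcp                      # or: take it from the bridge's DHCP

persist-key
persist-tun
verb 3
```

Whichever form is used, a route that failed to parse is skipped, not retried, so "Initialization Sequence Completed" on its own does not mean the remote network is reachable; check the routing table after the client is up. In a bridged tap setup the client is already on 10.9.8.0/24 through the bridge, so the route entry itself may be unnecessary rather than misconfigured.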
  • OpenVPN site to Site & Server

    7
    0 Votes
    7 Posts
    610 Views
    Rico
    I see the OpenVPN interfaces are your PIA stuff. So I've just read through your problem again: you had your site-to-site connection A/B fully working, and the problem with A not being able to access B started with adding PIA as an OpenVPN client, right? Generally speaking, for most scenarios with VPN providers you want to enable the Don't pull routes option in your OpenVPN client. Also check out https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html - a very good hangout! Maybe you can grab some useful tips & tricks for your PIA. Your any-any firewall rule in the OpenVPN tab could be troublesome: you allow any traffic PIA is sending in your direction there! -Rico
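What pfSense's "Don't pull routes" option does in OpenVPN client terms, as an added example that is not part of the thread and not PIA's own client profile. The server name, port, credential file and CA path are assumptions; the provider is assumed to push redirect-gateway, which is the usual reason an unrelated site-to-site tunnel stops working once such a client is added.

```conf
# Added example (not from the thread, not a provider profile): OpenVPN client
# for a VPN provider on a firewall that also carries a site-to-site tunnel.
# Server, port, credential file and CA path are assumptions.
client
dev tun
proto udp
remote vpn.example.net 1198
auth-user-pass /etc/openvpn/provider.auth
ca /etc/openvpn/provider-ca.crt
remote-cert-tls server
cipher AES-256-GCM

# Without this line the provider's pushed "redirect-gateway" replaces the
# firewall's default route, so traffic for site B (and everything else not
# covered by a more specific route) is sent to the provider instead.
# pfSense's "Don't pull routes" checkbox emits exactly this directive.
route-nopull

# With route-nopull, nothing the server pushes is applied: no routes and no
# DNS. Which LAN hosts use the provider is then decided by policy-routing
# firewall rules that pick the provider's gateway. If you want the pushed
# DNS but not the routes, OpenVPN 2.4 can drop only the route-related
# options instead of route-nopull:
#   pull-filter ignore "redirect-gateway"
#   pull-filter ignore "route "
#   pull-filter ignore "route-gateway"

persist-key
persist-tun
verb 3
```

route-nopull addresses the routing side only. The any-any rule on the OpenVPN firewall tab that Rico points out applies to every OpenVPN instance on the box, the provider's included, so inbound traffic from the provider's side is still allowed until that rule is narrowed or the provider client is assigned its own interface with its own rules.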
  • Cannot ping all LAN clients from VPN

    2
    0 Votes
    2 Posts
    295 Views
    KOM
    Common software firewall behaviour is to block traffic from outside its own subnet, so it will not reply to pings from your VPN network. The Windows firewall behaves this way. Perhaps these other devices do as well.
  • OpenVPN leaks DNS

    1
    0 Votes
    1 Posts
    238 Views
    No one has replied
  • Certificate revocation issue when using intermediate CA

    1
    0 Votes
    1 Posts
    267 Views
    No one has replied
  • struggling with Certificates

    6
    0 Votes
    6 Posts
    649 Views
    S
    I am grateful for your reply. What I did eventually after trying everything I could think of was to reload the configuration to an apparently safe previous state but to no avail. Finally I reloaded the 2.4.4.1 distro and rebuilt to where I was when the calamity made its appearance and all was well. Once in the clear I clicked for the 2.4.4.2 and that loaded beautifully. You will be right I am sure but I just could not find it. As a noob I am a great deal clumsy and inattentive but I now have a working installation with OVPN server and clients, pfBlockerNG and Snort. I await delivery of my SG1100. What I am running on is an old AMD Athlon 2core with hardware crypto acceleration. I don't think that is working yet on the SG1100.
  • When is it OK to delete a user certificate?

    3
    0 Votes
    3 Posts
    766 Views
    jimp
    If you know you won't have to revoke the cert again in the future, then it can be removed. As @Rico said though the details are copied to the CRL so you could re-import them from there if needed. Though that may go away in the future. Certificates are always revoked by serial, having the extra info is handy but not strictly needed.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.