• No Traffic inbound

    0 Votes
    15 Posts
    3k Views
    Derelict
    OpenVPN traffic is going out WAN, comrade.
  • 0 Votes
    6 Posts
    1k Views
    D
    I've changed to "keepalive 10 30". I've changed the DNS. We'll see. Thanks
  • Cannot ping some devices across openvpn

    0 Votes
    6 Posts
    2k Views
    M
    The config looks ok. So, there's a couple things: Make sure there's a route to 10.94.10.0/24 in your client's routing table upon connection. If not, verify that you're running the OpenVPN client as admin. It looks like you're double NAT'ing. If you have access to the modem or edge device, the easiest fix is to put your modem into bridge mode, so pfSense gets a public IP and everything will start working. Otherwise, you may need to add a route to the edge device that points the OpenVPN tunnel network towards pfSense.
  • Configuring PFSense OpenVpn

    0 Votes
    1 Posts
    585 Views
    No one has replied
  • No access to LAN from OpenVPN client

    0 Votes
    3 Posts
    821 Views
    P
    It was the route on the host in the LAN. I added a route to 192.168.34.0/24 and everything is OK. Thank you for the answer.
  • 0 Votes
    6 Posts
    2k Views
    B
    @viragomann: If you cannot change the config at site B, you can get access if you do NAT at A. To do so you have to assign an interface to the VPN client and to the VPN server, if you haven't done so already. In site A's client settings add the remote subnet 192.168.88.0/24 to "IPv4 Remote Network/s" and in server settings add it to "IPv4 Local Network/s". Go to outbound NAT. If it is set to "automatic rule generation", select hybrid or manual and hit save. Add a new rule, select your VPN client interface and leave all the other settings at their defaults, enter a description and save it. Now the source addresses of packets get translated to site A's VPN client address when packets leave pfSense on the VPN interface; in consequence, responses from B are now routed back to site A. This worked! Thanks
  • OpenVPN Status Incorrect

    0 Votes
    17 Posts
    2k Views
    A
    I'm inclined to agree with you - looking at OpenVPN PID files, quite a few of them had really high PID numbers, into the billions! I can run: killall openvpn ; rm -f /var/run/openvpn_* Then when the services are restarted, they all work fine until the next service crash or config reload. Also, (probably because of this issue), if I have the faulting services in Service Watchdog, I eventually end up having to reboot the routers (PID exhaustion? Is that still a thing these days?). Anyhow, probably a week from today, I'll be able to get us a few dates that we'll be quiet enough to not suffer from having to reboot systems, etc.
  • PfSense + OpenLDAP + OpenVPN + OTP (RADIUS?)

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Browser based ssl vpn with watchguard

    0 Votes
    2 Posts
    952 Views
    jimp
    No, there are no browser-based VPN options currently, primarily because there are no current, supported Open Source browser-based VPN projects. There was OpenVPN ALS/Adito years ago but that project died years ago.
  • Cannot access devices on LAN from VPN client

    0 Votes
    22 Posts
    6k Views
    R
    @johnpoz: Well those are not actual true AP then, you got some soho wifi router as your AP?? If you can run 3rd party like dd-wrt on them you can set a gateway. 3 different brands, and I can set just about everything but the gateway on two of them…. Even my old Apple Airport has that option >:( I know there's an unofficial dd-wrt build for one of them, but not for the other one. I'm not too keen on the unofficial builds. For now, I'll just stick to the current situation. I can access my NAS and its shares, the main switch management and the devices and VMs I need. If I need to do maintenance on the access points I'll just have to come home once in a while :P
  • OpenVPN Access (and RDP Port Forwarding) stopped working from my office.

    0 Votes
    2 Posts
    848 Views
    johnpoz
    Not sure why you would have both openvpn and rdp open to the public - if you want to rdp to something why would you not just vpn in and do whatever it is you want to do? As to why you cannot connect from Location A, but you can from location B – clearly that would point to Location A blocking your traffic. I find it really odd that a place of work would allow 3389 (remote desktop) directly out their firewall. But let's say they did, and still do - what do you get on a traceroute to your pfsense wan IP? The public IP you're trying to connect to... What does your openvpn client say for why it cannot connect?
  • Split tunneling with OpenVPN

    0 Votes
    6 Posts
    4k Views
    X
    I tried with the nopull, but then I manually have to create a route for the VPN. But this IP is not fixed, so on a reconnect I would have to update the route again. Unless there is something else I am missing here…. Anyway, all this got me thinking in a different direction which seems to do the trick:

    Proto          Source   Port  Destination  Port  Gateway    Queue  Schedule  Description
    IPv4 TCP/UDP   Hosts    *     Site1        *     VPNV4      none
    IPv4 TCP/UDP   Hosts    *     Site2        *     VPNV4      none
    IPv4 TCP/UDP   Hosts    *     Site3        *     VPNV4      none
    IPv4 TCP/UDP   Hosts    *     Misc         *     VPNV4      none
    IPv4 ICMP      Hosts    *     *            *     WAN_PPPOE  none
    IPv4 TCP/UDP   Hosts    *     *            *     WAN_PPPOE  none
    IPv4 *         LAN net  *     *            *     *          none             Default allow LAN to any rule

    Hosts contain all hosts (except for the gateway IP address itself, basically LAN Net without LAN Address). From the initial tests this seems to work.
  • Quick question regarding Open VPN traffic

    0 Votes
    4 Posts
    940 Views
    P
    I get it now.  I am relatively new to all of this and I am learning as I go along.
  • OpenVPN with multiple subnet

    0 Votes
    4 Posts
    1k Views
    O
    I tried different things, including static routes, but without success (the problem may be related to the way the WAN interface of the Netgear Internet routers works..?). I solved it by purchasing two layer 3 switches and configuring VLANs. Anyway, thanks for your answers.
  • Question about OpenVPN firewall rules

    0 Votes
    9 Posts
    3k Views
    P
    Great - that helps sort things out for me. I do not have rules on the OpenVPN or PIA tabs. Although I do have pass any rules on my VPN server interface tabs, since I am the only one who can connect to the OpenVPN server and generate incoming traffic on those interfaces, I don't think passing all traffic should present a problem?
  • Hardening route/iptables behind OpenVPN?

    0 Votes
    1 Posts
    987 Views
    No one has replied
  • PfSense as an OpenVPN client - LAN access to the server

    0 Votes
    10 Posts
    3k Views
    D
    @divsys: Do you have the same "Allow any-any" rule on the OpenVPN tab of the pfSense server? Yes, I do. I've pretty much determined that what I'm trying to accomplish isn't possible. Now, I've noticed that if I connect to my VPS using SSH on the OpenVPN address [10.30.0.1], the SSH tunnel is originating from the OpenVPN address of my pfSense router [10.30.0.250] - if I could open ports/port forward on the pfSense OpenVPN address/interface, I could accomplish what I want [access to LAN resources on the OpenVPN server] but I haven't been successful at this either.
  • Can access LAN with OS X client but not with iOS client

    0 Votes
    1 Posts
    553 Views
    No one has replied
  • VPN on a separate LAN?

    0 Votes
    3 Posts
    2k Views
    S
    After a bit of struggle I got it working. It's been a crash course in certificates and stuff like that, I just couldn't get everything to line up properly. Most guides show how easy it is to export VPN settings to a Windows client, but I run Linux and had to struggle some more. At one point I even swapped out the drive in my laptop for an old hard drive installed with Windows - just to see it work - which it didn't.. Then I discovered that even though I've told my ISP supplied router/modem to fork over the entire connection and external IP to my pfSense box, believing that would make the router/modem function as a pure modem, for some peculiar reason the firewall in the router/modem was still active. I disabled that, leaving the firewall duties to pfSense and suddenly everything worked. I flopped the Linux drive back into the laptop and whadda'ya'know the Linux VPN client worked just fine too.. Finally I modified the firewall rule for OpenVPN to block access to my local LAN, so now I can connect to the virtual LAN and use my internet connection to surf the web, while my home LAN remains off limits from the outside. All in all I'm a happy camper!
  • How to Route PFSense-openvpn Tunnel Network

    0 Votes
    6 Posts
    3k Views
    V
    In this case the static route doesn't depend on an OpenVPN connection. The route goes to a static interface address of the other pfSense.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.