@viragomann thanks for the tip! It worked! I am just a little bit confused, since I am nearly 100% sure, that I tried this exact set-up before. But who knows what I had hanging around wit me trying to solve this via "push route (...)".

@Bob-Dig said in OVPN-Server in - OVPN-Client out?: only learning by doing, not by studying or understanding. Ah the click random shit and hope it does what you want methodology of networking ;)

@jfish Your computer is in your LAN, same as 192.168.1.1. So if your computer sends a packet to 192.168.1.1, the packet goes directly to the destination machine, without passing pfSense. Only packets for IP addresses outside your LAN subnet are sent to the default gateway (pfSense). So pfSense is not able to route these packets to anywhere, cause it doesn't get them at all.

I got rid of this error by adding "remote-cert-tls server" in the additional configuration options field. But I did not understand why this is necessary.

@amateur its an option inside the TP-Link Access Point , after i enabled it, i now can manage the ap trough the VPN. I have 2 other AP with no "RemoteAccess" Checkmark, that i cant manage

@sisterpfsense A domain controller is something like Microsoft's Active Directory. It's what you log into and in turn, displays the available resources. A domain controller is typically used on large networks, such as in a business. Also, there are a few ways to map a drive, but the easiest would be to go into the This PC folder and click on Map Network Drive. Select Map Network Drive and go from there.

@xalex1977 Take a look at... Not the perfect solution but a work around https://forum.netgate.com/topic/151351/email-notification-openvpn-client-connect-common-name/28

@monden2 Windows file sharing uses broadcasts to announce it's presence to other devices. Since broadcasts are not passed by routers, you don't see the shares. You'll have to use the host name or IP address to set up a connection to that share.

so i've done it the old school way kind of doing some clean up in user name and settings and cleaning up style. Certificate Manager --> Certificate Revocation --> Certificate Revocation List added CRL to openVpn Server revoked all vpn-user Certs via CRL revoked openVpnServerCert controlled via System --> Certificate Manager --> Certificates disabed vpn-users System --> User Manager --> Users so far ... added new Certs changed Certs on openVpn Server adden new CRL to openVpn Server created new users testet works like a Charm and it feels good ;) so [solved] Thanks for helpin me out.

Look also at https://forums.openvpn.net/viewtopic.php?t=24703 It boils down to : if you can't trust the humans that operate your devices ....

@Bob-Dig is this correct? [image: 1584724276117-senza-titolo.jpg]

@NogBadTheBad Yep, or just add a blacklist to an IP range individually.

If you connect via SSH you can monitor the log directly and, if you set a large scroll back buffer in the client, can capture more logs. From the shell, run clog -f /var/log/openvpn.log Or setup a syslog server and export the logs there for more/long term storage.

@heathstiles said in OpenVPN Routes to Remote sites: The sites are connected using IPsec Site to Site VPN tunnels if that makes any difference. You didn't mention above. Of course is that different. So will have to add an additional phase 2 in the IPSec configuration for the respective local network and the OpenVPN tunnel network.

@JKnott said in best pfsense appliance for openvpn: @akuma1x Also, how much traffic is going off the local network? There's a big difference between mainly using local servers and going to the Internet for everything. I agree with jknott I think its better to plan that out first..