• Unable to reach a certain LAN client from OPENVPN

    2
    0 Votes
    2 Posts
    340 Views
    N
    @abidkhanhk Can you ping it locally? And more generally, a. disable/adjust host firewall and b. make sure it has a default gateway, or routes to the gateway serving the vpn. That's assuming you haven't done specific firewalling in pfsense somewhere else.
  • OpenVPN not working

    47
    0 Votes
    47 Posts
    9k Views
    manjotscM
    @KOM [image: 1572397743300-giphy.gif]
  • Controll networksegment access based on usergroups via OpenVPN

    2
    0 Votes
    2 Posts
    322 Views
    JKnottJ
    You'd need some way to tell the user's devices which VLAN to connect to. There is DHCP option 43, but that's based on MAC address. By the time a user logs in, it's too late. The normal way to restrict access is to configure it in Active Directory. Why do you think you have to do it with VLANs?
  • PfSense OpenVPN > Ubiquiti USG > LAN not routing properly

    3
    0 Votes
    3 Posts
    2k Views
    M
    @boelter said in PfSense OpenVPN > Ubiquiti USG > LAN not routing properly: PfSense (W:DHCP / L:10.42.9.0/24 / OVPN:10.90.0.0/24) -> USG (W:10.42.9.12 / L:10.42.8.11) -> LAN Wow, does this actually work with DPI stats in the Unifi controller? Do you have any VLANs behind there? I.e., can the pfSense do the VLAN routing and let the USG just be a "dumb" router/bridge?
  • OpenVPN DNS Issues on Windows

    1
    0 Votes
    1 Posts
    230 Views
    No one has replied
  • OpenVPN Server in tap mode - Bridge DHCP unselectable

    1
    0 Votes
    1 Posts
    267 Views
    No one has replied
  • OpenVPN Command Line Arguments

    4
    0 Votes
    4 Posts
    551 Views
    R
    @Gertjan said in OpenVPN Command Line Arguments: @RHLinux said in OpenVPN Command Line Arguments: /etc/rc.d/openvpn ? FreeBSD doesn't start daemon like "Linux" based OS's .... pfSense isn't even following pure "FreeBSD" conventions. To finalize : editing core file will probably get wiped (re written) when saving config, and for sure when upgrading. If you really have to, look here : /usr/local/etc/rc.d/openvpn Thanks for the information, I'm used to Fedora, Debian/Ubuntu Linux distros :)... It's purely for testing, I realize they will be overwritten during upgrades, but they shouldn't be overwritten by config changes. RHLinux
  • OpenVPN DNS Issues on Windows

    3
    0 Votes
    3 Posts
    367 Views
    johnpozJ
    Did you hand your vpn client your dns in your openvpn config? I use this every day, all day.. Is there some reason you're using the forwarder (dnsmasq) and not unbound on pfsense? When your client connects.. Look in your interface details with ipconfig /all Do you see that it was handed dns? When I get to work this morning, I will connect as always and show you how it should look. You are running your openvpn server on pfsense right?
  • 0 Votes
    1 Posts
    169 Views
    No one has replied
  • OpenVPN Performance

    6
    0 Votes
    6 Posts
    1k Views
    J
    I am not ignoring this - I just broke everything quite badly - so am having to recover :-( Sean
  • Possible to use directly a .ovpn file without GUI ?

    4
    0 Votes
    4 Posts
    2k Views
    B
    @DangerMouseUK said in Possible to use directly a .ovpn file without GUI ?: Hi Guys, Didn't want to start a new thread on this one. OVPN config importing would be really handy for me setting up multiple SG appliances quickly. Is this still on the roadmap? Thanks DM Why not use the backup and restore function already built in?
  • 0 Votes
    2 Posts
    487 Views
    chpalmerC
    Try watching this. https://www.youtube.com/watch?v=7rQ-Tgt3L18
  • External/Public server to forward OpenVPN requests to Home network

    3
    0 Votes
    3 Posts
    530 Views
    DerelictD
    Most of us just run it open. OpenVPN discards any packets that are not using the correct TLS key. Remote Access VPN is almost always passed from source address any.
  • 0 Votes
    25 Posts
    5k Views
    A
    Which options box are you referring to? If it's Custom options, then that is empty. https://i.gyazo.com/36d58311d84723b4b998b90743b1a433.png How can I check that I have the right instance? I believe I only have one. Where is the local config? Maybe in cases like this it is better to start over with the OpenVPN? Is there a way to wipe all these OpenVPN settings away completely? Update: I have attempted to remove all traces (one trace that does remain and I can't seem to remove it is the User certificate from the original OpenVPN setup) of my initial OpenVPN setup and start anew. I have followed the link as suggested in your earlier post to setup OpenVPN. When trying to do the Client Export utility, no client executables appear in the OpenVPN Clients section of the Client Export Utility page. There is this note next to it: "If a client is missing from the list it is likely due to a CA mismatch between the OpenVPN server instance and the client certificate, the client certificate does not exist on this firewall, or a user certificate is not associated with a user when local database authentication is enabled." Update2: I managed to remove the original user cert after I removed it from someplace else, the delete/trash can symbol appeared. The Client Export executables were not showing up b/c I had not created a new user cert. Now I can ping the pingable devices behind the pfsense firewall. I can also create a mapped network drive to those devices. However, I need to use their private IP addr. instead of their Windows name. Is it possible to use the computer names for creating network drives? And is it possible to make network drives to these devices with their firewalls enabled? Also, is it possible to restrict connections to the vpn by MAC addresses that I specify? If so, how?
  • Vpn

    6
    0 Votes
    6 Posts
    645 Views
    F
    Tried drips the srv does not respond. My machine neither. The weirdest point clock responds to. And the 3 equipments are in the same range https://uploaddeimagens.com.br/imagens/captura_de_tela_2019-10-25_as_11-13-57-png https://uploaddeimagens.com.br/imagens/captura_de_tela_2019-10-25_as_11-11-41-png
  • Can connect to VPN from LAN but not from WAN

    9
    0 Votes
    9 Posts
    962 Views
    N
    @sonnyboy said in Can connect to VPN from LAN but not from WAN: rules Yes, I think it's a firewall rule issue only with the WAN interface in the new 3p update of pfsense; there was no issue in the previous update. I have practiced and implemented more than 10 times before this update, but now I am not able to succeed with the same steps and documents which I was following before. I tried more than 10 times with the 3p patched update of pfsense but no luck! Again, I am searching and practicing to find the issue.
  • OpenVPN Client connecting issue

    2
    0 Votes
    2 Posts
    173 Views
    V
    Probably the server isn't reachable from the client with the given IP/port.
  • Setup VPN server

    4
    0 Votes
    4 Posts
    607 Views
    Mr_AJM
    OP, did you hear the news that the NordVPN encryption keys have been stolen? https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/
  • Site2Site does not work/route in both directions

    openvpn site-to-site routing
    9
    0 Votes
    9 Posts
    1k Views
    kiokomanK
    The routing table now is the same? Maybe it was something else in the configuration.
  • Site to Site VPN behind Firewall

    Moved
    2
    0 Votes
    2 Posts
    394 Views
    R
    Hello ated19, This is not specifically a site to site VPN connection; what you have described is more a "road warrior" configuration. The configuration you are looking for is very easy to do with pfsense. Things to configure (assuming IPv4):
    1. Redirect IPv4 Gateway -> Check Force all client-generated IPv4 traffic through the tunnel
    2. IPv4 Local Networks -> Networks that need access behind the firewall (i.e. non-routeable IPs), although I'm not sure if this is needed if all traffic is going through the VPN.
    3. Topology -> Net30
    Do not use common non-routable IPs for your OpenVPN Server (i.e. 192.168.0.1 or the like), as this will give issues when people are connecting in coffee shops or other areas where wifi is available. Use an IP address that is not common. On number 3 above (Net30), not sure why you would need this; if your concern is inter-network communications between OpenVPN users, the check box Inter-client communications should be unchecked. This will prevent OpenVPN users from seeing each other on their VPN connection. Then set up NAT and WAN for the new OpenVPN Server. Clients would have to download OpenVPN (Windows) or Viscosity (MacOS) and you will have to send them the profile files so they can connect. There is also a package that will automatically generate the profile files for you within pfSense (openvpn-client-export). Regarding all traffic sent through the tunnel: I prefer to have a split tunnel, in that only networks that they need access to are routed through the VPN tunnel and all other access is through the local wifi.
    RHLinux
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.