• 0 Votes
    2 Posts
    411 Views
    B
    Got it sorted out. As I thought, it was a simple fix to a major headache: in the client config, all that is needed is to add the "Float" line at the end of the configuration. Now it shows as routing traffic through the server, and there are no more errors in the status log.
  • Problems with clients

    4
    0 Votes
    4 Posts
    490 Views
    PippinP
    No access to pfS at the moment, but on the client side add float to the config. It could be a checkbox in the CSO too. See --float in the 2.4 manual: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
  • How to prevent OpenVPN clients connecting to the server when inside LAN?

    2
    0 Votes
    2 Posts
    196 Views
    RicoR
    Add a REJECT rule on your LAN interface with destination "This Firewall" and your OpenVPN port. Place the rule above your LAN "allow any" rule. -Rico
  • Access LAN via OpenVPN Server and pfSense OpenVPN Client

    3
    0 Votes
    3 Posts
    557 Views
    ?
    @viragomann said in Access LAN via OpenVPN Server and pfSense OpenVPN Client: So I assume pfSense is the default gateway on the LAB network. Yes, right, all network traffic of the LAB passes through the pfSense. Thanks very much for the answer @viragomann!! I'll try all that asap and tell you if it worked or if I have other questions!
  • Openvpn with Server Centos 7.6

    Locked
    13
    0 Votes
    13 Posts
    1k Views
    RicoR
    You'll have a great experience with running pfSense on both sides, trust me. ;-) There is plenty of great documentation around for site-to-site VPNs with pure pfSense. Grab your favourite drink and just watch:
    https://www.netgate.com/resources/videos/site-to-site-vpns-on-pfsense.html
    https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html
    Some more to read in detail: https://docs.netgate.com/pfsense/en/latest/book/openvpn/index.html -Rico
  • Pfsense, DHCP and OpenVpn

    openvpn problem router dhcp
    2
    0 Votes
    2 Posts
    781 Views
    V
    You have to forward OpenVPN packets on your ISP router to the pfSense WAN IP. The pfSense WAN address should be static. See "Configuring an OpenVPN Remote Access Server". If your public IP from your ISP isn't static, you will have to use a dynamic DNS service to have a static FQDN which you are able to connect to from outside. The DDNS update should be done by the ISP router if possible. If it doesn't support that, you may do it on pfSense; you can run a cron job with a short interval for that.
  • OpenVPN Site to Site with 3 locations

    8
    0 Votes
    8 Posts
    1k Views
    chpalmerC
    @Derelict said in OpenVPN Site to Site with 3 locations: Sort of. They would need to each be on the proper server going to that site. I did misspeak that... The A-B link would be "remote networks" 192.168.2.0/24 on the A side and The A-C link would be "remote networks" 192.168.5.0/24 on the A side. But since I apparently need new glasses I missed the part where the OP said he had those links working... DOH!
  • Optimize OpenVPN connection

    2
    0 Votes
    2 Posts
    888 Views
    PippinP
    @jeff3820 said in Optimize OpenVPN connection: set to BSD Cryptodev engine. In the Pfsense Advanced/Misc settings the cryptographic hardware is set to AES-NI and BSD Crypto Device.
    Disable both. Try playing with different values for snd/rcvbuf. Also, you can play with --txqueuelen n. See the 2.4 manual: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage The above settings apply to server and client separately.
  • Site-to-site VPN - How to control LAN access on one end

    2
    0 Votes
    2 Posts
    204 Views
    V
    So you may already have assigned interfaces to the OpenVPN instances on both sides. Deactivate all firewall rules on the OpenVPN tabs if you don't need them for other purposes and add rules to your VPN interfaces with limited access. Remember that the OpenVPN tab is handled as an interface group including all OpenVPN instances running on pfSense. For the IP range 172.16.0.200 - 172.16.0.210 in your example you can add an alias and use this in the filter rule as source.
  • Streaming through the VPN

    11
    0 Votes
    11 Posts
    2k Views
    W
    @Gertjan said in Streaming through the VPN: @william333: is this a publicity? What I read is this: b#ll#t#vn isn't on the "Netflix" VPN list .... yet. It will be there in the near future. Check the b#ll#tv#n URL: nowhere is it mentioned that "Netflix" passes, or that would be a huge commercial selling reason ..... "24/7 live chat customer support" won't be of any help with these kinds of issues.
    See, I browsed and found that site, which I mentioned here. Regarding your sentence about "24/7...", I removed that sentence.
  • OpenVPN Remote access client Warnings

    8
    0 Votes
    8 Posts
    9k Views
    J
    @jagradang Thanks, your solution worked fine.
  • amazon prime does not work with pfsense (openvpn)

    28
    1 Votes
    28 Posts
    7k Views
    W
    Just logging issues here; another thing that this DNS issue causes is that NFL.com Fantasy Football Game Center does not work.
  • Need config Astrill in Pfsense Firewall.

    2
    0 Votes
    2 Posts
    438 Views
    RicoR
    No idea about Astrill, but maybe this one helps: https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html -Rico
  • openvpn route and dns

    4
    0 Votes
    4 Posts
    518 Views
    H
    @hamed_forum use 0.0.0.0 in IPv4 Remote network(s) to forward all traffic to the server side
  • OpenVPN client as gateway problem

    1
    0 Votes
    1 Posts
    125 Views
    No one has replied
  • OpenVpn site to site from specific port

    4
    0 Votes
    4 Posts
    566 Views
    J
    Hi is there anyone who has already setup site to site OpenVPN who can help me?
  • PIA VPN outgoing hybrid

    4
    0 Votes
    4 Posts
    732 Views
    J
    I am going to try this out in the next week... I'll post results if it works. The first read-thru passes the sniff test. Fingers crossed. https://blog.monstermuffin.org/tunneling-specific-traffic-over-a-vpn-with-pfsense/
  • How to drop traffic when client VPN is down?

    4
    0 Votes
    4 Posts
    809 Views
    senseivitaS
    I'm sorry, I should've sent a picture from the beginning; I suck at explaining things. It looks like this:
    [image: 1570087848827-screenshot-from-2019-10-03-02-29-44-resized.png]
    Exact same rule as the above, except that it rejects and has no gateway selected. When the firewall is evaluating the traffic, since the tunnel would be down and hence it doesn't match anymore, the traffic would fall to the next rule, and the next rule says sorry, you can't pass. In the picture it's a catch-all rule, which is very dangerous because it can lock you out, so you need to add yet more rules for services on the firewall (or to other local networks):
    [image: 1570088423794-screenshot-from-2019-10-03-02-39-35-resized.png]
    Here, the rules are:
    1. is automatically generated; it's disabled in the settings but I keep forgetting. :)
    2. is automatic as well, created by pfBlockerNG.
    3. is my actual first rule; it bypasses the firewall completely. It catches all traffic from the alias def_fullchoya.
    4. allows traffic going to internal IP ranges (RFC1918: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16). Since the interface address is 10.0.0.1, it therefore allows access to anything on the firewall and other local networks. Shouldn't be that broad though.
    5. allows internal DNS servers to get DNS outside of the tunnel (because it's above the tunnel rule) but in an ordered fashion, i.e. it's a gateway group that goes one by one checking which [interface] is up, so DNS queries are region-matched.
    6. blocks all other DNS so clients are forced to get it from the servers specified through DHCP.
    7. allows certain hosts (alias def_fullthrottle) to use the local exit to the Internet at full speed but still use internal DNS (covered by rule 4).
    8. allows servers known to phone home, i.e. Microsoft products (alias bad_kiddies), to get internal DNS and communicate internally with other local hosts (covered by rule 4) but blocks them from actually communicating out.
    9. every other traffic goes through the tunnel.
    10. safeguard (negate) rule: if the tunnel drops, traffic matches this rule, rejecting traffic everywhere out. That would include local traffic if it wasn't covered by rule 4.
    The way you did it is good too, but I think that would create problems if you're hosting servers, as it would block or create asymmetric routing from a remote client's perspective, as most VPN services don't let you do port forwarding. In other, less confusing words: when you add a rule on an interface, the firewall creates in the background a temporary pass rule for the return traffic on whatever the other interface is, for as long as the state lives, even if there's a rule that blocks the traffic. In my case, rule 8. In all honesty I'm not a hundred percent sure whether the floating rule would catch autogenerated rules passing traffic from blocking rule 8, but that's exactly what floating rules are for. They're for complex scenarios and should be avoided at all costs if you're not completely sure what you're doing -- that applies to me, at least. Filtering on the outbound also catches traffic from the firewall itself (complex scenarios) and could get you into a frustrating situation where your tunnel drops and the firewall can't get DNS to bring it up again if you didn't set it correctly. I made this a few days ago, maybe it can help: https://forum.netgate.com/topic/146714/tunneled-isp-cheat-sheet :)
  • [solved] VPN Tunnel via PIA seems not to be working.

    pia routing
    20
    0 Votes
    20 Posts
    2k Views
    S
    And edited the title. Thanks again for all your help and time, much appreciated.
  • Vpn gets Up on server, but Down on Client

    10
    0 Votes
    10 Posts
    844 Views
    RicoR
    I'd suggest you grab a spare box and perform the update there / restore your config to make sure everything goes smoothly. It's risky to upgrade from a very old version with just one box if you run critical stuff there. -Rico
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.