Thanks for the reply. I have ended up using OpenVPN Connect an always on VPN and whilst not exactly what I wanted to do, it works for my apps in that it disconnects the VPN when I am home and works fine. Just some of my apps when I am connected to the VPN act a little strange but that is for another post. Cheers.

@viragomann All done. Misunderstanding on my Intranet Application state. You're right, using Intranet IP can access my Application. Thank you very much, viragomann. You saved my days.

Ok, I found a solution for Remote Access Clients. Shortform: Openvpn Client: IP Forwarding configured (Borderrelay) PFSENSE: Client Specific Override for CN of the Borderrelay configured (Remote Networks added) PFSENSE: Borderrelay VPN IP as Gateway configured PFSENSE: OpenVPN Service restart Now I am able to reach the Configured networks behind the Borderrelay from PFSENSE and also the PFSENSE Networks from the Client behind the Borderrelay.

@apsis-im You are welcome, enjoy :)

@mainzelman it works ! I have created on FW-B rule: LAN -> OVPN2 for it. Whatever before there was nothing to be seen in the FW logs. <don't always believe what you see ;-))>

Go back to auto, deleted all the other rules. then go to hybrid and create your rule for your boubound nat for your vpn. [image: 1612088293164-hybrid.png]

@daddygo 192.168.38.1 is LAN IP The PF-Sense is connected via a DynDNS Name 10.x.y.z is nessesary cause we are running a bunch of offices - 192.x.x.x does no longer serve us. We are changing all up to 10.X.Y.Z but till everything is up I need to connect the old firewalls with the new ones :-) Later on everything will be changes to 10.x.y.z :-)

@rico thanks wasnt shure ! lets keep it a bit more strict "clean" .... i dont wanna know how many more of these classy "iDontKnowJackRules" i m gonna find on thes boxes ;) brNP #stayHealthy

@griffo Yes about the prevention of traffic leaks.

@adelphi Sorry for bumping such an old topic, but it's very relevant. I can't understand why your method didn't work for me, as it makes perfect sense. It's even weirder that what I came up with did work. After firewall rules failed to achieve the desired result, I tinkered elsewhere. Here is a NAT Port Forward rule that achieved the same goal. Interface: LAN Protocol: UDP Source: Any (this is default) Source Port: Any (this is default) Destination: WAN address Destination port range: 1196 (our VPN port) Redirect target IP: Random private IP address that is NOT part of your LAN network. I used 192.168.1.254, but our LAN network is 192.168.21.0 / 24 Redirect target port: I just chose a random port. 45534 I was surprised that it even let me create this rule, but doing so made it so people who are connected to the LAN can no longer connect to the OpenVPN server while people connecting to the VPN from outside the office are unaffected.

It isn't something you'd check directly like that. Setup a VPN using that cipher and run a speed test across it. Try a couple different types of AEAD ciphers and compare. IPsec can use AES-GCM WireGuard uses ChaCha20-Poly1305 OpenVPN supports both AES-GCM and ChaCha20-Poly1305

@ali-ghabsha said in OpenVPN Unable to contact Deamon, Service not running: 2.4.3 the openvpn works Be careful : when you export a config ( with the OpenVPN client EXE in the config if you use that one also ) you change the OpenVPN version used. Mixing OpenVPN client software on client and or server side can have issues. @ali-ghabsha said in OpenVPN Unable to contact Deamon, Service not running: the openvpn doesn't work, so it's a version issue, why the old version works but the new one no What do you mean by doesn't work ? I can only find this in your log : @ali-ghabsha said in OpenVPN Unable to contact Deamon, Service not running: GDG: problem writing to routing socket This https://community.openvpn.net/openvpn/ticket/688 ? I don't have that GDC message : [image: 1611558159451-2cc1b805-3779-48d4-ad8b-5e49a0e43d1a-image.png] You can see it starts to listen on : UDPv4 link local (bound): [AF_INET]192.168.10.3:1194 192.168.10.3 is my WAN interface - WAN IP - I have an ISP router in front of my pfSense. The start up shown is a clean start up of OpenVPN This is the WAN firewall rule : [image: 1611558342015-babbf6c7-7a77-4d88-a4a6-8717af6143e4-image.png] @ali-ghabsha said in OpenVPN Unable to contact Deamon, Service not running: If we check the logs we find there's an error related to the Wan interface regarding the openvpn .... and what about showing these errors ? @ali-ghabsha said in OpenVPN Unable to contact Deamon, Service not running: Why if I upgraded from the old version to the new version the openvpn works but users behind pfsense can't access the internet. So, OpenVPN starts, there is a related firewall rule on your WAN, and devices on LAN do not have any Internet access any more. I'm curious how you set up your system. Adding the OpenVPN firewall rule on WAN doesn't implicate at all LAN's Internet access - OpenVPN server running, or not. Running OpenVPN server with or without the firewall rule on WAN doesn't change OpenVPN behaviour (no messages or warnings). Without the firewall it just isn't accessible. This will not alter anything for devices on your LAN.

@ephi Driving an OpenVPN server on LAN VIP works definitely. I did that already. The only part, I'm not familiar, is your "special HA setup" with CARP on LAN only.

@viragomann yes internet is working on pfsense machine, however machine is down yet , i'll share the logs after some hours.