• 0 Votes
    2 Posts
    251 Views
    V
    Assign an interface to the OpenVPN instance in Interfaces > Assign. Then edit all your LAN firewall rules which allow upstream traffic, open the advanced options, go down to Gateway and select the gateway of the corresponding OpenVPN instance. Consider that rules with a stated gateway only allow traffic passing that gateway. So if you also need access to other destinations like DNS on pfSense itself you have to add additional rules to permit that and put them at the top of the rule set.
  • 0 Votes
    2 Posts
    348 Views
    GertjanG
    Hi, LAN rules aren't important, as initial traffic goes out the LAN, not coming in. "VPN" (or, if absent, "OpenVPN" tab rules) rules are important: do you see the state counters going up? And, as you didn't mention: some other little details, like the local LAN from where you run your Mac with Viscosity must be different from the remote LAN on pfSense with OpenVPN.
  • 0 Votes
    3 Posts
    435 Views
    HerticWildH
    @viragomann Worked like a charm - thanks!
  • Create Openvpn users

    0 Votes
    2 Posts
    334 Views
    DerelictD
    100+ users. Probably time to think about an alternate authentication scheme like LDAP or RADIUS.
  • Other Instance OPENVPN

    0 Votes
    7 Posts
    1k Views
    T
    You can put it on any unused port you want. Just choose Other and specify the port number.
  • Authentication fails after removing old domain controller

    0 Votes
    4 Posts
    582 Views
    P
    I also find this under Status / System Logs / System / DNS Resolver: using nameserver X.Y.Z.11#53 for domain qwerty.se .11 = the old DC that is out of the picture. This should be .37. Looking at Services / DNS Resolver / General Settings .37 is stated in domain override for qwerty.se (the internal domain). Pontus
  • RDP wont work on FullTAP?

    0 Votes
    21 Posts
    2k Views
    T
    I've got a really stupid question, but have you rebooted your pfSense box (on both ends if it's site-to-site)? I had some trouble last week getting an OpenVPN connection set up. I've done it so many times I can't remember. I even wrote myself a step by step tutorial a few months ago just in case. But no matter how many times I reset everything and started over I couldn't ping the other side. Even tried resetting the firewall states after re-configuring. I rebooted the pfSense boxes on both ends and BAM! It worked fine. Last thought, you've got the firewall rules in pfSense, right?
  • OpenVPN

    0 Votes
    4 Posts
    785 Views
    DerelictD
    No. You are asking about limiting access based on routes that already exist. That is accomplished with firewall rules passing the desired traffic. How to route the traffic in the first place is a different question.
  • OpenVPN with active directory authentication and Duo Security

    0 Votes
    5 Posts
    6k Views
    J
    On my side, I have the same setup as you explain but I use RCDevs OpenOTP (MFA authentication server) instead of DUO security products. RCDevs provides a custom OpenVPN package which can be installed and configured very quickly. Active Directory and OpenOTP work very well together and are very easy to set up. I worked with DUO 2 years ago, but pricing for enterprise companies is more interesting with RCDevs products and the support/dev teams are great!! I asked for a special feature and they added it in 1 day!!! And for small companies the product is free up to 40 users. Wonderful product and team. I recommend OpenOTP and the RCDevs company ... James
  • IOS OpenVPN Connect 3 : no more connections works

    0 Votes
    13 Posts
    2k Views
    GertjanG
    Didn't even know that the OpenVPN app for iOS 11.4.1 was updated .... I was always using the exported config from the Client Export package. I switched the slider, and was connected without any issues.
  • pfSense as OpenVPN client only using PIA

    0 Votes
    2 Posts
    527 Views
    D
    PIA on pfSense
  • Openvpn site to site remote network not accessible

    0 Votes
    10 Posts
    1k Views
    E
    @jknott Yes!
  • NAT OpenVPN Client Traffic

    0 Votes
    14 Posts
    2k Views
    DerelictD
    @soarin said in NAT OpenVPN Client Traffic: @johnpoz @Derelict Oh man, if you saw the horrors of other ranges and configurations I had setup trying to get this to work you would have to read a pfSense bible to try to forget what you would've seen. I still fail to see a valid reason to stray from RFC1918.
  • Not able to connect Internet through OpenVPN

    0 Votes
    13 Posts
    1k Views
    C
    I have no DNS set up on the VPN server. I searched the internet for a long time and found this series of commands that solved the problem. I hope it works for you too. Greetings
  • Where's my Mapped Network DRIVE!?

    0 Votes
    5 Posts
    718 Views
    JKnottJ
    @profit said in Where's my Mapped Network DRIVE!?: @jknott yes, I can ping, but nothing else. Well, fire up Wireshark (or Packet Capture if you must) to see what's happening. Once we know what's happening to the packets, we're in a better position to advise.
  • shared key setup between 2 pfsense diff version?

    0 Votes
    3 Posts
    471 Views
    perikoP
    Thanks Jimp for the update, I will work on this project, thanks!!!
  • OpenVPN under attack?

    openvpn attack
    0 Votes
    2 Posts
    990 Views
    T
    I wouldn't worry about it. Any Internet-facing port that's opened is going to be continually "under attack." But that's largely why things like OpenVPN exist. If you're getting these connection attempts non-stop, then yes I might worry that you are being specifically targeted. But odds are it's just the constant, random scanning for open ports with unsecured services behind them. I run an OpenVPN server on pfSense too and get connection attempts like these relatively frequently too.
  • Routing OpenVPN not working

    0 Votes
    9 Posts
    1k Views
    D
    @derelict said in Routing OpenVPN not working: Not sure what you want when you're using an ancient version like 2.1.5. Not a lot of people want to spend time chasing long-fixed bugs and problems. You should consider upgrading and seeing if the issue is fixed. I wrote earlier, upgrade is in my plans, but NOW I can't do it so fast, so I need to solve this question. I understand your answer, thanks
  • Openvpn Client Password

    0 Votes
    4 Posts
    745 Views
    DerelictD
    No. But you can set your OpenVPN server to authenticate against the LDAP or RADIUS server of your choice.
  • Openvpn keeps restarting (Authenticate/Decrypt packet error)

    0 Votes
    8 Posts
    7k Views
    B
    @derelict Had nothing to do with SoftEtherVPN and more so to do with the underlying SSL package they were using. That said, I do now see how old this is. That part of your comment was at least somewhat helpful.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.