• 0 Votes
    10 Posts
    2k Views
    DerelictD
    In order to do the outbound NAT to effectively use an OpenVPN provider you must create an assigned interface. Rules on the OpenVPN tab will only affect inbound traffic (which should be none in almost all cases) not outbound.
  • Google OAuth2 and OpenVPN

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ
    Yeah figured give you the good news ;) Not that it's been on the books for a year… heheeh
  • Force openvpn client to disconnect after x time

    1
    0 Votes
    1 Posts
    363 Views
    No one has replied
  • Question about project 2 pfsense in site-to-site and nat

    1
    0 Votes
    1 Posts
    294 Views
    No one has replied
  • [solved] Can't reach OpenVPN Clients from LAN

    5
    0 Votes
    5 Posts
    2k Views
    P
    The only drawback of this could be that you possibly override other routes on the client with that. Yes, that happened ;D so I had to refine the pushed routes a bit. Now it seems that things are working as intended. I will ponder a bit about NATing the traffic and if it might improve things, but the original problem is solved. Thank you very much for helping!
  • Routing certain ips through openvpn

    12
    0 Votes
    12 Posts
    2k Views
    T
    Think I have worked it out. I set them to assigned instead of static, added the static leases in pfSense, and they seem to be applying okay. I have two DNS servers set to the static leases, but when I run a leak test four are showing? Why does this happen? Thanks again!
  • Site-to-Site VPN with VLANs

    5
    0 Votes
    5 Posts
    3k Views
    L
    Thanks for the answer! I'll give it a shot.
  • No web traffic passing through OpenVPN interface

    8
    0 Votes
    8 Posts
    2k Views
    N
    Hi All, let me give you an update on this. I finally got it resolved last week but just wanted to see how long it's going to last before giving you any update. I deleted all my previous OpenVPN configurations, CAs, client certificates and interfaces, and defaulted the firewall NAT Outbound rules, and somehow I got and assigned the correct vyprvpn interface (I was previously prompted to always assign the ovpnc2 interface that is not working properly instead of ovpnc1, and finally I got the ovpnc1 interface assigned, which might have resolved that issue with web traffic). I did start following the guide from the link https://forum.goldenfrog.com/t/opnsense-firewall-openvpn-client-working/3630 (mainly OpenVPN client setup), which helped me to get the vyprvpn connection to vyprvpn server hk1.vpn.goldenfrog.com up and running, but setting NAT --> Outbound --> to Hybrid and adding a rule manually didn't work for me, so I just set NAT --> Outbound --> to Manual and added new mapping rules based on existing ones, and changed the interface to vyprvpn in my case on all mirrored rules, and then I finally set the Gateway from GW_WAN to VYPRVPN_VPNV4 in my case in Firewall-Rules-LAN. I'm happy to say that my vyprvpn connection to the vyprvpn server has been up and running for more than a week. That test was done in Europe, so I'll help my teammate who is located in China to set up pfSense as a VyprVPN OpenVPN client at our China office and test the connection. Hope it will end up OK. If someone needs more info regarding that case I can provide screenshots of my full pfSense VyprVPN OpenVPN client and firewall rules configuration. Thank you all for your help once again.
  • 0 Votes
    6 Posts
    2k Views
    Z
    Meh, after some further fun trial and error I found the problem. There was an old and disabled IPsec rule in a conflicting subnet range. It looks like although it was disabled and definitely offline, it still hindered OpenVPN from adding its routes. After deleting it completely and another restart, site-to-site works. And for further reference: yes, now the routes to the remote OpenVPN subnets also show up in "Diagnostics / Routes".
  • Ovpn issues / rules.debug

    5
    0 Votes
    5 Posts
    734 Views
    jimpJ
    Don't do that. Set the assigned interface to "None" for IPv4 and IPv6. OpenVPN will manage the address internally, setting it there is messing it up.
  • Connecting Yealink IP-Phone to OpenVPN

    4
    0 Votes
    4 Posts
    3k Views
    M
    Please can you send the YealinkOpenVPNGuide file one more time. Thanks :-[
  • OpenVPN File to iPhone

    4
    0 Votes
    4 Posts
    691 Views
    DerelictD
    Don't believe the iPhone environment will allow that. There might be something that allows transfers but it has nothing to do with pfSense. Maybe someone else knows.
  • Port forwarding & OpenVPN?

    7
    0 Votes
    7 Posts
    8k Views
    DerelictD
    To all other readers: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting  (Check (really check) everything there!!!!!) No, it is not possible. That host's routing table prevails. If that host happens to have some reply-to magic like pfSense does, then maybe. But that would be a subject for that host's support forum.
  • Simple site to site, not even ping the server once connected

    2
    0 Votes
    2 Posts
    400 Views
    A
    Hi gentlemen, not able to figure it out so far… However, my route table seems fine, doesn't it? Sure I'm not far from the end, seems so simple, did I miss something? Thanks. [image: routes.png]
  • Limited number of OpenVPN Backend Authentication Servers?

    1
    0 Votes
    1 Posts
    422 Views
    No one has replied
  • OpenVPN Server to VLAN rule

    2
    0 Votes
    2 Posts
    709 Views
    V
    @joelones: EDIT: I just realized that there's an "IPv4 Local network" allowable networks field in the server configuration. Is that it? Yes, you have to enter the VLAN 10 network, 192.168.10.0/24, into the "IPv4 Local network" box. However, this field is not for allowing access, it's just for pushing routes for the networks entered to the client. To block access from VPN clients to other networks you should restrict the firewall rule on the OpenVPN interface to allow access only to VLAN10.
  • Site-to-site VPN reconnects every couple of minutes

    2
    0 Votes
    2 Posts
    534 Views
    S
    I also see that the 'Connected since' time is ahead of the pfSense time. The time shows correctly for the OpenVPN servers that are set up as 'remote access'. Does anyone have a clue?
  • OpenVPN client connection with same subnet

    1
    0 Votes
    1 Posts
    476 Views
    No one has replied
  • 1 Public Static IP for 1 dynamic IP location

    16
    0 Votes
    16 Posts
    1k Views
    DerelictD
    So just add 99.99.99.0/24 as a remote network on the OpenVPN at site 1. See also all the stuff above about reply-to and assigned interfaces at site 2. Pass the traffic on site 1 WAN that you want to pass, such as tcp source any dest 99.99.99.1 ports 80 and 443. Make sure that traffic DOES NOT MATCH on the OpenVPN tab at site 2. It has to NOT MATCH there and match on the assigned interface tab.
  • OPENVPN Problem

    1
    0 Votes
    1 Posts
    370 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.