There isn't, but there is also no point in tuning it. It's a symptom of the root connectivity problem, not the source of any problems. Nothing you change will fix connectivity issues.
What did it for me, at least as far as preventing everyone from going through the VPN by default, was enabling the "Don't pull routes" option under VPN>OpenVPN>Clients>edit your VPN. It's the 2nd option above the Advanced Configuration header.
All I need now is a 'Killswitch' so if the VPN goes down any client routed into the VPN doesn't just go back through the WAN.
Hope this helped.
Hi manny,
No, I didn't need to do anything peculiar for the double-NAT. No custom routes or NAT settings required. Literally, the issue was the subnet mask, which took quite a while to figure out, but was an easy fix.
Thanks!
I'm having the same problem… "Authenticate/Decrypt packet error: packet HMAC authentication failed"
and I've reviewed and re-input the keys a couple of times. I believe this may be related to the recent reset of all of the PIA keys/ports/ciphers due to the Russian activity.
Does anyone have a 'how-to' that includes the most recent changes? TIA.
@johnpoz:
So you want to use tap vs tun? Why exactly do you feel you need to be on the same network as your remote location? Are you trying to broadcast for something, use multicast? What? There really are very few things that would justify "bridging" your OpenVPN connection.
My DirecTV box won't let me do lots of things unless it thinks I'm on the same network. It is on my home /24 network, using a /24 bitmask, and my VPN network is a smaller /29 network, part of the same /24 network, but outside of what would be the same /29 that the DirecTV box would be on if I left its IP the same but put its netmask to /29. Was thinking that pfSense would proxy ARP to the DirecTV box in place of my VPN client, but it apparently isn't happening.
Hoping that by having a layer2 VPN here it would work.
Thanks, I worked it out a few days ago. The ping time on the default VPN ping was too long and showing the gateway down. I changed the monitor address to the server public address instead of the VPN address and all is good now.
Thanks,
Simon
Nice, but indeed, not 100% sure and don't want to clutter :)
Server:
Remote access SSL/TLS+User Auth
In config file of server I see for example:
server 192.168.168.0 255.255.255.0
tls-server
I think:
"server ..." already includes "tls-server" so no need for the latter.
When exporting a client config I see similar in the *.ovpn:
client
tls-client
Again I think:
"client" already includes "tls-client" so no need for the latter.
Thanks.
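The redundancy described in this post follows from how OpenVPN expands its helper directives: `server <network> <netmask>` implies `mode server`, `tls-server`, an `ifconfig`, an `ifconfig-pool` and the pushed gateway, and `client` implies `pull` plus `tls-client`. The following added example (not from the original thread or from pfSense) is a small checker that applies those expansions to a config and lists the directives that are already implied; it models only the `dev tun` / `topology subnet` form of `server`, and the sample configs are constructed.

```python
import ipaddress
import shlex

def expand_server(network: str, netmask: str) -> list[str]:
    """Directives implied by 'server <network> <netmask>' for dev tun with
    topology subnet (the form pfSense generates): gateway is the first host,
    the pool spans the remaining hosts."""
    net = ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)
    hosts = list(net.hosts())
    gw, first, last = hosts[0], hosts[1], hosts[-1]
    return [
        "mode server",
        "tls-server",
        'push "topology subnet"',
        f"ifconfig {gw} {net.netmask}",
        f"ifconfig-pool {first} {last} {net.netmask}",
        f'push "route-gateway {gw}"',
    ]

def expand_client() -> list[str]:
    """'client' is shorthand for these two directives."""
    return ["pull", "tls-client"]

def parse(config_text: str) -> list[tuple[str, ...]]:
    """Tokenise an OpenVPN config, skipping blank and comment lines."""
    out = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            out.append(tuple(shlex.split(line)))
    return out

def redundant_directives(config_text: str) -> list[str]:
    """Return explicit directives that a helper directive in the same
    config already implies (e.g. 'tls-server' next to 'server ...')."""
    directives = parse(config_text)
    implied: set[tuple[str, ...]] = set()
    for d in directives:
        if d[0] == "server" and len(d) >= 3:
            implied.update(tuple(shlex.split(x)) for x in expand_server(d[1], d[2]))
        elif d[0] == "client":
            implied.update(tuple(shlex.split(x)) for x in expand_client())
    return [" ".join(d) for d in directives if d in implied]

# Constructed samples mirroring the server and client snippets in the post.
SERVER_CONF = "server 192.168.168.0 255.255.255.0\ntls-server\ndev tun\n"
CLIENT_CONF = "client\ntls-client\ndev tun\nremote vpn.example.invalid 1194\n"
```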
Thank a lot viragomann
To get this to work - I ended up providing the domain name (factory.local) to my remote office DHCP clients so those client PCs can resolve short (NetBIOS) names as well as FQDNs for our local domain. I typed the Main-Office DNS server IP (10.0.1.20) at the top of the list in General->Setup for the Remote-Office pfSense machine (as you suggested).
So now Remote Office client PCs can join the Main Office domain and are listed in AD-DNS with 10.0.5.x addresses :)
I did not use DNS-Forwarder… do I really have to use DNS-Forwarder ? I think AD-Client PCs are better left with their "natural" AD-DNS server for name resolution...
Question: We have an extra subnet in Main Office (10.0.3.0/24) used for IP-Phones… Is it possible to connect that subnet through our VPN connection ? We need to install a few IP-Phones in the Remote-Office location ?
I tried adding extra gateways and static routes at pfSense - nothing works... Please advise :)
Anyone have any advice on my problem? At this stage, even after deleting all VPN-related settings, rebooting and then re-configuring, I end up with the same error. My next option is to reinstall pfSense on a new USB. Though I feel that if this is an option to address the problem there is something significantly wrong.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.