@the-rob Try to get it work with IP first to avoid resolving issues. If you cannot access the SMB ensure the host does not block it by its own firewall, which is the default behavior. To troubleshoot you can use the packet capture utility from the Diagnostic menu on pfSense. Take a capture on the interface facing to the SMB server and check if requests are going out and if responds are coming back properly.

Never mind...

@vinns For the clients the Apple store, Andriod store, etc ... https://openvpn.net/vpn-client/

@n8lbv The issue is probably the '5' thing you mentioned. Dono what that is. Look here : https://www.pfsense.org/download/ The next important thing is that OpenVPN itself - see here : https://openvpn.net/community-downloads/ went from the 2.4.x series (th ese are NOT pfSense series numbers !!) to the 2.5.1, 2 or 3 version. And between2.4.x and 2.5.x (OpenVPN !) things changed, some parameters are faced out, some can even do other things. Mixing 2.4.x settings (opvn file) with 2.5.x (2.5.2 is the OpenVPN version on pfSense 2.5.2) can crate issues. The other way around : same thing. So, using pfSense 2.5.2, things changed. I'm using a OpenVPN 2.5.x client on the client side, and pfSense 2.5.2, this works just fine. And yes, I to go to the OpenVPN 2.5.x release info page ( again : here https://openvpn.net/community-downloads/ ) and read the "Overview of changes since OpenVPN 2.4" part.

@hellnation76 I can't think of anything, short of using a managed switch that supports that function.

@felipefonsecabh the bridge between OpenVPN and Local Network works after i enabled these options: [image: 1637289410510-2021-11-18_23-36-29.png] I try to keep the "Redirect IPv4 Gateway" disabled (the address configured as 192.168.1.0/24), but doesn't work. It's possible to make it works without pass all traffic throught the tunnel? Thanks a lot!

@detox how you handle vulnerabilities on the cheap routers ? how you avoid sniffing traffic without encryption ? how you get easy updates and renew the system without replacing hardware? how you manage easily traffic routing and adding rules ? The answer to all above is pfSense and OpenVPN. at least is what i learned from the good guys here.

@johnpoz the Log Level was set to Default. I have changed it to 2 and now appear the TLS version. Thankyou so much.

@whitetiger-it The virtual IP of a client which is part of the tunnel network is that what the firewall is seeing as source address. So that is the way to do it. But there is quite no need a assign an /24 tunnel to 2 clients at all. If you use net30 topology you need 4 IPs (/30) for one client, so for two a /29 subnet is sufficient. If your server uses subnet topology a single IP is sufficient for each client. John, instead, has a CSO to use 10.201.201.1/24 But then he is always assigned to 10.101.101.2, as before. So obviously the CSO is not applied. If pfSense finds a matching CSO when establishing the connection a log line is written. If not the client gets an IP out of the servers tunnel pool. I mentioned above what are the requirements for a CSO to get applied.

I change my openvpn firewall rule on the WAN interface destination to "WAN address" from "this firewall (self)" . It seems that the "this firewall (self}" does not update the state table correctly, that is why I can make small call and get my 302 but not send any real data. So use the "WAN address" for the destination for the openvpn rules.

@kesawi I understand your question .... Is this a server or client message ? Maybe some OpenVPN client 'humor' : I rephrase : Profile uses BF-CBC which is not enabled BF-CBC isn't referenced in your opvn config (profile). If the client software is based on 2.4.x, then "BF-CBC" was a default cipher method. The current pfSense (25.5.2 CE or comparable) uses OpenVPN 2.5.x not the 2.4.x series.

@gertjan Thank you for your response, But actually, I'm looking for a third party solution, sth like Splunk but a bit easier and cheaper, Cause products like Splunk are too expensive for implementing in these kinda simple situations, I don't want to detect any problems, the main reason is security purposes. Please let me know if you have any ideas abt this situation. Regards

@audiobahn said in VPN Settings Sanity Check: Hi All, I'm trying to setup a VPN server on my PFsense to be able to remotely access my local network. I have managed to setup a server & client which connects fine BUT only when the client is within the network it tries to connect to. I feel I'm quite close to getting it but there's something I'm missing. Some background info on my topology: Public IP -> ISP Router (192.168.1.111) -> PFSense @ WAN Interface (192.168.1.210) -> Lan (10.10.x.x subnet). I already created a NAT rule to push any traffic on port 1194 from the Public IP all the way to 192.168.1.210:1194 so in theory an external client searching for the server on the WAN interface should be able to find it. I have screenshots of my settings but apparently the dimensions are too big to post, what's the best way to share these? Thanks. Nevermind, it got resolved now.

@helloha You can direct only specific host names or IPs over the VPN by using aliases and Policy Routing.