• Don't understand the 10.0.8.2 route in Diagnostics -> Routes

    9
    0 Votes
    9 Posts
    897 Views
    PippinP
    Ok, fired up a virtual box and topology subnet for pfS shows inet 172.16.25.1 --> 172.16.25.2 while on Linux inet 172.16.25.1 --> 172.16.25.1. Then I remembered something about topology in FreeBSD and found it: "Repair topology subnet on FreeBSD 11" https://sourceforge.net/p/openvpn/mailman/message/35478475/ So I guess it's related to that for why it's different. But I don't know if it's related to OP's "the user can't access the 192.168.5.0 resources if the OpenVPN roadwarrior DHCP gives the 10.0.8.2"
  • Using Internal CA / Self-Signed Certificate for OpenVPN client

    4
    0 Votes
    4 Posts
    446 Views
    jimpJ
    You're confusing site-to-site/remote access VPNs on pfSense (servers) with VPN service clients. A VPN server on pfSense would use a server certificate from a self-signed internal CA as its server certificate. A VPN client on pfSense would use a certificate provided by the server. If that's a VPN provider, the VPN provider would give you a certificate. (If it's something like PIA, that's up to them. If you are connecting to another pfSense, it would be a user certificate made on that remote pfSense server).
  • OpenVPN Routing Not working

    1
    0 Votes
    1 Posts
    247 Views
    No one has replied
  • pfSsh.php playback not stopping clients

    3
    0 Votes
    3 Posts
    410 Views
    A
    @kiokoman said in pfSsh.php playback not stopping clients: op OpenVPN client # Thank you so much! Works now.
  • 0 Votes
    2 Posts
    329 Views
    W
    @derekmarch said in Is it possible to setup a gateway group of VPN connections that will only connect when needed: Can I somehow configure it so if a VPN server drops below the configured threshold it connects me to a different server, verifies that it meets the threshold requirements, connects me through that server then disconnects the original server? I am also interested in a solution for this problem. Does anybody know, how to set up the system for that?
  • DNS issue while connected to OpenVPN

    43
    0 Votes
    43 Posts
    8k Views
    A
    @Gertjan yup thats true.. thats why i switch straight away..
  • OpenVPN client specific override Error?

    pfsense clientspecific override openvpn
    13
    0 Votes
    13 Posts
    2k Views
    noplanN
    @Rico word! i do not need to understand why i would do this ;) CSO local networks but here in Austria a lot of things are possible ;)
  • Slow Speeds with OPENVPN

    12
    0 Votes
    12 Posts
    6k Views
    JKnottJ
    @johnpoz said in Slow Speeds with OPENVPN: 4ms to google - that pretty slick ;) Here's mine.
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=56 time=26.496 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=12.179 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=11.206 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=10.219 ms
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=13.817 ms
    64 bytes from 8.8.8.8: icmp_seq=5 ttl=56 time=9.764 ms
    64 bytes from 8.8.8.8: icmp_seq=6 ttl=56 time=8.719 ms
    64 bytes from 8.8.8.8: icmp_seq=7 ttl=56 time=10.771 ms
    64 bytes from 8.8.8.8: icmp_seq=8 ttl=56 time=10.745 ms
    64 bytes from 8.8.8.8: icmp_seq=9 ttl=56 time=17.773 ms
    64 bytes from 8.8.8.8: icmp_seq=10 ttl=56 time=7.366 ms
    64 bytes from 8.8.8.8: icmp_seq=11 ttl=56 time=11.967 ms
    64 bytes from 8.8.8.8: icmp_seq=12 ttl=56 time=15.246 ms
    64 bytes from 8.8.8.8: icmp_seq=13 ttl=56 time=10.638 ms
    64 bytes from 8.8.8.8: icmp_seq=14 ttl=56 time=8.609 ms
    64 bytes from 8.8.8.8: icmp_seq=15 ttl=56 time=10.193 ms
    64 bytes from 8.8.8.8: icmp_seq=16 ttl=56 time=8.295 ms
    64 bytes from 8.8.8.8: icmp_seq=17 ttl=56 time=10.942 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    18 packets transmitted, 18 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 7.366/11.941/26.496/4.300 ms
    It appears to be a bit better than yours. I'm on a 75/10 plan on cable modem.
  • Remote Employee & Remote PBX

    3
    0 Votes
    3 Posts
    463 Views
    easysimpleitE
    @JKnott said in Remote Employee & Remote PBX: @easysimpleit I have done that with a different firewall and it worked fine. I set it up with Talkswitch PBX and Adtran router. Once a VPN is set up, it's no different than any other IP connection. This would or should work if I’m allowing all traffic over the tunnel. I have it set up as a split tunnel and at the moment only internal resources are accessible. Is there anything special I need to do to allow that? The PBX is not local to our network, it’s a remote server outside our environment or control. Thank you
  • Yealink VPN connects but cannot get a DHCP address

    6
    0 Votes
    6 Posts
    776 Views
    G
    @JKnott I'm going to restate your response as I understand it. Based on your experience the IP is configured on the tunnel and you don't understand why I'm implying the VPN connection would be receiving a DHCP address. Based on my read of the Netgate documents it notes a TAP bridging setup would allow the VPN client to obtain a DHCP address on the network it's attaching to. [image: 1586701720343-ng-doc.png] https://docs.netgate.com/pfsense/en/latest/book/openvpn/bridged-openvpn-connections.html This wording seems to be similar to OpenVPN's - **There are two methods for handling client IP address allocation: Let OpenVPN manage its own client IP address pool using the server-bridge directive, or configure the DHCP server on the LAN to also grant IP address leases to VPN clients.** https://openvpn.net/community-resources/ethernet-bridging/ Also when one goes into the OpenVPN Server to edit it [if I remember correctly you do not see these options on creation] [image: 1586702057787-pfsrv.png] Based on what I've read I believe I'm using the correct terminology in explaining what I'm trying to do. If you feel otherwise could you help me understand your perspective. Thanks,
  • different route for different user in openVPN server

    3
    0 Votes
    3 Posts
    380 Views
    noplanN
    client specific override and firewall rules for the client i guess invert may be the best guess have a look here for the cso https://forum.netgate.com/topic/152171/openvpn-and-static-ip-for-all-clients/9
  • OVPN Single site, multiple remote users

    6
    0 Votes
    6 Posts
    609 Views
    B
    @Rico Thanks for suggestion. That works really nicely. Just like having a DHCP server handing out "static" IP addresses, in the OpenVPN subnet. I give you a thumbs up.
  • 0 Votes
    5 Posts
    976 Views
    T
    Yes the netmasks are all /24. For now it is 1 peer for testing. But in the future i would like to have the possibility to add more clients. The following is what I'm trying to accomplish: [image: 1586624098701-test.png]
  • OpenVPN and static IP for ALL clients

    27
    1 Votes
    27 Posts
    14k Views
    noplanN
    @stephenw10 tested it with some older android clients right now without the ifconfig-push not working on device added the lines working maybe / pretty sure it is the client not the config on the Server
  • Windows clients always have to reinstall the Client GUI

    19
    0 Votes
    19 Posts
    2k Views
    johnpozJ
    Your posting of the log showing the route waiting for interface to come up was key in finding that info... So glad you got it sorted!
  • How to setup OpenVPN to use 2 client ID to access 2 separate VLAN.

    3
    0 Votes
    3 Posts
    503 Views
    M
    Thank you I will give that try. So how is that openVPN server side should be setup? in "Redirect IPv4 Gateway" in Tunnel Settings in VPN server, should I list out all the VLAN?
  • 0 Votes
    15 Posts
    1k Views
    M
    I must say using these SG-1100's and pfSense was way easier than when I tried to do it using another vendors firewalls. Thank you again community for your help.
  • Unable to connect to OpenVPN server hosted by office pfSense VM

    3
    0 Votes
    3 Posts
    188 Views
    J
    Thank you for your reply, however, could you also help in how to rectify that? Should I post any other logs?
  • 0 Votes
    9 Posts
    4k Views
    GertjanG
    @rem1488 said in Can a user change his password to open VPN or change the password even at the first connection?: after receiving the config you will get access to the system True. As soon as you have access to a device, the 'cert' method opens also the remote LAN .... Let's say I presume that tools like OpenVPN-client are not (never) installed on devices that have shared users. @rem1488 said in Can a user change his password to open VPN or change the password even at the first connection?: and users can leave it on a flash drive or somewhere else Yep. And they have the VPN login and password - just several characters - in their heads, which can be 'copied' also very easy to another head. @Gertjan said in Can a user change his password to open VPN or change the password even at the first connection?: What looks more secure to you ?? ;) The important word here is "looks". Which is close to 'mystification' or security by obscurity. Because using certs or passwords to ID yourself is the same thing. The latter is easier, after a couple of hundreds of VPN logins ..... as we all do lately.
  • How to reach a webserver when all traffic is encrypted via OpenVPN?

    5
    0 Votes
    5 Posts
    543 Views
    F
    @viragomann said in How to reach a webserver when all traffic is encrypted via OpenVPN?: If you have a gateway defined on WAN pfSense should direct response traffic back correctly. Ok. Yes my pfsense does a NAT from 192.158.0.0/24 to 192.168.5.22 on the WAN and redirects it to my ISP router with that address. I went to duckdns.org and updated my IP to reflect the ISP's public IP address but it still isn't hitting my router for some reason after x minutes <mydomain.>duckdns.org gets back the VPN IP address. I'm wondering if I can filter out my 192.168.0.150 to not have incoming or outgoing vpn traffic? I tried to add an alias and the address and then use the WAN gateway instead of vpn under the LAN interface but that didn't work.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.