Can you ping the cisco IP on your transit network from your vpn client? I can not tell from your diagram what the cisco IP in this transit is 192.168.0.1?? With pfsense IP being 192.168.0.254? Other than @viragomann great points.. Also don't forget possible overlap? What are you using for your tunnel network? What is the remote clients local IP.. If it overlaps 192.168.1 remote client would have any need to send traffic down the tunnel to try and get there. Also don't forget local firewalls on your dest box.. Not allowing whatever your tunnel network is. Which would be the source IP from your vpn connections. Can the vpn client ping the cisco svi on the lan side network 192.168.1.1?

@bcruze thanks for reference.

I didn't zero in on the fact that he was using pfSense nor am I too familiar with it. I'll have to get smarter on that.

Then you are doing it wrong. Not sure what else to tell you. Post your config screens. You are trying to match traffic sourced from VPN Net. Chances are that is not matching anything. Try changing those sources to any (like they are on the OpenVPN tab.)

If you are trying to port forward in from WAN across OpenVPN to a host there you must: Assign an interface to the OpenVPN instance on the target server side Be sure that the incoming connection there is NOT passed by a rule on the OpenVPN tab but IS passed by a rule on the assigned interface tab. This will get you reply-to there and the reply traffic will be routed back through the tunnel.

If they all use the same general settings you can put additional remote entries in the extra configuration settings at the bottom of the client configuration. remote host [port] [proto] Remote host name or IP address. On the client, multiple --remote options may be specified for redundancy, each referring to a different OpenVPN server. https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

That is not set by OpenVPN. That is set on the interface by the router. OpenVPN only provides the virtual interface which the router uses here. Some non-professional routers do the translating by default. Maybe you can disable it. Look for settings named like "masquerading".

It's strange that PFSense can't auto detect this- when I dump the route tables for my other VMs, they don't have a mapping to the VPN subnet either, but they are still able to talk to VPN clients. Anyway, this solution worked for me. Thank you.

@Pippin Hi Pippin Ok but the route did work even when I push them in, but when I added them to the remoted network on the server side. It start working.

the default port for openvpn is 1194 are you sure that 1195 is correct ? did you check if the port is open and reachable ? does this have anythig to do with pfsense? Network unreachable the error is pretty explanatory if you think there is a problem with pfsense check the firewall logs

@swarm said in pfSense as OpenVPN client keeps routing random websites through VPN server (which don't get past the VPN gateway): Hey @bmeeks . Appreciate your answer. I decided to delete and reconfigure the client to see what happens. I checked the boxes to both not pull routes and bar the server from adding routes to the local routing table. Forgot to do it when setting up the client initially so I edited the original config afterwards, if it makes any difference. Is it possible some of the routes are still there in the table and won't go away? Any way to check that? The problem still persists and I think it's because of something being cached where it shouldn't be. You may need to flush the routing table. If the firewall is not a business-critical item (meaning it's just your home network or similar), I would just reboot pfSense to be sure everything "cached" is flushed.

other unique indicators? Other then already mentioned, use tls-crypt...

@sepp_huber said in OpenVPN 2.4.4: Cannot connect with external CRL: default_crl_days One pitfall for me was, that "default_crl_days" must be set in the environment where the CRL is generated and NOT on the pfSense instance. Which is just logical ;-)

It has no concept of "prioritization". It will keep trying the next server in the list if it gets disconnected or times out. Assuming it respects multiple duplicate entries, that may help, but ultimately it means that it will try the first one twice and then the second if the first two tries timeout.

@calvinsteel said in OpenVPN can't connect on Windows 8: I have read too many guides. https://www.vpngate.net/en/howto_l2tp.aspx https://www.expressvpn.com/what-is-vpn/protocols/l2tp https://www.purevpn.com/what-is-vpn/protocols/l2tp But still nothing. All wrong. The sites you mentioned are companies that offer VPN services. They have a VPN server that you can access with a "client", like your Windows 8 PC. I advise you to start with https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/openvpn-remote-access-server.html Then, stop reading, and look at these https://www.youtube.com/channel/UC3Cq2kjCWM8odzoIzftS04A/videos - take the 2, 3 VPN "server" videos. Btw : install this package : [image: 1562157156171-599a7906-c802-49af-a0af-27aa8ba0a649-image.png] When you finished setup your OpenVPN? server, and added at least one "client" (the visitor), you go to " OpenVPNClient Export Utility" and select : [image: 1562157249903-939d1fa5-8058-4e0e-ac41-b489c424730e-image.png] Take that zip file, bring it to you Windows 8 PC, install and go.