• 0 Votes
    4 Posts
    564 Views
    RicoR
    https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html -Rico
  • Correct setup for pfSense + VPN + Pi-Hole ?

    0 Votes
    2 Posts
    1k Views
    Z
    Bumping this and adding more specifics... According to a post on the Pi-hole forum, the correct config is: Add the Pi-Hole IP address to pfSense > Services > DHCP Server > DNS Servers. Do not enable DNS Forwarder. Do not enable DNS Resolver. Do not add a DNS entry in the System > General Setup > DNS Server Settings. The last setting seems to be causing an issue -- the router is unable to connect to my VPN provider if no entry is made in System > General Setup > DNS Server Settings. It's also unable to connect if the Pi-Hole IP address is entered there. Specifying a public DNS, such as Cloudflare, does work -- but then I am not sure if all DNS queries are going through the Pi-hole?
  • OpenVPN not resolving internal DNS names

    0 Votes
    6 Posts
    546 Views
    johnpozJ
    Well the only thing that can talk over the tunnel - is your vpn clients.. But sure you can limit what your vpn clients can access if you want/desire to do so. The automatic acls should prob be updated to auto allow tunnel networks to be honest.. But anyone that understands how the acls work, would know that they need to adjust them, etc. Glad you got it sorted..
  • Unknown "OpenVPN" interface tab in my Firewall rules

    0 Votes
    2 Posts
    301 Views
    jimpJ
    That is a tab created when the firewall has any OpenVPN clients or servers defined. It's an interface group tab for firewall rules which apply to all OpenVPN interfaces. If you have assigned your OpenVPN instance(s) and use rules on the per-interface tabs then you won't need to do anything with the OpenVPN tab. Some people don't assign the OpenVPN clients or servers as interfaces and just manage rules on the OpenVPN tab.
  • OpenVPN setting max number of authentication retries

    0 Votes
    2 Posts
    364 Views
    bingo600B
    I'd look at using Freeradius as external auth (Radius) server, if needing something like that /Bingo
  • OpenVPN Server-Client access problems

    0 Votes
    9 Posts
    1k Views
    RicoR
    Glad you have it working now. -Rico
  • Indefinite openvpn session

    0 Votes
    3 Posts
    392 Views
    S
    No, I have PFSense server on one side. My server connects as OpenVPN user cert/user/pass. I gave it a static IP via push ifconfig, then on the firewall I have made rules that cover this communication. So, my server connects as an OpenVPN user.
  • Q: OpenVPN RoadWarrior Certificate Expired , what to do

    0 Votes
    4 Posts
    1k Views
    jimpJ
    @bingo600 said in Q: OpenVPN RoadWarrior Certificate Expired , what to do: 1: Delete the expired certificate 2: Under user manager, edit user -> "User Certificates" -> "+Add", create a new certificate with the same CA name? That would be easier if working. That should be fine. Though strictly speaking you probably want to set up a separate VPN for vendors than for your typical remote access users, to be sure they can be isolated more strictly. So a different CA, server cert, OpenVPN server, etc. I actually made 3 servers: ADM + INT + EXT, and made "interfaces" for all 3. All 3 have separate CA-Roots + Server /24. That way I can do firewalling based on the Client types. Sounds good
  • OpenVPN Client-Server - Disconnect clients after some time

    0 Votes
    1 Posts
    151 Views
    No one has replied
  • How can I optimize Ubuntu 16.04 performance

    0 Votes
    2 Posts
    349 Views
    RicoR
    Hmm...you realize this is the pfSense forum? -Rico
  • VPN and routeur

    0 Votes
    8 Posts
    843 Views
    JKnottJ
    @splinny Is that 192.168.1.0 actually from your ISP? If so, then you are behind NAT and a VPN will never work.
  • Latest OpenVPN client tls ca certificate is undefined openvpn error!

    0 Votes
    6 Posts
    2k Views
    PippinP
    OpenVPN Connect for Windows is beta and aimed at OpenVPN Access Server. Either download from pfSense GUI or use the download from @Rico
  • 0 Votes
    7 Posts
    806 Views
    RicoR
    No idea what you are showing there...just a port forward like it is mentioned in your VDSL Router user manual. ;-) -Rico
  • OpenVPN Remote acces server on VPS without LAN

    0 Votes
    2 Posts
    525 Views
    V
    The wizard automatically sets the firewall rules which are needed to access the server and also for anything else over the VPN. What you have to check is the "Redirect gateway" check in the server settings. But I think this is set by the wizard as well. @hyposera said in OpenVPN Remote acces server on VPS without LAN: I would like to set up the pfsense openvpn remote access server on VPS and connect my local pfsense box as a client. I assume you aim to direct any upstream traffic from the network behind your local box over the VPN. So you have to add an outbound NAT rule for that traffic. If your outbound NAT works in automatic mode, switch to hybrid mode and save that setting. Add a rule like this: interface: OpenVPN; source: any (or restrict it to your LANs); destination: any; Translation: interface address. I assume you're running only that one OpenVPN instance (client or server) here. If you run multiple, assign an interface to the client instance and use that one in the NAT rule. On the remote pfSense, you also have to add an outbound NAT rule like the above one, but to the WAN interface.
  • Site to site ovpn

    0 Votes
    3 Posts
    425 Views
    RicoR
    https://docs.netgate.com/pfsense/en/latest/book/openvpn/index.html -Rico
  • Solved - OpenVPN firewall rule precedence w. both /30 & /24 servers

    0 Votes
    4 Posts
    440 Views
    bingo600B
    I got my Roadwarrior OpenVPN servers up & running. And it was as easy/elegant as I hoped, after the answer above. Just create the server, and "dig into" the available "unassigned" interfaces. Enable and name it, and "voila" you have gotten an interface to make your rules on. No need to have any rules at all under the "OpenVPN" interface. Thanx for this feature Netgate /Bingo Edit: This page was inspirational https://turbofuture.com/computers/How-to-Setup-a-Remote-Access-VPN-Using-pfSense-and-OpenVPN
  • 0 Votes
    2 Posts
    206 Views
    RicoR
    You can have as many OpenVPN Clients and Servers as you want, just set it up. -Rico
  • Disabling single OpenVPN Server

    0 Votes
    6 Posts
    909 Views
    jimpJ
    If you change the status in the GUI and save, it would always be immediately reflected in config.xml. Unless your disk is doing something really funky with caching writes, it should be there as soon as the config is written.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.