The most secure way is also the most convenient way: Use a separate OpenVPN server. Any time you need different levels of access, it's best to setup an isolated VPN structure (different CA & server cert, different server, different subnet, etc)

@abidkhanhk Can you ping it localy? And more generally, a. disable/adjust host firewall and b. make sure it has a default gateway , or routes to the gateway serving the vpn That's assuming you haven't done specifing firewalling in pfsense somewhere else.

@KOM [image: 1572397743300-giphy.gif]

You'd need some way to tell the user's devices which VLAN to connect to. There is DHCP option 43, but that's based on MAC address. By the time a user logs in, it's too late. The normal way to restrict access is to configure it in Active Directory. Why do you think you have to do it with VLANs?

@boelter said in PfSense OpenVPN > Ubiquiti USG > LAN not routing properly: PfSense (W:DHCP / L:10.42.9.0/24 / OVPN:10.90.0.0/24) -> USG (W:10.42.9.12 / L:10.42.8.11) -> LAN Wow, does this actually work with DPI stats in the Unifi controller? Do you have any VLANs behind there? I.e., can the pfSense do the VLAN routing and let the USG just be a "dumb" router/bridge?

@Gertjan said in OpenVPN Command Line Arguments: @RHLinux said in OpenVPN Command Line Arguments: /etc/rc.d/openvpn ? FreeBSD doesn't start daemon like "Linux" based OS's .... pfSense isn't even following pure "FreeBSD" conventions. To finalize : editing core file will probably get wiped (re written) when saving config, and for sure when upgrading. If you really have to, look here : /usr/local/etc/rc.d/openvpn Thanks for the information, I'm used to Fedora, Debian/Ubuntu Linux distros :)... It's purely for testing, I realize they will be overwritten during upgrades, but they shouldn't be overwritten by config changes. RHLinux

Did you hand your vpn client your dns in your openvpn config? I use this every day, all day.. Is there some reason your using the forwarder (dnsmasq) and not unbound on pfsense? [image: 1572263143444-dnsvpn.jpg] When your client connects.. Look in your interface details with ipconfig /all Do you see that it was handed dns? When I get to work this morning, I will connect as always and show you how it should look. You are running your openvpn server on pfsense right?

I am not ignoring this - I just broke everything quite badly - so am having to recover :-( Sean

@DangerMouseUK said in Possible to use directly a .ovpn file without GUI ?: Hi Guys, Didn't want to start a new thread on this one. OVPN config importing would be really handy for me setting up multiple SG appliances quickly. Is this still on the roadmap? Thanks DM why not use the backup and restore function already built in?

Try watching this. https://www.youtube.com/watch?v=7rQ-Tgt3L18

Most of us just run it open. OpenVPN discards any packets that are not using the correct TLS key. Remote Access VPN is almost always passed from source address any.

Which options box are you referring to? If its Custom options, then that is empty. https://i.gyazo.com/36d58311d84723b4b998b90743b1a433.png How can I check that I have the right instance? I believe I only have one. Where is the local config? Maybe in cases like this it is better to start over with the OpenVPN? Is there a way to wipe all this OpenVPN settings away completely? Update: I have attempted to remove all traces (one trace that does remain and I can't seem to remove it is the User certificate from the original OpenVPN setup) of my initial OpenVPN setup and start anew. I have followed the link as suggested in your earlier post to setup OpenVPN. When trying to do the Client Export utility, no client executables appear in the OpenVPN Clients section of the Client Export Utility page. There is this note next to it: "If a client is missing from the list it is likely due to a CA mismatch between the OpenVPN server instance and the client certificate, the client certificate does not exist on this firewall, or a user certificate is not associated with a user when local database authentication is enabled." Update2: I managed to remove the original user cert after I removed it from someplace else, the delete/trash can symbol appeared. The Client Export executables were not showing up b/c I had not created a new user cert. Now I can ping the pingable devices behind the pfsense firewall. I can also create a mapped network drive to those devices. However, I need to use their private IP addr. instead of their Windows name. Is it possible to use the computer names for creating network drives? And is it possible to make network drives to these devices with their firewalls enabled? Also, is it possible to restrict connections to the vpn by MAC addresses that I specify? If so, how?

Tried drips the srv does not respond. My machine neither. The weirdest point clock responds to. And the 3 equipments are in the same range https://uploaddeimagens.com.br/imagens/captura_de_tela_2019-10-25_as_11-13-57-png https://uploaddeimagens.com.br/imagens/captura_de_tela_2019-10-25_as_11-11-41-png

@sonnyboy said in Can connect to VPN from LAN but not from WAN: rules yes, i think its firewall rule issue only with wan interface in new 3p update of pfsense, there was no issue in previews update, i have practiced and implemented more than 10 time before this update, but now i am not able to get successed with same steps and documents which i was following before, i tried more than 10 time with 3p patched update of pfsense but no luck!, again i am searching and practicing to find the issue.

Probably the server isn't reachable from the client with the given IP/port.

Op did hear the news the NordVPN encryptions keys have been stolen? https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/

the routing table now is the same ? maybe it was something else on the configuration