• What Does "Redirect IPv4 Gateway" Do?

    7
    0 Votes
    7 Posts
    5k Views
    S
    I want to force the client to use its own internet gateway. In my scenario, the client must definitely use its own internet. Some clients can send all traffic over VPN and the internet can be accessed through the VPN server's internet. I prevent this situation with security rules, but this time the internet cannot be accessed in any way. Even if routing is done to access the internet via VPN, my VPN server must not allow this and force it to use its own gateway. How do I do this?
  • 0 Votes
    2 Posts
    529 Views
    P
    @lifeboy Does the Windows client machine have other network adapters such as VMware virtual adapters?
  • iPerf testing slow OVPN speeds

    1
    0 Votes
    1 Posts
    146 Views
    No one has replied
  • SG2100 as OpenVPN gateway

    5
    0 Votes
    5 Posts
    227 Views
    G
    @guillaume14 I made some tests with 2 pfSense boxes on the remote site: the first one (192.168.10.254) is the default gateway for the remote site computers (192.168.10.0/24); the second one (192.168.10.129) has only one interface (WAN), with 192.168.10.254 as the default gateway, and the OpenVPN client instance to the OpenVPN HQ instance. If I add a route to the HQ site (192.168.14.0/24) on the first pfSense box using 192.168.10.129 as the gateway, I can't access devices on the remote site (copier web interface, for instance) from a computer in the HQ site, but I can do a tracert to the same copier. Any clue? Thanks
  • 0 Votes
    8 Posts
    5k Views
    D
    @JonathanLee Thanks, this fix worked for me. My iPhone would not connect without it.
  • Error while saving OpenVPN Routes

    3
    0 Votes
    3 Posts
    183 Views
    A
    Thanks @viragomann, that works perfectly
  • Alias for IPv4 Local network in OpenVPN not up to date

    1
    0 Votes
    1 Posts
    154 Views
    No one has replied
  • 0 Votes
    2 Posts
    194 Views
    S
    A reboot fixed it, but it would be interesting to know what can cause this issue.
  • OpenVPN client not using the assigned interface

    14
    1 Votes
    14 Posts
    3k Views
    D
    The problem still exists in 2.7. If during the OpenVPN client connection the interface, specified in client's config, is down, the connection happens through another gateway (which could be a metered backup connection for example). This is a major issue in my opinion. UPD: "Do not create rules when gateway is down" option is checked BTW.
  • OpenVPN Web GUI & HTTP Issue resolution

    1
    0 Votes
    1 Posts
    109 Views
    No one has replied
  • pfsense+ NordVPN slow speed

    6
    0 Votes
    6 Posts
    1k Views
    GertjanG
    @mathais said in pfsense+ NordVPN slow speed: What do you think about going to Torrent download sites and downloading Torrents without a VPN? No need to use a VPN to access a torrent access point, right? Also, downloading something from a torrent and "secure my network infrastructure" is imho somewhat contradictory. @mathais said in pfsense+ NordVPN slow speed: In France, we have HADOPI which tracks downloads. So the VPN is useless? I know. I've dealt once with them. Received a first warning, and I knew it was coming, as I discovered earlier that a night auditor was using one of the PCs at work (hotel!) to download 'Disney' movies during his working hours, night time. He told me: "don't worry, I only download "VO" (original, English spoken language - no French subtitles) movies so no risk". Well ... he was wrong. I received a message from HADO and he was fired for this. He still didn't get the message afterwards, and had the great pleasure of meeting the "Disney lawyers" in court. That didn't go well at all. On the other hand: I do something that is considered totally insane: I share 'my' (work) internet connection with an entire hotel == a whole bunch of people unknown to me, also known as my "clients". They can do whatever they want with the connection I offer. If things go downhill, no problem, the owner (the one that subscribed to the internet connection) will do some jail time or has to pay the fine. Great. Basically, you can share your internet connection with everybody as long as you agree to assume all consequences - no exceptions. But I discovered something: during my 20+ years of internet sharing, and tens (hundreds) of hotel clients later, I never received another HADOPI message again. I do use pfBlockerNG on my hotel's captive portal access to block the most obvious IP and DNSBL destinations. That seems to do the trick, I'm not sure. Maybe people stopped doing illicit things while using a public hotel network?
Or: right after connecting to the portal, they activate their VPN.
  • OpenVPN Split-Tunnel Zoom Traffic

    1
    0 Votes
    1 Posts
    135 Views
    No one has replied
  • PF SENSE does not connect to the ipsec VPN

    1
    0 Votes
    1 Posts
    91 Views
    No one has replied
  • Portforward configuration for pfSense

    pfsense openvpn portforward
    2
    0 Votes
    2 Posts
    378 Views
    V
    @kstlan02 First off, it's not wise to use public IP ranges in the local network, even for docker. Then I'm wondering, why don't you run the OpenVPN server on pfSense. Do I have to do the port forwarding from the WAN to the LAN or do I have to do it from the WAN to the Docker container that is running OpenVPN? "LAN address" is the wrong destination here for sure. This is an IP assigned to pfSense itself. Hence forwarding to it, is not that, what you want. The question is then, how can pfSense reach the container? I'd expect, that the container gets its traffic forwarded inside the VM. But don't know, how you did configure it. So you have to forward the OpenVPN traffic either to the VM address or to the container IP. In the latter case, you would need to add a static route for it on pfSense of course.
  • Multiple DCO adapters

    1
    0 Votes
    1 Posts
    109 Views
    No one has replied
  • XG1537 and OpenVPN

    3
    0 Votes
    3 Posts
    172 Views
    RicoR
    @viragomann said in XG1537 and OpenVPN: There are pfSense installation out there, which treats hundreds concurrent connections. -Rico
  • Unable to pass traffic

    8
    0 Votes
    8 Posts
    653 Views
    G
    @viragomann I am unsure where you are going with this??? The routing tables are being updated on the clients' ends. Hence, the users are able to reach the LDAPS Server in the 10.101.xxx.xxx/24 subnet. Otherwise the authentication will fail since there is no LDAPS in pfSense. If you would like to see the routes:
    ------- ----------------- ------- ----------- -------- --
    22 192.168.xxx.255/32 0.0.0.0 256 25 Ac
    22 192.168.xxx.1/32 0.0.0.0 256 25 Ac
    22 192.168.xxx.0/24 0.0.0.0 256 25 Ac
    20 192.168.xxx.0/24 10.10.xxx.xxx 256 25 Ac
    20 172.16.xxx.xxx/24 10.10.xxx.xxx 256 25 Ac
    18 172.16.xxx.255/32 0.0.0.0 256 35 Ac
    18 172.16.xxx.xxx/32 0.0.0.0 256 35 Ac
    18 172.16.xxx.xxx/24 0.0.0.0 256 35 Ac
    20 10.101.xxx.xxx/24 10.10.xxx.xxx 256 25 Ac
    20 10.23.xxx.xxx/24 10.10.xxx.xxx 256 25 Ac
    18 0.0.0.0/0 172.16.1.1 0 35 Ac
    As you can see, the routing table updates are working. The routes are present in the routing table. But, one piece of information I forgot to provide: there are multiple VPN Servers running, unsure what the max number of VPN servers is that pfSense can run concurrently. The interesting route in the pfFW:
    10.10.xxx.xxx/24 link#11 U 14 1500 ovpns3
    10.10.xxx.xxx link#6 UHS 15 16384 lo0
    Looking at the logs, set to level 4, the only one I see right now is "Clock Unsynchronized". Other than that, the VPN logs are clean, and the same for the FW rules. Thank you again for your patience and assistance.
  • Use Openvpn client on one wan connection in a dual wan setup

    1
    0 Votes
    1 Posts
    84 Views
    No one has replied
  • OpenVPN client assistance

    31
    0 Votes
    31 Posts
    3k Views
    A
    @viragomann Hello, any benefits to pass clients via pfSense non-transparent proxy and then via OpenVPN client on pfSense to internet? Will this traffic catching if use non-transparent proxy? Benefits for security, I mean
  • Accessing remote files from Windows Explorer via VPN

    1
    0 Votes
    1 Posts
    68 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.