• OpenVPN Not Connecting - Unable To Contact Daemon

    0 Votes
    41 Posts
    5k Views
    P
    Good news is that it is not sorted and I have the devices split over the VPN and WAN as needed. Only issue I am having is ensuring that the VPN is using the VPN DNS servers. I have the VPN client set to "Pull DNS", however when doing the leak test, it is showing that Cloudflare DNS is being used, which is not too surprising as I use Cloudflare (1.1.1.1) as my remote DNS server. That being said, earlier in this topic, we created a rule to redirect my VPN clients to 1.1.1.1 as shown below. [image: 1709468429986-e7bab4a5-59b0-4ebe-8435-7875a0fc3857-image.png] So I altered this to the DNS of the VPN provider (5.254.106.2), unfortunately after doing that I cannot get websites to resolve for clients on the VPN. I have confirmed I can ping the VPN DNS servers (When connected/disconnected from VPN), so all is well on that end. While possibly completely unrelated, I went into the DNS settings and input the DNS servers for the VPN and allocated the VPN DNS entries to use the VPN Gateway as per the below screenshot. [image: 1709466241974-bcd36cb3-e464-4e0c-a65e-ea13c4acb4a3-image.png] Any suggestions?
  • Switch OpenVPN to IPv6

    0 Votes
    4 Posts
    577 Views
    P
    @the-other said in Switch OpenVPN to IPv6: you write that you want to change to IPv6 udp for openVPN but your screenshot shows you configured TCP port 1194...might be a problem, since UDP 1194 is standard port for openVPN (default), with TCP most ppl chose 443 (in order to reach your VPN in strict surroundings > hotel where UDP is closed). I made a mistake, I changed it to IPv6 UDP (1194). That was the problem. Now it works :-)
  • New to pfSense and NordVPN - Is there a 2.7.2 guide for configuring them?

    0 Votes
    6 Posts
    6k Views
    D
    In doing some more research I think I may use PIA (Private Internet Access) for my VPN rather than NordVPN. It is easier to configure. I appreciate all of the help I have received so far. Thanks to all.
  • Configure Which Machines Use VPN vs WAN

    0 Votes
    2 Posts
    246 Views
    GertjanG
    @panzerscope said in Configure Which Machines Use VPN vs WAN: but failed to find a decent guide and that is to configure on PfSense Here https://www.youtube.com/@NetgateOfficial/videos on that page you'll find Advanced OpenVPN on pfSense 2.4 and Advanced OpenVPN on pfSense 2.4 They are old, but they will show what needs to be done. What you probably want is this: Policy Routing Configuration.
  • Can't access LAN from VPN clients

    0 Votes
    9 Posts
    933 Views
    Z
    @viragomann Now I can't connect to proxmox server only, but any other service is working
  • OpenVPN with 2 Internet Links

    0 Votes
    1 Posts
    205 Views
    No one has replied
  • Configuring DDNS for OpenVPN

    0 Votes
    5 Posts
    614 Views
    Z
    @viragomann OH! I get it now! I thought I needed to configure it by editing the VPN's config/wizard. But still, I knew it has to have an easier way. Thanks a lot!
  • OpenVPN service stopping when Internet is gone v2.7.2

    0 Votes
    4 Posts
    463 Views
    F
    @romega3 No it's pfSense OpenVPN on both sides.
  • 3 Sites VPN doesn't work correctly

    0 Votes
    8 Posts
    857 Views
    J
    @hispeed A ha, yeah, you're using a /24 for the tunnel. No need for that. If you used a /30 or /31 you wouldn't need CSO at all.
  • How to add IntermediateCa using an external CA

    0 Votes
    1 Posts
    206 Views
    No one has replied
  • Cannot connect with RDP via openVPN

    0 Votes
    64 Posts
    15k Views
    I
    @johnpoz Johnpoz, Hey JohnPoz, I think you're the only one who can help me. I have done a refit of my network with Catalyst 3750 and 4948-10GE. I have a serious DNS problem. I have a few switches/routers that run OSPF, 1 router is connected via a /30 subnet (lag of four ports) to the firewall. All clients behind the ospf routers can reach the pfsense GUI webpage, but they cannot access the internet. Windows 10 diag indicates the DNS server is unavailable. Windows DNS server is configured with the IP address (LAN interface) of the firewall. A null route is configured on the ASBR (0.0.0.0 0.0.0.0 next hop IP) and has been propagated to all ospf switches/routers. In pfsense there is a static route (the lagg link) back to the internal ospf network. So I know that routing works from the client to the edge firewall and vice versa. I have configured a rule that allows the internal network (summary route) to the firewall and for outbound NAT, allows the internal network (summary route) to everything (*). Normally every client should be on the internet, but that doesn't happen, Windows 10 complains about DNS unavailable, I don't understand what is wrong. In pfsense I did a few tests with nslookup in diagnostics for msn.be for example and the output is positive. I do not immediately see an error in the output. Can I assume that DNS resolution works on the firewall? One way to test is to connect a PC in a /30 directly to the LAN port, but the /30 LAN port has a port channel, and I tried one link instead but that didn't work, couldn't connect to the firewall, probably because of the static route which expects another network device, I don't know. Do you perhaps have some advice?[image: 1708813404380-example.jpg]
  • VMware ESXI 8 NIC Passthrough on WAN

    0 Votes
    1 Posts
    241 Views
    No one has replied
  • OpenVPN Speed

    0 Votes
    3 Posts
    491 Views
    W
    @marcelobeckmann Thanks really thankful for this :) will look into it.
  • OpenVPN Firewall/tun Question

    0 Votes
    4 Posts
    554 Views
    V
    @CoffeeOrTea said in OpenVPN Firewall/tun Question: At the time I made this post, I didn't realize that you could assign an interface to OpenVPN. I eventually did, which added a 2nd tab to the firewall rules area, so now I have two OpenVPN tabs in the firewall rules area pfSense shows particular interfaces on the rules page in upper-case letters. So I'd expect, that it is rather shown as "OPENVPN" there in addition to OpenVPN, which is the interface group. if I have no rules at all on the OpenVPN tab, but then add a rule to allow WAN traffic on the OpenVPN interface tab, I don't get WAN access. But if I allow WAN on the OpenVPN tab, then it works. So you presumably did something wrong. OpenVPN is just the interface group and the interface is a member of it. Note that rules on interface groups have priority over ones on member tabs.
  • OpenVPN Client and Multi-WAN

    0 Votes
    3 Posts
    428 Views
    M
    Thanks, that seems to solve the issue but feels like a workaround.
  • Site-to-site openvpn routing issue

    0 Votes
    9 Posts
    1k Views
    B
    @viragomann It works !! Thank you SO MUCH for your precious help... I now need to adjust firewall rules. Thanks again Robert
  • VPN tunnel routing to wrong vlan

    0 Votes
    1 Posts
    130 Views
    No one has replied
  • DNS entries vs NAT reflection and android always on vpn

    0 Votes
    2 Posts
    326 Views
    D
    In the end I turned off NAT reflection for all but the VPN rule. The rest worked fine with the split DNS approach and no NAT reflection. I don't think it is doable to have the android openvpn client requery dns when transitioning networks. Though I guess you could have forwarding rule on the LAN that redirects VPN traffic to the pfsense interface where openvpn server is listening.
  • site-to-site ssl/tls with ospf

    0 Votes
    10 Posts
    1k Views
    M
    @deet said in site-to-site ssl/tls with ospf: I'm moving forward now with a separate OpenVPN tunnel per remote site, each on a /30 point-to-point link. Deprecated or not If you are willing to spin up a new VPN overlay why not just use IPsec. Easier to maintain and run dynamic protocols and there are no deprecation notices.
  • Proper network subnet selection in site-to-site setup?

    0 Votes
    17 Posts
    872 Views
    D
    That was the key clue. A Google search for that line led to another discussion in this forum. The last post in that discussion hinted at adjustment of the compression configuration. When I switched my server’s like this: [image: 1707971705823-screenshot-2024-02-14-at-11.34.21-pm.png] i.e., set the compression to “Refuse any non-stub compression,” I could see my client’s pfSense appliance at 192.168.4.5. Voilà!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.