• Confused about OpenVPN client DNS queries on a MultiWan setup

    0 Votes
    2 Posts
    302 Views
    Rico
    https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html -Rico
  • Openvpn error routing

    0 Votes
    14 Posts
    2k Views
    stephenw10
    Assuming you have rules to allow it, log in to the server GUI and check the OpenVPN tab in the firewall rules. Or the assigned interface tab if you have assigned the OpenVPN server as an interface. Steve
  • firewall rules on server

    0 Votes
    2 Posts
    265 Views
    JKnott
    @trazom ???? The same way as you configured it. Fire up a browser and connect to pfSense. They're under Firewall > Rules.
  • Client to Server to Internet Client

    0 Votes
    5 Posts
    765 Views
    M
    @gertjan yes, you're onto it ;) Yes, it's tun, "IPv4 Tunnel Network" ---> 10.10.77.0/24. Do you policy-route this 'call-in' network also ? I've tried to set it as follows: Firewall / Aliases / IP Network or FQDN --->> 10.10.77.0/24 (OpenVPN); Firewall / Rules / LAN Interface (LAN) "also tried the openvpn here too"; Source > Single host or alias "OpenVPN"; Gateway is set to the expressvpn. With that set like this, when the phone is connected, it works, but the internet connection is still shown as my WAN IP, and not the expressvpn IP.
  • 0 Votes
    1 Posts
    169 Views
    No one has replied
  • Access to LAN net behind pfsense from OpenVPN net

    0 Votes
    4 Posts
    795 Views
    H
    Yep, LAN net is double NAT'd - I'm now working with ISP for switching router to bridge. My net is: [image: 1551583408831-c15a2547-b459-4c5e-8722-b83f9f7cff6f-image.png] On VPS I have OpenVPN server + Zabbix (10.8.0.1). On pfSense I have Zabbix agent + proxy (10.8.0.2). pfSense self-monitoring works fine (without proxy). I want to monitor some devices in LAN - 192.168.1.101. Now I've been stuck in settings - pinging LAN devices from OVPN interface does not work, but pinging pfSense LAN address works fine.
    UPD
        dev ovpnc1
        verb 1
        dev-type tun
        dev-node /dev/tun1
        writepid /var/run/openvpn_client1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp4
        cipher AES-256-CBC
        auth SHA512
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        local 10.10.10.4
        tls-client
        client
        lport 0
        management /var/etc/openvpn/client1.sock unix
        remote <ip> 31194
        ca /var/etc/openvpn/client1.ca
        cert /var/etc/openvpn/client1.cert
        key /var/etc/openvpn/client1.key
        tls-auth /var/etc/openvpn/client1.tls-auth 1
        ncp-disable
        resolv-retry infinite
        route-nopull
        link-mtu 1601
        remote-cert-tls server
    My goal is to set up Zabbix monitoring from VPS (IP 10.8.0.1) of devices on the LAN network (IP 192.168.1.101) through a proxy installed on pfSense router (IP 10.8.0.2). Now Zabbix says "Timeout while connecting to "192.168.1.101:161"." In the diagnostics tab of the pfSense router, in the ping section, I can successfully ping pfSense itself: 192.168.1.1 from 10.8.0.2, but 192.168.1.101 from 10.8.0.2 fails: packages are lost somewhere
  • 0 Votes
    2 Posts
    492 Views
    E
    @eric-marshall I guess that was just way TL/DR. Sorry Guys.
  • PIA VPN removes stealth mode at GRC Shieldsup

    0 Votes
    8 Posts
    1k Views
    S
    Thanks for the info guys
  • Only first IP connected have acces to network

    0 Votes
    6 Posts
    654 Views
    Gertjan
    @artware said in Only first IP connected have acces to network: Certificate are different In that case, you could switch to : [image: 1551452935790-3f385396-4483-40f0-a99b-7a9e484c020a-image.png] De-select Duplicate Connection. Firewall rules ?
  • Dual ExpressVPN failover - routing broken

    0 Votes
    1 Posts
    285 Views
    No one has replied
  • Fatal Error if radius with 2fa doesnt answer for longer time

    0 Votes
    2 Posts
    196 Views
    jimp
    Which version of pfSense is this on? If it's not current, upgrade. Otherwise you might want to report this specific error condition upstream to OpenVPN:
        Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Assertion failed at ssl.c:1929 (ks->authenticated)
        Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Exiting due to fatal error
  • ACL with HAProxy through OpenVPN

    0 Votes
    11 Posts
    2k Views
    P
    @uwscia said in ACL with HAProxy through OpenVPN: HAProxy is not seeing the OpenVPN client with the assigned subnet IP. Seems like the wrong chicken created an egg explanation, cause/result.. :) I think you mean: the OpenVPN client is not using the VPN to connect to the IP the domain name resolves to. To solve that, make DNS resolve a different IP that is part of the VPN network routes. That could perhaps be done with a hostname override in the dnsresolver settings, or make the VPN the default gateway for all traffic? Or perhaps push routes for the public IP that needs to be directed over the VPN?
  • Can OpenVPN run at the same time as L2TP over IPsec

    0 Votes
    3 Posts
    215 Views
    Derelict
    Yes that should not be a problem as long as everything is using different tunnel addressing, etc.
  • 0 Votes
    1 Posts
    151 Views
    No one has replied
  • site-to-site, cannot ping from one lan to other lan

    0 Votes
    47 Posts
    8k Views
    stephenw10
    It's the Windows clients in Azure that need the route. That can either be added on each client or you can add it to the Azure routing for your VPC (or whatever Azure are naming the local subnet there). That will then apply to traffic from any client that hits the Azure gateway. You can assign the OpenVPN interface there to get an additional logical interface. Because it would be the second interface it will appear as LAN which might make things even more confusing! WAN and LAN are just names though. Steve
  • Settings to utilize AES-NI

    0 Votes
    2 Posts
    431 Views
    Gertjan
    @zeranoe said in Settings to utilize AES-NI: OpenVPN to use AES-NI https://sourceforge.net/p/openvpn/mailman/message/35041969/ ?
  • Site to site tunnel - can ping from one side but not the other

    0 Votes
    4 Posts
    692 Views
    Derelict
    Can ping from one side but not the other Either firewall rules on the OpenVPN tab (or assigned interface) on the side you can't ping OR a firewall on the device you can't ping itself. OR policy routing on the side that cannot ping the other forcing connections over a different path.
  • 2.4.7

    0 Votes
    3 Posts
    447 Views
    M
    Thanks Jim, appreciate it.
  • Site to site tunnel routing through wrong VPN network half the time

    0 Votes
    14 Posts
    1k Views
    I
    I enabled it again and it continues to work which confuses me since one of the first things I tried was to disable NAT rules so I don't know why it didn't work then.
  • OpenVPN server static IP

    0 Votes
    23 Posts
    2k Views
    Y
    I appreciate your input but not sure if that's the real reason. I know it can be done on the IOS platform because at work we have cisco anyconnect and sonic wall VPNs that do it just fine. So maybe in the future it will be added. Otherwise, I am happy with pfSense and the community!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.