  • Openvpn interface destroyed?

    Restarted and working perfectly, thx cmb!

  • OpenVPN in new pf 2.3 show only the network in client status

    Could you at least answer the questions JimP asked? There are no apparent issues there; if we can get some details about your config, maybe we can find something.

  •

    Yes, but at the web interface you can use the standard routing table and add the IPsec security associations info to have all the routing-related info in a single place [IMHO]…

  • Can't pass traffic across OpenVPN client

    @lagreca:

    On this end, I can ping a remote LAN machine using the Diagnostics -> ping functionality.

    If you do that, pfSense uses the VPN IP, which is known by the Asus router, of course.

    If you cannot add a static route to the router, you can also solve this with NAT.
    Go to Firewall > NAT > Outbound; if it is set to automatic rule generation, select Hybrid or Manual and hit Save.
    Add a new rule:
    Interface: OpenVPN
    Source: Network and enter your LAN network
    The rest can be left at defaults, save it.

    If you have more than one OpenVPN connection, you have to assign an interface to each first and use that interface in the rule here.

  • How to find a client behind one of two OpenVPN gateways

  • Site to Site-Connect to Attached Network

    Is this close to being correct? If not can you draw it out?

    If this is close, your ASA needs to know how to send packets back to 192.168.0.1.

    So a route on the ASA for 192.168.0.1: the next hop should be 10.0.50.2.

             ASA                                     PFsense                                  Remote Network
        +---------------------+                +--------------------+      openvpn       +-------------------------+
        |                     |                |                    |                    |                         |
        |    10.0.50.1/24     +----------------+ 10.0.50.2          +--------------------+  192.168.0.1            |
        |                     |                |                    |                    |                         |
        +-------+-------------+                +--------------------+                    +-------------------------+
                |
                |
                |
                |
                |
           +----+---------+
           |              |
           |              |
           | 10.0.50.3    |
           |              |
           |              |
           +--------------+
  • Remote Access (SSL/TLS +User Auth) cellular (Verizon) connection issue

    @divsys:

    It's happening on more than one user

    Do you mean it's happening with more than one certificate on the phone, or on more than one phone?

    If more than one certificate, then definitely try dropping/changing (upgrading?) the phone app.
    Normally I like OpenVPN Connect as well, but perhaps it's being problematic here.

    If more than one phone, I'd be tempted to try another OpenVPN Server instance using a new port, CA, Cert to get a clean install.

    More than one phone and more than one user.

  • Access Wider VPN from Remote VPN…Possible?

    The OpenVPN connection for the laptop needs to be pushed routes for East, North, and West.

    Each of East, North and West also needs the route to reach your laptop connection.
    Central will need to push each of them a route to 192.168.50.0/24 and/or possibly the laptop's "home network".

  •

    jimp

    Check the server and make sure it's set to 'net30' for the topology; save on the server, then save on the client to restart it fully.

  • Force OpenVPN clients to use proxy

    If you have WPAD, it should grab the proxy. Did you check the auto-detect proxy setting in Firefox or Chrome?

  • How to create an OpenVPN client to IPVanish (updated & working)

    Would a CPU with AES-NI instructions help with this configuration?

  • IP Address works, FQDN Doesn't?

    Hilarious!

    Thanks Marvosa…I must have been very tired last night!

    I must have tried three or four times, so I was convinced I had typed it correctly.

    M

  • Status:OpenVPN not showing all connected clients

    johnpoz

    Wow, that seems nuts... For such a large network, wouldn't you normally just see a typical MPLS cloud, or SDN, or SD-WAN? Managing 200-some S2S VPNs seems nuts.

  •

    Ok, great, thanks.

    ~~Do I need to do something with the advanced configuration here, too? Like push route or so?
    (It was necessary for the windows clients.)

    Ah, and is there a way for me to remote connect to the branch office pfsense via this active site-to-site setup or do I need to run an OpenVPN server instance on the branch office pfsense as well?

    I hope you'll bear with me ;-)~~

    Best regards,

    Mel

    Edit: Got it working.

  • Openvpn client no lan access.. no internet access

    Answering my own post

    After 2 days of struggle… I disabled "Allow communication between clients", and now the OpenVPN client can see the internal LAN and can see internet traffic.

    Before, the client would connect to the OpenVPN server but would not be able to go anywhere, not even ping the OpenVPN server interface.
    Prior to pfSense OpenVPN I used the OpenVPN Access Server Virtual Appliance and did not have these problems (same setup, NAT), and OpenVPN clients would see each other.

    Luckily, I do not need the VPN clients to see each other.

  • After internet access openVPN crashes

    It's a tun client. But I can access resources through my VPN tunnel from external.

    I set the pull-noroute option and also disabled gateway monitoring of the VPN interface. But it didn't change anything.

  • Bind not answering to openvpn peer

    tcpdump was showing that DNS requests from the firewall were using the OpenVPN IP, and across the networks their respective network address.

    Even though I had allowed BIND to answer on the OpenVPN IP, it still didn't work.
    There doesn't seem to be an option to let BIND specifically listen on the OpenVPN interface, but even adding this by hand didn't work.

    I have now solved it by putting NAT on hybrid and forcing the LAN IP to be used when requesting port 53 over the VPN.
    This works, but is not really elegant…

  • Not allow clients to LAN?

    Derelict

    The best solution is probably OpenVPN assigned interfaces so you can put rules specific to each VPN endpoint on their own firewall rules tabs. You could just block source any dest LAN net and dest This firewall (self).

    Otherwise you probably want to block traffic from both the tunnel endpoint (in case they assign an interface and outbound NAT) so that would have to be static in a CSO, and the remote network(s), in both cases with destination LAN net and probably This firewall (self).

  • AES-NI?

    As there are no GCM ciphers available in the current implementation of OpenVPN, the performance gain is minimal. It's confirmed to be in openvpn-2.4; no clue when that will be released.
    https://community.openvpn.net/openvpn/ticket/301

    OpenVPN uses the OpenSSL library, and that library automagically uses AES-NI if available.
    https://forum.pfsense.org/index.php?topic=94553.0

  • Second OpenVPN Server

    I've decided to create a second VPN for users that need to connect from a device not owned by our company, and therefore not controlled by our security apps. This VPN uses udp/1195.

    There are a couple of places this can be problematic certificate-wise.
    I would suggest that the 2nd OpenVPN server needs its own certificate.
    As long as the new Cert is created using the same CA used for the first server, you should be OK with your current setup.
    You may need to enable "Allow Duplicate-cn" if you're trying to connect to both servers using the same client (that may or may not make sense in your setup).

    You might want to go so far as to create a new CA as well as a new server Cert for the second instance.
    If you do, you'll need dedicated client certs for the 2nd server.
    In many scenarios, that's a good thing (if only for enforcing separation of who's connecting and from where).
