  • Register Interface Address in DNS Resolver

    0 Votes
    4 Posts
    929 Views
    johnpoz
    The interest is in methods of registering with DNS Resolver

    i.e. it's resolvable ;)  What is the point of registering it in resolver if you're not wanting to resolve it?? ;)  So yeah the desire/need to resolve is clearly debatable…  Why should we discuss doing something that has no actual value??

    Either way, other than an override I do not know a way of registering that IP, which again could be lots of different IPs for each vpn client based upon their /30  What name would it be?  If going to resolve it, has to have a NAME..  so just going to be pfsensename? or pfsense.openvpn.yourdomain.tld ?  What name would you use to resolve it with?  If just PTR, what name would it return?

    Guess you could ask for a feature request or do some coding to come up with a name for these IPs being used.. So that it could be registered in resolver without override.

  • Cso client unable to get IP due to subnet error

    0 Votes
    7 Posts
    5k Views

    To resolve this issue, I had to edit the openvpn server.

    If you have checked off 'allocate only one IP per client' under CLIENT SETTINGS, then uncheck this setting and your 'Client Specific Overrides' should now work.

    This is what resolved the error for me.

    Jits

  • Openvpn manual routing

    0 Votes
    2 Posts
    709 Views

    you are load balancing and something is probably wrong with ONE of the two routes/connections between the network.
    test both individually to figure out which one is causing the issues.

    if you are natting either of them, then stop natting vpn's between private subnets ;)

  • Help with how-to use LAN printer with VPN clients?

    0 Votes
    12 Posts
    5k Views
    johnpoz

    SBSI ?? For policy based routing?

    https://doc.pfsense.org/index.php/What_is_policy_routing

    Your VPN is your gateway, you set up a rule to use that gateway when you want to use it, either based on dest, port, source IP..  Put this rule above your other rules that allow other traffic to internet..  Do you really need a picture of such a basic concept?

    Guess I can fire up a vpn connection to one of my vpses and show you a picture..

  • OpenVPN TAP for VOIP Multicast

    0 Votes
    2 Posts
    1k Views

    Well, strangely whatever I tested couldn't get it to work.
    Changed the drive and NICs to another physical system and connection of OpenVPN is active.
    Although I added all the firewall rules, traffic doesn't pass over the link.
    Any ideas?

    Kind regards.

  • OpenVPN TAP bridge with LAN

    0 Votes
    14 Posts
    5k Views

    Thanks. I'll try it out and I'll come back with the result :)

  • Draytek vigor router as client

    0 Votes
    1 Posts
    503 Views
    No one has replied
  • Some settings are not in the OpenVPN config file

    0 Votes
    9 Posts
    2k Views

    I'm pretty lost now…

    My iOS client gives me the following line in the log file: "redirect-gateway def1"
    My MacBook client (Viscosity) does not have this in the log file but when I go to whatsmyip.com I do get the (external) IP from my OpenVPN server.
    But when I check the options in Viscosity client the box that says: "send all traffic over VPN" is unticked.

  • OpenVPN Listen on Two Interfaces

    0 Votes
    6 Posts
    2k Views

    Just to clarify a few things…
    I do have IPv6 working though the VPN. i.e. When a client connects they can access things via IPv4 and IPv6. The issue is how you initially connect to the VPN server. You have to use the IPv4 address to connect because OpenVPN is only listening on the IPv4 address. I want the server service to listen on both IPv4 and IPv6.

    Per your suggestions, I could listen on "any" interface or start another OpenVPN server on the IPv6 interface.  I also thought about adding another "local" line with the IPv6 address in the config file for the server.

    I've read that using "any" is not recommended in pfSense as it breaks things and it is only there to facilitate upgrades from older systems. So, I think that's out.

    As for starting a 2nd OpenVPN service, I'm ok with that, but what bothers me is that if I give it the same tunnel IP ranges won't that cause conflicts? Do they have to be different?

    Is it possible to add a second "local" line to the config file for the server?

    Thanks,
    Steve

  • 0 Votes
    2 Posts
    1k Views

    it works

    I've added a NAT outbound rule to allow communication

    interface : openvpn
    source : any
    source port : *
    destination : any
    destination : *
    nat port : *
    static port : no
    nat address : OpenVPN address

    Ping works from a client LAN host to another client LAN host.

    OUFFFFFF.

  • 0 Votes
    2 Posts
    2k Views

    This just happened to me as "Socket bind failed on local address [AF_INET]192.168.100.10" following a TWTC Internet outage. The logs indicate that pfsense briefly picked up 192.168.100.10 from the motorola cable modem. The question I have is, why did OpenVPN hang on to it?

  • [SOLVED] Port Forwarding on VPN interface

    0 Votes
    8 Posts
    3k Views

    If you go back to your first message, you can edit it and add a [SOLVED] to the title for posterity's sake  ;)

  • Remote OpenVPN client traffic being blocked because of Public IP address

    0 Votes
    5 Posts
    1k Views
    johnpoz

    Why would the traffic for your public IP go thru the tunnel, did you hand out routes to the clients that the public IP is down the tunnel?  When your call is set up, the client should be told what the private IP is so it will go down the tunnel just like the call setup.

  • Unidentified Network Win10

    0 Votes
    8 Posts
    5k Views

    It could be that the VPN is unstable enough that windows falls back to the original route through the school. I think windows does this automatically.

    In your config you should have a line "redirect-gateway def1". This is what adds these routes:

              0.0.0.0        128.0.0.0      192.168.2.5      192.168.2.6    20
            128.0.0.0        128.0.0.0      192.168.2.5      192.168.2.6    20

    These are supposed to be preferred by Windows over this one:

              0.0.0.0          0.0.0.0    192.168.43.1  192.168.43.164    25

    Try removing the "def1" from "redirect-gateway def1" in your Windows config. See the following for details on redirect-gateway.
    https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html

    Edit: If you don't have redirect-gateway in your config it's because it's being pushed by pfsense. Turn off the "Redirect Gateway" check box in pfsense and add "redirect-gateway" to your windows config.

  • IPv6 disabled but OpenVPN client on Android still trying to use it?

    0 Votes
    3 Posts
    893 Views

    What did you do to fix this? Whenever I've run into this, I've had to set my APN to IPv4.

  • OpenVPN Remote Access - TCP connection issues

    0 Votes
    5 Posts
    1k Views
    johnpoz

    The openvpn vmware package or the native tools?  But if you're using e1000 vnics then I am not aware of any issues either way.

    esxi 5.0?  Well that doesn't even support pfsense 2.2 that is based off freebsd 10.1  – which was added in 5.5u2

  • OpenVPN OK - Sip client not OK

    0 Votes
    1 Posts
    609 Views
    No one has replied
  • OpenVPN on one interface

    0 Votes
    5 Posts
    1k Views

    @heper:

    check "Don't pull routes". that way the default gateway will not be overwritten by PIA.

    you then have to add policy routing to your lab rules

    Is that the check box in the OpenVPN client page? I've recreated the NAT rules for the LAB network.

    Thanks for the help :)

  • VPN Client Gateway Redirect

    0 Votes
    2 Posts
    532 Views

    ops!
    Solved my own issue..
    Forgot to add a nat rule.
    All is well and yes I can do that :P

  • 0 Votes
    2 Posts
    1k Views
    jimp

    It's a bit tricky, but you can probably pull that off a couple different ways, the first that comes to mind is:

    1. Assign the OpenVPN instance as an interface (assign, enable, set to 'none' for addresses, save, then re-save the VPN instance to reset it)
    2. Add a rule at the top of the local interface for that .0/25 segment using the VPN interface gateway only
    3. System > Advanced, Misc tab, check "Skip rules when gateway is down"

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.