Hi @JKnott,

Our telco company here in country is so greedy ☹

great tutorial, thank you!
are these instructions still valid for the current version of pfSense?

The road warrior VPN clients need routes to the subnets at site 2. At site 2 you need a route tor the road warrior tunnel subnet.
That is all done in the OpenVPN settings.

So at site 1 in the access server settings add the subnets of site 2 to the "Local networks". That pushes the routes to the client.

At site 2 in the site-to-site settings add the road warrior tunnel subnet to the "Remote Networks". So OpenVPN sets a route for it pointing to the remote endpoint when the connection is established.

Also ensure that your firewall rules allow the intended access.

I intend to activate the firewall part in a second time. For now it's open door.

Perfect, that explains very well the use cases of the two options. Thank you

Problem has been resolved, I created a new Interface for VPN and made a Rule on Manual Outbound NAT and some Firewall Rules.

@Sparty thanks for your input. sorry for replying late.
Yes . I was trying trying to access the remote client PC via the tunnel .

you can just use the export package.. And you can download an exe that has the client and the config already in it.

If you want an msi, you could convert that exe to one.

@viragomann
it's just for me and about 3 other people
i think the long term plan (this is replacing a cisco vpn), will be to add an IP on the other firewall, (or a secondary IP at least) since it is still bridged on that vlan.
then i can just add it to the firewall as a secondary ip, and add that subnet to the same policies and address book entries allowed to get to everything.
depending on how many static routes there are elsewhere however, the masq/nat option works easier at least for now.

@darrenh I figured it out, it wasn't related to tun or tap mode at all, nor the VMware.

I found one other person had done it, buried in another forum from 5 years ago.
you have to setup a nat outbound rule by changing to hybrid mode, and setup the LAN interface, network being your vpn user subnet, and set the destination to either just the local lan, or in my case I set it to any, and use the fw interface as the masquerade.
that way the traffic from the vpn users gets masq'd as the local lan and not the 192.168.55.1 it auto assigned for the tunnel subnet.
as soon as I did that, I can get to everything fine :)

seems to be all working.

think i got confused on what the "OpenVPN clients" are.
kept seeing the services being stopped, so thought it was a error.

am i correct in saying its...

for either connecting to another vpn server elsewhere (aka p2p router connection)

and generally for exporting the config files for win/linux clients, instead of doing it manually.

the client isntance doesnt actually get used for imcoming openvpn conenctions from say a windows client

bad news, after i set up a new phone system one of the changes i made must have fixed it, the issue stopped right then and there! sorry no solution here!

@Derelict

Alright, fair enough. Thanks for looking into this.

In this case we will just keep the VPNs on the old Edgerouter for now and migrate them to pfSense whenever a remote office router needs to be replaced.

Migrating everything else to pfSense worked like a charm and even though I might not have sounded like it, I really like pfSense and the netgate products.

i got a new problem

VPN can connect no matter what

even if i revocate a user cert

vpn server is set to SSL/TLS + User auth

edit:
forget that fixed. didnt have revocation list selected in server. just clients.

think im good now. thanks for the help

Once I logged into the Aircard I found that VPN Passthrough was already enabled.

I disabled it and enabled the DMZ option. Now works.

Been using it for a few days now for a mobile IP phone, and it works fairly well. Unfortunately, it is a bit cumbersome.

I'm going to see if I can find an old laptop with a 4g card that I can run pfSense on. This will put everything in one package and will have battery on board.

Hmm. All I can think of at this point is to try it with a different client just to rule that out.