im sure im done this wrong.. and not trying to get you mad.. just learning as i go
and ok ill check out that stuff

reason i put the block on is.. its below the NordVPN and doesnt that mean
yes when NordVPN service is working it does that rule.. but if the NordVPN is offline it would skip that rule right ..or does it still keep that rule... as thats the reason i put that block below nordvpn incase the service would shut off then the rule gets skipped and goes to allow it..
because the last line is your Default Lan so when the NordVPN goes down.. i still can use the internet im just not behind it anymore...

so thats how i thought it worked
NordVPN up -----> all computers are behind vpn
NordVPN goes down -----> blocks the 1 computer... ---->runs last rule that allows rest of the computers to access the internet...

thought thats how those rules worked i have set....

as for the block of the tunnell here is the image but im sure i did it wrong.. but im trying and ill google the info you mentioned thanks so far0_1536417090501_openvpn5.JPG

This fixed my speed issues.

In your open vpn client settings I added this to my custom options.
My speeds went from 40Mbps, to 90Mbps.
My ping times also went from 27ms to 20ms
This was recommended from this thread. https://forum.netgate.com/topic/114212/aes-ni-cryptodev-openvpn-help-a-n00b-understand/23

fast-io
sndbuf 524288
rcvbuf 524288

What are addresses VPN net and VPN address If you assigned an interface to the OpenVPN instance then set addresses and gateways on that interface you did it wrong.

Why port forward at all? Why not just directly route to 192.168.0.5?

Hello

okay i got it working now :)

If you have only a "private" RFC 1918 address, then you're out of luck. To set up a VPN, you need an address that you can reach from elsewhere. Those private address won't work for that.

Assign an interface to the OpenVPN instance in Interfaces > Assign.
Then edit all you LAN firewall rules which allow upstream traffic, open the advanced options, go down to Gateway and select the gateway of the corresponding OpenVPN instance.

Consider that rules with stated gateway only allow traffic passing that gateway. So if you also need access to other destinations like DNS on pfSense itself you have to add additional rules to permit that and put them to the top of the rule set.

Hi,

LAN rules aren't important, as initial traffic goes out the LAN, not coming in.

"VPN"(or, if absent, "OpenVPN" tab rules) rules are important :

0_1536296717294_ef132e19-b33e-4ea1-8446-ed0be1b97912-image.png
do you see the state counters going up ?

And, as you didn't mention : some other little details, like the local LAN from where you run your Mac with Viscosity must be different as the remote LAN on pfSense with OpenVPN.

@viragomann
Worked like a charm - thanks!

100+ users. Probably time to think about an alternate authentication scheme like LDAP or RADIUS.

You can put it on any unused port you want. Just choose Other and specify the port number.

I also find this under Status / System Logs / System / DNS Resolver:
using nameserver X.Y.Z.11#53 for domain qwerty.se

.11 = the old DC that is out of the picture. This should be .37.
Looking at Services / DNS Resolver / General Settings .37 is stated in domain override for qwerty.se (the internal domain).

Pontus

I've got a really stupid question but have you rebooted your pfSense box (on both ends if it's site-to-site). I had some trouble last week getting an OpenVPN connection set up. I've done it so many times I can't remember. I even wrote myself a step by step tutorial a few months ago just in case. But no matter how many times I reset everything and started over I couldn't ping the other side. Even tried resetting the firewall states after re-configuring.

I rebooted the pfSense boxes on both ends and BAM! It worked fine.

Last thought, you've got the firewall rules in pfSense, right?

No.

You are asking about limiting access based on routes that already exist. That is accomplished with firewall rules passing the desired traffic.

How to route the traffic in the first place is a different question.

On my side, I have the same setup as you explain but I use RCDevs OpenOTP (MFA authentication server) instead of DUO security products. RCDevs provides a custom OpenVPN package who can be installed and configured very quickly. Active Directory and OpenOTP works very well together and are very easy to setup.
I worked with DUO 2 years ago, but pricing for enterprise company are more interesting with RCDevs products and support/dev teams are great !! I asked for a special feature and they added it in 1 day !!! And for small company the product is free up to 40 users. Wonderfull product and team. I advise you OpenOTP and RCdevs company ...

James

Didn't even know that the OpenVPN app for iOS 11.4.1 was updated .... ☺
I was always using the exported config from the Client Export package.
I switched the slider, and was connected without any issues.

PIA on pfSense

@jknott Yes!

@soarin said in NAT OpenVPN Client Traffic:

@johnpoz @Derelict Oh man, if you saw the horrors of other ranges and configurations I had setup trying to get this to work you would have to read a pfSense bible to try to forget what you would've seen.

I still fail to see a valid reason to stray from RFC1918.