• Hello. Need a Suggestion with VPN

    4
    0 Votes
    4 Posts
    577 Views
    johnpozJ

    You're not going to run a business behind a carrier-grade NAT. Get a new connection would be suggestion 1.

    Suggestion 2, get a vps somewhere. Run a vpn connection to that, and tunnel down any traffic you need to tunnel down into your actual location. But better yet would be to put the services the public needs to get to there in the first place.

    You're not going to find a "vpn" service to do what you can do way cheaper and easier with a simple vps or multiple vps all over the globe, etc.

  • OpenVPN won't block external DNS

    2
    0 Votes
    2 Posts
    1k Views
    S

    Must've been legacy config or some such as the uninstaller doesn't clear down old files.

    Uninstall, manual deletion of old files from c:\Program Files\OpenVPN and a full reboot before reinstall seems to have done the trick.

    This can be closed but uninstaller needs work ;)

  • 0 Votes
    1 Posts
    410 Views
    No one has replied
  • 0 Votes
    7 Posts
    2k Views
    G

    I haven't tried this myself, but it may be worth a shot.
    Create one user only and export the ovpn config. Save the config as user1_split.ovpn.
    Copy and rename the same config as user1_full.ovpn.

    Edit user1_full.ovpn and manually add "redirect gateway def1" (check correct syntax)

    You may also need to add "--route-nopull" so the server won't push other gateways and override your manually set "redirect gateway def1".

    See:
    https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

    --route-nopull
    When used with --client or --pull, accept options pushed by server EXCEPT for routes and dhcp options like DNS servers.
    When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.

  • Allow AD user to access VPN in time slot

    3
    0 Votes
    3 Posts
    447 Views
    J

    Hello,
    Thank you for your reply. I already tried this possibility, but with this solution the user will not be able to connect during the day when she is not at home but in the office.

  • 0 Votes
    3 Posts
    1k Views
    C

    I tried already before and it works.
    That is the correct solution.

    Thank you,

  • openvpn route conflict

    2
    0 Votes
    2 Posts
    463 Views
    DerelictD

    If that was me I would put the bridges on their own interface at the pfSense 1 side and create a transit network for the link between the sites.

    In other words, I would get the unify bridge off the LAN over there and on its own interface. Then it's a matter of making router decisions in pfSense itself instead of dealing with asymmetric routing for the hosts on the pfSense #1 LAN.

    But, yeah. In order to swing the routing for the two networks from one interface to the other you might need to use something like FRR/OSPF.

    I would not attempt that before adding the transit network described above though.

  • packet loss with v2.4.x client on Windows 10

    1
    0 Votes
    1 Posts
    239 Views
    No one has replied
  • Redirect DNS traffic for clients connected via OpenVPN (NAT forwarding?)

    4
    0 Votes
    4 Posts
    442 Views
    DerelictD

    OK so that's a port forward on the OpenVPN interface.

    I would not NAT to the tunnel address there. I am not 100% certain that the DNS resolver even listens on the tunnel address. I would NAT to a LAN address or probably localhost (127.0.0.1)

    Forward both TCP and UDP. DNS can use both.

    But it looks like what you have should work. Pretty sure you do not need an assigned interface to do that.

  • How to prevent OpenVPN clients from accessing local IP addresses?

    12
    0 Votes
    12 Posts
    1k Views
    P

    I get that. But the client was also able to access VLANs on different subnets when connected to the VPN server while originating from a home VLAN. That is what confused me. (As noted earlier, this does not occur if connecting to the VPN server from outside the home.)

  • OpenVPN safenet tokens

    2
    0 Votes
    2 Posts
    621 Views
    DerelictD

    What kind of safenet token?

    If the authentication is out-of-band (like Duo) or something can be prepended/appended to the user's password (like an OTP) it can probably be made to work.

    I don't know of any way to do a second discrete password entry.

  • OpenVPN: OpenSSL: error:140890C7 (peer did not return a certificate)

    6
    0 Votes
    6 Posts
    6k Views
    DerelictD

    The user certificates are in the .p12 file. Try exporting with Microsoft Certificate Storage enabled. You are exporting for Linux, not Windows!

  • 0 Votes
    2 Posts
    1k Views
    DerelictD

    By default pfSense passes nothing into WAN. You need firewall rules to pass traffic into WAN. Even pings.

  • OpenVPN Reconnect

    2
    0 Votes
    2 Posts
    486 Views
    jimpJ

    You shouldn't need to change anything. All of my setups let the client immediately reconnect.

    Are there any errors in the client or server logs when it fails?

  • Unable to connect to OpenVPN

    9
    0 Votes
    9 Posts
    1k Views
    chpalmerC

    @imparker

    Glad to hear.. 😃

  • Reverse engineer openVPN connection

    11
    0 Votes
    11 Posts
    2k Views
    M

    Hence opened a bug - https://bugzilla.redhat.com/show_bug.cgi?id=1611812

  • OpenVPN - Problem

    2
    0 Votes
    2 Posts
    357 Views
    E

    If I'm reading correctly, it sounds like your subnets aren't routing between each other?

    Set the local and remote networks correctly in the OpenVPN config
    Add custom rule to OpenVPN as follows:

    push "route 192.168.10.0 255.255.255.0";

    Make sure that firewall rules are set up - bearing in mind they only affect traffic coming in to the interface, and so can only deny traffic going out on that interface (not altogether).

    HTH.

  • udp connection suddenly broken

    2
    0 Votes
    2 Posts
    714 Views
    T

    @patrick0525 If you're completely certain that nothing on your end changed, it stands to reason that maybe something on their end did? I'm not familiar with the provider, but have you checked to see whether they have an updated configuration guide? Have you tried connecting to them from a PC instead of the pfSense machine? If they support TCP as well have you tried that? Just a few thoughts for preliminary troubleshooting steps.

  • Error Pfsense 2.4.3 and PureVpn error SSL

    3
    0 Votes
    3 Posts
    659 Views
    S

    @jimp said in Error Pfsense 2.4.3 and PureVpn error SSL:

    It can't validate the server certificate for that site. So either you need to load a different CA for that server, or there is something wrong on the server. Contact PureVPN to find out why.

    Thank you for your answer, but I already contacted PureVpn; after live chat and email, no solution, he sent me a new certificate! I just tried to put the old one and it works. I still have to configure the NAT and GATEWAY. Thank you very much for your help ;-)

  • VPN over VPN error

    3
    0 Votes
    3 Posts
    469 Views
    ?

    That makes sense.

    Thanks for your Help !

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.