@jimp
I'm doing rds through vpn no there is only one traffic on port 1194 i have 2 wan so in case one crash the other takes over the same port vpn a sdsl and an adsl

Thanks a lot Jim. That worked !!!

Is there a firewall rule on the OpenVPN interface which allow the access?

For communication between clients check "Inter-client communication" in the server settings.

If multiple clients connect to the server you cannot make use of policy routing in filter rules.

But it's possible to route some destination networks to a client. However, this is applied to the hole network.
If you want to do that, you have to add a client specific override for the concerned client to set the routes. Add the networks you want to route to the client to the "Remote Networks" in CSO.
CSO only works with SSL auth, cause it is based on the common name in the client certificate.

If you are running multiple OpenVPN instances additionally assign an interface to that vpn server.

Thank you, You steered me in the right direction to double check all my routes.

I fixed the problem by replacing push "route 10.0.9.0 255.255.255.0" with route 10.0.9.0 255.255.255.0 on Site-To-Site connection server side. I guess I put it there by mistake.

For anyone readying this in the future here are additional steps to make this work:

Site-to-Site:

server side: add route 10.0.9.0 255.255.255.0 to "Custom options" field client side: add 10.0.9.0/24 to "IPv4 Remote network " field (in addition to 192.168.1.0/24)

Remote access:

server side: add push "route 10.10.0.0 255.255.255.0" --> will probably work without this if you route all traffic via this tunnel from the client.

@sasansgh said in Question about Virtual Address:

But why do we need a virtual IP? Why not just use the public IP assigned by the ISP?

When a computer on your network has a packet to send to the device at the other end of a VPN, it will send it to the router (pfSense), which will in turn forward it to the destination via the appropriate route. If you use the public IP, the router will send it out the WAN port, instead of the VPN. By providing addresses for both ends of the VPN, the router can determine the packet has to travel via the VPN and use the tunnel addresses to do that.

Hi Johnpoz
Do you get any solution for me?

So you had messed with your outbound nat like I brought up way earlier in the thread.. If your outbound nat is automatic when you run through the openvpn wizard it will add your tunnel network to the nat..

Did you switch to automatic, or did you create some nat - mind posting your outbound nat screen..

@onyxfire reason I set it to hybrid is because the few youtube videos posted for xbox and Double Nat Type for pfsense said you need to set it for this and then set a bunch of ports but it never helped in the end.. ill worry about that later...
as for the alias ah cant be bothered I just have xbox one and 360 and a ps3 but only xbox one hooked up
as for the wizards I see it now I didn't see it before.. also with dyslexia I miss read words.. like "mother" I sometimes read as "hello" reason why I need to re read things 3 4 times or so sometimes bad case I have..

and reason I was using cell phone was easier for me to take to tim hortons or home depot and test the OpenVPN then taking the laptop in the store and then I installed Ping program so I could see if I could ping my local network least then I could test with a laptop..

as I originally wanted to do Remote desktop server1.example.com remote desktop server2.example.com but was told I idiot no point In setting it up you need vpn as I been doing like 3389 port for server 1 3391 port for server 2.. and I didn't wanna do port forwarding anymore I wanted to connect like I do at home or least have reverse name look up I think its called like remote desktop server1.example.com

@johnpoz and sorry I didn't see the wizard you mention ill try again.. I miss read the screen..

You could enable a feature on the server side that requires OpenVPN 2.4 and then older clients would fail to connect. Harsh, but that's about the only way you could require a minimum version from the client end.

It was a bad source configuration at my VLAN over WAN, I had WAN instead.

Thanks anyway!

Firewall > Rules, WAN tab, edit that rule, pick UDP for the protocol, save, apply Update to the latest version, that bug has already been fixed in 2.4.3-p1, released a month ago.

@mightyschwartz

Hi, did you ever find a solution for this? I know this is an old topic but I'm having the same issue...

Thanks,
B.

Figured it out. You have to have a separate "user" cert and a separate "server" cert. Doh!

Ok, I think I get it now, It confused me when the VPN is added it appeared to 'cutoff' the normal traffic from LAN to WAN

Dave.

Would need more info to offer more targeted troubleshooting help, but a few gotchas that I've seen and learned:

Once you assign the tunnel to an interface, make sure you bounce the tunnel afterward

If you're running a remote access server, edit the rules on your OpenVPN tab so the source address is explicit to your tunnel network. Otherwise, incoming traffic will match on the wrong interface. In other words, if there's an any/any rule on your OpenVPN tab, either remove it or modify it so the source address is explicit to the other services you are trying to run (e.g. a remote access server or another tunnel)

Verify your Outbound NAT mode is in either Hybrid or Manual and that you have NAT mappings NAT'ing egress traffic to the PIA address on the PIA interface.

Verify your port forwards are configured on the PIA interface and have a Destination Address of your PIA address

Verify the policy routing rule on your LAN tab is configured with the correct source address, has the PIA gateway and is above your LANnet/any (or any/any) rule that would otherwise send the traffic out the default gateway.

Fixed. Thanks for pointing it out.