• PfSense 2.4.2P1 - OpenVPN with CARP VIP

    0 Votes
    3 Posts
    572 Views

    Thanks for the assist.  Turns out, I had to generate a new VPN profile for my client to get it working.  Editing the old VPN config (changing port numbers and IPs) did not work…

  • [Solved] Cannot access LAN when bypassing VPN

    0 Votes
    7 Posts
    771 Views

    @Derelict:

    It works if it is positioned ABOVE the policy-routing rule in the interface rule set.

    Forgive me, I guess I mix up the terms…
    Please see attached screenshot, that is what I thought you meant by putting it on the WLAN interface.

    But now I made a new floating rule like the 2nd screenshot and it works, I guess that is what you meant is a more neat solution?

    ![WLAN rules.PNG](/public/imported_attachments/1/WLAN rules.PNG)
    Finale.PNG

  • OpenVPN Site to Site Routing

    0 Votes
    3 Posts
    661 Views
    Derelict

    One of the nice things about OpenVPN is that clients can be behind other routers with generally no problems.

    If the tunnel is coming up and the site2 pfSense has a route for 192.168.190.0/24 into the ovpncX interface, then that is configured correctly.

    If that is the case I would check the firewall rules for OpenVPN at main to be sure they pass the traffic.

    If they do I would check the firewalls on the main hosts themselves to be sure they are not blocking the traffic.

  • PIA VPN failing every hour

    0 Votes
    3 Posts
    777 Views

    What server are you connecting to?

    Have you tried another server with the same results?

    Also, given the errors in your logs, you have not followed/matched the OVPN files. Match those as closely as possible.

  • Restrict PIA openvpn access to only ONE IP on my network…

    1 Votes
    1 Posts
    938 Views
    No one has replied
  • Multi OVPN Clients - Clashing Same Virtual IP Address

    0 Votes
    3 Posts
    599 Views

    Thanks for the response. I know I have set this up in the past with the IP being pushed from the server to the client, but I'm starting to question myself also if it can be done client side. I don't see why not, I don't pull routes from the VPN provider.

    I did manage to assign a static IP client side using the client specific overrides. This was based on assigning a static IP per certificate authority. Unfortunately, all the VPN clients share the same certificate authority though - so although I have proven you can assign a static IP client side I still haven't managed to do it per client.

    It seems that the ifconfig-push directive works in the 'Client Specific Overrides' section but not in the 'Client' section.

    I don't understand why in the 'Client' section you cannot just specify the IP in 'IPv4 Tunnel Network'

  • VPN client setup advise

    0 Votes
    8 Posts
    1k Views
    Rango

    @gschmidt:

    Hi,

    I bought a 4xNic aes-ni mini pc with pfsense to replace my home router.
    The main reason I want to replace my home router is to set up an openvpn client (Expressvpn). Is it possible to select the IPs which will be using the VPN tunnel? Or is it only possible to exclude the ones not using the VPN tunnel?

    Greetzzz,

    Gerben

    Expressvpn will leak your DNS. You cannot set up pfsense with their DNS servers. I inquired with them. You will have to point to a 3rd party open DNS server, which will cause you to leak DNS out.

  • Conel 4g router OpenVPN client to PFsense openvpn server

    0 Votes
    2 Posts
    506 Views

    Well, I have the VPN link up now.

    However, I can only ping one way: from the conel 4g router I can see all my devices on the pfsense network.

    I can ping the virtual IP of 192.168.99.2 and access this via web interface to reach the conel router home page. I can't, however, reach any of the devices on the local LAN of the conel (192.168.1.xxx).

    Is there something I'm missing in terms of routing etc?

    Thanks

  • How to kill user's OpenVPN connection

    0 Votes
    2 Posts
    352 Views
    Pippin

    See here:
    https://forum.pfsense.org/index.php?topic=139073.msg776861#msg776861

  • Open VPN Error

    0 Votes
    4 Posts
    687 Views
    johnpoz

    Entered what data?

    So you're using a TLS authentication mode - so the user also needs the ta.key, etc.

    So your client would need 3: the CA, the User and the ta.key… You imported those all into your NAS?

  • Split Routing

    0 Votes
    2 Posts
    552 Views

    https://doc.pfsense.org/index.php/Multi-WAN

  • OpenVPN bridged with LAN VLAN issues

    0 Votes
    2 Posts
    687 Views
    brunovic

    So after doing some research I have realized that I do not need to assign a bridge to an interface with an IP. I can simply just bridge VPN and LAN with the LAN interface having the IP address. Once I've made those changes everything on the LAN works perfectly fine however I can no longer ping the LAN IP from the OpenVPN client.

    illustration11.png
    illustration12.png

  • OpenVPN Connected / LAN Gateway Reachable / LAN Clients not so much

    0 Votes
    3 Posts
    507 Views

    Awesome. I could ping the server from the internal LAN, so I didn't think much about the Windows firewall. After turning that Windows firewall off to test, I could access the server over the VPN just fine. I turned the firewall back on and added a rule allowing incoming traffic from my OpenVPN IP range. We're all good now. Thanks for the help!

  • Unable to connect to OpenVPN from within the LAN

    0 Votes
    3 Posts
    516 Views
    Derelict

    It's a VPN. Connect from the outside.

    When you connect from the inside from an address that is in the subnet that is supposed to be routed over the VPN it is not going to work.

  • Netgate SG-1000 to use as OpenVPN client for small side with 20 devices

    0 Votes
    1 Posts
    280 Views
    No one has replied
  • Openvpn + freeradius - unable to log in into VPN

    0 Votes
    9 Posts
    3k Views
    jimp

    @Censor:

    @mislav:

    I'll try to completely remove all users, certs, freeradius and then try to install it from scratch. I will update you with VPN results. Thanks for now.

    Hi, to remove the freeradius package and any other dependent packages which are no longer needed you have to use this command "sudo apt-get remove --auto-remove freeradius"

    pfSense is not based on Linux and does not use apt. It uses FreeBSD and pkg.

  • Speed issues using PIA and OpenVPN

    0 Votes
    7 Posts
    1k Views

    @cobrahead:

    @bcruze:

    Have you tried enabling aes-ni?

    I have not. You?

    yes mine is enabled and being utilized.

  • OpenVPN killswitch

    0 Votes
    20 Posts
    3k Views
    Derelict

    I would:

    Set the VPN hosts I want to route only over the VPN to use free, outside name servers (google, quad-9, level3, etc) using DHCP or Static or whatever.

    Policy route the DNS queries out the VPN with all the other internet traffic.

    And you're done.

    Everything you just described is fine until the VPN is down and all of your DNS breaks for everything.

  • How do I allow a website that is blocking my VPN

    0 Votes
    15 Posts
    2k Views

    @johnpoz:

    What is the bank fqdn… Did you validate that it resolves and is in the table for your alias?

    Why would you need to hide the fqdn of some bank... That is like not wanting to post this website I search for stuff on is www.google.com -- but keep that on the DL ;)

    For example I bank with chase, they are www.chase.com, but that is also a cname...  See

    ;; QUESTION SECTION:
    ;www.chase.com.                IN      A

    ;; ANSWER SECTION:
    www.chase.com.          3571    IN      CNAME  wwwbcchase.gslb.bankone.com.
    wwwbcchase.gslb.bankone.com. 3571 IN    A      159.53.84.126

    and then might get redirected to some other fqdn in your browser, etc. So you need to validate that your alias is populating with the IP you're actually going to, etc.

    I should have asked if it was ok to name the bank in question, which is Bank of America.

    I was not able to validate that it resolves; in the table I put bankofamerica.com and secure.bankofamerica.com for the fqdn.

    The bookmark I have in my browser is my login page - secure.bankofamerica.com/myaccount/etc - I got that bookmark by going to www.bankofamerica.com and using the link to login.

    When I ping bankofamerica.com it returns IP 171.161.203.100 … should I be using that instead of a fqdn in the alias table?

    Thanks!

  • OpenVPN - Multi Site Communication

    0 Votes
    4 Posts
    909 Views

    Thanks for the answers

    I'll explain the real situation: I'll have more than 100 clients (router with a local network), so my OpenVPN will give an IP to the router.
    Let's take:

    -> Router A: VPN IP 10.2.2.2 | Local network: 24.1.1.0/24
    -> Router B: VPN IP: 10.2.2.3 | Local network: 24.1.2.0/24
    -> Router C: VPN IP: 10.2.2.4 | Local network: 24.1.3.0/24
    ….
    ....
    ....

    So I want to block communication between all routers (easy, I just disable the option "Allow communication between client")

    But I'll create a user on my OpenVPN (for example, for my Windows computer)
    -> Client A: VPN IP: 10.2.2.40

    And for this client, I need to allow communication to all routers.

    So what can I do?
    Disable "Allow communication between client", and can create specific rules for the user I want to allow communication?
    Make a second server for my users and configure it to communicate to all the clients of the first server? (BUT HOW?)

    Thanks for your help

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.