True, every day learning more …

You do not need to create user in pfsense to allow for vpn access.  You just need to create a user cert using the CA you setup for your openvpn.

:)

No opinions at all?
Is this soo bad cfg approach that noone won`t even comment it? :)

@Derelict:

Then you are still performing NAT there. Turn that off.

Would you be able to explain?

Thank you

@johnpoz:

I would try the fast i/o option and play with your send/recv buffers while doing your testing  Does that help?

It got a little better when enabling fast i/o, It seemed like I got the best speed (~4 Mbit/s) with 2.00 MiB send/receive buffer. I still think I could expect higher speed than this no?

https://forum.pfsense.org/index.php?topic=135680.msg743942#msg743942

@marvosa:

What is the LAN subnet on both sides?

thanks. fixed by defining "Client Specific Overrides" and```
iroute 192.168.1.0 255.255.255.0;

SUCCESS!

Looks like it was me all along. I had left the /8 mask on my LAN Network. So really I was running 10.0.0.0 255.0.0.0

I changed my LAN Interface to 10.0.0.0/24, rebooted DHCP devices (or release/renewed) and suddenly I can access all my local devices.

OI!

It makes sense to me now because my VPN IP pool was technically WITHIN my LAN network.

Ever have one of those days? The last 3 were that for me.

Oi… Hope this helps someone else!

Post the server1.conf from the server and the client1.conf from the client, so we can offer a targeted troubleshooting effort.

I see one issue right off the bat:

I have set "IPv4 Remote Network(s)" on both client and server to use the same IP network.

In a routed solution, all LAN subnets have to be unique and non-overlapping… i.e. the server-side LAN has to be different than the client-side LAN, which should be reflected accordingly in the IPv4 Remote network(s) box on both sides.

In order to do the outbound NAT to effectively use an OpenVPN provider you must create an assigned interface.

Rules on the OpenVPN tab will only affect inbound traffic (which should be none in almost all cases) not outbound.

Yeah figured give you the good news ;)  Not that its been on the books for a year… heheeh

The only drawback of this could be that you possibly override other routes on the client with that.

Yes, that happened ;D so I had to refine the pushed routes a bit.
Now it seems that things are working as intended.

I will ponder a bit about NATing the traffic and if it might improve things, but the origin problem is solved.

Thank you very much for helping!

think i have worked it out, I set them to assigned instead of static added the static leases in pfsense, and they seem to be applying okay,

I have two dns servers set to the static leases, but when i run a leak test four are showing? why does this happen?

Thanks again!

Thanks for the answer! I'll give it a shot.

Hi All,

let me give you an update on this.

I finally got it resolved last week but just wanted to see how long it's going to last before giving you any update.

I deleted all my previous OpenVPN configurations, CA's, client certificates and interfaces, and defaulted firewall NAT Outbound rules and some how I got and assigned the correct vyprvpn interface (I was previously prompted to always assign ovpnc2 interface that is not working properly instead of ovpnc1, and finally I got ovpnc1 interface assigned which might resolved that issue with web traffic).

I did start following the guide from the link https://forum.goldenfrog.com/t/opnsense-firewall-openvpn-client-working/3630 (mainly OpenVPN client setup) which help me to get vyprvpn connection to vyprvpn server hk1.vpn.goldenfrog.com up and running but  setting NAT –> Outbound --> to Hybrid and adding a rule manually didn't work for me so I just set NAT --> Outbound --> to Manuall and added new mapping rules based on existing ones, and changed the interface to vyprvpn in my case on all mirrored rules, and then I finally set a Gateway from GW_WAN  to VYPRVPN_VPNV4 in my case in Firewall-Rules-LAN.

I'm happy to say that my vyprvpn connection to vyprvpn server has been up and running for more than a week. That test was done in Europe so I'll help my team mate who is located in China to set pfSesne as VyprVPN OpenVPN client at our China's office and test the connection. Hope it will end up ok.

If someone needs more info regarding to that case I can provide a screenshots with my full pfSense VyprVPN OpenVPN client and firewall rules configuration.

Thank you all for your help once again.

meh, after some further fun trail and error I found the problem. There was an old and disabled IPSec rule in conflicting subnet range. It looks like also it was disabled and definitely offline it still hindered OpenVPN to add its routes. After deleting it completely and another restart site-to-site works. And for further reference: yes, now also the routes to the remote OpenVPN subnets show up in "Diagnostics / Routes".

Don't do that. Set the assigned interface to "None" for IPv4 and IPv6.

OpenVPN will manage the address internally, setting it there is messing it up.