• OpenVPN same subnet mask as local network?

    4
    0 Votes
    4 Posts
    1k Views
    Derelict

    Nope. Figure out how to route the traffic instead.

  • OpenVpn Client on only one subnet

    2
    0 Votes
    2 Posts
    875 Views
    Derelict

    Check "Don't pull routes" and policy route LAN traffic to the VPN gateway.

    Or, leave "Don't pull routes" unchecked and policy route Wifi out the WAN gateway.

  • Remote Access to NAS

    5
    0 Votes
    5 Posts
    1k Views
    gregeeh

    Yes I did use the wizard!

    Found the problem, it was the Protocol setting in the VPN Server.  Was set to 'UDP IPv4 and IPv6 on all interfaces (multihome)' so I changed it to 'UDP on IPv4 only' and it all worked.

    Thanks for your assistance and have a great Christmas.

    Greg

  • 0 Votes
    2 Posts
    491 Views
    Derelict

    What is the network scheme of the local network the remote client is connecting from? 192.168.1.0/24?

  • OPENVPN RULES all the same

    1
    0 Votes
    1 Posts
    305 Views
    No one has replied
  • OpenVPN is choppy

    2
    0 Votes
    2 Posts
    711 Views
    valnar

    My sanitized client config

        dev tun
        persist-tun
        persist-key
        cipher AES-256-CBC
        ncp-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-256-CBC
        auth SHA1
        tls-client
        client
        resolv-retry infinite
        remote xxxxx.dyndns.org 443 udp
        lport 0
        verify-x509-name "OpenVPN-cert" name
        auth-user-pass
        pkcs12 xxxxx-udp-443-me.p12
        tls-auth xxxxx-udp-443-me-tls.key 1
        remote-cert-tls server

  • Can not access hosts outside of DHCP range through tunnel network

    7
    0 Votes
    7 Posts
    844 Views
    M

    Tunnel network is now 10.8.0.0/24 which should be fine, right?

    It should be single NAT'd. I only have one NAT rule configured which translates incoming IPs from the WAN to 192.168.1.1. The static IP of the LAN interface.

    The WAN port is connected to a fritz.box. I noticed that it has a way too big subnet as well: 10.0.0.0/16
    So the WAN port gets its IP from the fritz.box's DHCP.
    The LAN interface is configured with a static 192.168.1.1/16 IP?!? Shouldn't this be 192.168.1.1/32?

    But I don't see any overlapping networks :/
    I attached our network (routers are switches in this image).


  • Socks5 as gateway

    1
    0 Votes
    1 Posts
    534 Views
    No one has replied
  • Site2Site push route

    3
    0 Votes
    3 Posts
    561 Views
    G

    Thanks for the clarification. Didn't see that you need a PKI setup. I'll look into it. Currently it's a shared key environment

  • OpenVPN Routing/Firewall

    1
    0 Votes
    1 Posts
    513 Views
    No one has replied
  • No logs for failed Diagnostics-Authentication (to external RADIUS)

    1
    0 Votes
    1 Posts
    516 Views
    No one has replied
  • Automatic Restart for VPN Client

    9
    0 Votes
    9 Posts
    3k Views
    G

    @Derelict:

    I would just remove the entries you do not want there.

    Double quotation or single quotation characters ("", '') can be used to enclose single parameters containing whitespace, and "#" or ";" characters in the first column can be used to denote comments.
    ---
    I have never tried embedding comment there. You are welcome to try, of course. The generated config file will be in /var/etc/openvpn.

    For the benefit of anyone who might actually care comments SORT OF work.

    VALID COMMENT

    ;VALID COMMENT
    ;SCREWS UP;
    #SCREWS UP;

    Don't know if this is a bug, or if this is the way it is supposed to work, but it makes it difficult to comment out/document things for test purposes.  Two semi-colons on a line cause the parser to chuck its cookies and OpenVPN client won't start due to a syntax error in the config file.

    As an aside… with no changes, I haven't had a problem for several days... don't know if this is because of the pfSense Update, or if the conditions for failure haven't yet occurred.

    I just put in the changes as per the post recommended here:

    @Derelict:

    There also appear to be some changes as VPN providers continue to experience growing pains. I found this interesting:

    https://forum.pfsense.org/index.php?topic=137438.msg754714#msg754714

    If I have more problems, I'll post again, and if I remember, I'll post an update, but no news can be considered to be good news.

  • Migrating openvpn from cent os to pfsense

    1
    0 Votes
    1 Posts
    302 Views
    No one has replied
  • Diagnosing OpenVPN Server Connection Issue Running Through PIA Client

    1
    0 Votes
    1 Posts
    324 Views
    No one has replied
  • Lots of rules openvpn dup's

    1
    0 Votes
    1 Posts
    283 Views
    No one has replied
  • Open port 1004 on openvpn

    13
    0 Votes
    13 Posts
    1k Views
    Derelict

    Does not matter. All that means is he has to forward from upstream too.

    The traffic will still arrive to WAN address:1004. That is what needs to be forwarded.

    If the upstream router knows about the 192.168.10.55 address he's doing it wrong.

  • OpenVPN Default gateway

    3
    0 Votes
    3 Posts
    757 Views
    R

    Hi,

    I saw the option to choose subnets but not a gateway address. Although I'm able to get a connection to the servers using a tun connection, I need to be able to use tap so homeworkers are able to use their VOIP phones.

    Do you have any other ideas on what I could try?

    Thank you for your response.

    Regards,

    Robert.

  • Start, Stop multiple OpenVPN Client

    3
    0 Votes
    3 Posts
    687 Views
    A

    @Derelict:

    You would have to write php to do that then call the proper command in the format already referenced.

    Thanks for the reply. Yes, it can be written with PHP or a simple script, but my question is: how can I reference my clients by the names I want?
    Because as far as I know, clients are referenced automatically by numbers, such as Client 1, Client 2 and so on… Now I want to know how I can reference Client 1 as, for example, "a", Client 2 as "b" and ...

  • Getting IPv6 to work over OpenVPN

    8
    0 Votes
    8 Posts
    2k Views
    R

    Hi,

    Got this very same issue. Moved from a working v6 (ovpn) config on 2.2 (yeah, old!)
    to 2.4.2, and reconfigured openvpn.

    Before, with the same settings in 2.2, I got everything (including openvpn v6) working. Now
    I am in the same situation as you, where I see packets over v6 coming to the openvpn link,
    but no reply from the (outside) net, while I set rules on the ovpn interface to allow both v4 and v6.
    I have the tunnel interface net defined as a /64 from my provider's /58.
    V6 routing on non-openvpn interfaces works great!

    Do I need a static route to the ovpn interface maybe ?! (not needed before)

    It might be due to the fact that the prefixes in the /58 that I use in the client subnet have not
    explicitly been requested by dhcpv6 or so ? where before this just worked..
    (note, I only changed the version of pfsense, nothing else)

    Related question, how do I tell the dhcpv6 client to request that specific prefix as well as the others
    that are distributed through the wired interface (ipv6-follow)

    Rudi

  • GUIDE: PFSense with Private Internet Access and Plex

    10
    0 Votes
    10 Posts
    17k Views
    T

    Excellent guide, especially the part to get Plex working correctly, much appreciated!

    I just wanted to add a caveat I found regarding Plex. I had followed the guide and couldn't get Plex to connect remotely at first but I soon found out it was pfBlocker that was the culprit. Specifically, the geoIP blocks. Plextv uses AWS servers that are located in Ireland, so you must allow inbound connections from there in order to get Plex to connect remotely. Just FYI for anyone who may have a similar problem.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.