• AD Replication across Site to Site

    9
    0 Votes
    9 Posts
    5k Views
    A
    @claes_hellgren: @petros: Hi Guys Here is how I got it working. 1. Disable Automatic NAT as you suggested. I created a NO NAT rule for the OpenVPN interface. 2. Created a static mapping in the local WINS database for the remote Domain Controller. 3. Go to Sites and Services on the remote DC and make sure there is a connector set for the local DC in the NTDS settings. 4. Go to Sites and Services on the local DC and make sure there is a connector set for the remote DC in the NTDS settings. Thanks for the help. How does your NO NAT rule look? The topic is old but it does help me for the same situation. I just disabled Automatic NAT as suggested and changed to Manual Outbound NAT rule generation (AON - Advanced Outbound NAT). A NO NAT rule may not be needed, but if you want one just select the option "Do not NAT Enabling this option will disable NAT for traffic matching this rule and stop processing Outbound NAT rules". I just tried with or without NO NAT rule, both DCs replicated without issue.
  • 1ip vpn + squid

    2
    0 Votes
    2 Posts
    656 Views
    R
    Well, I could not find anything either; thanks for reading, any that did. I worked around the issue by turning off transparent proxy and blocking http at firewall for all other networks except my own trusted, and on that one I have two web browsers now, one configured for squid, the other not. So browser one is going through proxy, second browser goes via VPN without leaking. I am going to try and configure wpad so I don't have to manually configure browsers. It's not perfect, but anyone finding themselves in same situation, at least you can have a semi work around. Thanks all
  • OpenVPN and IPSEC

    1
    0 Votes
    1 Posts
    553 Views
    No one has replied
  • A Reason for More Widespread use of VPN in USA?

    5
    0 Votes
    5 Posts
    1k Views
    P
    Haha yes sir it is. Still, there is zero question that ISP is selling everything they can about you. They all do it so there is effectively a monopoly, their business is not affected when people know they are doing this. VPN providers very well may do this, some have been caught doing so, but it is bad for their business if they are found doing this. VPS providers I'm guessing probably do not engage in this activity much as they often serve large companies that would and could fight their data being sold. Both options at least have the potential for improvement over ISP.
  • After ~2 weeks, pfsense kills all outbound traffic until VPN is restarted

    7
    0 Votes
    7 Posts
    1k Views
    S
    Unfortunately my partner rebooted the system whilst I was away so I'll have to wait another couple of weeks to pull logs.
  • Route only certain port traffic via Site-Site OpenVPN

    6
    0 Votes
    6 Posts
    2k Views
    Derelict
    Under LAN of Site A. I tried setting rule: SRC * DST * DSTPort 25 GW OPTVPN That looks reasonable. and also SRC Port 25 DST * DSTPort * GW OPTVPN Setting a source port is almost never right, and is certainly not right in this case. I have no problem routing inbound internet traffic -> 99.99.99.99:SMTP to 10.10.0.15 So if that is the case, you want to check: The rules on the OpenVPN tab/interface at Site B to be sure the traffic is allowed from site A (10.10.0.15) to any. You have outbound NAT in place on WAN at site B for the 10.10.0.15 source address. That is also where you would specify 99.99.99.99 as the source address if there is more than one choice.
  • TLS Error: local/remote TLS keys are out of sync

    8
    0 Votes
    8 Posts
    59k Views
    J
    Done! thanks
  • Openvpn site to site WAN to VLAN

    1
    0 Votes
    1 Posts
    524 Views
    No one has replied
  • Remove a route that was created

    2
    0 Votes
    2 Posts
    797 Views
    johnpoz
    Not sure why you're trying to hide your 192.168 address?? But your problem is 192.168.x.1/24 is not a network, that is a host address. A /24 network would be 192.168.x.0/24
  • Changes in /var/etc/openvpn/server1.conf not permanent

    4
    0 Votes
    4 Posts
    10k Views
    J
    FOUND IT!! When you create a new vpn server or are editing the actual one, you can see almost at the end of the configuration: Advanced Configuration. In Custom options you can add whatever you want, for example: reneg-sec 36000 Thank you!
  • 0 Votes
    1 Posts
    492 Views
    No one has replied
  • Configure OpenVPN with ExpressVPN

    2
    0 Votes
    2 Posts
    756 Views
    M
    What does it show when you go into the OpenVPN status page? I would start by checking your OpenVPN log to see if there is a problem. You may want to post some screen shots of the settings you used to configure your openvpn client and the ovpn file itself.
  • Routing only certain Public Ip's through Openvpn tunnel.

    4
    0 Votes
    4 Posts
    1k Views
    frog
    Hi Both, Excellent, thanks, that worked. Much appreciated.
  • OpenVPN multiple client(s) as gateways issue

    1
    0 Votes
    1 Posts
    394 Views
    No one has replied
  • Pfsense server and client running

    5
    0 Votes
    5 Posts
    854 Views
    A
    Is this happening on your phone when you are connected to your VPN from the outside? If so you could have the option to force traffic through the tunnel and are missing the allow rule on your OpenVPN interface. Can you post a screenshot of your interfaces tab and of your OpenVPN config?
  • Site-to-Site access on both sides

    3
    0 Votes
    3 Posts
    621 Views
    A
    You need a route on the client settings to the server side subnet and the iroute on the connecting client to the server side subnet in order for the client subnet to respond to packets from the server side subnet. Example: If your server side subnet is 10.2.0.0/24 you need to add iroute 10.2.0.0/24 to the client specific overrides section of the OpenVPN configuration on the client side
  • Can't ping server from OpenVpn client

    2
    0 Votes
    2 Posts
    527 Views
    A
    If you open a command prompt and run a route print do you see a route to the server subnet through the tap interface IP?
  • Vpn from wireless network to lan

    1
    0 Votes
    1 Posts
    415 Views
    No one has replied
  • Chrome OS requires p12 password

    2
    0 Votes
    2 Posts
    734 Views
    V
    Install the OpenVPN client export utility package. After that you get a tab for the export utility in VPN > OpenVPN. Use this tool to export the certs and config and check "Password Protect Certificate".
  • OpenVPN with Multiple gateways same subnet

    5
    0 Votes
    5 Posts
    1k Views
    Derelict
    Yeah outbound NAT on LAN
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.