• User portal

    2
    0 Votes
    2 Posts
    818 Views
    This is exactly what I am working on right now. I have it even working more or less, but as I am new to developing with PHP and also with pfSense, I am not sure how to implement it the correct way to be sure that with the next official release it won't get overwritten. My user portal page which I made now is completely based on the export module (due to the lack of PHP and pfSense development knowledge, I'd probably break more than I invented). Sadly I did not understand 100% yet how the access model for the files works in pfSense. Users can log in with Android, and due to the right MIME type, the OpenVPN Connect app will directly open the file after it was downloaded. (No annoying "Import from SD card" anymore.) The user portal is done in a cloned version of the vpn-openvpn-export.php. Sadly, in order to make the download button in the user's profile work, I have to allow access to the regular export page too. Maybe someone can give me some hint on how I can get this in production with a good feeling? Many thanks in advance.
  • Load Balancing and Failover with 2 pfSense and 2 OpenVPN servers

    19
    0 Votes
    19 Posts
    18k Views
    I found the same problem in one of the posts here in the forum. However it had not been solved: https://forum.pfsense.org/index.php?topic=40672.0
  • OpenVPN IPv6 tunnel issue…

    3
    0 Votes
    3 Posts
    1k Views
    Thanks!  I will wait for 2.4 then…
  • Strange WAN Gateway Packet Loss Issue

    3
    0 Votes
    3 Posts
    1k Views
    I fixed this, I upgraded my server to an Intel Xeon E31270 and moved from VMware to bare metal which gave me more constant throughput via openVPN, but the thing that really helped was setting the MTU and MSS in the openvpn client manual options and on the openvpn WAN interfaces as this needed to be lower for my OpenVPN connection.
  • How do i change ownership of: "'/var/etc/openvpn/client1.up'"

    4
    0 Votes
    4 Posts
    3k Views
    Have you tried Diagnostics -> Command Prompt
    ls -la /var/etc/openvpn
    chmod 0600 /var/etc/openvpn/client1.up
  • Client to Client Openvpn connects but no traffic (Solved)

    25
    0 Votes
    25 Posts
    12k Views
    Viragomann, thank you very much for your help to Shaddoh and me.  Ended up fixing it by deleting the server and client setup and doing it step by step according to this article – https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site.  Previously we'd been trying to make it work based on the steps in this article -- https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL).  I'm sure either ought to work, and I know for sure that I've gotten a 4-site setup doing the steps in the PKI/SSL article, but I don't have access to that setup to do testing, and I think the way we ended up doing it ought to work plenty well enough for what we're trying to do right now. Thanks again, we appreciate the help stepping through the debugging process.
  • Guidance needed on OpenVPN setup

    4
    0 Votes
    4 Posts
    3k Views
    Is it possible to upload the configuration setting that worked for you?
  • (Solved) Can't route Subnet A out WAN and Subnet B out OpenVPN client.

    4
    0 Votes
    4 Posts
    1k Views
    Thanks for the responses! Turns out my problem was that I could only choose "default" as the gateway for my two internal subnets despite having two WAN connections (WAN + VPN). I had the protocol for each firewall rule set to IPv4 + IPv6 but only the WAN connection has IPv6. Once I changed VPN to IPv4 only it seems to be working. I can select the right gateway for each subnet and create firewall rules to allow the two internal subnets to talk to each other.
  • Tun vs Tap mode…Simple as just flipping both ends?

    2
    0 Votes
    2 Posts
    2k Views
    A brief bridging vs routing discussion can be found here -> https://community.openvpn.net/openvpn/wiki/BridgingAndRouting Is it as simple as just flipping the device mode from Tun to Tap on both ends? The short answer is no.  You also need to assign the tunnel to an interface and bridge that interface to your LAN.  Then you need to coordinate the addressing of your devices, so there's no overlap.  Not to mention, both sides will need to prevent their DHCP server's broadcast traffic from traversing the tunnel and causing issues on the other end. In general, unless there is a specific requirement to access an application that only relies on broadcast traffic, a routed solution is your best bet. My guess is Plex also supports some sort of direct IP mapping.  In which case, I would stick with a routed solution. It will perform better, it's a simpler setup and it will only forward traffic that is destined for the remote end.
  • [2.3.2-RELEASE-p]1 OpenVPN server doesn't restart nicely after reboot.

    4
    0 Votes
    4 Posts
    794 Views
    No, it should work on any interface IP, but just try it. Maybe you will have to restart pfSense, which doesn't matter since it is a CARP setup.
  • OpenVPN between a double-NATed LAN and a routed DMZ subnet.

    2
    0 Votes
    2 Posts
    896 Views
    If the VPN between the two sites is up, the NAT does not matter. Maybe you've a kind of routing issue. Post your OpenVPN setup from server and client and the IPv4 Routes of both sites.
  • (SOLVED) Users can't access network over VPN but I can

    13
    0 Votes
    13 Posts
    7k Views
    @johnpoz: "Removed VLAN90 (a VLAN I had setup for VPN)" That would be my guess to your problem…  Revo list and or what certs is being used as long as they auth have nothing to do with it.. Possibly, but the weird thing is one user DID have access through the VPN. I can't reconcile how any of these changes suddenly let all users through instead of just the one. I'm glad I have it working, but I still can't figure out why haha.
  • VNC clients management via VPN

    3
    0 Votes
    3 Posts
    720 Views
    I agree, use the "OpenVPN Remote Access Server Setup" wizard…. VPN -> OpenVPN -> Wizards Here is a link to the wiki for more info -> https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server
  • Site to Site VPN works but can't join domain on other side

    2
    0 Votes
    2 Posts
    989 Views
    There are multiple ways of solving this issue assuming it's DNS related.  Some solutions are more efficient than others, but let's say your domain is example.com:
    1. Leverage the DNS forwarder and add example.com to the Domain Overrides.
    2. Configure a DNS server on site B.  Add a conditional forwarder for example.com that is pointed at the DC on Site A
    3. Configure a DNS server on site B.  Add a primary forward zone for example.com and create an "A" record for example.com and point it at the DC on Site A
    In theory, you could also do this ->
    - While option 1 is in play (or add example.com to the hosts file here), Spin up a Server on Site B, join the domain, promote this server to a backup domain controller.
    - Add example.com to the hosts file on every machine in site B.  (A management nightmare and the most inefficient method, but will work)
  • (SOLVED) Local Name resolution with OpenVPN

    3
    0 Votes
    3 Posts
    3k Views
    That was the ticket.  Thank you for your help.  It works correctly now. Joe
  • Strange Routing Behaviour - Config Change

    1
    0 Votes
    1 Posts
    397 Views
    No one has replied
  • Feasibility : OpenVPN SSL/TLS sites to sites with multi-wan and ospf.

    2
    0 Votes
    2 Posts
    1k Views
    jimp
    It can work in SSL/TLS mode but it has to use tap, not tun. It won't work in net30 or subnet topology last I tried it. The rest of the setup can be similar, just use tap mode with a /24 tunnel network and ignore the bridging parts.
  • OpenVPN S2S works but cannot access CIFS share

    9
    0 Votes
    9 Posts
    2k Views
    It's a workgroup, so no domain controller. pfSense router is the DHCP and DNS server for each subnet. It serves DNS fine locally and via Remote Access OpenVPN, but doesn't seem to like this configuration. However, DNS Resolver worked when I added the server to the list of Host Overrides. Thanks!
  • OpenVPN rules other than any/any wizard rule?

    4
    0 Votes
    4 Posts
    3k Views
    SUCCESS! I did as you said, added the OpenVPN server as a separate interface. Then I copied the any/any OpenVPN rule to the new interface, and deactivated it on OpenVPN interface. Both internet and LAN hosts are now reachable through my VPN server, and the VPN provider's port forwarding to me works. :)
  • Configuring as OpenVPN server only on single interface

    3
    0 Votes
    3 Posts
    2k Views
    I do plan to eventually make the SG-1000 my primary router for myself, but currently I have a lot of special configuration on the router that I don't want to replicate and I don't want the "production" network to go down if I screw-up the SG-1000 configs. Also, I want to have the option to use SG-1000 as an "OpenVPN appliance" that I can just "drop-in" to client networks by having it completely pre-configured.  The LAN port would get an address by DHCP, so the only configuration I would have to do is define a DHCP address reservation on the foreign/main router and add one port forward to it and then the SG-1000 would just be a "plug and play" device to add a short-term inbound VPN to the network.  A "keep in the toolkit" and deploy so I could minimize time onsite and do the more advanced network administration (of the other stuff, not the SG-1000) via a secure remote access VPN.  (Theoretically, I might even be able to FedEx it to a client and talk them through the minimal installation without a physical trip.)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.