It was a switching problem at the server side lan  :o

That link is to openvpn access server, not the community edition that is installed to pfsense. If they are authing to your AD, why don't you just lock out the AD account.  I think that is your typical AD out of the box setup, so many failed and locked.

This is still not working

huh??  Why do you want a host specific route?  So what is your vpn tunnel network?  For example mine is 10.0.8.0/24, so yes pfsense has a route to that network via the openvpn interface. So client connects and gets an IP in the 10.0.8.0/24 network - so pfsense yes knows how to get to it down the tunnel.  Why would you want/need a host specific route?

I think the best solution is to switch VPN provider. I am Plex Pass member, pfSense user and AirVPN user. Those 3 work pretty well together. AirVPN allows you to setup port forwardings (up to 20) so you basically apply the same concepts you set on routers.

SOLVED!!!! Really thanks you!!!

See attachments, I have two internal networks: 192.168.5.0/24 and 192.168.6.0/24 nginx webserver used in portshare it's 192.168.6.2 [image: OpenVpn1.png] [image: OpenVpn1.png_thumb] [image: OpenVpn2.png] [image: OpenVpn2.png_thumb] [image: OpenVpn3.png] [image: OpenVpn3.png_thumb]

It didn't help, same problems. If the same user tries to connect via different user, e.g. my user - it's a success, every time in first attempt. However, yes, with his account/mobile OTP - problem. It's definitely not his PC, as he's able to log in with different accounts from the office and it's also not VPN client problem. Only difference is where OTP is generate, either his mobile or ours. EDIT: We've found the problem. Starting with point that he can connect as described above, we knew it's mobile-related problem. It seems like somehow his time on phone was ahead in time and once I increased OTP Lifetime from 3 to 6 on freeradius settings he was able to log in always in first try. Thanks for all the help!

Thank you Derelict, it works!

@johnpoz: the use of multiple dns that can not answer the same questions the same way is bad idea.. You can never really be sure which dns will be queried.  Windows uses many different things to figure out which dns is queried, just because you have them listed 1 and 2 doesnt mean that is how its always going to  be queried. this is a very common mistake..  The dns you put in your client should be able to resolve the same stuff the same way.  If you want to resolve local stuff then you should point to your server(s) that are authoritative for your local stuff, and have them query or forward to something else that can resolve public stuff. Pointing to a local and public at the same time is going to give inconsistent results depending on how exactly the client determines which dns to use.  Once windows for example finds that dns 2 gives answers, when it had an issue with 1 - its not going to go back to 1 unless there are issues with 2, etc..  Getting a NX for query does not mean that dns is bad.. how does the dns resolver know it should check its other dns?  what if it gets back soa vs nx.  etc. etc.. if you need to resolve work stuff, when you vpn to remote site its prob best to just create host file entries on your host for what you need to resolve on the vpn side. your problem is that you want to resolve 2 different local domains with different name servers that are authoritative for their respective local domains.  your other option would be to run another nameserver say on your client that has specific forwards setup to where go ask for specific local domains, and where forward when its not a local domains. So you could have a forward on this server that asks work dns when looking for work domains, and the vpn dns when looking for vpn domains, etc. But splitting nameservers on your client is never going to function the way users think it does.  And also can be leak in dns info, where your asking the wrong server..  For example work server might now your looking for lots of records for some odd local domain.  or if your asking your vpn for these work domains, it will either try and resolve them directly which isn't all too bad.  Or maybe it forwards to your ISP dns and now your ISP has records of all these odd queries.  This is only an issue depending on how tight your tinfoil hat is.  But is another problem with having split dns on a client where the nameservers do not have the same info on them.. Thats true.. didnt think about it that way. Thank you!

any solution? dose anyone use Radius with OpenVP?  :(

If you can enter a default route in the static routes, then enter one pointed at the pfSense interface. That would be the preferred method.

Just found this thread after posting.  https://forum.pfsense.org/index.php?topic=111557.0 Looks like it is the TPLink hardware.  Will refer to the responses there.  There is no access point mode in the router setup on the AC3200 either.

push "route-ipv6 ::/0" <= think that fixed it

To put things graphically, here's what I want to do: _______  <vpn vlan="">________ <vm eth0="">/ <gateway interface="">–--------<                                                   ________ <local net="">________</local></gateway></vm></vpn>

Yeah. Your walkthrough has the workstation behind pfSense. You have it in a triangle. Give the Hyper-V VM and extra NIC as LAN, and connect your workstation to that and try again.

Ok. I understand this is due to OpenVPN topology change in new release. Now my next question is how do I specific IP for client with "Subnet – One IP address per client in a common subnet" ? I tried to specific client IP in the same subnet by enter "10.8.1.200/32" into tunnel network settings for user.cert.name, and I can see vpn established but traffic unable to pass through. Also with the new topology, can I specific client's IP in other subnet? Thank you.