• OpenVPN SSL/TLS + User Auth over LDAP

    4
    0 Votes
    4 Posts
    548 Views
    W
    Here is a working script I run on a PC. To make it work you need to have already imported into the directory the files like .cert, .ovpn, .tls for this certain profile configuration. What the script does: request a cert from the Windows domain CA, export it as a PKCS#12 with the private key, and then import it and configure it in the OpenVPN application. By that design no action on the user side is needed. Just smoothly click on OpenVPN, click connect and provide the password.

    # Function to generate a random password
    function Generate-RandomPassword {
        $length = 16  # Set the desired password length
        $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
        # Get-Random -Count samples without replacement, so no character repeats
        -join (Get-Random -Count $length -InputObject $chars.ToCharArray())
    }

    # Generate a random password for the PKCS#12 export
    $pfxPasswordString = Generate-RandomPassword
    $pfxPassword = ConvertTo-SecureString -String $pfxPasswordString -AsPlainText -Force

    $username_only = $env:USERNAME
    # Quoted so the trailing ".pfx" is not parsed as a property access
    $pfxPath = "$env:USERPROFILE\OpenVPN_Configuration\Profile_Name\$username_only.pfx"

    # Look for an existing user certificate; request one from the domain CA if missing
    $cert = Get-ChildItem -Path cert:\CurrentUser\My | Where-Object { $_.Subject -like "CN=$username_only" }
    if ($cert) {
        Write-Host "Certificate already exists for user: $username_only"
    } else {
        Get-Certificate -Template "Template_Name" -CertStoreLocation cert:\CurrentUser\My -SubjectName "CN=$username_only"
        $cert = Get-ChildItem -Path cert:\CurrentUser\My | Where-Object { $_.Subject -like "CN=$username_only" }
        if ($null -eq $cert) {
            Write-Host "Certificate not found for user: $username_only"
            exit
        }
    }

    # Export the certificate with its private key as a password-protected PKCS#12 file
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword

    # Import the PKCS#12 into OpenVPN Connect
    cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --accept-gdpr
    cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --skip-startup-dialogs
    cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --list-certificates
    cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --import-certificate=%userprofile%\OpenVPN_Configuration\Profile_Name\%USERNAME%.pfx --password=$pfxPasswordString
    cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --list-certificates

    # Read back the cert-id that OpenVPN Connect assigned to the imported certificate
    $certId = (cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --list-certificates |
        Select-String -Pattern '"cert-id":\s*"([^"]+)"' |
        ForEach-Object { if ($_ -match '"cert-id":\s*"([^"]+)"') { $matches[1] } })

    # Import the profile and bind it to the imported certificate
    cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --import-profile=C:\Users\%USERNAME%\OpenVPN_Configuration\Profile_Name\profile_name.ovpn --name=%USERNAME% --username=%USERNAME% --certificate=$certId

    # Remove the exported PKCS#12 (same path as the export) so the private key does not stay on disk
    Remove-Item -Path $pfxPath -Force
  • Bulk export OpenVPN profiles

    1
    0 Votes
    1 Posts
    92 Views
    No one has replied
  • Synology NAS and VPN Best Practice?

    1
    0 Votes
    1 Posts
    173 Views
    No one has replied
  • Can only connect to VPN from internal network not from External

    16
    0 Votes
    16 Posts
    563 Views
    johnpozJ
    @evang yeah and you have 2 nat routers so you would have to port forward twice if you have something behind pfsense
  • LDAP checks extended query and blocks users, but oVPN doesn't

    2
    0 Votes
    2 Posts
    136 Views
    No one has replied
  • OpenVPN Peer to Peer ( SSL/TLS ) no ping from siteServer to siteClient

    14
    0 Votes
    14 Posts
    600 Views
    I
    @viragomann Thanks. It's fixed. So basically switching /24 to /30 solved the issue. Thank you again!
  • SSH into device via OpenVPN on PFSense - Connection Issues

    2
    0 Votes
    2 Posts
    160 Views
    J
    @mark-musil is this what you are looking for? [image: 1727885054613-screen-shot-2024-10-02-at-12.03.46-pm.png]
  • Routing between two OpenVPN servers

    5
    0 Votes
    5 Posts
    236 Views
    PierreFrenchP
    Thanks for the advice, I will double check and redo the config
  • OPENVPN

    1
    0 Votes
    1 Posts
    122 Views
    No one has replied
  • NordVPN Client only for specific hosts

    58
    0 Votes
    58 Posts
    10k Views
    GertjanG
    @Tom777 As a test, disable gateway monitoring. [image: 1727427724285-2ef89efc-c44e-41f8-9a5d-11c50119273f-image.png]
  • Upgrade existing Site to Site Open VPN Tunnels Shared Key to TLS

    13
    0 Votes
    13 Posts
    1k Views
    V
    @Bambos said in Upgrade existing Site to Site Open VPN Tunnels Shared Key to TLS: Sep 25 18:54:08 openvpn 4548 plant30/publicIP:44210 MULTI: Learn: 192.168.30.0/24 -> plant30/publicIP:44210 BTW: this is the line showing, that the route was set inside OpenVPN.
  • Post Quantum Cryptography

    1
    0 Votes
    1 Posts
    178 Views
    No one has replied
  • OpenVPN routing problem from Office to Branch network

    3
    0 Votes
    3 Posts
    167 Views
    S
    @Sateetje I think I have found it. I had an allow all rule at the bottom of the rules on the LAN interface. In the rule I set the default gateway to a gateway group; looks like this was the issue.
  • OpenVPN server with a different gateway (not default one)

    2
    0 Votes
    2 Posts
    144 Views
    V
    @leptdre What do you mean with "outbound traffic"? The upstream traffic from connected clients? If so, you can simply policy route it like traffic on any other interface.
  • OpenVPN very slow after updating pfSense from 2.6.0 to 2.7.2

    1
    0 Votes
    1 Posts
    113 Views
    No one has replied
  • OpenVPN pfSense to pfSense (peer-to-peer) connected but not routing

    17
    0 Votes
    17 Posts
    697 Views
    V
    @jhg said in OpenVPN pfSense to pfSense (peer-to-peer) connected but not routing:
        It seems you need all of the following non-default settings
        Client System/General Setup/DNS Server Override ON
    As mentioned multiple times, I think, this setting affects pfSense itself only, as long as you have not enabled DNS forwarding in the Resolver. You still didn't mention if you have this. Anyway, it has no effect on domains which you have configured an override for.
        VPN Client/Tunnel Settings/"Pull DNS"
    This also has no effect on domains which you have configured an override for. So you don't need to set this for your purposes, and I never suggested enabling this option.
        Custom firewall rule on OpenVPN interface to allow incoming traffic
    That's pretty plausible. pfSense is a firewall; all intended traffic needs a rule.
        Server DNS Resolver: add an ACL permitting the remote LAN to query the server's DNS resolver
    That's by design of Unbound (DNS Resolver). You need ACLs for all unknown source IPs.
    Some comments:
    If you use the wizard to create multiple VPNs you'll get duplicate firewall rules for incoming VPN traffic.
    Also note that the rule tab "OpenVPN" is in fact an interface group including all OpenVPN instances you are running, which can be servers or clients. Hence rules you add there are applied to all. For better separation you can assign interfaces to the OpenVPN instances. However, remember that rules on the interface group have priority over ones on a member interface.
  • 0 Votes
    1 Posts
    147 Views
    No one has replied
  • Failed to import openvpn profile in ios device

    3
    0 Votes
    3 Posts
    450 Views
    R
    @Gertjan Thank you for your response. I solved the issue by creating certificates by setting the digest algorithm as SHA245.
  • Multisite OpenVPN Set up , a good guide

    1
    0 Votes
    1 Posts
    92 Views
    No one has replied
  • ARP and DHCP and OpenVPN

    8
    0 Votes
    8 Posts
    350 Views
    T
    Yes, that was it. What I have settled on:
    LAN = 192.168.0.1/24
    VPN = 192.168.1.0/24
    CIDR 192.168.0.0/23 "covers" them both perfectly.
    I'm not quite sure what to do if I want another VPN. If I made it 192.168.2.0/24 I'd have to use 192.168.0.0/22 to cover both VPNs and the LAN, but now the maximum address is 192.168.3.254 -- so it "wastes" 255 IP addresses. But I'm not there yet and there's probably a better way to do it. Thanks for all your help.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.