• OpenVPN user password vs CLI password sync?

    2
    0 Votes
    2 Posts
    890 Views
    jimpJ
    If they change their password using "passwd" or similar at the CLI, that does not change it in the pfSense configuration. You can grant them a password change permission and then they can login to the GUI to change their own password. Giving them shell access is fairly dangerous though. Keep in mind it's a firewall not a general purpose multi-user shell server.
  • "Advanced" VPN connections?

    5
    0 Votes
    5 Posts
    1k Views
    M
    And hence my "hours of work" remark. I would not even know where to start. hosts-file, firewall rules, NAT-table? I "know" a rule-based setup of some kind should work: if bbc.co.uk use ovpnc1; if play.svt.se use ovpnc2; if netflix.com, hulu.com use ovpn3; else use WAN (em0). I have 5 client connections included with my PIA subscription (I can use it on 5 machines). So I'm thinking 5 regions on my pfSense box ;-) I'm going to try unblock.us today and see how that goes. This seems a bit easier. But you have to agree that it's a good thought, and if anyone has a working example of this, I would love to pick your brain? Thanks for your input, again.
  • OpenVPN wont connect through WAN

    7
    0 Votes
    7 Posts
    1k Views
    D
    @sparkynerd: Thanks for the help so far- My setup is fairly simple: Modem–>pfSense-->Router While it should be Modem (bridge mode) -> pfSense and you'd have no issue like this with setting things in 3 different places.
  • OpenVPN Android and DNS

    3
    0 Votes
    3 Posts
    2k Views
    S
    @viragomann: Configure your Android VPN client to use a public DNS server or set up the OpenVPN server to provide DNS servers to clients which are capable of resolving the hostnames. Thanks for the reply. I was using the OpenVPN connect and this did not have the option to change DNS (that I could see). So I tried OpenVPN for Android and set Google DNS - but same issue. Any ideas?
  • OpenVPN Client can't connect to pfSense

    5
    0 Votes
    5 Posts
    5k Views
    K
    Thanks for the nudges in the right direction. verb 3 wasn't giving me the info I needed, so I went after verb 4 and finally got more granular logs in my openvpn.log file. The first and big pointer was "ERROR: could not read Auth username from stdin". My auth-user-pass config didn't specify any txt file with the credentials in it, which makes me think the Synology's passing of the GUI entered credentials is fubar'd. I commented the auth-user-pass config out, and of course, I got all sorts of TLS handshake errors. The connection requires a user/pass. Connected as we speak as long as I pass the credentials as a file. I really appreciate your help. It says something when an OpenVPN thread in the Syno forum needs to be approved by a mod before it gets posted. Lots of ambiguity on their front end presentation to a very robust VPN.
  • "Unable to contact daemon" Issue. but Servers are UP [Solved]

    2
    0 Votes
    2 Posts
    1k Views
    K
    Just in case anybody else is sharing the same problem - changing the unix socket in openvpn.inc to tcp socket solved my problem.
  • Multiple OpenVPN Remote Access Gateways (2.2.2)

    1
    0 Votes
    1 Posts
    554 Views
    No one has replied
  • Execute root commands using connect-client script [Solved]

    2
    0 Votes
    2 Posts
    649 Views
    H
    Update: Actually there was no privileges issue. The script could not execute the root commands because it couldn't recognize them. I could fix the problem by specifying the full path to the commands. Examples:
        /usr/local/sbin/bgpctl reload (using just 'bgpctl reload' inside the script wasn't working)
        /sbin/route add -net $ifconfig_pool_remote_ip/30 -interface $dev -static
    Now it works.
  • Name resolution

    6
    0 Votes
    6 Posts
    1k Views
    S
    John, thank you, answer was right in front of my face ;-)
  • OpenVPN and SIP needs NAT

    4
    0 Votes
    4 Posts
    4k Views
    D
    My experience with SIP has been bittersweet at times (and I know I'm not alone). I find things have improved between providers and the current releases of FreePBX/Asterisk/pfSense such that mucking about in pfSense is mostly not needed anymore. Not to mention the SIP protocol itself has evolved (somewhat) for the better, although I still use IAX2 with some setups to avoid the NAT nightmare that SIP can be. Very often it "just works" which is gratifying after years of trying to resolve VoIP software/DID provider/hardware manufacturer issues when everybody pointed at the other guy as the source of the problem <sigh>. Glad you're up and running.
  • MOVED: Outbound rules through OpenVPN

    Locked
    1
    0 Votes
    1 Posts
    482 Views
    No one has replied
  • How to setup OpenVPN site to site connection in pfsense with DHCP

    4
    0 Votes
    4 Posts
    909 Views
    D
    It is nice when the magic finally works :) Glad you got it working. Feel free to ask more if you hit any particular road blocks or have some new config questions.
  • SAMBA over OpenVPN working partially

    18
    0 Votes
    18 Posts
    5k Views
    I
    Understood!!! THANKS!
  • Automatically Route Client IP addresses to the LAN

    1
    0 Votes
    1 Posts
    475 Views
    No one has replied
  • OpenVPN - Site-to-Site - Multiple Sites (Peer to Peer -Shared key)

    7
    0 Votes
    7 Posts
    2k Views
    A
    Hi fgmoyses, Can you send me the details of client and server setup for multiple sites? Because I have been trying for almost one week to fix this issue. I would be very glad if you sent me your setup. Thanks and regards.
  • Can't access remote network through OpenVPN tunnel

    13
    0 Votes
    13 Posts
    2k Views
    W
    I see what you're saying. Thanks.
  • New OpenVPN setup for road-warriors - connected but no routing

    55
    0 Votes
    55 Posts
    22k Views
    S
    I know it's an older thread but I wanted to throw out two things that helped me.  We have a CARP setup so two routers. router2 couldn't ping the OpenVPN-LAN subnet. Routes looked fine.  Solution: reboot router2. When testing, router1 worked fine. Router2 connected and I could ping the router but not further. Solution: devices on the LAN are set to the CARP alias IP as their gateway, so the VPN through router2 will only work if CARP failover is in effect so that IP is shifted to router2.
  • Force using IP of interface

    9
    0 Votes
    9 Posts
    2k Views
    V
    You just need to create an outbound NAT rule which translates source IP of packets leaving pfSense on your "problem interface" to the interface address. This solution works, no matter if DHCP is on or not.
  • Connection working, but can browse internet only partly?!

    1
    0 Votes
    1 Posts
    577 Views
    No one has replied
  • Openvpn pfsense 2.2

    11
    0 Votes
    11 Posts
    3k Views
    B
    Hrm. After increasing the logging level to 4 again from the recommended 3 I'm now seeing this message a lot: MULTI: bad source address from client Gotta get to bed for tonight but it seems like the IP that is showing up at the OpenVPN server is that of my local wifi connection and not the VPN IP that should be showing up. ~Brett OpenVPN config: <openvpn><openvpn-server><vpnid>1</vpnid> <mode>server_tls</mode> <protocol>UDP</protocol> <dev_mode>tun</dev_mode> <ipaddr/> <interface>wan</interface> <local_port>7696</local_port> <custom_options/> <caref>snip</caref> <crlref/> <certref>snip</certref> <dh_length>1024</dh_length> <cert_depth>1</cert_depth> <crypto>AES-128-CBC</crypto> <digest>SHA1</digest> <engine>none</engine> <tunnel_network>172.16.snip/24</tunnel_network> <tunnel_networkv6/> <remote_network/> <remote_networkv6/> <gwredir>yes</gwredir> <local_network>192.168.snip/24</local_network> <local_networkv6/> <maxclients>10</maxclients> <compression>adaptive</compression> <passtos/> <client2client/> <dynamic_ip>yes</dynamic_ip> <pool_enable>yes</pool_enable> <topology_subnet/> <serverbridge_dhcp/> <serverbridge_interface>none</serverbridge_interface> <serverbridge_dhcp_start/> <serverbridge_dhcp_end/> <dns_domain>snip</dns_domain> <dns_server1>192.168.snip</dns_server1> <dns_server2>8.8.8.8</dns_server2> <dns_server3>8.8.4.4</dns_server3> <dns_server4/> <push_register_dns>yes</push_register_dns> <netbios_enable/> <netbios_ntype>0</netbios_ntype> <netbios_scope/> <no_tun_ipv6/> <verbosity_level>4</verbosity_level></openvpn-server></openvpn>
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.