• Limit authentication to known computers

    1
    0 Votes
    1 Posts
    145 Views
    No one has replied
  • push a DNS override

    5
    0 Votes
    5 Posts
    587 Views
    C

    Thanks, it's a really good reply, but I fear my only option is to change the gateway of service.domain.com.

    I already have an internal DNS and that is part of the problem, because that points to a LAN host with a different gateway.
    I need this DNS for other services.

    LAN clients get the DNS server from DHCP and OpenVPN clients get it from the OpenVPN server.
    I can see that DNS Resolver is enabled in pfSense (it's on by default), maybe I can do some magic here.

    What if I make a Host Override in the resolver and, in the OpenVPN server, set pfSense as primary DNS and the internal one as secondary?
    service.domain.com is a mail server, so I don't want to screw anything up here.

  • changing openvpn client's server host from command line?

    1
    0 Votes
    1 Posts
    163 Views
    No one has replied
  • OpenVPN idle disconnection

    6
    0 Votes
    6 Posts
    747 Views
    johnpozJ

    What do you want to disconnect on? If less than X bytes in Y seconds.. Or just leave off bytes and put in how many seconds of idle (no traffic) and then it will be disconnected.. If you wanted to disconnect after an hour it would be 3600

  • OpenVPN seamless roaming across Multi-WAN

    3
    0 Votes
    3 Posts
    708 Views
    0

    Sad to report back that a switch to OpenWRT/mwan3/WireGuard did the trick. pfSense needs WireGuard bad AF :|

  • Very Confusing is OpenVPN Setup

    47
    0 Votes
    47 Posts
    7k Views
    R

    @viragomann I have now tried 2 different certs (both server and client use the same in each instance) and she still does not show up in Client Export - my own was an existing entry in CE and I can now see the target network - incidentally, I only have one server in the dropdown for Remote Access Server in CE - ok I just reran the wizard to set up the other server (duh!) and she shows up under the new server; however she cannot see the remote network - I have made a few adjustments - will update tomorrow when I know more
    UPDATE:
    She's in! I needed to make a new cert for her that matched 100% - sorry, this was very confusing to me. Thank you, everyone for your insight and assistance!!

  • Site to Site OpenVPN tunnel windows file share issues

    2
    0 Votes
    2 Posts
    351 Views
    V

    Possibly the Windows host firewall is blocking the access.

  • OpenVPN seamless roaming across Multi-WAN

    2
    0 Votes
    2 Posts
    222 Views
    No one has replied
  • OpenVPN TAP pfSense Gateway Website Inaccessible

    26
    0 Votes
    26 Posts
    2k Views
    JKnottJ

    @seejay said in OpenVPN TAP pfSense Gateway Website Inaccessible:

    Ultimately no matter which TAP/bridging configuration I've employed for site-to-site TAP I have odd issues like the one outlined in this post, or random packet loss and/or TCP resets. You've seen me go through things like the MTU and other diagnosis ad nauseam to no avail.

    One thing you'll have to bear in mind is the bandwidth mismatch between the VPN and LANs. The LANs can handle data a lot faster than the VPNs. So, if you're bridging the LANs, as you do with TAP, then there's no way the VPN can pass all the data between them. In my case, the LAN is Gb, but my Internet connection runs at about 91 Mb down and 11 up. That's a ratio of over 10:1 in one direction and almost 100:1 in the other. This is before we even can consider the limitations at the other end.

  • OpenVPN Disconnects every 5-10 minutes

    17
    0 Votes
    17 Posts
    15k Views
    B

    @CM350 Changing from UDP to TCP also worked for me. Same port is fine. But I think the ISP may have been having issues with UDP.

  • Site to site ping with VLAN?

    23
    0 Votes
    23 Posts
    1k Views
    K

    Thank you for the reply, that did the trick. I rebooted and it started to work flawlessly.
    Thank you again for all the help.

  • [SOLVED] OpenVPN Multi WAN CARP Failover

    2
    0 Votes
    2 Posts
    510 Views
    I

    SOLVED!
    I reviewed my settings: I made NAT rules for WAN Address instead of CARP VIP.
    Changed NAT Rules to CARP VIP (openVPN Port) -> localhost.
    Now it works like a charm and failover is great!

  • How to access local networks while connected OpenVPN

    7
    0 Votes
    7 Posts
    925 Views
    M

    Sorry, I misread your OP. I thought you were connecting to your office from home, but it's the other way around.

    There are two possible scenarios for what you're experiencing:

    You configured a full tunnel deployment at home and all traffic is being routed over the tunnel upon connection. There are some overlapping subnets between your office and home LAN, so once you connect, traffic that would normally be routed locally via the default route is now being routed down the VPN.

    If you post your server1.conf (located here -> /var/etc/openvpn), it'd be easy to verify. However, the quick check would be to go to your config and see if you have the "Redirect IPv4 Gateway" option checked. If so, unchecking it would move you to a split tunnel deployment and will now only route traffic down the tunnel that is destined for your Home LAN subnet, which should solve your issue.

    If you unchecked the option or it was never checked and still have issues, then you most likely have a subnet conflict and you will have to move your home LAN to a new subnet and then reconfigure your OpenVPN server accordingly.

  • pfSense won't let me save OpenVPN settings - Solved

    3
    0 Votes
    3 Posts
    513 Views
    T

    @JeGr said in pfSense won't let me save OpenVPN settings:

    BTW: if you wrote your IP in the local port field you showed in your screenshot above, you have other problems at hand... the IP goes in the box below ;)

    LOL my bad...missed it when I edited the screenshot. I edited the post :)

    Thank you for the explanation.

  • Can't connect to remote computers except by FQDN.

    4
    0 Votes
    4 Posts
    458 Views
    B

    As I said, everything used to work with the same VPN config with my OpenWRT router, I just figured when the VPN was connected the domain information was getting passed through before. But I went and found the domain passthrough and set it up, and it is working like it used to now, I can connect just by ComputerName. Not sure how the other router worked without the same setting. Thank you both for your help.

  • 0 Votes
    1 Posts
    256 Views
    No one has replied
  • OpenVPN client causing latency and packet loss on non VPN traffic

    1
    0 Votes
    1 Posts
    271 Views
    No one has replied
  • Unable to ping LAN hosts after connecting to VPN

    11
    0 Votes
    11 Posts
    560 Views
    S

    @marvosa

    That actually was the problem. I was mistakenly connecting the router's WAN port to the LAN port of the Netgate. Admittedly I should have recognized the issue with having the two networks (Netgate - Router, then Router's LAN).

    So, everything just about works. I want to access a particular host on the LAN (a network share). I looked up the DHCP client list and found its assigned IP address and was able to remotely (through the VPN) connect to it. Because I want this to be reliable, I assigned a static DHCP rule for this specific LAN host. But now the VPN clients cannot see it anymore. What could be going on? All other dynamically allocated DHCP slots remain reachable from the VPN.

    I have a rule on the OpenVPN group to allow any to any, which is why the first part worked. But for some reason the statically assigned DHCP rule is acting as if it were not part of the LAN? I did notice that the host was marked as "offline" in the DHCP client list despite being active and reachable from other hosts on the LAN.

    I tried adding a rule specifically allowing access to this static IP from the VPN, but, of course, the any to any rule takes precedence so this new rule does not get used.

    Any ideas?

    Actually, the issue seemed to have resolved itself after some time.

  • Open VPN - user authentication is working but no LAN access

    7
    0 Votes
    7 Posts
    726 Views
    M

    Post your server1.conf (/var/etc/openvpn).

  • Clients cannot communicate with each other.

    42
    0 Votes
    42 Posts
    8k Views
    DerelictD

    @scilek said in Clients cannot communicate with each other.:

    I have learned through hardship that it is a good idea to reboot your router after configuring router OpenVPN clients/servers

    A reboot is not necessary. Only stating this so future readers will know.

    Glad you got past whatever problem it is you were having.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.