@johnpoz
Had a moment of weakness. Confused it with pinging TO localhost in terminal. Rookie booboo like we all do at times.

@Rezoyen

LIke any VPN, OpenVPN provides an encrypted tunnel over the Internet. This means the traffic cannot be read by unauthorized people. It can be used between offices, between a mobile device and home and some people use them to cover their tracks. There are commercial services for the last one.

Show the exact entries you have in custom options, the errors you receive in the OpenVPN log, and the resulting OpenVPN config file from /var/etc/openvpn. Without knowing the exact input or what OpenVPN is claiming the error is, nobody can say for sure what the problem may be.

You use firewall rules on LAN to control which gateway traffic from specified IPs/ports goes out. Make sure you place it above your Allow All rule.

Welcome, glad you have it working now. ☺

-Rico

@Rico Since ping is working between pfSense and the VM, I believe routing is fine. But if you could let me know the way to check, I will do that and post the result here. Thanks.

Please find below the result of netstat -rn4 :
pfsense-openvpn-nat.png

@JKnott Thank you so much, finally fixed with the IPSec tunner phase 2 need a extra entry with the openvpn tunnel network (e.g 10.0.1.0/24) in site A an B, now the ipsec tunnel have two phase 2 entry one is local network and one is the openvpn tunnel network address.

@BlazeStar Install the iperf package on both pfSense nodes. Run one as client and the other as server. This will test the throughput from WAN to WAN.

https://www.youtube.com/watch?v=D4KVh5sId54

As already mentioned, how to configure WAN interface, depends on your ISP. However, as you stated above, your WAN is already working. So there is nothing to change for DynDNS.

Get an account from a dynamic DNS provider. Then you can choce a hostname in given domains like yourhost.dyndns.com.
Configure the Dynamic DNS service in pfSense (Services > Dynamic DNS > Dynamic DNS Clients). If it is set up properly it will update the dynamic DNS at provider every time your WAN IP changes.
So you can configure you openVPN clients to connect to yourhost.dyndns.com. The hostname is ever the same, the IP behind may change.

Are you using NAT to map OpenVPN clients to an outbound WAN address? If you're not using NAT for clients to access the LAN network, you may need a route in place on pfSense to direct traffic back to the OpenVPN clients... If you can be more specific with subnets in use and also show a copy of the routing table on pfSense that would be a good place to start...

The most secure way is also the most convenient way: Use a separate OpenVPN server.

Any time you need different levels of access, it's best to setup an isolated VPN structure (different CA & server cert, different server, different subnet, etc)

@abidkhanhk
Can you ping it localy?
And more generally,
a. disable/adjust host firewall and
b. make sure it has a default gateway , or routes to the gateway serving the vpn

That's assuming you haven't done specifing firewalling in pfsense somewhere else.

@KOM giphy.gif

You'd need some way to tell the user's devices which VLAN to connect to. There is DHCP option 43, but that's based on MAC address. By the time a user logs in, it's too late. The normal way to restrict access is to configure it in Active Directory. Why do you think you have to do it with VLANs?

@boelter said in PfSense OpenVPN > Ubiquiti USG > LAN not routing properly:

PfSense (W:DHCP / L:10.42.9.0/24 / OVPN:10.90.0.0/24) -> USG (W:10.42.9.12 / L:10.42.8.11) -> LAN

Wow, does this actually work with DPI stats in the Unifi controller? Do you have any VLANs behind there? I.e., can the pfSense do the VLAN routing and let the USG just be a "dumb" router/bridge?