Show the exact entries you have in custom options, the errors you receive in the OpenVPN log, and the resulting OpenVPN config file from /var/etc/openvpn. Without knowing the exact input or what OpenVPN is claiming the error is, nobody can say for sure what the problem may be.

You use firewall rules on LAN to control which gateway traffic from specified IPs/ports goes out. Make sure you place it above your Allow All rule.

Welcome, glad you have it working now. -Rico

@Rico Since ping is working between pfSense and the VM, I believe routing is fine. But if you could let me know the way to check, I will do that and post the result here. Thanks.

Please find below the result of netstat -rn4 : [image: 1572508771800-pfsense-openvpn-nat.png]

@JKnott Thank you so much, finally fixed with the IPSec tunner phase 2 need a extra entry with the openvpn tunnel network (e.g 10.0.1.0/24) in site A an B, now the ipsec tunnel have two phase 2 entry one is local network and one is the openvpn tunnel network address.

@BlazeStar Install the iperf package on both pfSense nodes. Run one as client and the other as server. This will test the throughput from WAN to WAN. https://www.youtube.com/watch?v=D4KVh5sId54

As already mentioned, how to configure WAN interface, depends on your ISP. However, as you stated above, your WAN is already working. So there is nothing to change for DynDNS. Get an account from a dynamic DNS provider. Then you can choce a hostname in given domains like yourhost.dyndns.com. Configure the Dynamic DNS service in pfSense (Services > Dynamic DNS > Dynamic DNS Clients). If it is set up properly it will update the dynamic DNS at provider every time your WAN IP changes. So you can configure you openVPN clients to connect to yourhost.dyndns.com. The hostname is ever the same, the IP behind may change.

Are you using NAT to map OpenVPN clients to an outbound WAN address? If you're not using NAT for clients to access the LAN network, you may need a route in place on pfSense to direct traffic back to the OpenVPN clients... If you can be more specific with subnets in use and also show a copy of the routing table on pfSense that would be a good place to start...

The most secure way is also the most convenient way: Use a separate OpenVPN server. Any time you need different levels of access, it's best to setup an isolated VPN structure (different CA & server cert, different server, different subnet, etc)

@abidkhanhk Can you ping it localy? And more generally, a. disable/adjust host firewall and b. make sure it has a default gateway , or routes to the gateway serving the vpn That's assuming you haven't done specifing firewalling in pfsense somewhere else.

@KOM [image: 1572397743300-giphy.gif]

You'd need some way to tell the user's devices which VLAN to connect to. There is DHCP option 43, but that's based on MAC address. By the time a user logs in, it's too late. The normal way to restrict access is to configure it in Active Directory. Why do you think you have to do it with VLANs?

@boelter said in PfSense OpenVPN > Ubiquiti USG > LAN not routing properly: PfSense (W:DHCP / L:10.42.9.0/24 / OVPN:10.90.0.0/24) -> USG (W:10.42.9.12 / L:10.42.8.11) -> LAN Wow, does this actually work with DPI stats in the Unifi controller? Do you have any VLANs behind there? I.e., can the pfSense do the VLAN routing and let the USG just be a "dumb" router/bridge?

@Gertjan said in OpenVPN Command Line Arguments: @RHLinux said in OpenVPN Command Line Arguments: /etc/rc.d/openvpn ? FreeBSD doesn't start daemon like "Linux" based OS's .... pfSense isn't even following pure "FreeBSD" conventions. To finalize : editing core file will probably get wiped (re written) when saving config, and for sure when upgrading. If you really have to, look here : /usr/local/etc/rc.d/openvpn Thanks for the information, I'm used to Fedora, Debian/Ubuntu Linux distros :)... It's purely for testing, I realize they will be overwritten during upgrades, but they shouldn't be overwritten by config changes. RHLinux

Did you hand your vpn client your dns in your openvpn config? I use this every day, all day.. Is there some reason your using the forwarder (dnsmasq) and not unbound on pfsense? [image: 1572263143444-dnsvpn.jpg] When your client connects.. Look in your interface details with ipconfig /all Do you see that it was handed dns? When I get to work this morning, I will connect as always and show you how it should look. You are running your openvpn server on pfsense right?