@Gertjan I am planning to setup the OpenVPN server as the central VPN gateway and expand the network if needed. If I fix this , I am pretty sure I can.

@sgw said in lock client hardware:

My customer wants to make sure that his employees only use the openvpn-configs on company devices.

As long as he doesn't lock the company devices down to almost "dumb" mode, a user can always run its own OVPN configuration as they could simply run the OVPN exe with their config. That won't work.

Right now we set up authentication against Samba-ADS, so there is basically one overall ovpn-file for all the allowed users. If we can deploy that via group policy objects or so and let openvpn-client run as a service this should do the trick, right?

Yes every client can/will get the configuration via the group policy. But that won't stop the user from making manual changes (OK could be depending on where you deploy the ovpn configuration and if they have local admin rights) or using their own ovpn config.

Is the way to deploy/install the provided windows installer exe from the client export tab maybe?

If you wanna roll out that config via group policy I wouldn't use the windows installer exe. AFAIK you'd need an MSI anyways. Simply install OpenVPN on the clients (either manually or per group policy and with the official installer from the website - I think they even have an MSI there anywhere) and just deploy the configuration to the necessary directory. It can either be in %programm_path%\config (C:\Program Files\OpenVPN\config or sth.) or in %user%\OpenVPN (C:\Users\%Username%\OpenVPN\config).

But as it is I certainly doubt you can lock up the config in a way that a user couldn't just take it and copy it to another device if they want to. Only thing you can enforce is that one user could only login once with the same certificate/username combination so noone can use both at the same time.

nevermind. I think i fixed my problem. After setting a firewall rule for LAN. I had to reboot PFsense once and everything is woriing now.

Hi @JKnott,

Our telco company here in country is so greedy ☹

great tutorial, thank you!
are these instructions still valid for the current version of pfSense?

The road warrior VPN clients need routes to the subnets at site 2. At site 2 you need a route tor the road warrior tunnel subnet.
That is all done in the OpenVPN settings.

So at site 1 in the access server settings add the subnets of site 2 to the "Local networks". That pushes the routes to the client.

At site 2 in the site-to-site settings add the road warrior tunnel subnet to the "Remote Networks". So OpenVPN sets a route for it pointing to the remote endpoint when the connection is established.

Also ensure that your firewall rules allow the intended access.

I intend to activate the firewall part in a second time. For now it's open door.

Perfect, that explains very well the use cases of the two options. Thank you

Problem has been resolved, I created a new Interface for VPN and made a Rule on Manual Outbound NAT and some Firewall Rules.

@Sparty thanks for your input. sorry for replying late.
Yes . I was trying trying to access the remote client PC via the tunnel .

you can just use the export package.. And you can download an exe that has the client and the config already in it.

If you want an msi, you could convert that exe to one.

@viragomann
it's just for me and about 3 other people
i think the long term plan (this is replacing a cisco vpn), will be to add an IP on the other firewall, (or a secondary IP at least) since it is still bridged on that vlan.
then i can just add it to the firewall as a secondary ip, and add that subnet to the same policies and address book entries allowed to get to everything.
depending on how many static routes there are elsewhere however, the masq/nat option works easier at least for now.

@darrenh I figured it out, it wasn't related to tun or tap mode at all, nor the VMware.

I found one other person had done it, buried in another forum from 5 years ago.
you have to setup a nat outbound rule by changing to hybrid mode, and setup the LAN interface, network being your vpn user subnet, and set the destination to either just the local lan, or in my case I set it to any, and use the fw interface as the masquerade.
that way the traffic from the vpn users gets masq'd as the local lan and not the 192.168.55.1 it auto assigned for the tunnel subnet.
as soon as I did that, I can get to everything fine :)

seems to be all working.

think i got confused on what the "OpenVPN clients" are.
kept seeing the services being stopped, so thought it was a error.

am i correct in saying its...

for either connecting to another vpn server elsewhere (aka p2p router connection)

and generally for exporting the config files for win/linux clients, instead of doing it manually.

the client isntance doesnt actually get used for imcoming openvpn conenctions from say a windows client

bad news, after i set up a new phone system one of the changes i made must have fixed it, the issue stopped right then and there! sorry no solution here!