Will do, in the mean time I got something more stable using limiters on in and out at half our DSL capability. Seems like when the link is saturated, the copy get frozen and not when the limiters are reducing. Might very well be due to failover of our SDSL WAN to ADSL second link activates (automatically in suppose due to poor ping)

https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html Multi-WAN Tactics starting at around 40:05min. -Rico

I think I touch something but I do not know exactly what. But when this happens it's better to start again :). thanks!

FreeRadius and hand IP addresses (framed) out that you can use in firewall rules for the clients, I do it with IPsec so I can access everything and friends can only access the internet. Sort of pointless if all the users PCs the LAN side of pfSense are all on the same subnet. "andy" Cleartext-Password := "XXXXXXXX", Simultaneous-Use := "1", Expiration := "Apr 11 2027", NAS-Identifier == strongSwan Framed-IP-Address = 172.16.8.4, Framed-IP-Netmask = 255.255.255.0, Framed-Route = "0.0.0.0/0 172.16.8.1 1"

Give an idea about your configuration and post the full log as text not picture. -Rico

Thank you for your reply. When I check the widget, it only shows me the default gateway WAN_DHCP and does not show the openvpn gateway as a choice.

@viragomann "Second" P2 is the key word Solved, Thank you very much

@vidarne77 said in Openvpn site to site Problem: Reason for the Manual nat/was as for at main site it is needed for getting the right clients and servers over the proper vpns and vlans, atm you are right it is not needed for the basic setup so is at the offsite. (old habits setting it to manual) Glad it's working. Although just to throw it out there again, if you have access to both firewalls you don't need any NAT's for communication. All you need is routing and the firewall rules to allow the traffic. If you needed to add NAT's to get traffic flowing that tells me there are routes missing. By NATing, you lose granular auditing functionality, which may or may not be a concern for you. Personally, I always like to know exactly what is connecting to what. If you post your configs, we can offer more targeted info.

Trying to understand your problem here - your saying if you route traffic out a vpn, you can not load that site? What does that have to do with pfsense? They prob just block your vpn service.. Just like forums here blocks many vpn IPs.. What IP are you getting when you route through a vpn.. Is prob on a shitton of black lists..

@johnpoz I am certainly not an expert with pfnonsense... I solved my issue by moving to a 2.4.4 release. I was running on an old piece of hardware (32bit/2.3.x). I was trying to use OpenVPN client on PFSense to connect to ExpressVPN. It was clear in the logs that SSL3 was being used in the negotiation and the cert verify was failing as a result. Not an issue on 2.4.4. I am used to enterprise networking products where there is a clear documented way to control those settings client or server. I assume you are talking about OpenVPN server custom settings. I am not running OpenVPN server. Thanks!

Glad you have it working. -Rico

Glad you have it working again. -Rico

@derelict said in Dual routing from OpenVPN server to Client Internet: Negative. The moment you assign the interface the VPN breaks. THEN you have to stop and start the server process. Client or server. Does the same thing. Show me in the manual where it says not to assign an interface to an OpenVPN server. You are right. It worked. Many thanks.

Yes, if you have checked "Don't pull routes" like it is shown in the tutorial, just add a firewall rule for that traffic (source = the two laptops) and leave the gateway setting at its default. Place this rule to the top of the rule set, so that it matches first.

grateful, but it does not help me yet. I just want to get the cadastral information of my openvpn clients. the suggestion given brings everything (usable and revoked) and would have to be done one by one. Understood ?

@philip2019 I'm not sure, finally it worked. It can't be test in the Lan inner in my situation, I can't ping my Wan public IP address from inner lan PC when it set a DMZ, I have to use another Internet connection to ping the Modem ip address. because the modem(router, Bell hub 2000), set a inner PC as DMZ, so in this pfSense server (as DMZ PC in Bell router), should allow ping in Wan interface, it's a simple firewall ruler, this help me know only another Internet connection can easy get the DMZ. other thing almost same with some guide in Youtube or web article, the only change is configuration will show the DMZ pfSense server Wan ip address as remote address(it also a Lan ip address), it impossible be visited for the Lan ip reason, change this IP to public IP address can be OK.

No there were not. I have deleted everything related to the RoadWarrior Server now and recreated it with another cipher, but same settings/TunnelNetwork/Buffer/Rules. It seems to work now. Could it be that pfSense sometimes doesn't activate rules unless you recreate them? It felt like that, though I dont really know why it didn't work and now works.