For posterity...

I decided to set up a separate OpenVPN server for each group of users. In the end it was the cleanest way to differentiate between the groups by assigning a unique subnet to each instance of OpenVPN. Client Specific Overrides is an interesting feature and might have allowed a portion of what I was looking for, but did not offer a complete solution.

Thank you,
cdunbar

Jimp. I already solved it, what happens is that they have to wait about 3 minutes for the openvpn to discard the connection through the wan that is below. Thank you

@pippin thanks for the advise. I haven't set up this particular pfsense myself. I needed to stabilise the VPN and I will build a clean one with the first chance. There are too many crap stuff in there too many changes have been made inside there from people who didn't actually know how to configure it properly. Will do my study before I make a clean one.

I got a Rule that sorts out traffic trying to connect to my LAN from the radio network.
For the rest its fine since i run the other network anyway 😁

@rico Thanks for sharing

What would fail with bogon still blocked is bogon's - but pretty sure pfsense pulls the rfc1918 space that is normally in bogon out... And lists in the different rfc1918 listing.

rfc1918 is a bogon ;) Well if you want to get technical about its - better term is prob martian...

I watched this Youtube video from Lawrence Systems: https://www.youtube.com/watch?v=7rQ-Tgt3L18

At the 13 minute mark, he points out that one needs to add a line to the end of the config file created by VPN on the local computer being used to access the remote computer: redirect-gateway def1

On another website it was suggested that I might need to add a line in the pfSense firewall to the file found under VPN/OpenVPN/Server. I edited the file and under Custom Options added: push "route 192.168.xxx.0 255.255.255.0"

I'm not sure which of these two additions did the trick, but the net result is that now I can connect from a remote location both to the pfSense GUI and to my desktop computer.

So ... problem solved!!

ok thank you I look at it

Now all of a sudden DNS resolution stopped working on all of the clients on my internal network. o_O

Restarting unbound and the client machines doesn't fix it. My network just hates me right now.

edit Disabling pfBlocker fixed DNS resolution.
edit2 Suddenly, my firehol blocklist rule was adding all of the internal clients on my network to blocked hosts.

To close resolve) this one :
@rsaanon said in [Solved] dnsleak results show no leak, but IP address lookup shows internal/lan IP:

I would have like to have pasted the screen shot of the above two tests, but I'm not sure how to include the screenshots on this forum.

Copy the image fist (hit the print screen touch on windows keyboard to have the entire screen or use the build in capture tool) and then Paste it here while your typing your post (windows PC : Ctrl-V) .

0_1544291117302_fa375696-e1a0-491f-bfd2-6170242f562e-image.png

You need to push the IPv6 /64 as a route. It needs to be distinct from the tunnel network. I assume you have more than a /64 to use? /48 or /56?

Similar to how HE's TunnelBroker provides IPs, Unfortunately TunnelBroker does not work in this case because they Block CloudFlare (YES THEY FREAKING BLOCK CLOUDFLARE!!!).

Based on my experiences with HE over the years, if they did in fact block these sources, they have a good reason for doing so.

Client-specific overrides are is required for SSL/TLS with a larger than /30 tunnel network when you have remote subnets/routes above and beyond the tunnel address for a Remote Access client.

There is really no difference between a Remote Access server and a point-to-multipoint site-to site network other than different requirements for pushing routing and CSOs. They are the same OpenVPN server mode.

Them will tested, thanks for your help.

@treborjm87

I'd be curious about this as well...

I think you need to establish how much throughput/bandwidth you need and how many concurrent user connections you anticipate, etc? (Is this box dedicated to routing and VPN only or more exotic use cases like running VMs, etc)

I've seen some charts floating around with hardware recommendations based on required throughput here and at the servethehome website.

@AlexVP I ended up using only one WAN.

As soon as I got rid of the second WAN, OpenVPN started working correctly. Under Firewall > Rules, I added rules to both LAN interfaces so they can't access each other. For the WAN interface, I added rules & under NAT > Port Forward I mapped the WAN ports to the CCTV LAN so it works how we need it to.

I know our network is fairly simple, but if you can make it work with one WAN it'll be a lot easier to manage. If I do set up a second WAN, I'll let you know what I did to make it work.

Thanks for the tips @Gertjan. If I had added logs it would've made it a lot easier to figure out what I did wrong. I made it work with one WAN, and I'm leaving it that way unless I need to change it.

Hi Rico,

thank you for your answer. I had a look to your link. I think this would work, but if the subnet on LAN on the pfsense boxes is changed I need to reconfigure everything.

Is there no option like:

On the VPN Server:
Route ALL traffic from User-01 to VPN network of pfsense box1

On the Pfsense Box side:
Route ALL traffic on VPN network to OPT1 network

Sorry for my question, but I´m a beginner with OpenVPN and pfsense...

Thank you so much for your support.

@jknott said in Unable to get Openvpn 2.4.6 to work on pfsense 2.4.4:

You don't set up DNS on the VPN. You do it on the client or DHCP server config.

My mistake, there is a setting on the server config, under Advanced Client Settings.