So your running HA pair setup... Kind of should of mentioned this out of the gate ;)

Why would you be running public IP vip on a rfc1918 network and then forwarding to it?

If you have traffic hitting interface X, and you wan it to be able to get to the IP and port your vpn instance is listing on - then just put a rule on that specific interface X to allow allow it.

Install the FreeRADIUS3 package and setup OTP/GA in there, and setup OpenVPN to hit that for auth, and use it today. No need to use an extra OpenVPN plugin or to reinvent the wheel.

Client export is not for Site-to-Site. It is for exporting configurations for Remote Access clients.

Configure both sides to match and you should be all set.

@bigsy wow! thanks. After trying stuff for 3 hrs this tip was the answer.

https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html

@kekskrümel said in No Traffic into OpenVPN Tunnel until Static Route is set:

0.0.0.0/1 to the tunnel gateway 10.100.6.29

0.0.0.0/1 is only the half IPv4 range, so this cannot stand for the default route.

Furthermore, how have you set that route? A static route on pfSense or a CSO?

Are you talking about an access server and you want to route the whole traffic of only one client over the VPN?
So if the server uses TLS/SSL auth set up a CSO for the clients cert common name and check "redirect gateway".

What VPN provider is this?

Have you verified that the routes being pushed actually cover the addresses of the sites you think should be routed that way?

Are any of the route add logs indicating failure?

Are the pushed routes actually going tinto the routing table?

If so, pfSense and OpenVPN are working fine here.

https://www.netgate.com/docs/pfsense/virtualization/virtio-driver-support.html

How are you trying to access your resources? I see one issue:

You are pushing a DNS domain of 192.168.11.1 to your clients, so all of your name searches are being appended with "192.168.11.1" which is incorrect. The DNS Default Domain box in your config should have the name of your domain (e.g. MyDomain.com) in it, not an IP. Are you even using AD? If not, you shouldn't be pushing a DNS default domain.

I also see you have an AirVPN client tunnel configured. Is that new? I would modify the firewall rule on the OpenVPN tab, so it's explicit to your remote access tunnel network and your LAN. In other words, change the source to 10.0.11.0/24 and change the destination to "LAN net".

What do the rules look like on your AirVPN_WAN_HK tab? Hopefully, you don't have an any/any in there :)

Another question, what version of PFsense were you running on your old hardware? What version are you running now?

In the OpenVPN Server configuration on pfSense.

A push route configuration on a client makes little sense.

@gertjan Oh ! this issue is solved, because my "IDM" (Internet Download Manager), i have disabled IDM and download config file with native browser downloader and it's work !!!!!

Thank for reply and support me !!!!

@viragomann When I added the NAT rule you suggested I left the other NAT rule. It didn't help. I took a look at the routing rules and eventhing is correct. Both now have the explicit routing rule but no change.

Ok so i think i have found the issue but need some help fixing it

I think it maybe a MTU size issue when copying over smb. I have tried some options fragment 1400 mssfix 1400

The server seems to accept it but when i add to client and click connect it errors saying failed to connect to management service.

Anyone got any ideas?