@yannie Thats the tunnel network. Nothing to worry about. And it is the address of your side of the tunnel network. Using your username and password will bring up your box.

@trazom said in no connexion from client on internet to lan connected at pfsense: debug: [openvpn] Sat Dec 22 09:17:34 2018 Attempting to establish TCP connection with [AF_INET]192.168.1.254:1195 [nonblock] debug: [openvpn] debug: [openvpn] Sat Dec 22 09:19:34 2018 TCP: connect to [AF_INET]192.168.1.254:1195 failed: Connection timed out That's the key part of this log. Where are you connecting from? It's trying to connect to 192.168.1.254 so would have to be on that same private subnet to connect to that. I suspect your pfSense box is behind another router and you have used the client export wizard to create that config with the 'Host Name Resolution' set to Interface IP address. You will need to have that set to a real external IP or a hostname that resolves to it. Steve

How about you share your screen shots, describe what is happening, and we can tell you what to change.

Looks like the problem was the first OpenVPN rule that was there to allow the VPN server to route traffic to the internet but for whatever reason, it was confusing the pfsense routing. I have deleted that NAT rule and now it works as expected

i use KVpnc to configure my client; i'm going to try to use basic client. where can i find client's configuration doc on a kali linux distribution? thanks

Nope. that's the weird thing i was talking about. the client secret is connected to the server with port 1202 but when i print the log on the server (cat /var/log/openvpn.log |grep secret) it prints the above. Hope not doing something wrong.

@divsys Thank you that makes it very clear. I'll have to change my local subnet, so that at the remote site i'm trying to connect to via OpenVPN has its own unique subnet. Thank you soo much. Will let you guys know when I get it all working

OpenVPN does not set the default gateway like that. It leaves the system's default gateway alone and inserts two routes: 0.0.0.0/1 128.0.0.0/1 This covers all traffic and is a longer netmask so it is controlling. Undo whatever it is you did to make that default route go to ovpnc1 and let OpenVPN do what it's supposed to do.

That was it, I changed destination and gateway to my WAN instead of wildcards and it all started working. Cheers.! OpenVPN rule for future reference.

@thenmanbr said in pfsense bypasses firewall rule: @chpalmer however, in the event of a reboot, do you know how would i prevent this issue from happening? (i'm assuming it's the order things are loaded, first vpn then filters... if that even makes sense) I do not.. I comes as a little bit of a surprise to me as well. I use separate VPN servers for each of my tunnels and Im the only road warrior connection here. If I was to stop a connection to a site I would first go to that site and delete the client. Can you try a "reject rule" and see if that does it?..

So troubleshoot resolving names from one of the connected clients and see where the process is breaking down. Do you know how to troubleshoot DNS issues using tools like dig and drill? Yeah. we know you have had nothing but problems with pfSense insert feature here lately. So troubleshoot it.

Even in the logs, I can see that the server is pushing its own address as the gateway, yet pfSense does not use it as the gateway IP: Dec 21 02:45:36 openvpn 67745 PUSH: Received control message: 'PUSH_REPLY,route-gateway 172.27.120.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.27.120.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'

No. I used some tutorial of PIA open vpn client.

@viragomann said in Bypass VPN for specific www site: If I access www.alliantcreditunion.com I get redirected to www.alliantcreditunion.org, which is another IP. So you will have to add this FQDN to your alias as well. Also the site may contain further parts which come from other sources and also need to be directed over the WAN GW. You can use browser tools to investigate. Interestingly enough is I am able to access www.alliantcreditunion.org just fine. Something will not allow me to access the login page

pfSense does not impose any requirements on passwords at the moment. You will get a warning if the password is left as pfsense but that's it.

The first thing I would do is update to 2.4.4-p1

no i have a static ip so i am not using aliases. i just think i am doing it wrong. no one confirms if i am doing it right or wrong. can someone help. here is my exact setup and what i am doing openvpn server 192.168.1.0/24 openvpn client 1 192.168.2.0/24 (tunnel 10.0.1.0/30) openvpn client 2 192.168.3.0/24 (tunnel 10.0.3.0/30) client 1 and 2 reach the server with NO issues but client 1 talking to 2 or 2 talking to 1, does NOT work. i can only reach from 1 or 2 to the main openvpn server so i was told to assign the 2 openvpn on the main server to an interface. then i enabled those 2 interfaces as soon as i do this. client 1 and client 2 lost their connection to the server then i was told to go to firewall rules, openvpn tab, create a new rule as follows: action: pass interface: openvpn address: ipv4 protocol: any source: the assigned interface from client 1 openvpn destination: the assigned interface from client 2 openvpn i wrote a description and saved. but this does NOT do anything. i am still without connection to the main server openvpn from both clients. not sure what i am doing wrong! please advise

@chpalmer The machines in question are a linux box (firewall off) and grandstream phones. (cant connect to the phones web interface and the phones can't register to the pbx server (the linux box). Oh plus there is a synology NAS that can't be reached either. So no, no windows firewall or any other firewall.

All, many thanks for the help and the insight. This honestly wasn't supposed to be difficult. I've decided to get rid of pfSense altogether and use the facilities my commercial host has. It's not ideal, but it does work. All I was trying to do was access my private network remotely as I've done numerous times before with a variety of products. This has just cost me too much time as it is. Thanks again