@derelict said in iPhone/iPad no longer works after update: Have a look at Services > DNS Resolver, Access Lists and see if adding the tunnel network to an Allow list there doesn't start allowing queries. That fixed it. Thanks,

@alexxtasi said in Using Radius for accounting only, Ldap for authentication (using Radiusplugin ?): it a radiusplugin problem of openvpn in general ? thank you @alexxtasi, you forgot to reply to yourself and tell us that you have fixed this crash:)

IIRC on Windows you had to run the OpenVPN client as Administrator or it wouldn't create the routes propeprly. It would look like it was working but you had no error messages and no access.

Doubt fix, I just use the tunnel created, thanks.

Welcome.

Ok, thanks, I will plan for one user/cert per TC then. EDIT: That means creating one user/cert per Thin Client on pfsense, and creating one specific profile (in terms of IGEL UMS) per TC (deploying the individual cert, configuring the VPN-connection to use that cert). Bit more work but manageable for 4 TCs as in my current case. btw: I plan to name the users/certs after the MAC of the TC to keep it traceable and not get something like user-names in there. OK?

There is no web-based or in-browser VPN available on pfSense.

In your diagram pfsense has ZERO to do with your client running openvpn and connecting to some outside vpn server? Zero!! Unless pfsense is blocking the port your wanting to connect to the vpn server on, default UDP 1194 pfsense has nothing to do with it. Did you modify the default lan rules? because out of the box they are any any and that client would be allowed to do anything it wants outbound to the internet.. Are you wanting instead this configuration? [image: 1539079606325-vpn-resized.png] Where pfsense is the client to the vpn server, and 1 machine or multiple machines behind pfsense can be used to use the vpn to go to sites on the internet, while other machines just go out the normal internet?

@execcr said in OpenVPN in existing enviroment: could only ping clients but not reach other ports, firewall completely opened.: a Zyxel UTM Why do you not just run your vpn server there just replace it with pfsense? Running an vpn server that is inside your network is always going to be a asymmetrical mess...

Yes indeed that would be it. Nice to see it got implemented: https://forum.netgate.com/topic/120569/oddity-with-viscosity-openvpn

I think his question is already answered here https://forum.netgate.com/topic/136428/setup-multiple-subnets-with-dhcp-question -Rico

Yes. You have to use an extended query so the authentication fails unless the user is a member of that group. Those VPN access permissions have nothing to do with OpenVPN.

Did you set Firewall Rules in the OpenVPN Group tab? -Rico

OK, I've just found the reason. The hiding of the "IPv4 Local networks(s)" edit box is simply because of the selected option "Force all client-generated IPv4 traffic through the tunnel". As soon as that option is deselected the elusive edit box is displayed again.