• Using OpenVPN with Virtual IP Address

    9
    0 Votes
    9 Posts
    5k Views
    C
    Well, I tried to configure OpenVPN using my default WAN adapter. I had some weird issues: I got errors after configuring OpenVPN and the pfSense admin page displayed some filter reload errors. Also, after restart I had no internet connection on my LAN devices. So I took the OpenVPN server down and removed all the firewall rules and did a fresh restart. After that, when I set up OpenVPN again, on the default WAN interface, at least I got it to work. Weird is also the fact that this is almost a fresh installation; I haven't really configured anything. I think this was the issue with the virtual IP also, but I am going to reconfigure OpenVPN when I have enough free time.
  • OpenVPN Client and NAT

    21
    0 Votes
    21 Posts
    5k Views
    I
    All settings are default. The NAT between the LAN-WAN (and OPT1) works as expected. (I use dual-WAN config and Gateway groups.) Packet capture showed the packets with original addresses.
  • Can someone please check my VPN DNS setup

    8
    0 Votes
    8 Posts
    1k Views
    B
    Try viewing this website for the PIA DNS servers: https://helpdesk.privateinternetaccess.com/hc/en-us/articles/219460397-How-to-change-DNS-settings-in-Windows Then go to system > general and add them there, THEN go to services > dhcp server > servers / DNS and add them there. Post again after you have rebooted the pfSense router. I have found adding DNS to the general tab is what causes the leaks. When I use the PIA DNS servers on the actual SERVER DNS it fixes leaks for me. This is for PIA and AIRVPN… I also do not use the DNS forwarding tab; it's disabled. I use the DNS resolver tab. Not a pro, just sharing my experience with my setup.
  • OpenVPN with Device Mode: TAP on PFsense 2.3.4-RELEASE-p1

    2
    0 Votes
    2 Posts
    371 Views
    GilG
    In your tunnel settings for the OpenVPN server: You state that you MUST check "Bridge DHCP" - this is NOT a MUST: I don't check this in my config. I guess it depends on how you want to provision your network.
  • Android client routes all traffic via VPN

    9
    0 Votes
    9 Posts
    1k Views
    GilG
    Did it on iOS - All correct. Re-installed on Samsung & rebooted; all is working correctly. Thanks for your help anyway, it made me go through and check all settings.
  • [SOLVED] S2S Route troubleshooting - can't reach client LAN

    6
    0 Votes
    6 Posts
    794 Views
    N
    I got it figured out after reading a few more articles, and examining firewall logs! In the end, I still needed to do a few things: Create an Outbound NAT entry for the VPN; Create a LAN FW rule to explicitly permit SiteB traffic to VPN Gateway; Fixed VPN FW rule to allow all types of traffic (not just TCP/UDP). Thanks for your feedback guys. It was helpful knowing I was headed in the right direction.
  • PIA OpenVPN IPV6 selective block?

    5
    0 Votes
    5 Posts
    1k Views
    C
    I don't think you read my OP very thoroughly. I pretty specifically laid it all out as to why I want this. It's not a matter of hating on IPV6 or not wanting to ever use it, only that in its current form my privacy and security cannot be protected with IPV6 like it can with IPV4. The second that changes I will be the first to jump on using it but not until then. IPV6 isn't the problem, VPN providers not supporting it is. I think it's pretty self-explanatory.
  • Errors with OpenVPN on 2.4.3

    2
    0 Votes
    2 Posts
    480 Views
    V
    That's a bug in the OpenVPN wizard. It is known and fixed in next release. Edit the OpenVPN firewall rule created by the wizard and set the protocol to UDP and save it. It should work then.
  • How to create an OPENVPN client to TigerVPN

    1
    0 Votes
    1 Posts
    833 Views
    No one has replied
  • Virtual IP is within in my LAN-Net !!??

    2
    0 Votes
    2 Posts
    467 Views
    johnpozJ
    "So i'd like to keep the /8 for the LAN (if possible)." For what possible reason would you need such a large mask… Do you have 1.6 million some hosts on this LAN? A /8 makes zero sense on an interface - its only uses would be firewall rules and or summary routes, etc. Use of such a network means that you will have nothing but issues with VPN clients that are coming from any network using 10.x.x.x address space... Pick a realistic network size. Love to help you work out whatever issue it is you're having - but setting such a mask is just stupid, and made a new promise to myself not to deal with stupid ;)
  • OpenVPN on Android draining battery. Keep alive setting the way to go?

    3
    0 Votes
    3 Posts
    1k Views
    T
    Hi, you can set advanced parameters in the config screen VPNOpen -> VPNServers -> Edit -> Custom options. There you can add a line like: keepalive 60 300 (ping every 60 seconds, restart after 300 seconds without a reply). Regards, tohil
  • Can't connect to OpenVPN on Pfsense box over WAN but can on LAN

    13
    0 Votes
    13 Posts
    1k Views
    DerelictD
    Edit that OpenVPN rule on WAN, set the protocol to UDP, and save it again.
  • OpenVPN 100+ users

    2
    0 Votes
    2 Posts
    563 Views
    jimpJ
    At that scale, per-user certs are impractical. You can do it, but you'd have to manage them manually. Better to use a central auth setup like RADIUS or LDAP and go with an auth-only VPN. You still have the static TLS key available for an extra factor if you want. Not as air-tight as Certs+Auth+TLS Key but still good and scales a lot better.
  • Site to site and remote access gateway

    3
    0 Votes
    3 Posts
    527 Views
    V
    Assuming you haven't set "Redirect gateway" in the access server settings to force all client traffic over the VPN, add the Atlanta LAN network 192.168.2.0/24 to the "IPv4 Local network/s". On the Atlanta pfSense, in the site-to-site settings, add the access server's tunnel network 192.168.100.0/24 to "IPv4 Remote Networks". Ensure that the firewall rules on both sites allow the access.
  • OpenVPN Routing Site-to-Site tunnel to Remote Access VPN tunnel

    5
    0 Votes
    5 Posts
    1k Views
    M
    @buomque: Thanks for the info Marvosa! One more question, is there a way to route all available LANs from site-to-site tunnel to Remote Access tunnel? Or pushing each LAN is a more proper way to do?
    buomque, it depends on what kind of solution you want to end up with. One way to achieve your objective is going full tunnel, but then all traffic is routed down the tunnel. If you want to stay split tunnel, then every subnet you want access to will need to be pushed out to your clients.
    @drummrman85: If I understand your original post correctly, you appear to have a similar circumstance as mine. I have a main office in NY that is connected to an office in Atlanta via S2S VPN. Users also want to be able to remotely access their network from home and have access to files on both servers. Two questions for you: Is what you described in your original post capable of doing that (that's what it looks like to me)? Can you elaborate on how you achieved this? I understand, conceptually, the need to push to the client, but what exactly were the steps you took? Thanks, I know this thread is a little old, but I'm trying to figure out how to route traffic such that users can connect from home and access files on servers at each office.
    drummrman85, he may or may not answer, but regardless… I would start a new thread and provide specifics so we can offer targeted guidance based on the details of your network.
  • 0 Votes
    20 Posts
    6k Views
    A
    @jimp: Since you won't post the rest of the certificate it's impossible to say what it means. Read it and see what is there. If it isn't the correct CA, I don't see how it could have ended up in that bundle. It goes by what's set on the server, and it doesn't offer anything to download that doesn't match.
    I was not trying to be difficult by not posting the rest of my certificate, I was just being cautious. I generated new Certs and CAs in the Certificate Manager and all works great now! Thank you for all your help as you pointed me in the right direction! Now when I download the Viscosity.visc bundle and look at the version of ca.crt it says: Version 3. Who knows what happened, maybe something during one of my pfSense upgrades as I have not touched those settings in a few years. Thanks again!
  • OpenVPN - RADIUS - OTP

    4
    0 Votes
    4 Posts
    685 Views
    jimpJ
    Luckily that's an easy fix then. Update to 2.3.5 or 2.4.3
  • VPN two way communication

    2
    0 Votes
    2 Posts
    517 Views
    JKnottJ
    Ummm… This board is about pfSense, which runs on FreeBSD and uses pf, not iptables.  Are you sure you're in the right place?
  • Remote IP ping for OpenVPN?

    1
    0 Votes
    1 Posts
    387 Views
    No one has replied
  • 0 Votes
    2 Posts
    589 Views
    jimpJ
    Hmm, the username from openvpn should be in one of the environment vars it's checking. Open a bug report at https://redmine.pfsense.org/ and we'll take a look at it to see why it isn't getting the username as expected.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.