• Virtual IP is within my LAN-Net !!??

    2
    0 Votes
    2 Posts
    488 Views
    johnpoz
    "So i'd like to keep the /8 for the LAN (if possible)." For what possible reason would you need such a large mask… Do you have 1.6 million some hosts on this LAN? A /8 makes zero sense on an interface - its only uses would be firewall rules and/or summary routes, etc. Use of such a network means that you will have nothing but issues with vpn clients that are coming from any network using 10.x.x.x address space... Pick a realistic network size.. Love to help you work out whatever issue it is you're having - but setting such a mask is just stupid, and made a new promise to myself not to deal with stupid ;)
  • OpenVPN on Android draining battery. Keep alive setting the way to go?

    3
    0 Votes
    3 Posts
    1k Views
    T
    Hi, you can set advanced parameters in the config screen VPNOpen -> VPNServers -> Edit -> Custom options. There you can add a line like: keepalive 60 300 (ping every 60 seconds, restart after 300 seconds without a reply). Regards, tohil
  • Can't connect to OpenVPN on Pfsense box over WAN but can on LAN

    13
    0 Votes
    13 Posts
    2k Views
    Derelict
    Edit that OpenVPN rule on WAN, set the protocol to UDP, and save it again.
  • OpenVPN 100+ users

    2
    0 Votes
    2 Posts
    595 Views
    jimp
    At that scale, per-user certs are impractical. You can do it, but you'd have to manage them manually. Better to use a central auth setup like RADIUS or LDAP and go with an auth-only VPN. You still have the static TLS key available for an extra factor if you want. Not as air-tight as Certs+Auth+TLS Key but still good and scales a lot better.
  • Site to site and remote access gateway

    3
    0 Votes
    3 Posts
    565 Views
    V
    Assuming you haven't set "Redirect gateway" in the access server settings to force all client traffic over the vpn, add the Atlanta LAN network 192.168.2.0/24 to the "IPv4 Local network/s". On the Atlanta pfSense in the site-to-site settings add the access server's tunnel network 192.168.100.0/24 to "IPv4 Remote Networks". Ensure that the firewall rules on both sites allow the access.
  • OpenVPN Routing Site-to-Site tunnel to Remote Access VPN tunnel

    5
    0 Votes
    5 Posts
    1k Views
    M
    @buomque: Thanks for the info Marvosa! One more question, is there a way to route all available LANs from site-to-site tunnel to Remote Access tunnel? Or pushing each LAN is a more proper way to do? buomque, it depends on what kind of solution you want to end up with. One way to achieve your objective is going full tunnel, but then all traffic is routed down the tunnel. If you want to stay split tunnel, then every subnet you want access to will need to be pushed out to your clients. @drummrman85: If I understand your original post correctly, you appear to have a similar circumstance as mine. I have a main office in NY that is connected to an office in Atlanta via S2S VPN. Users also want to be able to remotely access their network from home and have access to files on both servers. Two questions for you: Is what you described in your original post capable of doing that (that's what it looks like to me)? Can you elaborate on how you achieved this? I understand, conceptually, the need to push to the client, but what exactly were the steps you took? Thanks, I know this thread is a little old, but I'm trying to figure out how to route traffic such that users can connect from home and access files on servers at each office. drummrman85, he may or may not answer, but regardless… I would start a new thread and provide specifics so we can offer targeted guidance based on the details of your network.
  • 0 Votes
    20 Posts
    6k Views
    A
    @jimp: Since you won't post the rest of the certificate it's impossible to say what it means. Read it and see what is there. If it isn't the correct CA, I don't see how it could have ended up in that bundle. It goes by what's set on the server, and it doesn't offer anything to download that doesn't match. I was not trying to be difficult by not posting the rest of my certificate, I was just being cautious.  I generated new Certs and CA's in the Certificate Manager and all works great now!  Thank you for all your help as you pointed me in the right direction!  Now when I download the Viscosity.visc bundle and look at the version of ca.crt it says: Version 3.  Who knows what happened, maybe something during one of my pfSense upgrades as I have not touched those settings in a few years.  Thanks again!
  • OpenVPN - RADIUS - OTP

    4
    0 Votes
    4 Posts
    730 Views
    jimp
    Luckily that's an easy fix then. Update to 2.3.5 or 2.4.3
  • VPN two way communication

    2
    0 Votes
    2 Posts
    537 Views
    JKnott
    Ummm… This board is about pfSense, which runs on FreeBSD and uses pf, not iptables.  Are you sure you're in the right place?
  • Remote IP ping for OpenVPN?

    1
    0 Votes
    1 Posts
    400 Views
    No one has replied
  • 0 Votes
    2 Posts
    613 Views
    jimp
    Hmm, the username from openvpn should be in one of the environment vars it's checking. Open a bug report at https://redmine.pfsense.org/ and we'll take a look at it to see why it isn't getting the username as expected.
  • Problem accessing LAN from OpenVPN

    5
    1 Votes
    5 Posts
    804 Views
    R
    Or it could be a Mac issue. I just tried Viscosity and it has the same issue.
  • OpenVPN Remote Access to IPSec VPN destination

    2
    0 Votes
    2 Posts
    469 Views
    V
    @cmenning: LAN clients can access AWS assets via private IPs using the IPSec tunnel. So you will have set up an IPSec phase 2 between your LAN and the AWS LAN. The same thing is necessary for the OpenVPN tunnel network and the AWS LAN to get access to the remote devices from road-warrior clients. However, I'm not sure if multiple phase 2 are possible on AWS.
  • Problem: Access OpenVPN Clients from LAN?

    5
    0 Votes
    5 Posts
    894 Views
    D
    Yes, it was the firewall. After installing Kaspersky there was "another" firewall manager above the Windows firewall. There I had to add the subnet and add the connection to "Local LAN". Thanks a lot! -demux
  • Common server listening on TCP and UDP

    2
    0 Votes
    2 Posts
    446 Views
    jimp
    OpenVPN itself doesn't support that. You can make a copy of the server and keep everything the same except for the tunnel network and protocol, adjust your WAN firewall rule, and then you can pick either protocol on the client.
  • [SOLVED] Client shared folders not visible

    9
    0 Votes
    9 Posts
    2k Views
    V
    It wasn't a pfSense problem but a FreeNAS one. I was running the OpenVPN client on a jail. Once I used the OpenVPN built into FreeNAS, the problem disappeared.
  • OpenVPN Problem

    2
    0 Votes
    2 Posts
    569 Views
    J
    bump
  • Ensuring against IP leaks - a challenge?

    12
    0 Votes
    12 Posts
    2k Views
    P
    No. I am getting the same IP results with whatismyip.host and other websites such as whatismyip.live. I am using PureVPN and visited both websites. Here are the results: http://whatismyip.live IP results: [image: Screen_Shot_04_19_18_at_03_27_PM.png] http://whatismyip.host results: [image: Screen_Shot_04_19_18_at_03_27_PM_001.png]
  • Network Jumps Pf Sense with OpenVpn

    2
    0 Votes
    2 Posts
    405 Views
    Derelict
    You need to: add all of the remote networks each site should be able to access to the Remote Networks at those sites; be sure the OpenVPN firewall rules pass the necessary traffic into each firewall.
  • RoadWarrior shutdown a shared key infrastructure

    3
    0 Votes
    3 Posts
    540 Views
    periko
    You have shown me that this setup must work and doesn't have any conflict, different instances. jimp, I will jump into the setups, 1 site is not under our management only. I will go deep into the setup and let you know our progress. Thanks. :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.