• Using pfSense to public IP a 3G network

    0 Votes | 2 Posts | 576 Views
    Cellular ISPs do carrier-grade NAT within their network. Cell connections are generally not on connectable public IPs. You shouldn't need any NAT on your side to get a site-to-site connection working. More like:
    a) pfSense VM as OpenVPN server, peer-to-peer, on a regular fixed connection (fibre/cable/DSL). Can be with a public IP (bridge mode), or port 1194 UDP forwarded from the ISP-side router.
    b) pfSense router behind a 4G connection, as OpenVPN client, peer-to-peer.
    b) connects to a), and maintains the connection, over 4G, 3G, whatever. You can access all of b)'s network from a), or even do a NAT port forward on pfSense a) to any b) address.
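Added example, not part of the post above and not pfSense code: a small Python helper that turns the advice into a repeatable check. Given the address on each site's WAN interface and the source address the far side actually sees it arrive from, it classifies the WAN (public, your own NAT, or carrier-grade NAT in the RFC 6598 100.64.0.0/10 range) and picks which site must be the OpenVPN server. The site names, the documentation-range addresses (203.0.113.x, 198.51.100.x) and the `port_forward` flag are constructed for the example; the logic is IPv4 only.

```python
import ipaddress

# RFC 6598 shared address space: what a carrier-grade NAT hands out to cell customers.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges: behind a router you control, so 1194/udp can be port-forwarded to pfSense.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(local_wan: str, observed: str) -> str:
    """Classify one site's WAN from two facts you can read off directly.

    local_wan: the address on the pfSense WAN interface (Status > Interfaces)
    observed : the source address the far side sees this site arrive from
               (e.g. in the remote OpenVPN server's log)
    Returns 'public', 'nat' (translated by equipment you control) or 'cgnat'.
    """
    wan = ipaddress.ip_address(local_wan)
    seen = ipaddress.ip_address(observed)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "nat"
    if wan == seen:
        return "public"
    # Global-looking address that is still rewritten upstream: nobody on your side can
    # forward a port to it, so treat it exactly like carrier NAT.
    return "cgnat"


def can_accept_inbound(site: dict) -> bool:
    """True if a remote peer can initiate a connection to this site's OpenVPN port."""
    kind = classify_wan(site["wan"], site["seen"])
    return kind == "public" or (kind == "nat" and site.get("port_forward", False))


def choose_roles(site_a: dict, site_b: dict) -> tuple:
    """Return (server_site, client_site) names.

    The side that can accept inbound traffic runs the server; the other side dials out
    and keeps the tunnel up, so no NAT is needed on the cellular side at all.
    """
    if can_accept_inbound(site_a):
        return site_a["name"], site_b["name"]
    if can_accept_inbound(site_b):
        return site_b["name"], site_a["name"]
    raise ValueError("neither site is reachable from outside; both would need a third, public host")


if __name__ == "__main__":
    # Constructed sample: fibre office on a (documentation-range) public address, 4G site on CGNAT.
    office = {"name": "office", "wan": "203.0.113.10", "seen": "203.0.113.10"}
    remote = {"name": "4g-site", "wan": "100.65.12.34", "seen": "198.51.100.7"}
    print(classify_wan(office["wan"], office["seen"]), classify_wan(remote["wan"], remote["seen"]))
    print(choose_roles(office, remote))
```

A 4G site whose WAN address sits in 100.64.0.0/10 can only ever be the client; if both ends come out that way the function refuses rather than suggesting a port forward that cannot work.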
  • What Now?

    0 Votes | 8 Posts | 1k Views
    No worries, I'm glad it worked out!
  • 0 Votes | 4 Posts | 23k Views | emammadov
    Thank you very much for your help.
  • I want to communicate pfsense A to pfsense B

    0 Votes | 6 Posts | 1k Views | Derelict
    OpenVPN is routed, IPsec traffic selectors are in the kernel.
    You can policy route into OpenVPN, not so with IPsec. Along those lines you can forward traffic from the internet over OpenVPN to a target host and get the benefit of reply-to for the reply traffic. Not so with IPsec.
    IPsec generally performs faster than OpenVPN.
    You generally don't have a lot of interoperability issues with OpenVPN. IPsec, particularly IKEv1, can be, umm, challenging.
    That's my short list of important differences.
  • My phone seems to connect to PFsense ipv6 and won't work

    0 Votes | 5 Posts | 1k Views
    I figured out the problem guys, if anyone is interested. I guess my wireless carrier is utilizing some IPv6. In the APN settings on my cell phone, it was set to IPv6/IPv4. As soon as I set it to IPv4 only, my VPN started working as normal over the cell network. It may be a band-aid solution but at least it is all working now.
  • Mobile Client. Only first user can access.

    0 Votes | 2 Posts | 629 Views
    I think I found the solution for my problem. I checked the two users which I used for testing and noticed that the CN in both user certs was the same. So I changed one of the CNs and since then everything works fine.
  • That damned Foscam iOS App… (OpenVPN tun problem)

    0 Votes | 16 Posts | 4k Views
    @panz: Yes, but my Foscam cameras are on a different and physically separated interface; the reason is: the Foscam (and Dahua) "disable p2p" function on the GUI doesn't disable it at all, so I put them on a different network (different from my "trusted" LAN). I'm no IT guy at all, but I kind of thought that one of the reasons we use pfSense is because it is versatile enough to work around shitty implementations like Foscam. By that I mean, why does it matter if the GUI for the webcams doesn't work? pfSense automatically blocks anything you don't write a rule to pass, and you can assign static IPs to your cameras and write rules specific to your webcams. So even if you specifically configured your cameras to make all of your feeds available to the world, if pfSense doesn't let that traffic out, it isn't going anywhere. You can even log all of the traffic on your webcams if you wanted to. Basically, is it really necessary to isolate the webcams on their own subnet? It seems like an extra, unnecessary step that is complicating things.
  • OpenVPN server

    0 Votes | 2 Posts | 703 Views
    You need a static public IP, or a DDNS service if your IP is dynamic, to get a static host name. Setting up the VPN server is self-explanatory when using the wizard: VPN > OpenVPN > Wizards
  • OpenVPN Routing Issue? (FreeBSD route add command failed)

    0 Votes | 15 Posts | 5k Views
    Hub and spoke from the perspective of one running an OpenVPN server and a bunch of clients only works with SSL. Hub and spoke from the perspective of many external places connecting back to one datacenter can be configured with shared key, but you'd need to set up a different OpenVPN server for every client. Which is why I didn't want to go down that path. The client override only applies to certificates that exist in the certificate manager, whether imported from somewhere else or created internally.
  • 0 Votes | 8 Posts | 3k Views
    UPDATE: I notice odd things happening with my network (like local pings being routed outside my network) after routing each interface down different gateways. I have since improved my firewall rules so that ONLY protocols like DNS and HTTP are allowed to route directly out through their assigned gateway. I've included an example rule list picture. Note that I set up the same rules as in the image on the OPT1 interface. I also had to set up a network bridge between the OPT1 and LAN interfaces. Now me and the kids can play Minecraft on the local network again!!!
    ![Firewall Rules.PNG](/public/imported_attachments/1/Firewall Rules.PNG)
  • Route traffic through a pfSense VM running an OpenVPN server behind NAT

    0 Votes | 6 Posts | 2k Views
    It seems that there is something messed up in your ISP router. It translates the source address of incoming packets to its WAN address?? :o That's not normal behavior. Some routers may translate the source of all incoming traffic to their LAN address, but WAN? Also very strange, or a great accident, is the exactly same source port on both connections. In the capture from the external connection attempt you can see the response packets from pfSense sent out to the WAN address. But obviously the router doesn't forward them.
  • Problem with tap tunnel to VMware App

    0 Votes | 2 Posts | 562 Views | JeGr
    Anyone perhaps able to tell, if this (LAN 2 LAN connect) is possible at all in this setup?
  • Internet access only when OpenVPN stopped

    0 Votes | 3 Posts | 651 Views
    Some more playing around and I seem to have sorted it. DNS leak test performed and successful, Snort installed and working as far as I can tell... just need to work out my poor speeds...
  • 0 Votes | 3 Posts | 1k Views
    Hi marvosa. So let me preface with that I am running pfSense virtualized, under Proxmox. I also have 2 pfSense instances in a CARP, but I'm currently just trying to set up OpenVPN on the primary so I don't think the fact that I'm running in a CARP pool is relevant (could be, I suppose). The physical hardware running these pfSense instances will eventually be going to colo, but I'm trying to get them set up on my local network first to configure (then just change WAN IPs and ship it to the colo). So let me try to explain my network setup.
    MY LAN: 172.16.1.0/24
    COLO WAN (VLAN on my real LAN): 172.16.2.0/24
    COLO internal LAN: 10.10.10.0/24
    COLO internal VPN: 10.10.0.0/24
    pfSense WAN IP: 172.16.2.26 (CARP VIP to 172.16.1.28)
    pfSense LAN IP: 10.10.10.251 (CARP VIP to 10.10.10.254)
    I have a CentOS instance at 10.10.10.250, on my colo internal LAN. From this box, 10.10.10.250, I can access the internet... so that means that pfSense is routing traffic out 172.16.2.26, through my real firewall, out to my real WAN. On my real firewall, I am NAT'ing UDP/1194 to my pfSense WAN IP, and I'm able to connect to the OpenVPN instance running on pfSense. So..
```
WAN <--> pfSense WAN/172.16.2.26 <--> pfSense LAN/10.10.10.251 <---> LAN/10.10.10.0/24
                                                                      |
                                                                      --> VPN/10.10.0.0/24
```
    [2.3.2-RELEASE][admin@fw01.colo01.<redacted>]/var/etc/openvpn: cat server1.conf
```
dev ovpns1
verb 8
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 172.16.2.26
tls-server
server 10.10.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'fw01.colo01.<redacted>' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 4
push "route 10.10.10.0 255.255.255.0"
push "dhcp-option DOMAIN <redacted>"
push "dhcp-option DNS 10.10.10.254"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
topology subnet
```
    Does all that make sense?
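Added example, not from the post above and not pfSense or OpenVPN code: a Python audit that parses a pfSense-generated OpenVPN server config such as the `server1.conf` posted here and reports the settings a reviewer looks at first. It also explains the "Mobile Client. Only first user can access." thread above: without `duplicate-cn`, a second client presenting the same certificate CN replaces the first session, so two users sharing a CN kick each other off. The embedded configs are constructed for the example (a trimmed copy of the posted file, and a deliberately weak counterpart); the severity labels and the weak-cipher lists are this example's own choices.

```python
import shlex
from collections import defaultdict

# Values this audit treats as weak; spelled as OpenVPN spells them.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_AUTH = {"MD5", "SHA1", "NONE"}


def parse_openvpn_conf(text):
    """Map directive -> list of argument lists (push, route etc. may repeat)."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # OpenVPN comments start the line
            continue
        tokens = shlex.split(line)         # keeps quoted push/script arguments together
        conf[tokens[0]].append(tokens[1:])
    return conf


def audit(conf):
    """Return (severity, directive, message) tuples for an OpenVPN server config."""
    out = []
    first = lambda d: conf[d][0] if conf.get(d) else None
    if not any(d in conf for d in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        out.append(("high", "tls-auth", "no control-channel key: unauthenticated packets reach the TLS stack"))
    c = first("cipher")
    if c and c[0].upper() in WEAK_CIPHERS:
        out.append(("high", "cipher", f"weak data-channel cipher {c[0]}"))
    a = first("auth")
    if a and a[0].upper() in WEAK_AUTH:
        out.append(("high", "auth", f"weak HMAC {a[0]}"))
    if "user" not in conf or "group" not in conf:
        out.append(("medium", "user/group", "daemon keeps root privileges after startup"))
    if "client-to-client" in conf:
        out.append(("medium", "client-to-client",
                    "clients reach each other inside the daemon, bypassing firewall rules on the OpenVPN interface"))
    if "duplicate-cn" in conf:
        out.append(("medium", "duplicate-cn", "one certificate may be shared; revoking it drops every user of it"))
    else:
        out.append(("info", "duplicate-cn",
                    "absent: a second client with the same CN replaces the first (symptom: only the first user "
                    "can connect); give each user its own certificate"))
    v = first("verb")
    if v and int(v[0]) >= 5:
        out.append(("low", "verb", f"verb {v[0]} logs per-packet detail, not for production"))
    s = first("script-security")
    if s and int(s[0]) >= 3:
        out.append(("low", "script-security", "level 3 passes client passwords to scripts via the environment"))
    return out


# Constructed sample 1: trimmed copy of the server1.conf posted above.
PFSENSE_CONF = """\
dev ovpns1
verb 8
dev-type tun
#user nobody
#group nobody
script-security 3
proto udp
cipher AES-256-CBC
auth SHA512
local 172.16.2.26
tls-server
server 10.10.0.0 255.255.255.0
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
lport 1194
max-clients 4
push "route 10.10.10.0 255.255.255.0"
push "dhcp-option DNS 10.10.10.254"
client-to-client
tls-auth /var/etc/openvpn/server1.tls-auth 0
topology subnet
"""

# Constructed sample 2: old Blowfish cipher, SHA1 HMAC, no tls-auth, shared certificates allowed.
WEAK_CONF = """\
proto udp
cipher BF-CBC
auth SHA1
user nobody
group nobody
server 10.8.0.0 255.255.255.0
duplicate-cn
"""

if __name__ == "__main__":
    for name, text in (("pfSense server1.conf", PFSENSE_CONF), ("weak example", WEAK_CONF)):
        print(name)
        for sev, directive, msg in audit(parse_openvpn_conf(text)):
            print(f"  [{sev}] {directive}: {msg}")
```

On the posted file the audit reports nothing at "high": `tls-auth` is present and AES-256-CBC/SHA512 are fine. What it does flag is worth knowing about: `client-to-client` means tunnel peers talk to each other without passing the firewall rules on the OpenVPN interface, the commented-out `user`/`group` keep the daemon as root, and `verb 8` with `script-security 3` is a debugging setup rather than a production one.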
  • Site-to-Site-OpenVPN: Hostname Resolution of the Remote Clients

    0 Votes | 10 Posts | 4k Views
    Hey, okay, you're right... The more sites are added to the VPN, the more complex it becomes because each site has to be configured separately... So I started reconfiguring it from scratch. So I started trying it again... First, to answer your questions:
    How are you testing? (from where, to where, what are you trying to look up?)
    I was testing from a Windows computer at each site. At each site, the computer is in the same subnet as the pfSense router.
    What are the configured DNS servers on the host you are testing from?
    When looking at System -> General Setup of both pfSense boxes, no additional DNS servers are provided. All DNS server input fields are empty. However, there is a checkmark at "Allow DNS server list to be overridden by DHCP/PPP on WAN". When typing "ipconfig /all" at any Windows computer, the pfSense IP address is configured as DNS server (e.g. 192.168.1.1).
    What are the search domains configured on the host you are testing from? etc.
    On the Windows computers, the option is set to receive the DNS server list automatically (DHCP enabled). There are no additional DNS servers entered in the adapter settings of the ethernet controller. This means the only DNS server a computer from subnet 192.168.2.0/24 is using is the pfSense box 192.168.2.1. Computers in the subnet 192.168.1.0/24 are using pfSense box 192.168.1.1 as DNS server.
    When being at the remote site and trying to access the pfSense box of the main site, pfsense.garden.tld, I have the impression that the local pfSense router is asked "what's the address of remote/main site pfsense.garden.tld", but the local pfSense doesn't know about it? The Windows command prompt shows:
```
C:\Users\Administrator>ping pfsense.garden.tld
Ping request could not find host pfsense.garden.tld. Please check the name and try again.
```
    For testing purposes, at the remote site, I don't have any host override configured right now.
    The only thing I configured at the remote site is a domain override with the following parameters:
    Domain: garden.tld
    IP address: 192.168.1.1
    Source IP: 192.168.2.1
    At the main site I have configured a Domain Override and a Host Override.
    Domain Override:
    Domain: domain-of-remote-site.tld
    IP address: 192.168.2.1
    Source IP: 192.168.1.1
    Host Override:
    Host: pfsense
    Domain: garden.tld
    IP address: 192.168.1.1
    According to https://forum.pfsense.org/index.php?topic=98198.0 it should even work without entering host overrides and just using domain overrides... All Windows computers on each site are using the pfSense router in the same subnet as DNS server - however, pfSense doesn't know about the remote hostnames - although domain overrides are configured!
    EDIT: I changed my config from DNS Forwarder to DNS Resolver. I only have domain overrides (no host overrides) and it seems it's finally working now! Cool :) Thanks for your help so far! That's extremely nice when I don't have to configure host overrides! :)
  • Openvpn tap bridge issue

    0 Votes | 4 Posts | 855 Views
    https://www.reddit.com/r/PFSENSE/comments/3hql33/configuring_openvpn_bridge_with_local_dhcp/
  • OpenVPN TAP Bridging with LAN

    0 Votes | 3 Posts | 7k Views
    I'd guess you have to bridge the tap interface to the LAN. I think that was a change in 2.3, so the old guide doesn't work: https://www.reddit.com/r/PFSENSE/comments/3hql33/configuring_openvpn_bridge_with_local_dhcp/
  • OpenVPN TAP, pfsense not acting as gateway, any way to get lan access?

    0 Votes | 3 Posts | 1k Views
    I'd like to use TAP for a Steam Link. Broadcasts don't need a gateway. Also you can push a default gateway via push "route-gateway 10.80.0.250" in your custom settings area. I haven't had much time to mess with tap mode, but I know Chromecast isn't working, another local broadcast type app.
  • OpenVPN client unable to connect

    0 Votes | 6 Posts | 2k Views
    Thanks for the suggestion. But I take that as more of a workaround than solving the problem. It also doesn't resolve the issue where the port the client is connecting with is not what the server is responding to.
  • OpenVPN with non-default gateway

    0 Votes | 2 Posts | 789 Views
    This is a simple user access VPN, not a site-to-site.
    Internal IPs are 192.168.10.X
    pfSense is 192.168.10.254
    Cisco is 192.168.10.1
    pfSense gives out 172.30.30.X addresses to VPN
    I can access 192.168.10.254 via VPN when connected. My IP address is 172.30.30.2 when connected. Now that the office is 'waking up' I do get some DHCP addresses; the two internal printers are both pingable, but I cannot print to them. Says it's offline. Although the Redirect Gateway option is specified, "Force all client generated traffic through the tunnel", when I connect I don't see it:
```
Connection-specific DNS Suffix  . : corp.com
Link-local IPv6 Address . . . . . : stuff
IPv4 Address. . . . . . . . . . . : 172.30.30.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
```
    I can trace a route to a printer, for example, but not connect:
```
Tracing route to HPOJ8600.corp.com [192.168.10.100]
over a maximum of 30 hops:

  1    22 ms    19 ms    24 ms  172.30.30.1
  2    28 ms     *       21 ms  HPOJ8600.corp.com [192.168.10.100]
```
    Which makes me think I'm missing some allow rules, but the wizard added the following rule:
```
3/10 KiB  IPv4 *  *  *  *  *  *  none  OpenVPN Remote user access wizard
```
    Do I need to add allow rules from 172.30.30.x to 192.168.10.x and vice versa?
    == John ==
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.