You need outbound NAT rules that match whatever the tunnel network is on the VPN the clients connect to. No idea from the screen shots if that is the case. The comments there say "LAN" https://doc.pfsense.org/index.php/Outbound_NAT You can determine if you are having a DNS issue by pinging something by IP address. https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

Thanks. I got it to work using the latest OpenVPN installer (in place of the PFsense downloaded client) and using the TAP driver installer. I'm pretty sure I had it connecting correctly running as a user, but when I uninstalled/deleted all software and did a reinstall (to ensure I have a working method for client installations) it will only get routes when running as an admin. Anyway this is an OpenVPN problem so I will use their forums for troubleshooting. Thanks for the help.

Okay I've solved my issue thanks to packet capture. My configurations that I posted were perfectly fine and that was the answer I was looking for but instead of getting that help people wanted to play semantics with my words which was completely irrelevant of the question that I asked. In any case I am good now and for anyone trying to set up an Out of Band Management network please follow the configurations that I've posted because they work.

Thanks for the explanation, Clients don't use ns-cert-type server but they have remote-cert-tls server. As OpenVPN server is working just fine even with this "Server: No" certificate, I'll keep it but in the mean time I'm a bit less ignorant now :)

Fixed or worked around.. They are completely different ;) Source natting would not be a fix to me..  That would be a work around.  To me the proper fix for your issues would be correctly setting the firewall rules on your devices to accept the traffic you want to accept.  Or make the choice that devices on network X behind pfsense do not need a software firewall because they trust all the devices on their same network, and devices that are hostile or not trusted are firewall at pfsense. To a nas.  it should have a gateway set if that was your issue.  Or if firewall - same thing goes.  Tricking something into thinking a connection is from the same local lan as it to get around firewall rules and or lack of gateway is a work around if you ask me. Either way glad I could be of help, but if you went the source nat method.  I would would evaluate if that is the best long term fix vs stop gap workaround until proper setup can be used, etc.

@semprini: I was under the impression that username + password + cert = successful login, and username + password + wrong-cert = failed login. Got to the server settings and check "Strict User-CN Matching". Then it should behave the way you want.

As Jimp suggested Im gonna post logs and related data on the thread I previouosly opened for this: https://forum.pfsense.org/index.php?topic=116670.0 Thx

Good catch on the 172.168 helper!!!  I missed that.

@marvosa: … per your screen shots... you currently do not have any clients to export.  You will see client configs available for export after you've added users to PFsense (System -> User Manager -> Users). [image: 5.png] [image: 5.png_thumb]

Hi viragomann, Thanks for your reply. It works, there are no DNS leaks anymore :) !

OK, my bad. What I am trying to do is set up openVPN for access from iPhone (ios) I had it working but with a bunch of questionable errors in the log. I had created my .conf by hand.  I recently read here that the wizard needed to be used to make sure all was properly done. So started over and blew it by choosing peer/peer.  Lesson - don't do this stuff late at night.  :P My mistake was: setting up server for peer/peer tls instead of remote tls. creating a client, not necessary cause export creates it.  Changing server to 'remote tls' and going directly to client export gives me the missing part of the puzzle. Thanks for pointing me in the right direction.

It looks like I might be having a more basic problem.  Attempting to create a basic interface bridge is failing.  Posted on the General category to get help on that. Did you have a procedure you followed for creating the VPN bridge?

I think the bottom line is that for some use cases we need to be able to manage groups at the VPN server level. The preferred solution is to use LDAP but LDAP is not a accessible for everyone. Having a LDAP to manage VPN permission is for a lot of us overkill. It adds complexity, cost, single point of failure etc … A simple workaround would be to install (package) a local LDAP instance on as a Local LDAP. Ideally this would be sync with the backup instance as well.

Yeah. Outbound NAT on WAN. Good deal.

A server certificate has this attribute: Netscape Cert Type:                 SSL Server The following extensions are non standard, Netscape specific and largely obsolete. Their use in new applications is discouraged. idk. See Also: man x509v3_config I am not 100% sure exactly what needs that to be present, but it's not pfSense. Maybe strongswan and openvpn. You will probably find it easier to keep the certificates on pfSense so you can use the client export utility but there is no requirement to do so. You do have to have the CA certificate installed on the firewall so openvpn can validate client certificates against it but you don't need the private key there unless you are going to generate/sign client certificates there. You will need to import the certificate and key parts as the server cert but they do not have to be generated on pfSense.

Fixed it, I had an old firewall rule from something I was experimenting with that was messing it all up. Works great as you suggested I configure it, thank you! If anyone's interested I was able to figure out the DNS leak issue and patch it by reading this thread: https://forum.pfsense.org/index.php?topic=66305.15

Pfsense 2.3.2-p1