@dbennett:

I want only specific IP's listed in an alias to go through the tunnel.  If place a value in the 'Remote networks' box will that cause any issues with traffic leaving the 'Server' site to the WAN?

That just sets the route to the networks behind the client to the clients IP if the connection is up. It will have an private IP range.
Your server cannot reach this network over WAN.
You can also enter single hosts in this fields.

@dbennett:

I created an interface / Gateway for the site to site (S2S) along with an Outbound NAT rule for the Client connection to route through that interface and gateway.  I did the same thing for the S2S Server.  So I should have two OpenVPN interfaces / gateways on the client side; one for that site's server (1194) and for the S2S Client traffic (1195)?

That's alright. However, bear in mind that you have to define your VPN firewall rules on this new interfaces now.

I think here you will find some useful information
https://forum.pfsense.org/index.php?topic=116626.0

Well if your wan IP is rfc1918, then pick other and put in your actual PUBLIC IP..  Do you know what that is?

Is that really confusing for you??  Not sure how this has anything to do with pfsense.. Do you not understand what a rfc1918 address is or that 192.168.x.x is not viable address on the public internet?  Your the admin??

No offense just confused how this is confusing?

Why don't you just ask him? It is not unreasonable in my opinion as scope tends to creep to LAN-side things eventually.

Regarding logging you could turn on logging on the VPN rules. That will log every connection over the VPN. It might be pretty voluminous.

Make him call to get access and enable/disable the account accordingly if that helps you feel better.

With just HTTPS access he can make a VPN/ssh tunnel, etc any time he feels like it anyway. If you don't trust him you're probably using the wrong guy in the first place.

no your openvpn being udp is just the tunnel, what your seeing is blocks inside the tunnel.

Hi Jimp,

I very appreciate your perfect answer, i followed your tipps and now everything is working like a charm, this make my life a lot easyer ;)

Best REgards
Marco

Usually just a setting in openvpn's server config.  I stopped using it for another reason (reload then it wouldn't work again lol).

Dear sir can you explain how did you do it ?
please
many thanks

Ok, this:

if ( ! openssl_pkcs12_export_to_file( $req_cert, "user.p12", $req_key, "" ) )

is the problem. The .p12 produced only contains the user cert - I need to add the CA cert as well.

However, it doesn't look like there's a php openssl_ function to do this - which is probably why the openVPN Client Export Plugin uses:

exec("/usr/bin/openssl pkcs12 -export -in {$ecrtpath} -inkey {$ekeypath} -certfile {$ecapath} -out {$eoutpath} -passout pass:{$eoutpass}");

Yeah how else would you skin that cat? ;)  If you want user X to be allowed access to device at 1.2.3.4, then yeah you need to make sure user X always has IP address 2.3.4.5 so you can allow that via firewall rule..

User Y that gets something other than 2.3.4.5 would not have access..

If you have groups of users that all need same access you could just create different vpn connections so that users A,B and C would always get ips in network 1.2.3.0/24 and you could then create the firewall rules on that network vs specific IP and if you have other group of users that need different access then AB and C then they could be on entwork 1.2.4/24 etc..

You could add

explicit-exit-notify 2

to your client(s) config.
Then you will see in the server log

SIGTERM[soft,remote-exit] received, client-instance exiting

How can these settings i.e "Backend for Authentification" and "IPv4 Tunnel Network" have anything to do with exporting user certificates?

The export wizard tries to limit exposing users for export that cannot possibly log in. If you had Local database selected in the server, had created the user certificate, but did not create the user in the local database, then that user would not be able to log in so the user is not exposed for export.

When you select the external authentication method then all it will check for is the presence of a certificate issued by the Peer Certificate Authority.

More information is needed to help you.

What is the server?

What is the client?

What are the Local and Remote networks on each end?

Where are you pinging from?

Where are you pinging to?

You generally have to specify a specific source IP address (Like the interface address of a network specified as a Local network in the OpenVPN configuration) to ping across an OpenVPN tunnel from the firewall itself so it's pretty unclear what you're actually doing.

You can't, and you don't want to. Read the last post on that thread.

https://forums.openvpn.net/viewtopic.php?f=15&t=12605&sid=c75d657e002504a39d34ae664ddd9ad5&start=60#p49837

Ok, just to confirm the issue was that the ISP device had a hidden 'advanced' setting which did not forward Internet packets by default, as I thought.

Once this was found, and packets forwarded correctly, it worked fine!

Thanks for your input!!

I used a NTRadPing and I could see there was something wrong with the user so I went back and I checked if the user was member of the vpn group on DC and it was not
i forgot to add the user back in to the group after fiddling around in the DC

this guide works

https://community.spiceworks.com/how_to/128944-pfsense-admin-logins-via-radius-using-active-directory-accounts