  • OpenVPN Newbie connection error

    0 Votes
    12 Posts
    3k Views
    r0utevv3

    Thanks! You are right, that tutorial is wrong. Now it works perfectly!!

  • How do I add my DDNS address to OpenVPN?

    0 Votes
    2 Posts
    657 Views
    V

    In the client export utility select "Other" at "Host Name Resolution" and enter your domain name at "Host Name" below, then export the client config.

  • HOWTO: Pfsense 2.0.1 - OpenVPN Site 2 MultiSite PKI

    0 Votes
    17 Posts
    28k Views
    A

    Hello,

    I followed the steps, everything is clear and working, thank you very much!!
    I have just one problem: is intra-client communication possible?
    Client 192.168.2.1 -----> communication ok with Server 192.168.1.1
    Client 192.168.3.1 -----> communication ok with Server 192.168.1.1
    Client 192.168.2.1 -----> communication not ok with client 192.168.3.1

    Thank you

  • OpenVPN: How to send traffic from server via client?

    0 Votes
    2 Posts
    674 Views
    V

    To direct the traffic for a particular website to the client, you need a route for this site on the OpenVPN server.
    This can be set up with "client specific overrides".

    Add an override, select the server and enter the client cert's common name, then enter a tunnel network that should be used for this client (within the server's VPN tunnel network).
    At "Local Networks" fill in your server site's LANs (it's necessary that at least the source IP of the host which wants to access sites via this VPN is entered here to get the route pushed to the client) and other IPs or networks that the client should reach over VPN, as you did in the server settings, and at "Remote Networks" enter the addresses or networks you want to reach via the client from the server side.
    Set the other options to fit your needs.

    Of course, the access has to be allowed by the client's firewall rules as well as at the server side, and the client's router must also do masquerading for the server site's source network.

  • Stopping internet if there is no openvpn tunnel

    0 Votes
    14 Posts
    2k Views
    K

    @heper:

    that's exactly what that checkbox is supposed to do…

    Do not create rules when gateway is down
    By default, when a rule has a gateway specified and this gateway is down, the rule is created omitting the gateway. This option overrides that behavior by omitting the entire rule instead.

    you just need to make sure that there is no rule above & below it that allows the traffic out a different way

    Thanks, it did work. Just wondering, if I have multiple LANs, what do I need to do to make them work?

  • PfSense VM Guest Can't See Host

    0 Votes
    1 Posts
    491 Views
    No one has replied
  • Port Forward VPN Traffic

    0 Votes
    2 Posts
    4k Views
    Soarin

    I solved it by making a gateway on a dynamic IP and setting up a rule in my LAN that is connected to the gateway to transfer all traffic. Here's my setup:

    Enable your OpenVPN interface (you can rename it)

    Create a gateway with a dynamic IP, I set my monitoring IP to my VPN's tunnel IP

    Go to VPN -> OpenVPN and go to your server's settings and this line

    Go to Firewall -> Rules -> LAN and create this rule (You'll need to click show advanced settings)

    Then you can port forward to that tunneled IP you want to host the server on Firewall -> NAT

    Last you forward is in Firewall -> Rules -> Opt1 (Destination is the tunneled IP)

    Sorry if I missed anything, I hope this helps though, or at least points people in the right direction. The goal was to make the server owner who can't open his ports just log in to my VPN, and then people connect through my IP and they'll join his server, without needing to connect to the VPN themselves.

  • OpenVPN with preshared key

    0 Votes
    5 Posts
    1k Views
    E

    I fixed this problem. It wasn't related to pfSense at all. I was wondering how I can set MTU 1492 only for OpenVPN. I know how to do it using advanced options, but I was wondering if I need to change it in the physical interface used for the connection. Thank you.

  • OpenVPN Client Specific Override for static IPs

    0 Votes
    2 Posts
    2k Views
    S

    I think I may have just had one of those "answered your own question after asking it" moments. In following that guide and others, I was using the net30 option, but I see that is deprecated now and the default is set to use a subnet topology. Looking at my settings, it seems that in the upgrade my config changed to the new default, which I assume would explain it breaking. Since then I seem to have confused myself and have ended up with a net30 config but not with that option selected, so the VPN probably has no idea what is going on.

    I think I'll sleep on it and take another look in the morning, hopefully I've understood that correctly and can fix it. Please let me know if I'm still confused though, in case I'm just going down another wrong track. Thanks.

  • Prevent leaking of IPv6 and DNS

    0 Votes
    5 Posts
    3k Views
    M

    But your hosts are not using DNS through the tunnel, they are using pfSense. pfSense is not sending the resolver traffic through the tunnel, it is just sending it out your WAN.

    Yes, I know, and this is what I want to change. I want the VPN clients (and only the VPN clients) to send their DNS queries down the tunnel to the VPN provider.

    As for IPv6, I only want to prevent VPN clients, as defined by their alias, from getting or using IPv6.

  • How to kill clients from the server side.

    0 Votes
    25 Posts
    7k Views
    B

    Came across this looking after finding that the VPN client (OpenVPN iOS) stayed connected after I disconnected the user connection from Status > OpenVPN by hitting the X next to their connection. I expected the behavior the original post was describing and was puzzled why it not only showed on the client that it was still connected, but also why, after attempting to access a resource located behind the VPN connection, it connected back up and worked. Rather than disabling the account or trying to change the timeout/reconnect options, I found the best way to have this control to disconnect a session is to set up authentication to another directory (LDAP) and filter approval based upon group membership (memberOf). This way one can remove the account from the LDAP group, then click the X to close the client VPN session from the server side. The client then tries to (automatically) reconnect and fails based on authentication. I found that this is the only clean way to have administrative control over the client VPN session apart from disabling the entire user account or disabling the VPN server itself.

    Thanks,

    Brian

  • OPENVPN is broke

    0 Votes
    5 Posts
    2k Views
    jimp

    It's highly unlikely to be a firewall rule problem. If it's getting that far, it's passing through. Check the OpenVPN logs on the client and server for more clues.

  • Make openvpn client

    0 Votes
    7 Posts
    2k Views
    johnpoz

    No, there is no problem with 2.3.1. I use VPN on it every single day, multiple times a day from multiple devices. I cannot recall there ever being any issue with OpenVPN on any build.

    I have never had any issues, even with upgrades multiple times, all the 2.x and 2.x.x builds and now 2.3, no issues. OpenVPN works clickity clickity: run the wizard, grab the config and connect. It really is clickity clickity. If it takes you more than 2 minutes to set up an OpenVPN connection into pfSense, you're doing something at a basic level wrong. Like not going to the right IP. Not using the wizard and trying to use a user cert vs a server cert. Using a port that is not open inbound to pfSense, either from where you're at or by your ISP, or pfSense is behind a NAT at your location and you didn't forward the right port, etc.

    The wizard even creates the firewall rule for you. But if you had created some rules on your WAN that would block before it gets to your open, that could cause problems. Using something like snort might cause you grief if not configured correctly, or pfblock if letting it create rules and those are blocking, or even using its aliases and you misuse them in the rules, etc.

    Or maybe you didn't answer the questions correctly on the wizard for what you're wanting to do, maybe your local networks or remote networks are wrong, or maybe you're at a location where you have the same IP as the network behind pfSense, etc. There are for sure lots and lots of things that could be misconfigured or cause problems, but out of the block it's really click click, OpenVPN server up and running.

    Without details it's impossible for anyone to help you spot the problem. But I can tell you for sure, trying to connect to an rfc1918 address from outside pfSense on the internet somewhere is going to FAIL 100% for sure.

    Not sure what you're doing different if you're saying it's working on 2.2.x but not 2.3. But accessing a 192.168 address from the internet is never ever ever going to work.

  • OpenVPN - New Connection Rate Limit

    0 Votes
    5 Posts
    2k Views
    Pippin

    This is probably OpenVPN's problem.
    There was a discussion about this on the OpenVPN mailing list some time ago.
    Maybe take a look there in the lists archive?

    Regards

  • How to troubleshoot poor vpn performance?

    0 Votes
    3 Posts
    897 Views
    B

    Have you tried doing those same http downloads on the server itself with wget or curl and see how it performs?

  • Allow OpenVPN users through IPSEC VPN

    0 Votes
    2 Posts
    842 Views
    jimp

    No. Changing the IPsec tunnel to accommodate the additional subnet is the best practice.

    If your OpenVPN subnet can be summarized into a larger network with your LAN (e.g. x.x.0.0/24 and x.x.0.1/24) then IPsec could just use a wider mask on your side (e.g. x.x.0.0/23). Check a subnet calculator to be sure.

  • 0 Votes
    13 Posts
    2k Views
    A

    Bump! Sorry, team, for bumping this up…

    But, do need a solution for this.
    Will appreciate any help/pointers/direction of investigation.

    Alok

  • OpenVPN Client Export - feature request

    0 Votes
    2 Posts
    709 Views
    jimp

    https://redmine.pfsense.org/issues/3478

    It would be nice to see, but the way the page was designed (before my time, even), it makes that very difficult to support.

  • OpenVPN as a default gateway

    0 Votes
    2 Posts
    1k Views
    H

    Well, pfSense probably hasn't created NAT rules for the VPN subnet.

    You could manually add them
    or

    you could assign an interface to your OpenVPN: I believe pfSense will add NAT automagically then (don't shoot me if I'm mistaken)

  • OpenVPN default route partially broken in 2.3

    0 Votes
    7 Posts
    2k Views
    C

    Opened bug ticket here.
    https://redmine.pfsense.org/issues/6580

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.