• [SOLVED] Client certificate private key on server is necessary ?

    0 Votes · 3 Posts · 717 Views

    Thanks !

  • [Solved][Mac] OpenVPN works, Samba over OpenVPN not work

    0 Votes · 14 Posts · 5k Views

    OK, my fault… learned somefink, anyway :-D

  • OpenVPN Half Working From Client Site

    0 Votes · 1 Post · 541 Views
    No one has replied

  • OpenVPN on 2.3.1 struggling

    0 Votes · 2 Posts · 853 Views
    jimp

    The config you state doesn't agree with the behavior you describe. With shared key, the server cannot push a route to the client side, so putting a "local network" on the server settings does nothing. You have to put that route in the client side Remote Network box. If that isn't working, there must be something else already defining that route. Either that, or you aren't really set for shared key, but SSL/TLS, in which case you could be missing an override with a remote network/iroute statement.

    It would appear from what you observed in the routing table that the client has a route for the server's LAN, but if that's the case, you can't be using shared key.

  • Difference between hash functions?

    0 Votes · 1 Post · 577 Views
    No one has replied

  • [SOLVED] OpenVPN issues with 2.3.1

    0 Votes · 6 Posts · 7k Views

    Thank you. Somehow I changed my user cert to the server cert.

    Now Working

  • Central Certificate for VPN clients?

    0 Votes · 2 Posts · 1k Views
    johnpoz

    Your central CA could be your AD, one of your pfsense firewalls, some public or any other CA you want to use.

    A central CA for all certs you sign is a good idea, be it user certs for OpenVPN, AD, internal websites, etc. More than likely this should end up being the one you use for AD, most likely the MS built-in one.

    The only certs you really need from a public CA are ones that will be used by the public with machines that you do not control and that cannot trust your own internal CA. If you have a website that is accessed by the public, then you need to use a public CA that users' browsers auto-trust. If the site or VPN is only accessed by your machines, or by users that you can give the CA cert to trust, then internal works great, and centralizing that makes for easier management and control.

    Using the CAs on pfSense does make it easy, and the interface is pretty clean. But if you're going to manage lots and lots of certs it might get a bit hectic. If it was me, I would most likely leverage the AD CA, since you pretty much use that for all your machine certs as they join your domain anyway. Might as well just leverage it for all your internal-use certs.

  • 2.3.1 OpenVPN start up - "Socket bind failed - Address already in use"

    0 Votes · 3 Posts · 5k Views

    Update:
    The problem only occurs when the OpenVPN servers are listening on the WAN CARP VIP. If I set them to listen on an internal CARP VIP all servers and daemons start smoothly. I've tested it with 2 other CARP VIPs a couple of times, no failure.

    The WAN interfaces of the 2 pfSense boxes are connected to the WAN switch, which is also connected to the ISP's modem; there are no other devices there.
    CARP works without an issue.

    So what could be wrong with the WAN CARP VIP?

    Now I let the servers listen on an internal VIP on OPT2 on both master and backup, and I forward the OpenVPN ports from the WAN VIP to it. Now there is no fault at start up.

  • Openvpn setup on PIA vpn service please help

    0 Votes · 11 Posts · 2k Views
    johnpoz

    No, not PFM, simple networking. Again, without you posting what you did, it's impossible to know what you had missed. Maybe the guide font was too small and you were missing half of the steps?

    Glad you got it sorted, but how are you a retired tech and don't know how to ask a support question and post what you did? What pages to post? How about the pages you edited via the guide?

    Good luck with your router and VPN that you believe is PFM… that is not a good sign of success when you don't understand how the tech you're using and managing works. It's OK if the users think it's PFM, but the person with the hand on the controls needs to have a little more understanding than "I clicked on some shit and now it's working".

  • OpenVPN Site to Site - No pings

    0 Votes · 4 Posts · 1k Views

    Yup, that did it.

    I went ahead and added a static route to both pfSense boxes, forcing their destination network through the appropriate GW. At least right now, my office can ping and hit endpoints on the client's side. I cannot yet ping my office from the client's side. That may be due to a pending reboot though.

    For whatever reason, that seems redundant to me. But I guess you're saying that if the pfSense box is behind another router, then that sort of thing needs to happen? Otherwise, if both boxes were up against the public IP/modem, that static routing would not need to occur?

    Thanks again for a nudge in the right direction.

    Now to clean up my mess, and work on DNS passing through.

    -Chrisso

  • OpenVPN - Viscosity Mac - Dropping Connection

    0 Votes · 3 Posts · 2k Views
    Derelict

    Dropping connections every minute usually means you are connecting from two different clients and have not configured the server to accept connections from multiple clients with the same credentials.

  • Automate openvpn client configuration

    0 Votes · 1 Post · 608 Views
    No one has replied

  • OpenVPN Client Export

    0 Votes · 9 Posts · 7k Views

    Bingo. That's what I needed. I had configured it from a tablet while trying to troubleshoot and must have set it to SSL/TLS + User Auth; switching it back brought back the client export list.

    Thanks,

  • Open VPN over cell connection - should web traffic work?

    0 Votes · 5 Posts · 1k Views

    One more thing to mention: if you assign your VPN clients IPs from a subnet which is different from your LAN, you will need a separate NAT rule to allow this traffic to leave your pfSense box.

  • DNSBL through OpenVPN

    0 Votes · 4 Posts · 1k Views
    johnpoz

    In the future there is no need to hide or try and obfuscate your local address space (RFC 1918), i.e. 192.168/16, 10/8, 172.16/12.

    We all use the same addresses; it does not route on the internet. If I tell you I use 192.168.9.0/24, my machine's address is 192.168.9.100 and my VPN clients use 10.0.8/24 as their tunnel, it doesn't give away anything at all that could be used to find you or know who you are, etc. etc.

    To me hiding it does 2 things: it makes it harder to understand, so can't help, and the 2nd thing is it makes me think the person posting is not the brightest bulb in the pack when it comes to networking. Should prob talk to them like they are 3 going on 4 years old and had a hard time in preschool with learning their colors ;) heheheeh You know, the kid sitting in the corner drooling, eating glue.

  • OpenVPN for VLAN

    0 Votes · 3 Posts · 2k Views
    johnpoz

    Yes, it's called policy-based routing. You're going to want to make sure you don't pull routes from the VPN client connection on pfSense, and then just create firewall rules to send whatever traffic or devices you want down the pfSense client VPN connection.

  • OpenVPN per user IP

    0 Votes · 2 Posts · 774 Views

    I've solved it. In the common name I use the username from Active Directory, and in the advanced config, ifconfig-push. It works with or without a user certificate.

  • OPENVPN + MTOP is not normal login bug

    0 Votes · 6 Posts · 946 Views

    I manually start FreeRADIUS, but OpenVPN + MOTP still does not log in.

    So I use this method again:

    click Services -> FreeRADIUS -> Users,

    find the user that cannot log in, click "edit this item", do not change anything and click "save",

    then log in again, and the MOTP login is OK.

    So the FreeRADIUS MOTP has a bug.

  • [RESOLVED]Directed to local router instead of my pfSense

    0 Votes · 3 Posts · 886 Views

    Thank you for your reply, and for providing me with a recommendation. Sorry if my post was a little confusing at first. Originally I thought of this but wasn't completely sure, as I have felt that even on a network with the same private IP range as my local home network, tunneling through the VPN still worked for me. I wanted to see if there was something else to try, as changing my local home network would require me to edit all the static IPs I've created :'(

  • Using OpenVPN with my local network

    0 Votes · 1 Post · 619 Views
    No one has replied

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.