• Host Route Injection

    2
    0 Votes
    2 Posts
    1k Views
    johnpozJ

    huh??  Why do you want a host specific route?  So what is your vpn tunnel network?  For example mine is 10.0.8.0/24, so yes pfsense has a route to that network via the openvpn interface.

    So client connects and gets an IP in the 10.0.8.0/24 network - so pfsense yes knows how to get to it down the tunnel.  Why would you want/need a host specific route?

  • PIA, PfSense, Plex

    9
    0 Votes
    9 Posts
    3k Views
    W

    I think the best solution is to switch VPN provider. I am Plex Pass member, pfSense user and AirVPN user. Those 3 work pretty well together. AirVPN allows you to setup port forwardings (up to 20) so you basically apply the same concepts you set on routers.

  • FreeBSD ifconfig failed: external program exited with error status: 1

    10
    0 Votes
    10 Posts
    10k Views
    M

    SOLVED!!!!

    Really, thank you!!!

  • OpenVPN and Port Share

    8
    0 Votes
    8 Posts
    3k Views
    G

    See attachments, I have two internal networks: 192.168.5.0/24 and 192.168.6.0/24
    The nginx webserver used in portshare is 192.168.6.2

    OpenVpn1.png
    OpenVpn2.png
    OpenVpn3.png

  • Strange problems with OpenVPN authentication

    7
    0 Votes
    7 Posts
    8k Views
    M

    It didn't help, same problems.

    If the same user tries to connect via a different user, e.g. my user - it's a success, every time on the first attempt. However, yes, with his account/mobile OTP - problem. It's definitely not his PC, as he's able to log in with different accounts from the office, and it's also not a VPN client problem. The only difference is where the OTP is generated, either his mobile or ours.

    EDIT:

    We've found the problem. Starting from the point that he can connect as described above, we knew it's a mobile-related problem. It seems like somehow the time on his phone was ahead, and once I increased OTP Lifetime from 3 to 6 in the freeradius settings he was always able to log in on the first try.

    Thanks for all the help!

  • 0 Votes
    3 Posts
    452 Views
    C

    Thank you Derelict, it works!

  • Openvpn peer to peer (SSL/TLS) multiple site

    1
    0 Votes
    1 Posts
    824 Views
    No one has replied
  • Windows default DNS server, configurable?

    4
    0 Votes
    4 Posts
    1k Views
    M

    @johnpoz:

    the use of multiple dns that can not answer the same questions the same way is a bad idea..

    You can never really be sure which dns will be queried.  Windows uses many different things to figure out which dns is queried, just because you have them listed 1 and 2 doesn't mean that is how it's always going to be queried.

    this is a very common mistake..  The dns you put in your client should be able to resolve the same stuff the same way.  If you want to resolve local stuff then you should point to your server(s) that are authoritative for your local stuff, and have them query or forward to something else that can resolve public stuff.

    Pointing to a local and public at the same time is going to give inconsistent results depending on how exactly the client determines which dns to use.  Once windows for example finds that dns 2 gives answers, when it had an issue with 1 - it's not going to go back to 1 unless there are issues with 2, etc..  Getting a NX for a query does not mean that dns is bad.. how does the dns resolver know it should check its other dns?  what if it gets back soa vs nx.  etc. etc..

    if you need to resolve work stuff, when you vpn to a remote site it's prob best to just create host file entries on your host for what you need to resolve on the vpn side.

    your problem is that you want to resolve 2 different local domains with different name servers that are authoritative for their respective local domains.  your other option would be to run another nameserver, say on your client, that has specific forwards set up for where to go ask for specific local domains, and where to forward when it's not a local domain.

    So you could have a forward on this server that asks work dns when looking for work domains, and the vpn dns when looking for vpn domains, etc.

    But splitting nameservers on your client is never going to function the way users think it does.  And it can also be a leak of dns info, where you're asking the wrong server..  For example the work server might know you're looking for lots of records for some odd local domain.  or if you're asking your vpn for these work domains, it will either try and resolve them directly, which isn't all too bad.  Or maybe it forwards to your ISP dns and now your ISP has records of all these odd queries.  This is only an issue depending on how tight your tinfoil hat is.  But it is another problem with having split dns on a client where the nameservers do not have the same info on them..

    That's true.. didn't think about it that way. Thank you!

  • Openvpn with free-radius - time management and bandwith control

    2
    0 Votes
    2 Posts
    1k Views
    M

    any solution? does anyone use Radius with OpenVPN?  :(

  • Cant access my access point on network, strange tracert

    10
    0 Votes
    10 Posts
    2k Views
    DerelictD

    If you can enter a default route in the static routes, then enter one pointed at the pfSense interface. That would be the preferred method.

  • Cannot Single LAN Website over OpenVPN Connection

    2
    0 Votes
    2 Posts
    538 Views
    J

    Just found this thread after posting.  https://forum.pfsense.org/index.php?topic=111557.0

    Looks like it is the TPLink hardware.  Will refer to the responses there.  There is no access point mode in the router setup on the AC3200 either.

  • Site to site PKI VPN client connection trouble

    1
    0 Votes
    1 Posts
    457 Views
    No one has replied
  • IPhone Verizon IPv6 IP Address = Can't Connect. Wifi IPv4 = Can Connect

    2
    0 Votes
    2 Posts
    476 Views
    M

    push "route-ipv6 ::/0" <= think that fixed it

  • OpenVPN client for vlan only running alongside server

    2
    0 Votes
    2 Posts
    563 Views
    X

    To put things graphically, here's what I want to do:

    _______  <vpn vlan>________ <vm eth0>/
    <gateway interface>---------<
                                                      ________ <local net>________

  • Need help forwarding traffic through VPN

    2
    0 Votes
    2 Posts
    630 Views
    DerelictD

    Yeah. Your walkthrough has the workstation behind pfSense. You have it in a triangle.

    Give the Hyper-V VM an extra NIC as LAN, and connect your workstation to that and try again.

  • Violates tunnel network/netmask constraint

    2
    0 Votes
    2 Posts
    3k Views
    J

    Ok.

    I understand this is due to OpenVPN topology change in new release.

    Now my next question is how do I specify an IP for a client with "Subnet – One IP address per client in a common subnet"?

    I tried to specify the client IP in the same subnet by entering "10.8.1.200/32" into the tunnel network settings for user.cert.name, and I can see the vpn established but traffic is unable to pass through.

    Also with the new topology, can I specify a client's IP in another subnet?

    Thank you.

  • Site to Site plus remote user

    6
    0 Votes
    6 Posts
    2k Views
    M

    Assuming the remote end is allowing ICMP thru and the Backup site machines are running Windows, it's because Windows denies ICMP echo replies to IP's outside of its local subnet by default.  You either have to disable the software firewall or add an exception to the firewall.

  • OpenVPN site-to-site tunnel fails to connect to Ubiquiti EdgeRouterX

    2
    0 Votes
    2 Posts
    751 Views
    M

    Unfortunately, we need more info… and since you are not in control of the remote end, that makes things difficult.  There are a couple of things at play... some of it may depend on the remote end's implementation of OpenVPN.... and the other is that your device is behind an edge router, which means you will need to forward port 1194 (or whatever you have configured) to PFsense and possibly add a static route in your edge router for the PFsense OpenVPN tunnel network.

    So, from my perspective, we need to know if the tunnel is actually being established and there's just a routing issue.... or are we having issues establishing the tunnel itself because of a config mismatch or possibly because of incompatible implementations of openvpn on the two devices.

    What are the logs showing?

  • Client - Server and Site to Site VPN both pointing to the same local LAN

    2
    0 Votes
    2 Posts
    713 Views
    M

    In a routed solution, all subnet ranges on both sides have to be unique.

  • Express VPN setup as open vpn

    4
    0 Votes
    4 Posts
    4k Views
    J

    @daviddst:

    Hi,

    I'm using multiple VPN Express connections on pfSense without issue.

    Configuration sample :
    Server mode : Peer to Peer
    Proto : UDP
    Device mode : tun
    Interface : WAN
    Host : miami-cluster1.expressnetwork.net
    Port : 1194
    TLS Auth / Enable auth of TLS packet : copy/paste OpenVPN Static Key
    Peer Cert Auth : select the OpenVPN CA (needs to be imported)
    Client Cert : select your OpenVPN cert (needs to be imported)
    Enc algo : BF-CBC (128 bits)
    Auth Digest Algo : 160 bits
    Compression : Enabled with Adaptive Compression
    Advanced : fragment 1300

    Good luck ;-)

    Hello,
    I am so happy that you were found on this forum. Please excuse me if I ask you for much, I am not a network or computer guru.
    Can you please provide me with an image step-by-step tutorial in the new pfsense GUI? I am not asking you to show me your internal and external IPs, I just want an example of how it is done.
    Thank you very much for the trouble.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.