• ExpressVPN (OpenVPN)

    2
    0 Votes
    2 Posts
    3k Views
    Y

    Howdy, Jediah!

    This thread may be able to help: https://forum.pfsense.org/index.php?topic=107415.0

    Good luck!

  • Can't get openvpn to start and stop via cron

    4
    0 Votes
    4 Posts
    3k Views
    H

    You'd need some other script to actually mark the tunnel disabled before calling the stop, and then marking it enabled again before calling the start.

    probably easiest using the developers shell. record a new macro to disable/enable the vpn & then use cron to call that macro

    some clues:
    config snippet when disabled:

    <openvpn-server>
        <vpnid>2</vpnid>
        <disable></disable>
        <mode>server_tls_user</mode>
        <authmode>Local Database</authmode>
        <protocol>UDP</protocol>
        <dev_mode>tun</dev_mode>
    </openvpn-server>

    config snippet when enabled:

    <openvpn-server>
        <vpnid>2</vpnid>
        <mode>server_tls_user</mode>
        <authmode>Local Database</authmode>
        <protocol>UDP</protocol>
        <dev_mode>tun</dev_mode>
    </openvpn-server>

    so basically you're going to need to set/unset the <disable> tag in the xml with something like:

    unset($vpnconfig['disable']);

    or

    $vpnconfig['disable'] = true;

    don't copy paste the above, it needs some work to … uhm work  ;)

    https://doc.pfsense.org/index.php/Using_the_PHP_pfSense_Shell
    checkbox: https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/vpn_openvpn_server.php#L628-L633
    disabling: https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/vpn_openvpn_server.php#L470-L472

  • Connecting to xxxxx config file is failed Windows 10 client 2.3 pfsense

    2
    0 Votes
    2 Posts
    959 Views
    T

    :D I fixed the problem. The problem occurs when you have NPS in Windows Server 2012: you need to ensure that the account's dial-in dialog says "allow access" and not "NPS Policy" in Active Directory. When you change the value, you test with the pfSense authentication option, and it is successful; when you try again with OpenVPN, it works. Remember to install the certificate in the trusted root in Windows Certificates.

  • Can't access branch office LAN via OpenVPN

    3
    0 Votes
    3 Posts
    862 Views
    J

    It works!! thanks

  • Can ping and connect to hosts except .1, the one I need

    6
    0 Votes
    6 Posts
    1k Views
    jimpJ

    You could also switch to hybrid outbound NAT (or manual) and add a rule to NAT outbound on the internal interface from a source of the VPN subnet to a destination of .1, natting to the firewall's address in that subnet. If that works, there is definitely a filter or routing/gateway issue of some sort on .1

  • [Solved] OpenVPN Connection issues

    10
    0 Votes
    10 Posts
    45k Views
    H

    I found the issue. I had some rules that imported from the upgrade to 2.3. They were all incoming rules. 1194 was at the top of the rule stack, but for some reason the other rules had the firewall jacked up. I deleted all the rules and NAT rules. Basically cleared everything out. Cut pure NAT on and re-added all the rules to NAT and the firewall and the VPN connected. I did all this after sniffing the WAN traffic that cmb suggested and saw it hitting the firewall. I can ping the server side subnet from the client. All is well now.

    Thanks for the input guys. This has been a real headache, but a lesson nonetheless. I could prolly instruct my grandmaw on how to set up openvpn now.. over the phone and just waking up with a hangover.    :)

  • Policy Routed Multi-WAN OpenVPN?

    5
    0 Votes
    5 Posts
    1k Views
    T

    OK.  I think OSPF does routing, but not load balancing, though.

    So it sounds like the only way to do this would be to create two separate OpenVPNs on both sides (one for each remote branch WAN), then assign interfaces for them on both sides, and then policy route the traffic through the tunnels on both sides.

    I'm thinking that since the traffic would be policy routed on both sides, neither side would have a routing conflict (even though the same subnets are configured on both OpenVPN tunnels).

  • Accessing remote LAN problems with OpenVPN Site to Site (Shared Key)

    12
    0 Votes
    12 Posts
    10k Views
    B

    @viragomann:

    Since the IP packets come from another network which the destination host has no route for, it sends responses to the default route (gateway).
    As said, you either need a route at site A or do NAT at VPN server.

    I see 3 ways to resolve:

    Add a NAT rule to VPN server which translates the VPN packets source address to its LAN address.
    The disadvantage of this is that any access to the destination host seems to come from the router and you are not able to determine the real source address. If that doesn't matter for your purposes, this will be the easiest solution for you.
    To add the NAT rule go to Firewall > NAT > Outbound, if the router is just for VPN as you said, you can select "Manual Outbound NAT rule generation" and hit save. Otherwise select "Hybrid rule gen".
    Add a new rule by clicking "+" or "Add":
    Interface: LAN
    Source: Network and enter site B's LAN network
    Leave the rest at its defaults, enter a description and save the rule.

    Now source addresses in packets coming from the other site are translated to pfSense LAN address which is in the same subnet as your LAN host, so responses are sent back to pfSense which directs it over VPN.

    That is the best option for me  :) I've tried it out and thanks to your detailed guide I got it to work! I'm so happy. Thank you very much! Finally the clients from Site B can access the shares from Site A  ;D

  • Connection Dropping OpenVPN after 2.3 update

    5
    0 Votes
    5 Posts
    1k Views
    C

    What do you get in the OpenVPN logs at the time?

  • OpenVPN - TAP - OpenVPN needs a gateway parameter

    3
    0 Votes
    3 Posts
    23k Views
    K

    Solved

  • OpenVPN or port forwarding?

    4
    0 Votes
    4 Posts
    2k Views
    johnpozJ

    Yeah I failed to mention I watch my plex server from my phone via just clicking vpn, and then opening up my plex app.. Sure and the hell not going to open up my plex server to the public internet so I can watch something when I want on the road.

    Click click on my phone and there you go watching video/music just like I was on my actual lan..

    I have 1 thing forwarded, that is ntp which I serve to the public as a member of ntp pool.. Anything else you want on my network you have to vpn to get to..

  • Vlan Tag on all connected Openvpn Users

    4
    0 Votes
    4 Posts
    3k Views
    DerelictD

    You cannot put 10.0.0.0/8 on an interface and use 10.100.5.1/24 to give to OpenVPN clients. Those subnets overlap.

    If you, for example, assign the IP address 10.23.56.34/8 to a host on em2 and it has traffic for 10.100.5.1 it is going to think it's on the same subnet and not send the traffic back to the firewall to be forwarded to the OpenVPN client.

    To tag traffic on a pfSense interface, you must first create a VLAN on the interface Interfaces > (assign), VLANs tab, then assign the interface to VLAN XXX on em2 in Interfaces > (assign). Then connect em2 to a switch port or device that expects traffic tagged on VLAN XXX.

  • OpenVPN tunnel

    2
    0 Votes
    2 Posts
    940 Views
    jimpJ

    Make sure the client is getting DNS servers it can reach over the VPN. If the client is still attempting to use ISP-specific DNS servers they would fail when run through the tunnel

  • Contractor VPN

    6
    0 Votes
    6 Posts
    1k Views
    V

    As mentioned above, the contractors should only have access to a single host. So you have to put a firewall rule at the OpenVPN interface to permit only this one destination from the contractors' VPN tunnel.
    If this rule is right in place there will be no access possible to the pfSense GUI.

  • Allowing certain devices to bypass openvpn

    5
    0 Votes
    5 Posts
    1k Views
    T

    thanks i'll give that a go :-)

  • Pfsense 2.3 static client IP

    11
    0 Votes
    11 Posts
    5k Views
    H

    Based on my log, everything seems fine.  :'(

  • Can't get OpenVPN data to other router & Network on LAN

    7
    0 Votes
    7 Posts
    1k Views
    johnpozJ

    Your design oversight steps on a network that is owned by T-Mobile

    NetRange:      172.32.0.0 - 172.63.255.255
    CIDR:          172.32.0.0/11
    Organization:  T-Mobile USA, Inc. (TMOBI)

    It is a really bad idea to use public space that is not owned by you internally.

  • Bridge DHCP default disabled

    1
    0 Votes
    1 Posts
    509 Views
    No one has replied

  • Log filled with repeated message

    3
    0 Votes
    3 Posts
    1k Views
    O

    Thank you.

    I have logs at default and recommended levels.

  • Unable to connect a client to OpenVPN pfsense 2.3

    18
    0 Votes
    18 Posts
    6k Views
    johnpozJ

    Being in different timezones is not a problem..  But having the wrong time while you're in a timezone is sure going to be a problem ;)

    That's why you should always sync off ntp ;)  Which sets your time correctly for the timezone you're in..

    But you still have a really OLD client, why would you not update that… But maybe it's because you're running on a linux distro whose last update was what, 2011?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.