  • PFSense push LAN routes as OpenVPN Client

    4
    0 Votes
    4 Posts
    2k Views
    M

    Much like cmb already mentioned, why wouldn't you just define your routes on the server side?

  • Protecting private keys on OpenVPN server using a TPM?

    16
    0 Votes
    16 Posts
    9k Views
    johnpozJ

    "is pretty much standard for things like bank inter branch vpn's, hospitals, data-centers etc."

    No, no, it's not… We have a fairly large hospital as one of our customers that I support.  No, they do not have any sort of TPM storing the vpn keys, be it the remote users coming in, nor to any of the vpn connections between their branches and the datacenter or between each other.

    We also have multiple DCs across the country and the globe, I can tell you that no there is not any TPM storing any of the server keys.  And to be honest I am not aware of any customer even doing it for their remote users, etc..

  • Routing single computer to vpn network

    14
    0 Votes
    14 Posts
    4k Views
    J

    Thanks! Works like a charm. I did the NAT solution but will maybe do the other one later on.

  • IOS Client timeout - Tunnelblick working

    4
    0 Votes
    4 Posts
    1k Views
    T

    Anyone?

    :(

  • 0 Votes
    4 Posts
    962 Views
    C

    If you don't know what captive portal is, then you probably don't have it enabled. But check Services>Captive Portal. That would intercept web requests. If that's not enabled, what output do you get on the FreeBSD machine for "host pkg.freebsd.org"?

  • Forwarding CIFS/SMB from OpenVPN Client

    3
    0 Votes
    3 Posts
    1k Views
    johnpozJ

    While sure that would be possible, I see that service also provides webdav via ssl, wouldn't that be an easier solution?  And faster?  SMB performance over wan with latency is normally horrific..

  • Setup OpenVPN Remote Access [Close]

    3
    0 Votes
    3 Posts
    1k Views
    H

    Omaigad.. Thank You Very Much. I understand a bit now. ;D ;D ;D

  • OpenVPN status UP, but can not ping

    13
    0 Votes
    13 Posts
    3k Views
    V

    The NTP service will not relate to this issue.

    Let's go to troubleshooting. Take a packet capture (Diagnostic menu > Packet Capture). At server and client select LAN interface and at Protocol ICMP and hit start below. Then start the ping.
    If you see nothing at one site, select OpenVPN interface and repeat it.
    Post the output.

  • [SOLVED] vpn client failing to validate server certificate

    8
    1 Votes
    8 Posts
    15k Views
    D

    I understand that it will get blown away and that manually editing it was the wrong thing to do but I was missing something in the GUI that meant I couldn't get it to work. This, and software upgrades are the only changes I've made in the last year and as I've now got a copy of the working files, after the next upgrade, if things do break, I can put them back.

    I tried putting a chained cert in the CA cert and it didn't work, does the order of the certificates in the file matter? It may also be that the restart didn't work correctly or it needed a reboot after the change to make things work.

    I'm not blaming pfSense here, I'm sure it was probably something I messed up in replacing the certificate. If I get a chance I'll try again with a chained cert as the CA and update with the results.

  • Certificate import error?

    7
    0 Votes
    7 Posts
    2k Views
    C

    You'd have to mess with base64. Could you send me a copy of the certificate file? No need for the key portion, and the cert on its own isn't usable for anything.

  • WAN/DHCP affects OpenVPN and gets it out of sync in the web gui

    3
    0 Votes
    3 Posts
    1k Views
    H

    @cmb:

    With it bound to 443, do you have your GUI bound to something other than 443? That might be one reason.

    I'm guessing though it's the issue where OpenVPN writes out the wrong PID in its PID file. What's in your /var/etc/openvpn/serverX.pid file and what is the actual PID of OpenVPN instance that's running? where serverX probably == server1, but could be some other number depending on how many you have and have had in the past.

    I switched the webgui port to 1234 before I created the OpenVPN service. It works fine now since I rebooted it and was quickly able to get back an IP from DHCP.

    It's weird how it got into that state… The openvpn daemon was definitely running (even though it was reported stopped) and I was able to vpn in from the internet once I got an IP.

    The pid file explanation makes sense. I'll try it again in a few days so I can get it in that state again and report back. Thanks for your insight.

  • OpenVPN: How to not allow WAN traffic?

    6
    0 Votes
    6 Posts
    2k Views
    M

    You essentially have two options:

    Configure a client specific override for that one user and each future user with the same situation

    Configure a 2nd OpenVPN server… one full tunnel and one split tunnel.  Then just export the split tunnel package when needed

    From a management overhead standpoint, I think option#2 makes more sense.  This is also the solution that I've implemented.

  • Does openVPN client support updating the resolv.conf ?

    4
    0 Votes
    4 Posts
    1k Views
    C

    Very rarely desirable to do that when the firewall's a client is why it's sat there forever with no movement. It's not hard to add to ovpn-linkup if you want to do so.

  • Openvpn performance issue

    2
    0 Votes
    2 Posts
    860 Views
    H

    Just run a speedtest through it with iperf.

  • 0 Votes
    18 Posts
    4k Views
    johnpozJ

    So you're going to have multiple machines on GCE?  And they are going to use this vpn machine as their gateway to your network?  Can you set up the GCE networking that way for their instances?

  • Bridging Multiple VLANS with OpenVPN Tap

    3
    0 Votes
    3 Posts
    918 Views
    A

    I want something like this https://forum.pfsense.org/index.php?topic=66796.0 but there is no answer there too

  • Alternative OpenVPN client

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ

    Viscosity is great, we recommend it all the time. The only downside is the cost. If you're OK with the cost it's an excellent bit of software and works on both Mac and Windows without any problems we're aware of.

  • Can ping everything but remote network

    7
    0 Votes
    7 Posts
    1k Views
    D

    Glad you got it figured out.

    Don't be a stranger to the forums (even if it's only to eavesdrop), a lot to be learned around here.  ;)

  • Route to external address for VPN users

    3
    0 Votes
    3 Posts
    839 Views
    D

    The other issue you may run into:

    You may need to tell SQL to allow database connections from the OpenVPN subnet.

    I take it access to other devices/applications across the OpenVPN works, it's just a problem with SQL?

  • Differences in nearly identical remote access openvpn's why?

    1
    0 Votes
    1 Posts
    580 Views
    No one has replied