I'm not certain about road warrior mode, other than being able to access my PfSense while one the road…so yes that is configured as a seperate OpenVPN server.

Just for completeness, I'd like to report that it seems that setting tun-mtu 1387 is the highest I can go before failure.

Cheers,
Mark.

Oh

It might be relevent that I run pfsense as a VM on ESXi on both sites.

If you have a web interface at the DVR which uses TLS, I see no need to access it over VPN.

If you want to set up OpenVPN on pfSense, a guidance can be found in the pfSense docs: https://doc.pfsense.org/index.php/OpenVPN

DDWRT is ok, it can just be a pain in routing traffic correctly across site to site VPNs. It seems to always want to NAT things in that context.

I didn't notice the DDWRT routing table. That looks correct as well. The iptables rule should allow pings through.

Run a constant ping from the pfSense LAN to the DDWRT LAN. Go to Diag>Packet Capture, pick the OpenVPN interface, and start the capture. Let it run for a handful of seconds and stop it. If you see the pings leaving there, that'll confirm the issue's on the DDWRT side.

The only thing that'd prevent traffic from LAN getting routed across in that config is if you have a gateway specified on your LAN firewall rule(s), that'll force traffic to that gateway.

Thanks Mike for your info as well.

My god, you're right! I assigned the same subnet to the guest network and the VPN! I will check that again, thank you very much.

So everyone with a Comodo-issued certificate will be allowed to use your OpenVPN? There are multiple posts about this, mostly pointing out how horrible the idea is.

Set up a 2nd tunnel bound to your 2nd ISP interface.

Put your two VPN interfaces into a Gateway group with each set as Tier 1

Use a policy route on your LAN interface firewall rules pointed to the VPN gateway group.

Oh, now it's clear for me. Thanks for explanation.

Quote from: pajo99 on 2015-12-02, 01:47:48

try to remove checkbox from Block Private Networks in WAN inerface and see if it works

What?

Exactly, Block Private Networks has nothing to do with this issue, as johnpoz already pointed out, the OP is incorrectly trying to use a USER Certificate for an OpenVPN SERVER.

Thanks for updating your progress.

If you update the title of your first post to include [SOLVED], it makes it easier to find the fixed issues.

Welcome to pfSense  :)

Can we try to solve this with a simplified version of your setup?

I would suggest  that we pick 3 sites:
The "main" OpenVPN server - Site1
First VPN client - Site2
Next VPN client - Site3

For each Site we need:

Site 1 LAN Subnet ????
Site 1 OpenVPN Tunnel Subnet ???
Site 2 LAN Subnet ????
Site 2 OpenVPN Tunnel Subnet ???
Site 3 LAN Subnet ????
Site 3 OpenVPN Tunnel Subnet ???

Can you post the OpenVPN server config screens for Site1 and the client config screens for Site 2 and Site 3?

Probably same root cause as https://redmine.pfsense.org/issues/4587

I'll be looking at that after we replace apinger in 2.3.