@jimp:

That's entirely up to the Windows box and what it allows with Anonymous binds vs binds with a service account.  You might be able to find some other info on the net about that unrelated to pfSense (since it's a general Windows LDAP issue, not a pfSense issue)

I agree this has to do with my own server configuration and nothing to do with pfsense LDAP implementation.

Thank you for your responses.

check fw rules on their respective LAN-tabs

That would mean it's OpenVPN itself leaving it in the table – pfSense doesn't manage the routes for OpenVPN, they are handled directly by OpenVPN. You might post about it on their forum or bug tracker. They may want to see your OpenVPN config before and after the change, and a copy of the routing table before and after the change. The OpenVPN config would be in /var/etc/openvpn/, routing table can be copied from the output of "netstat -rn"

You can run as many OpenVPN servers with different configuration as you wish.

"After I finished the Wizard, my OpenVPN server had been assigned the user cert"

Again dude the Wizard does NOT do that, can not do that!!  So if you did that that is on you not the wizard.. Not sure how that could ever happen other than just pure stupidity??

If english is not your native language ""Invalid purpose"" might be a bit confusing, but if you actually speak english how is that not clear??

thanks

now I wll test

@johnpoz:

"nslookup from the client says it's using 127.0.1.1 as server."

Your clients said they were using loopback address as their dns?  Where they running any sort of dns server that forwarded.. That makes no sense at all..

This is from a linux client.  I have to specify nslookup someIP dnsIP and it works.

My windows clients are now working correctly!

Unfortunately LDAP schemas vary widely so it would be tough to pull something like that off. Not sure I like the idea of fetching a client's private keys via LDAP either, but as long as LDAP is using SSL itself it may not be too bad. The problem then becomes finding a way to query the LDAP server in such a way that it can get a list of all users with certs/keys available. Gets ugly fast…

Hi Guys , i have a similar issue like this but with a dual WAN on the client side.

Client just work with the default gateway ( WAN or WAN2 ), but if I do a test with just the WAN2 , connection do not work.  I do a openvpn resync or just click no the submit button on the openvpn config and connection works in a couple of seconds.  fast!

can you please provide some help.

Yes, the VPN server can provide DNS server for the remote client.

Follow this instructions

https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server

Keep me posted if anything goes wrong

It worked, after I restarted the pfsense box.

Thank you :-)

Why are you omitting that value when the documentation recommends it be set for increased security?

The  optional  direction parameter enables the use of 4 distinct
              keys (HMAC-send, cipher-encrypt, HMAC-receive,  cipher-decrypt),
              so that each data flow direction has a different set of HMAC and
              cipher keys.  This has a number of desirable security properties
              including  eliminating  certain  kinds of DoS and message replay
              attacks.

When the direction parameter is omitted, 2 keys are  used  bidi-
              rectionally,  one  for HMAC and the other for encryption/decryp-
              tion.

You're just hobbling the feature by omitting the direction. Seems it would be much simpler to add the direction on the server side like it wants.

Not that I'm aware of. RADIUS or LDAP would work, if it's AD, LDAP should work out of the box, and RADIUS can be done via NPS if needed.

The fields on that page must not be set to support international characters. Using them in a CN is probably not a good idea anyhow.

So this public computer, does it allow you to install openvpn client?  Or are you talking abut using ipsec or l2tp or pptp?

Also adjust your Windows box's firewall to allow pings from outside their subnets.

I thought it would let me go to the other page to change the DHCP range. Those two options should be on the same page!

We were all new once, right?  ::)

Fixed it. So now my network is 192.168.100.0/24. And everything works. I think.  :P

Thanks everyone for the help so far.

Thanks, this work, thanks for you help