• TLS handshake error when connecting to pfSense OpenVPN

    0 Votes
    3 Posts
    2k Views

    That was the issue, I assumed that pfSense would automatically generate a certificate for the OpenVPN server if it was the certificate authority. Thank you!

  • [HELP] OpenVPN client cannot access LAN network

    0 Votes
    3 Posts
    912 Views

    pfSense is not the default gateway in LAN?

  • VPN Client can't connect to client on LAN network

    0 Votes
    2 Posts
    783 Views

    Do you push routes to your connected client with the pfSense server?
    Also, do you advertise your tunnel subnet so machines in the LAN can access it?

  • OpenVPN & Virtual IP - Stuck

    0 Votes
    7 Posts
    3k Views

    @cmb:

    That's what I was wondering, whether it was a client or server you were binding to the VIP.

    I'm guessing you probably don't have a firewall rule on WAN allowing traffic to the destination VIP and port for the non-working instance.

    Here is the config from the Cisco Router.

    ip nat inside source static 10.20.1.102 98…..... route-map PFSENSE-AWS

    ip access-list extended TWC-ACL
    deny  ip host 10.20.1.102 host 10.20.1.254
    deny  ip host 10.20.1.102 172.32.0.0 0.0.255.255
    deny  ip host 10.20.1.102 172.31.0.0 0.0.255.255
    permit ip host 10.20.1.102 any

    ip access-list extended AWSEXCEPTION
    deny  ip host 10.20.1.101 10.20.0.0 0.0.255.255
    deny  ip host 10.20.1.102 10.20.0.0 0.0.255.255
    deny  ip host 10.20.1.102 172.31.0.0 0.0.255.255
    deny  ip host 10.20.1.102 172.32.0.0 0.0.255.255
    deny  ip host 10.20.1.101 172.31.0.0 0.0.255.255
    deny  ip host 10.20.1.101 172.32.0.0 0.0.255.255
    permit ip host 10.20.1.102 any
    permit ip host 10.20.1.101 any

    route-map TWC permit 10
    match ip address TWC-ACL
    set ip next-hop 98.....

    route-map PFSENSE-AWS permit 10
    match ip address AWSEXCEPTION

    10.20.1.101 is the LAN interface that is working, which has the same exact config on the router. There is no firewall running between the router and the pfSense box.

    On the pfSense box, I have put in allow-all traffic rules to try and get it working.

  • Could not locate the CA reference for the server certificate

    0 Votes
    6 Posts
    34k Views

    You may need to install one or more intermediate CAs so that your firewall can follow a chain all the way back to a trusted root CA.  You can verify this by checking /etc/ssl/cert.pem, which contains the list of CA root certificates that are trusted by your device.  If the issuer on your certificate isn't in that file, then you'll need to install intermediate CA certificate(s).

    For example, we use RapidSSL certificates here.  Since RapidSSL isn't a trusted root CA, we have to install their intermediate CA certificate, which bridges back to GeoTrust, which is a trusted root CA.  (Screen shots attached.)

    ![2015-07-07 15-58-07_rtr-gw-sand.stelwagon.local - System_ Certificate Manager.png](/public/imported_attachments/1/2015-07-07 15-58-07_rtr-gw-sand.stelwagon.local - System_ Certificate Manager.png)
    ![2015-07-07 15-55-51_rtr-gw-sand.stelwagon.local - System_ Certificate Authority Manager.png](/public/imported_attachments/1/2015-07-07 15-55-51_rtr-gw-sand.stelwagon.local - System_ Certificate Authority Manager.png)

  • How to use OVPN only on Steam?

    0 Votes
    3 Posts
    997 Views

    You can do this with the Rules section under the firewall settings: set up an alias list for all the Steam servers (*.steam.com), then under the LAN rules use source LAN net, dest ALIAS NAME, all ports, and under the advanced section pick the OPT (OpenVPN) as the gateway.

  • Client install packages missing

    0 Votes
    3 Posts
    1k Views

    There doesn't seem to be an option to just restore the certificates, but then as the machine name has changed I don't think the certificates from our live system would work anyway.

    Since my first post I had a brainwave: create a new OpenVPN server through the wizard, and that seems to have done the trick. Just need to test the VPNs work now.

    Cheers
    Dean

  • IPv6 tunnel using SLAAC?

    0 Votes
    3 Posts
    1k Views

    Thanks for the answer. Meanwhile I found the following in the OpenVPN manual, which describes the address assignment pretty well:

    “Specify an IPv6 address pool for dynamic assignment to clients. The pool starts at ipv6addr and increments by +1 for every new client (linear mode).”

    I believe that the linear mode is the only option for address assignment using a tun interface, and only tun is supported by my iOS devices. I'm going to request a feature like "Simulate IPv6 Privacy Extension" from OpenVPN, but I don't see a straightforward solution for that.

  • VPN gateway shows as offline – but works fine?

    0 Votes
    3 Posts
    3k Views

    Thanks, you were right, the provider's server will not reply to a ping. I fixed it by monitoring another IP address only accessible via the VPN. Thanks

  • DD-WRT Client to pfSense

    0 Votes
    8 Posts
    3k Views

    I've managed to setup a few DD-WRT to pfSense OpenVPN links over the years and the experience has definitely improved.
    My earliest attempts (still working after 8+ years!) with Linksys routers involved scripting and other kludges to survive a reboot.

    My latest was with a pair of ASUS N66RT's allowing access to the owner's office server(s) from two remote locations.
    The latest DD-WRT made it feasible to implement the whole thing through the GUI - no scripts required.

    That said, it's always an experience to find the most reliable firmware version to match the device you've got.
    I've tended to go for units with more Flash/RAM to avoid the feature "squeeze" of smaller units.

    All in all the setups have been very reliable.
    I would still rather find a small box to run pfSense, but where that doesn't work DD-WRT keeps things at least reasonably sane...

  • OpenVPN Client Selective Startup

    0 Votes
    3 Posts
    1k Views

    @doktornotor:

    Have you noticed the "Disable this client" checkbox?

    I have noticed it. I could also shutdown my PIA interface but I was looking for more of a solution that leaves the service/interface enabled but just doesn't start on boot. Worst case I'll just use the disable client option as you pointed out.

  • Extended LAN with multiple LANs on the same network 10.25.6.0/24

    0 Votes
    5 Posts
    1k Views

    I already linked what you need to do above so that everyone can talk to everyone.

  • OpenVPN Bridge to VLAN Containing Windows 2012 R2 DHCP/DNS Server - Setup

    0 Votes
    1 Posts
    1k Views
    No one has replied

  • Added a new client and routing doesn't work from my LAN

    0 Votes
    5 Posts
    1k Views

    Attached the photos. Two more that I couldn't get on the previous post.

    PFSensePing-1.png
    pingtest.PNG
    firewall2.PNG
    firewall3.PNG
    firewall4.PNG
    firewall5.PNG

  • RDP over VPN

    0 Votes
    2 Posts
    1k Views

    Most likely this is the firewall on the destination machine. Have you tried turning Windows Firewall off?

  • VPN with non-default gateway

    0 Votes
    4 Posts
    1k Views

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

  • Status OpenVPN: Peer to Peer - I don't see connected client

    0 Votes
    1 Posts
    682 Views
    No one has replied

  • MOVED: OPEN VPN FOR ANDROID-IPHONE-BAM (configuration help)

    Locked
    0 Votes
    1 Posts
    479 Views
    No one has replied

  • Script call at OpenVPN dial

    0 Votes
    1 Posts
    496 Views
    No one has replied

  • Can connect with OpenVPN on LAN but not WAN (TLS handshake failed)

    0 Votes
    3 Posts
    2k Views

    Thanks for your suggestions. I now understand the problem. It turns out that the main location where I have been attempting to use the OpenVPN client is a network behind a NAT firewall that blocks the default OpenVPN port (1194). I am able to connect as a client from other public locations. I am going to try reconfiguring pfSense to serve OpenVPN on an alternate port. Hopefully, that will solve the problem.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.