• how to create an ovpnc2 interface firewall rule

    5
    0 Votes
    5 Posts
    630 Views
    P
    @Gertjan Well, in my case, we have site-to-site OpenVPN links. Each site is a "vpn client" and there is an openvpn server in the middle. Each site has its own data server(s) and other equipment. Users on each site can access servers on other sites. I believe NAT wouldn't work well in this case. But, now, I think I understand your idea, it's when the client site only has "client" users, then I understand your NAT suggestion. Thanks again Phil
  • hardware acceleration on SG 2100

    1
    0 Votes
    1 Posts
    368 Views
    No one has replied
  • OpenVPN performance after 23.09

    5
    0 Votes
    5 Posts
    602 Views
    M
    @andrzejls thank you! I never used this before. I did it, but now that’s weird, my vpn is setting up, but it does works when I locate my IP. I’m going to reset my openVPN setup and doing it again.
  • Migrating vpn to WAN2

    5
    0 Votes
    5 Posts
    547 Views
    frog
    found the issue, I had copied to wan rule and selected wan2 but forgot to change the destination from Wan Address to WAN2 Address. All working now. Thx all.
  • UDP Return traffic in site-to-site VPN

    1
    0 Votes
    1 Posts
    232 Views
    No one has replied
  • 0 Votes
    3 Posts
    457 Views
    B
    @viragomann said in VPN Configuration Issue: Accessing Site B from User Authentication VPN in OpenVPN:
    The pfSense GUI provides the "Local Network/s" field for this. So this box should look like this in your setup: 192.168.10.0/24,192.168.20.0/24 This pushes the routes for both LANs to the clients. However, you also need to let site B know how to route the clients' tunnel pool. This is done by adding the access server tunnel network 10.0.8.0/24 to the "Remote Networks". If you push the routes from the server you can also add it to the "Local Network" in the site-to-site config at A.
    @viragomann Success! Thank you so much!
  • 0 Votes
    5 Posts
    710 Views
    C
    Thank you very much for your guidance. I now have OpenVPN to the LAN working fine. Now I'm trying to figure out the next problem. I have Used Port 4 on the Netgate 2100 to assign a VLAN with a completely different IP of 10.1.10.1/24. The VPN server does include 10.1.10.1/24. I added a rule to that interface (for now) as any to any, but the OpenVPN cannot get to a web server at 10.1.10.200. Assistance will be GREATLY appreciated. Leon
  • Openvpn changing IP address when reconnected with RDP

    openvpn rdp
    12
    0 Votes
    12 Posts
    3k Views
    G
    @cezar_a you're welcome
  • Where is "IPV4 Remote Network(s)" Setting

    7
    0 Votes
    7 Posts
    829 Views
    johnpoz
    @swaldren peer to peer doesn't route all traffic out the vpn.. It just allows each side to talk to the other sides network - if you allow it and setup the routing correctly.. Remote access is for road warrior connections - where you don't care to get to the remote network the clients on, just the client.. Via whatever IP you hand it out of your "tunnel" network.
  • Update to 23.09 OVPN Performance problem

    1
    0 Votes
    1 Posts
    261 Views
    No one has replied
  • Update to 23.09 broke OpenVPN server

    Moved
    7
    0 Votes
    7 Posts
    1k Views
    Gertjan
    @DominikHoffmann said in Update to 23.09 broke OpenVPN server:
    I know it is the 23.09 update that broke my OpenVPN server.
    Tip of the day: put back the RSS dashboard widget: it's full of info that you need to know. Even if you don't know it yet
  • OpenVPN Client Issue with VPN.S (VPNSecure.me) after upgrading 2.6 -> 2.7

    41
    0 Votes
    41 Posts
    8k Views
    W
    @walternet said in OpenVPN Client Issue with VPN.S (VPNSecure.me) after upgrading 2.6 -> 2.7: I found my issue : compression param was misconfigured ! :-) I was able to find thanks to @johnpoz config share ! you're right ; however, if your compression param is not OK, there's no traffic in the OpenVPN tunnel ... and no byte sent / received in Status / openVPN menu ... Symptoms are the same as routing issue ... which was my interrogation ... Have a nice end of day ! W.
  • other thoughts?

    1
    0 Votes
    1 Posts
    248 Views
    No one has replied
  • 2FA / Radius/ Challenge-Response without "State"

    1
    0 Votes
    1 Posts
    313 Views
    No one has replied
  • 0 Votes
    5 Posts
    1k Views
    J
    @viragomann Thanks Virago, the error is because of a DNS problem, we fixed it.
  • OpenVPN routing to other interface

    3
    0 Votes
    3 Posts
    459 Views
    P
    @viragomann Okay, but in the firewall I am blocking communication from the LAN to the VLAN, but the LAN still communicates with the other side of the tunnel. Configuring my IPs: LAN Main firewall: 10.1.1.1/24 VLAN: 172.24.0.0/24 LAN client firewall: 10.0.0.1/24 IPv4 Tunnel Network: 192.168.210.0/30
  • Preparing for 23.09 OpenSSL Changes

    3
    0 Votes
    3 Posts
    456 Views
    S
    @jimp Awesome, thank you for the reassurance. We'll keep working on moving our users over but can at least take advantage of the bug fixes/etc in 23.09
  • 0 Votes
    3 Posts
    527 Views
    webmozart
    I finally found the culprit. The clients that I was expecting to connect to the OpenVPN server were configured under OpenVPN > Clients. Hence the server tried to connect to itself. In combination with push "redirect-gateway autolocal def1";, that seems to have broken the routing on the pfSense. The solution was to delete the clients from OpenVPN > Clients.
  • 2 Votes
    3 Posts
    4k Views
    I
    @cmkrs Thanks for the great start. A few items I had to add and validate to make it all work. I was not able to publish my findings and step-by-step process - Akismet flagged it as SPAM - under this forum. So, I published it to my web site at this link: https://d-b-s.com/documents Credits: This is a compilation of several articles on the web, but it started here with this article as it had the most information. Thanks.
  • Open VPN 2.7 Site to Site Odd Routing Issue

    16
    0 Votes
    16 Posts
    2k Views
    C
    SOLVED
    @viragomann Thanks for the ideas that got me to solve the entire thing. I started with 2.6 using Peer to Peer (Shared Keys) on the site to site peer clients. I converted all the client sites fine with SSL/TLS but the key piece was Client Specific Overrides on the various servers I was connecting to needed. I did not need this before 2.7 to get everything working. My various servers were 2.6 and my firewall peer clients that connected to those 2.6 is a new 2.7. It now works. I had 4 Server 2.6 I was connecting to using a new 2.7 Client firewall. As long as you have the certs correctly set up which I did not have a problem with, you should be good. The key change or use for me was the CSO per @viragomann. CSO on the OpenVPN Server fixed the routing by populating the necessary routing / gateway configurations for my peer client connections for each corresponding sites.

    Steps on OpenVPN Server pfSense firewall
    1 - Create CA on Peer to Peer Server (export CA cert)
    2 - Create Server Cert on Peer Server
    3 - Create Client Cert for EACH Peer to Peer Client (export cert and key)
    4 - Create OpenVPN Server setup selecting SSL/TLS on Peer to Peer and add the IPv4 Tunnel Network, IPv4 Local network(s), and IPv4 Remote network(s)
    5 - Create Client Specific Overrides for EACH peer client firewall connecting to this server
    6 - Name Common Name same as the corresponding cert for the specific peer client, and fill in IPv4 Tunnel Network, IPv4 Local Network/s, IPv4 Remote Network/s

    Steps on OpenVPN Peer Client pfSense firewall
    1 - Import the CA (from step 1 server section above) and the corresponding peer Client cert and key (from step 3 server section above)
    2 - Go to VPN / OpenVPN / Clients tab and begin adding your peer client for each Open VPN Server you need to connect to (maybe you are just connecting to one)
    3 - Peer to Peer (SSL/TLS)
    4 - Choose the proper port if you have several peer client setting up
    5 - Select your imported CA in Peer Certificate Authority (from Step 1 in Server section) and the imported corresponding Client Certificate (from Step 3 above in Server section)
    6 - Fill IPv4 Tunnel Network, IPv4 Remote network(s)

    Firewall / Rules / OpenVPN
    1 - Add Pass for ANY protocol on IPV4 and ANY/ANY Source / Destination to verify flow and then you can filter more if need to later

    ** You may need to restart the services for OpenVPNServer and OpenVPN Peer Client firewalls....connections should be made if the proper Network and Subnets were created.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.