• Per user firewall rules

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ

    There is no way to make "per-user" rules using the GUI alone. It is possible to do if the users and rules come via RADIUS, though.

    Giving each client a unique certificate/login and override with a unique IP is best, and the only way to make that work in the GUI.

  • OpenVPN Routing Issue/Question

    7
    0 Votes
    7 Posts
    1k Views
    M

    I needed to login to the VPN and ping a 172.17 host for the tunnel to be established.

  • Client can't ping lan

    10
    0 Votes
    10 Posts
    2k Views
    H

    Thanks a lot guys. I appreciate your help and info.  ;)

  • OpenVPN Gateway Not "UP"

    35
    0 Votes
    35 Posts
    4k Views
    L

    I did a complete reinstall and started fresh.  I read a thread around the forums regarding the Traffic Shaper, and I think I might have gone in there and tried it out, which broke things in the background.  After a fresh install and some minor setup hiccups it seems that I'm up and running with OpenVPN routed to the one client that I want!!

    Thanks for all the help!

    Edit: I believe I found the culprit as well to the issues that I was having this entire time.  Squid… after I installed it again it ended up breaking the VPN connection.  Had to put in a bypass proxy setting in there and all is well again!

  • Ipredator - Config problems

    2
    0 Votes
    2 Posts
    1k Views
    D

    I'm assuming this is an OpenVPN client config on pfSense?

    Have you tried comparing the working script against the pfSense rewrites that fail?

    If there are a few necessary lines removed when pfSense does its write, you should be able to add them to the advanced section of the client config.  If it's something more there may be other ways, post back with more details.

  • OpenVPN + CARP

    2
    0 Votes
    2 Posts
    571 Views
    A

    I restarted CARP on Master and Slave and now it works.

  • OpenVPN Server and client, NAT issues… 50% packet loss, wrong routing.

    5
    0 Votes
    5 Posts
    5k Views
    S

    Bad form in posting back to my old posts, but just to let you know, that I've finally fixed it.

    Phil, I dug around regarding your suggestion and found this:

    https://forum.pfsense.org/index.php?topic=76015.0

    All working as intended!

    I've not restarted any of my client VPN connections, or rebooted, but I'm sure that if the client comes up with same interface (ovpnc1) then I consider myself a happy chap.

    Only 1 year in the making… wow.

  • How to access other lan inside lan

    4
    0 Votes
    4 Posts
    1k Views
    P

    If it is site-to-site, then, in the Remote Network/s box at both client and server end, list all the remote networks reachable across the VPN link. (i.e. the list will be "opposite" on client to server)

    If it is road warrior server, then put all the networks reachable through the server into the Local Network/s box - this will tell the clients what they can reach across their link to the server.

    In all cases put rules on OpenVPN to allow traffic from the clients to the various networks. Put rules on the server-end LAN etc. to allow traffic from the server network/s to the clients (if you want traffic to be initiated in that direction also).

  • Can't get "redirect-gateway" to work correct

    2
    0 Votes
    2 Posts
    831 Views
    M

    A few things… first, this clearly is not a pfSense box... you should probably post in the forum of whatever distro you're using or openvpn.net, but I will attempt to help anyway.

    1.  Provide a network map, so we know more about your network and what you're trying to access.

    2.  Is this in a lab?  Because it appears as though you are trying to connect to the VPN from the same LAN the server is on... but we'll know more when you provide the network map.

    3.  When you say "I can access the tunnel but I cannot access internet.", can you truly not access the internet or just unable to resolve domain names?  Because those are two separate issues.

  • Site-Site VPN between Sonicwall and PFSense

    6
    0 Votes
    6 Posts
    3k Views
    M

    Ramotalana, when you setup the tunnel it will only route traffic that you tell it to route… and it will only allow the traffic that your firewall rules tell it to allow...  i.e. only traffic destined for the tunnel will be routed over the tunnel.  Internet traffic along with everything else will follow the routing table on both ends.

  • OpenVPN open in house webpage problem

    2
    0 Votes
    2 Posts
    659 Views
    M

    How can we even begin to help troubleshoot?  There are no details.  Provide a network map, post your config, post your firewall rules.

  • OpenVPN Server Interface

    2
    0 Votes
    2 Posts
    760 Views
    K

    Yes - if you have multiple VPNs you can give them different sets of firewall rules.  That's just for one.

  • Site to site tunnel with shared key drops under load and won't reconnect

    3
    0 Votes
    3 Posts
    1k Views
    P

    No luck.

    It turns out snort was being triggered and blocking my second site.  I simply disabled the offending rule, unblocked my IP and all seems well.  What's strange is that it didn't fail until significant data started being transferred through the tunnel.  That was very confusing.  I noticed that my client connection wasn't found in the server firewall log and after verifying with packet capture that the client was indeed sending, it dawned on me that something was eating the request.  Too many hours lost due to my own foolishness.

    Found on snort alerts tab (I copied this after disabling the rule):

    11/27/14
    09:27:06 1 UDP Potential Corporate Privacy Violation <clientwanip> Icon Reverse Resolve with DNS  Add this alert to the Suppress List and track by_src IP 13467 <serverwanip> Icon Reverse Resolve with DNS  Add this alert to the Suppress List and track by_dst IP 1195 1:2003320
    Add this alert to the Suppress List  Rule is forced to a disabled state. Click to remove the force-disable action from this rule. ET P2P Edonkey Search Results

    Beware snort users.

  • How to tunnel all traffic over multiple VPNs?

    4
    0 Votes
    4 Posts
    2k Views
    L

    Check out this site and the articles, they all address the concern of chaining vpn tunnels: https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-8

    The simplest way to do it is with pfsense running in multiple VMs (you create multiple ESXI or VMware workstation VMs and chain them up).

    I hope this helps..

  • Service not running? Unable to contact daemon error

    4
    0 Votes
    4 Posts
    4k Views
    S

    Thank you very much for pointing to the OSPF direction. Quagga behaves a bit weird, exactly as written in this thread.  I had to add tunnel addresses manually, as advised here, and it worked for me. Everything has run fine for two weeks already; the client reconnects properly. Restarting the server side of the OVPN tunnel does not crash the client side anymore. The issue is solved.

  • OpenVPN freezes but no crash

    1
    0 Votes
    1 Posts
    612 Views
    No one has replied

  • 0 Votes
    7 Posts
    2k Views
    DerelictD

    It looks to me like server1.conf is your site-to-site and server2.conf is your remote access.

    It also looks like your diagram should have 172.16.9.0/24 as your remote access network.  Is that true?

    If all that is the case, you have routes from pfSense for:

    route 192.168.2.0 255.255.255.0
    route 172.16.4.0 255.255.255.0

    …in both configs.  Those routes should only be in your site-to-site.

    If you want your remote access clients to access all LANs at all sites, you need to push them routes for everything, meaning 172.16.1.0/24, 172.16.2.0/24, 172.16.4.0/24, 192.168.2.0/24.

    And you need to push routes to all foreign networks to each site.  For instance, Satellite office 2 needs to be pushed routes for the following:

    172.16.1.0/24
    172.16.2.0/24
    172.16.4.0/24
    172.16.9.0/24

    (Note you could just push a route to 172.16.0.0/16 instead.  Or even /20 in that particular case.)

  • Unable to connect most of the time via WAN to OpenVPN.

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied

  • OpenVPN Dynamic Routing iroute and OSPF via CCD files [SOLVED]

    3
    0 Votes
    3 Posts
    3k Views
    C

    Some additional assumptions: this scans the /var/etc/openvpn-csc file for custom client overrides.  It is expecting both an ifconfig and an iroute directive in these files to work.  You need both; the first pushes a "static" IP to the client so you can reference an iroute behind that interface.

  • OpenVPN allow 1 IP not all Lan visible

    2
    0 Votes
    2 Posts
    715 Views
    K

    On the VPN firewall, make 3 rules:

    pass to 10.10.10.150/32
    block 10.10.10.0/24
    pass from any to any

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.