Hi,

I think you need to add option 66 to your home DHCP Server. So when your IP Phone boot he can find the PBX IP / hostname via option 66.

Regards

Phil,

Thanks for the reply. I found something in the meantime that worked. I was able to SFTP in using root for the username, and just copy the 2 files to /etc I needed to get OpenVPN working again.

If you use the HMA software what speed can you achieve ?
I am interested in this myself as I will be upgrading to fibre soon and I use HMA myself.

You might want to look at this.

https://forum.pfsense.org/index.php?topic=32429.0

Could look at implementing this myself soon.

Ricky

Thanks for replying Phil.
You where right about the Failover being the problem.
I raised a support ticket and Jim advised adding the following rule before the failover.

I also changed my Tunnel network to /30 on advice.

Ricky

@KOM:

You're using the 2.1 release?

Yes I am.
Here's just a screenshot before I edit the settings (Please note that I can connect, but my traffic doesn't get routed to my LAN and thus I can't browse the web)
And a screenshot after I edit it without changing anything.
And the screenshots of the actual script, which works when I enter it manually…

before.png
before.png_thumb
after.png
after.png_thumb

That's a good point.  I left that out.  I am setting up DDNS as well.  =)

You need your LAN rules the other way around. Rules are matched from the top down, first match wins, so all your traffic will be matched by the "Default allow LAN to any rule". None of it will get to "LAN thru ExpressVPN" - put "LAN thru ExpressVPN" above "Default allow LAN to any rule".
On WAN and EXPRESSVPN rule tabs you should not need any pass rules - unless you have a public server or similar, you do not want to allow incoming connections from the big wide internet. Traffic initiated from you (on LAN) is passed by your LAN rules and pfSense recognizes and passes the data flowing back in the reverse direction for that.

The private LAN that the client happens to be on needs to have a different subnet from the remote LANs it needs to reach. Because the client does need to talk locally to at least its default gateway to actually send the encrypted OpenVPN packets through real networks from itself to the server on pfSense.
Yes, change your LAN to some more obscure private subnet.

Did you get this working?
With what you describe, this sort of road warrior config "just works". "Default allow LAN to any rule" is fine.
If you have any policy-routing rules on LAN that push traffic into a particular gateway then that can interfere with the ordinary routing back to the OpenVPN client.
Do packet captures on OpenVPN and LAN to see where packets actually get to.

Hi kallii.

I am not sure I fully understand what you are asking me to do…

But it sounds like you are saying to setup a route FROM the VPN interface to the server...

So, example would be...

Site A:
    External IP: 60.50.40.30 & 60.50.40.31 & 60.50.40.32 (Have 3 External IP Addresses)
    Internal IP: 10.40.163.XXX
    Tunnel Network: 192.168.2.0

Site B:
    External IP: 80.70.60.40
    Internal IP: 10.40.162.XXX
    Tunnel Network: 192.168.2.0

Then I would create a forward from 162.168.2.XX to 10.40.162.XXX right? But, lets say I want 2 servers on the VPN Client side...
    If you go to http://60.50.40.30 I want it to point to 10.40.162.10
    If you go to http://60.50.40.31 I want it to point to 10.40.162.11

Is this possible?

Thanks!

I was looking for instructions for TorGuard OpenVPN and ended up here. Here's a link to TorGuard's own setup guide that I found after further searching. Hope people find this helpful  :)

http://torguard.net/blog/how-to-setup-pfsense-with-torguard-openvpn/

This has worked for me after brief testing. Guide is relatively easy to follow. They don't specify IPv4 or IPv6, so I just did the configuration for IPv4 and ignored IPv6 completely.

Yeah this is what I was saying earlier its hit and miss with VPN support + pfsense…. seems one has to figure out the settings. Strangely its not that much settings its the other pfsense configuration which I found tricky...

The easy option is of course to join black vpn or a provider that supports pfsense support in general.

Thanks, Phil.  I had a working config and then added a DMZ and was surprised that my VPN users couldn't get to it.  Your reply clued me in that I forgot to update the IP4 Local Networks to add the DMZ subnet.

if "some" pc's are not working and others in the same subnet are working, then the ones that don't work, probably have a wrong gateway set in their config or have a local firewall

Oh.  Sorry.  Client-Specific overrides only work for SSL/TLS connections, not shared key, at least as far as I can tell.  I've never worked much with shared key on openvpn since I went to openvpn to get away from shared key.

No, putting them on the same private network won't help unless you bridge, which is even more complicated..

Forget everything I said and add the routes to the remotes as specified above.

If you're in learning mode, you might consider ditching shared key and generating some certificates.