Yo, I did a test with 2.1-RELEASE  (amd64) and Windows Server 2012(Not R2) set up as AD,DNS and NAP. I followed the instructions on this site:

https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory

I followed all the topics in the guide up to "Change the cryptoapicert SUBJ " I did not do this step or any step following it(if you dont cound connecting the client to the server). I used my own names and IP adresses etc and I ignored any setting that was new for version 2.1.

I shared a folder on my Windows Server 2012 and was able to access it with my testaccount from a Windows 7 Enterprise 64-bit using the exported OpenVPN client.

Do you know if radius still only support unencrypted(PAP) communication with the NAP server? Using Captive Portal and NAP you can select at least MS-CHAPv2. I know this isnt entierly secure ether but hey, better than nothing I think.

Im new to using OpenVPN and I tried this in a virtual test environment. Im gonna play around with the settings to see what happens and see if Im able to do this without having to manually create certs for each user in pfsense. Anyway, hope this  helps and let me know of your progress!  :)

/erik

I stopped using netbios over TCP - I realized its just not needed for me, but my VPNs support it and WINs supports it for the one subnet I wanted to use it for.  For it to work on one subnet and not multiple subnet, you don't need to do all that much.  Just Set up SAMBA on a system somethere in the LAN on a static IP, set it to be master, set WINs option to yes, set OS level high, like 35 or higher.  It should sync up with everything on the network without any fuss.  I also set mine to not require passwords because passwords on shares can be a pain.

Probably the biggest obstacle I see to really simple VPN is that not all OSs honour "push" from openvpn.  When they don't, you need to enter the command on the client side rather than "pushing" to client from the server.  PITA.

So apparently for what I needed I was able to install the avahi package and set it up using both the remote site search domain and the local search domain and now everything shows up with bonjour!

Anyone know how to pass on the NetBIOS stuff through the tunnel to the other end?  For example I don't see windows boxes on my mac from the client network… I only the bonjour devices like the macs and printers...

Thanks anyone in advance!

Matt

Need to change all those 192.168.1.0 / 24 LAN subnets to something not on 192.168.1.x  and make them all different from each other.

like site A  192.168.52.0

site B  192.168.53.0

site C 192.168.54.0

Thats to start.

Then do the same thing with the VPN tunnels - Make each different:

10.0.6.0  10.0.7.0  10.0.8.0 would be OK

Then do whatever else phil.davis says.

In the client configurat that is located on your MAC (its just a file that probably ends with .ovpn) there is a bunch of commands.

Try adding:

route 192.168.1.0 255.255.255.0

incase for some reason its not getting pushed from pfsense.

But you really really need to change your LAN IP ASAP to something off…  like 192.168.39.1/24 and your Openvpn IPs also to something off like 10.x.x.0/24 (the Xs would be a random number between 10 and 200)

Right now its way to probable that you will have IP conflicts because 192.168.1.x is way too common.

This is what I get for not reading.

https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

Interface Selection
Be sure that your rules are on the proper interface. Imagine yourself sitting inside of your pfSense box. Sure, it's a little crowded in there, but this might help. Imagine packets flying at you from the different networks that your pfSense box ties together. You will place the rules on the interface they hit you from. If a packet is going from the LAN to the pfSense box, then out to the Internet, the rules still go on the LAN. If a packet is coming from the Internet, to the pfSense box, the rule goes on the WAN interface.

thanks for your help

There was another guy on another thread having same issue, so I posted your thread there.

I have been having this issue too, plus some more. For some reason, other than the first user, I am unable to get any other user that I have created certificates for to connect to the pfsense OpenVPN server. Is there a well detailed link that someone can provide me with that I may reference to? After hours of reading MANY outdated post and finding nothing helpful. I found and used a youtube video that wasn't really much informative about creating multiple users and creating certs so the other users may connect to the OpenVPN server. I am not new to OpenVPN, i just don't recall having this problem with previous setups. When creating a certificate for the other users, I am unsure of the method I am suppose to use. I believe it should be "Create an internal Certificate". Under internal Certificate i see, "Certificate authority" with the name of the previous  CA's name that i created for the first user that can connect from anywhere. Am i suppose to create a new CA and certificate for every user i want to connect? Shouldn't I be able to use that same one, Certificate authority?

Also for Certificate type I am selecting "User Certificate"…that should be correct, right? My options were User Certificate, Server Certificate, and Certificate authority.

Thanks in advance for anyone willing to shed some light on what I may be doing wrong. I am willing to create a more up-to-date how-to once I figure out what is going on.

Use the IP address of the computer that has the web interface - e.g. if the server-en computer is 10.11.1.42 then in the browser go to:
\10.11.1.42
If you want to access by name, then add the computer name and IP address to DNS Forwarder, Host Overrides at the home end. Then yyou can use the name in the browser and DNS will find it.

For other readers:

push "route 10.2.0.0 255.255.0.0"

That is actually trying to tell siteB that the OpenVPN link is a route to 10.2.0.0/16 - but siteB actually has the local LAN 10.2.0.0/16. SiteB will be smart enough to effective ignore that, and talk directly to its local LAN. The  line should be able to be deleted.

route 10.2.0.0 255.255.0.0

This route put in the advanced box on the server side is OK. But it should already work like this by putting 10.2.0.0/16 inn the "Remote Networks: box. I can't say why the advanced box entry was really needed.

iroute 10.2.0.0 255.255.0.0

Client-specific overrides: This is a good thing, and specifically tells the server which connecting client has the 10.2.0.0/16 network at the client end. IMHO this is the thing that really makes it work.

SUCCESS !!

thank you thermo !
worked perfectly . . . all i had to do was move the firewall rule to the top and everything just fell into place.

thanks again for taking the time.

That was it!  Thank you!  Didn't even notice it was set to Peer-to-Peer…  Switched to Remote Access (SSL/TLS) and it worked!

:)

@darkcrucible:

It might also be the outbound NAT. Do you use automatic outbound nat or manual?

If it's manual then you'll need to add a rule for the other network to go through NAT.

If it's automatic then you might need to switch to manual. Not too sure since I've never really used automatic.

Aha! Thank you so much for that suggestions! I just enabled manual outbound NAT on the remote server (the one I would like to route all of my youtube traffic through, and added a rule to pass all traffic from 192.168.1.0/24). Thank you!

Solved my own issue with a little accidental help from marvosa

In the client file on ubuntu, near bottom placed:

route 10.0.0.0 255.255.255.0  (substituted my LAN Subnet)

I haven't ever seen a good fix for this anywhere, but this is so simple.  Why didn't I do earlier (pfsense needs a facepalm icon) :-[

keywords added for web searches:

ubuntu linux mint pfsense openvpn can't access LAN TUN client

Assuming you've setup the HQ as the server and the Satellite as the client, you need to add a route(s) to the HQ config to define the client subnet(s)

ie:
route 10.0.0.0 255.255.255.0
route 10.0.1.0 255.255.255.0
      …..
etc.  Need to be added to the server config.

The 'push "route....' lines on the server side send the appropriate routes for the client to understand the server's subnets.

You don't need any 'push "route...' lines on the client side.

If you post a screenshot of your server and client configs, you may get more specific help on your setup

I thought this was going to be more difficult.  Turned out I had my SIP client settings field populated with the wrong authorization number, that would do it.  It also required the SIP client "force address" setting match the PfSense LanGW IP given the OpenVpn tunnel via Wan.

Happy days…

https://forum.openwrt.org/viewtopic.php?id=33678

Its not pfsense but it is seeming to sort of be what you want to know.