@joeseph hey,
You do not need to set each client' s network configuration.
If you set (on your switch) ports 2 and 3 to belong to vlan 10, that should be enough.

So configure all your vlans in pfsense, put them on your switch. Clients are put on your untagged switch access ports. Then use a trunk connection between pfsense and switch, here all vlans are tagged except vlan 1 (default).

Do not use vlan 1 as a prodductive vlan, it only carries neccessary packets for your network infrastructure but should not carry any productive data.

Port 1 (to pfsense as trunk) : vlan 1 untagged, others tagged
Port 2 (to client 1): vlan 10 untagged
Port 3 (to client in let's say vlan 30): vlan 30 untagged
Etc.

Evidently, ProtonVPN is shuffling IP addresses and lagging behind on updating their documentation. I used a server with a different IP address in that same state and the system immediately connected with no issues. Odd that the connection worked right up until I restarted it - maybe they were supporting extant connections on that address but not accepting new ones...?

Appears to be working fine now.

I will recommend Ivacy VPN. Its not heavy on the pocket plus provide great services in term of speed and unblocking the content.

@mgbolts

Whenever you edit anything related to (VPN) policy routing, do not forget to do a Status > Filter reload.
Or Diagnostics > States and reset all states (this will even disconnect you from the GUI)

@atomitech
Yes, correct. The client has to be bound to the gateway failover group.

@chuck1968 OpenVPN is OpenVPN. Doesn't need pfSense.
Just make sure settings are the same on both ends. Best to post pics so someone else can see because I'm sure you went through them already.

@thedharma Can you show pics of the outbound NAT?

You would just use the guest network as source and wan address as NAT address and all else as ANY.

My Solution

Install Shellcmd package Package Manager --> Available Packages --> Install The shellcmd utility is used to manage commands on system startup. Add a boot command to disable the OpenVPN services Find your 'OpenVPN ID' and whether it is a client or server from VPN --> OpenVPN --> (Servers|Clients) --> edit Services --> Shellcmd --> Add Command pfSsh.php playback svc stop openvpn server 1 or pfSsh.php playback svc stop openvpn client 3 ShellcmdType: shellcmd Description: Disable my OpenVPN on boot Repeat for each OpenVPN service you want to disable

@michmoor
Yes, exactly.
But you can control his access by firewall rule anyway.
If you allow the client only to access certain machines on your network and block the rest, the client will fail access the internet if he overrides the pushed routes.
Hence I think, he will change his routing again.

It is a known issue of some Linux NetworkManager versions to ignore pushed routes.

@germz1986
The VPN server pushes the default route to you, hence all upstream traffic goes to it.
To avoid this check "Don't pull routes" in the client settings.

Add all the IP you want to direct out to the VPN server to an alias. Then use it as source in a Policy Routing rule.
Ensure to put this rule to the top of the interface rule set.

Consider that with this rule there is no internal access allowed from the concerned IPs. Assuming that this is desired, create a second alias and add all RFC 1918 networks to it. Use this alias in the above rule as destination together with "invert." checked.
So this rule is applied to any other destinations, but private networks.

Anyone have any suggestions?

@viragomann

Thanks
this did the trick

@jimp
thank you Jim, I'm running into the same problem with some older VPN clients/certs.

@nogbadthebad

the version I have is 2.6.0. maybe that would enplane why its not working when I try to follow tutorials cause there all out dated. I really appreciate you trying to help me... have a good holiday buddy...

@dotdash excellent thx. I'll try that.

@rcoleman-netgate no external 'Monitor IP' address works on the OpenVPN gateways. I can ping from a client PC on the network to external address with no issue once the connection is up.

(System --> Routing --> Gateways)
The monitor address is populated with the 'Gateway/Virtual Address' for this OpenVPN connection so it looks good to me. 😄

@0ziris

This is what I get on 22.05 ( from bottom to top ) :

5c42778f-d346-4d78-b8a5-fa5d29b7aa79-image.png

The last 3 lines are the stop sequence.

This is shown when the process starts :

OpenVPN 2.6_git amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO] built on Jun 4 2022

At that moment, 37441 was my OpenVPN PID.

@tact12
You have to provide the DNS server in the OpenVPN settings to get it pushed to the clients.

And since your client might be in another domain as the server they have to use the FQDN to access it. E.g. MYSERVER01.remote.domain