I managed to get it all working
using a combination of Client specific overrides and natting on the router

I switched the OpenVPN server from TAP to TUN, set the IPv4 Tunnel Network to a different subnet and everything works now.

@viragomann Yeah I'm aware of all that. OpenVPN gives the pfsense VPN IP as DNS server. It works with anything public. It doesn't work with anything that should resolve to LAN IP. Doesn't work with FQDN. From the LAN side same DNS server does resolve FQDN. The remote machine is using the same domain as pfsense and what the LAN machines get via DHCP. But again I tested FQDN so even if the remote machine didn't know the domain it should get the correct response from the DNS server.

I get what NAT does. I don't see why I'm having to use it. pfsense sees both the LAN and VPN networks as it's own literally everywhere I look. Usually with pf you are fighting to keep traffic from being able to go between different networks.

@bp81

It all depends also on what are the workstations are doing through the tunnels! As an example, you have 20 tunnels
and heavy load on (through) them and this is like 50
tunnels and more with only some small traffic through them.

No one of us is able to answer this question without knowing what traffic and how much traffic is running through that tunnels.

@peterlinux
If there is only a single client connected to the server, the CSO is not necessary in fact. But in this case you have to use a /30 tunnel network and set the "remote networks" on both site, server and client.

@johnpoz said in 64bit client download gets blocked by browsers:

I really don't see what netgate can do here

I agree. But the user expects something to be fixed and there wasn't a redmine ever created for the issue -- so how are we supposed to fix it?

It's likely the browser's security permissions probably from a handed-down OS-level policy.

But the point stands -- you can't expect someone to know something is broken if you've never told them it was broken.

@jtmem I currently don't have access to that system anymore, so I can't tell 100% right now.

I think it worked with another syntax, I look it up in a backup xml right now.

Try

push "dhcp-option DOMAIN your.domain.tld";

and not the option "DOMAIN-SEARCH".

Let me know if it works for you.

@jake Hi! I don't have access at the moment, but I was able to work with TAC late Friday and we tracked the problem down to a known bug (https://redmine.pfsense.org/issues/13358). That didn't come up in all my searching beforehand, of course. We have a simple workaround of disabling DCO. I could have sworn I tried that, but I tried so many things over a couple of weeks it was easy to lose track. Thanks for the note!
David

Remote server is 10.210.0.6 I have changed nothing on that end
Only thing changed on my end was IP of Local LAN port from 172.17.2.1 to 172.17.2.3

@jimp thanks a lot, this is exactly my case. Cheers!

@the-other thankyou, i will try it is useful for 2fa too

@viragomann, I went off snooping in each of the menus to see what I could see when comparing the differences between the different configs, and you are absolutely correct. The Outbound NAT rule of Network 2 (LAN in this case) gets deleted when the gateway is deleted and never recreated.

8dcaf108-3cb2-4bf6-a46c-d05aaebec2fb-image.png.

In this case, the VPN is a requirement of the lab environment. I agree that an upstream VPN would be best, but this is impossible with the current infrastructure setup. However, I might delete the NAT rules and add static routes to the VM (as there are only a few) in any case.

I appreciate the response - it answers my question nicely.

You have to make sure that the server and clients are all using reneg-sec 0

https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-custom.html#renegotiation-time

i want to use openvpn for p2p bgp tunnel. so use p2p mode.

this is remote ubuntu openvpn config:

mode p2p local 188.156.188.65 port 51756 proto udp4 dev-type tun dev usvpn link-mtu 1500 ecdh-curve ED448 tls-server remote-cert-tls client ca ca.crt cert server.crt key server.key float dh none auth SHA3-256 tls-crypt ta.key ifconfig 10.18.3.1 10.18.3.2 ifconfig-ipv6 2a0c:2406:513:b::2/124 2a0c:2406:513:b::3 auth-nocache keepalive 30 120 pull-filter ignore peer-id ping-timer-rem cipher AES-256-GCM user nobody group nogroup persist-key persist-tun status openvpn-status.log log openvpn.log verb 3 max-clients 100 mute 20 tls-version-min 1.3

Changing the protocol drop down in Endpoint Configuration enables the interface selection.
This solved my problem.
OpenVPN is running on both WAN Ports.