@mrjoli021 To push the routes to the remote users, add the local network they should be able to access to the "IPvX Local network/s". AND also configure the firewall rules on the OpenVPN tab to allow them only to access what you want. If you have an allow any to any rule edit it and set the source to the access servers tunnel network and the destination as desired. Assuming you have an assigned an interface to the site-2-site, where you have a proper rule for that communication.

Here is the OpenVPN list of environment variables.

I guess this is a unique issue. I'm not shocked. :)

@leao-adilson said in Information about OpenVPN and pfSense: The thing is that I can't connect to the VPN from within said LAN See it like this : From every railway station in the US you can take a train to New York (the city), Central station. A train could take you directly, or you need to take several trains one after another, but you will get their. I guess we say there is a correspondence. Now, imagine this situation : you are at central Station, New York (the city). You approach the help disk, and ask this question : How do I get to New York central station ? Please film this, as the scene will be epic. When you connect yourself into your LAN, using Wifi or cable, your device becomes member of that network, and can contact all the other devices on the same LAN. And it even gets better : without the need of pfSense. You could remove the cable from your pfSense **. Example : when I'm @work, I can use an app in my phone to watch the 16 video cameras. The device, a DVR, has 192.168.1.10, which is the IPv4 of our DVR. My pHone will have another 192.168.1.x IP. When I'm @home, or where ever else on planet earth, I have to activate my VPN-to-Work app first. This will build a connection to our @work pfSense. Then I launch my Camera App, and it connects just fine to our DVR "like as I was @work". The VPN secures the connection. No need to switch IP addresses, or activate NAT rules on pfSense. Keep in mind : When I'm @work, I can connect to the company's LAN using APs that give me access to that LAN - our 192.168.1.0/24 When I VPN into work, I connect via 192.168.3.0/24, the VPN tunnel network. But a firewall rule on the OpenVPN interface permits me to connects to other 'LAN' 192.168.1.0/24 so I can access the DVR. ** that is, you probably still need pfSense to deal with the DHCP part of the connection.

@gertjan honestly i still used 1194

@gertjan @jimp thank you, applied the patch, should work now

@viragomann Oh that Thanks again for your help. When setting up a new OpenVPN server, its also says "The interface where OpenVPN will listen for incoming connections (typically WAN.)" and we have had that on WAN and its always worked that way. We don't have a VIP for the router/pfsense and can't assign one to it now anymore. Also, i edited the client ip to match what OpenVPN logs says its bound to and its still this TL error.. it's driving me nuts at this point.

Hi @pippin I will give that a try and see if it helps. Thanks Gary

@m0l50n Glad that you found the culprit at last. Yes, you can define the firewall rules on any interface on the route. It's okay to restrict the traffic on the OpenVPN interface and allow only specific destinations at A and at the main office. However, from the security point of the main office, it may be desirable to restrict the access on its incoming VPN interface additionally for sure. But if you have full control over both sites and you can say that site A is save as well, that's not really necessary.

It appears I just had to add the DNS Default Domain under Advanced Client Settings in the VPN settings. That just tacks my default LAN domain to the end of DNS lookups on the VPN client, et voila, NetBIOS or base PC names (without the domain appended) are converted to FQDN behind-the-scenes the same as happens locally and all is well.

Found these scripts here: https://github.com/mdcurtis/pfsense-python a bit old, but I will test pfsense-updateCRL.py asap

@tkronic said in Firewall (as itself) defaults to VPN gateway not WAN gateway. Where do I change that?: @talaverde Was this ever resolved? I am facing the same issue. In case anyone is wondering, I enabled "Don't pull routes" in the VPN client config and now things work as expected. Not sure why this is necessary as my old config was working for years without that option selected.

@viktor_g thank you for the quick response. Very much appreciated.

@johnpoz OH yeah totally agree on this one Had a couple of IT managers only want to allow static ipv4 from their homeOffice users and forced them to pay the upgrade (and that's floppy expensive here where I live) for that static IP and we are Not talking about gov contractors Was a hard piece of work to finally talk some sense into Multi factor Auth on openVPN was the key for success Np

Thank you very much, will check this out here in a few. Thanks for the help!

And even if they work today, noone guarantees they will tomorrow. If you have the necessary upload at home, vpn to home@home country is the better option.