• No connection after certificate renewal

    OpenVPN · 0 Votes · 1 Posts · 204 Views · No one has replied
  • OpenVPN tunnel between sites and TFTP provisioning

    OpenVPN · 0 Votes · 12 Posts · 845 Views

    @guillaume14
    Ensure all related states are flushed.

    If the no-NAT rule still isn't applied, there might be something wrong in its settings, so that it doesn't match.
    Ensure that the protocol and the destination port are correct if stated.

  • Local address pending

    OpenVPN · 0 Votes · 1 Posts · 102 Views · No one has replied
  • OpenVPN regression pushing wrong subnet mask in route to client

    OpenVPN · 0 Votes · 1 Posts · 114 Views · No one has replied
  • 0 Votes · 3 Posts · 352 Views · last reply by johnpoz

    @rajukarthik it's just the normal OpenVPN community edition.

    [2.7.2-RELEASE][admin@test.mydomain.tld]/root: openvpn --version
    OpenVPN 2.6.8 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
    library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10

    Yeah it is a bit dated, sure that will update when 2.8 drops.. but it's not the Access Server version.

    As to SOC 2 - as to just the community edition, prob not - since really the user of said edition can pretty much do anything they want with the config, whereas with the AS and Cloud versions of their server, what can be configured is more strictly controlled.

    Those 2 versions are not free, so sure they can get certification of meeting specific standards, etc. But I doubt they would run through such trouble with audits of controls, etc. for something the user might easily override with even a config change.

    If you really want to make sure it's SOC 2 compliant - I would run either of those on something other than pfSense. I have not heard of anything about being able to run, say, the AS version on pfSense.

    I run an AS version on one of my VPSes - you can run it for free for a max of 2 concurrent connections. Which for me is plenty for my use case.

  • OpenVPN: assign a fixed IP to a user included in an LDAPS group

    OpenVPN · 0 Votes · 1 Posts · 99 Views · No one has replied
  • OpenVPN Renegotiation Time with MFA

    OpenVPN · 0 Votes · 3 Posts · 264 Views

    @bozo-bogd

    We tried setting reneg-sec on both sides to 0 but it caused the client to constantly want the MFA prompt satisfied. The ping settings are already set to 0.

    Details from Azure. We have a CA policy that requires MFA when authenticating to the EntraID account. The Entra RADIUS VPN app is installed on our RADIUS box to interject the MFA prompt when authenticating to our local AD with the OpenVPN client. The MFA app has a limited config, with caching and renegotiation settings not being options.

  • OpenVPN with EntraID (Directly)

    OpenVPN · 0 Votes · 1 Posts · 140 Views · No one has replied
  • Not using OVPN however OVPN is logging errors

    OpenVPN · 0 Votes · 4 Posts · 210 Views · last reply by johnpoz

    @McMurphy hahah - yeah minor detail ;) hehehe

  • OpenVPN malfunctioning due to MTU

    OpenVPN · 0 Votes · 2 Posts · 779 Views

    @DSTMalo Thank you so much! Happy new year.

  • CRL has expired

    OpenVPN · 0 Votes · 29 Posts · 8k Views

    @Gertjan perfect, thank you. Still shows as applied and has the revert option, so I'll keep it applied.

  • HA Setup - Cannot Access 2nd node via OpenVPN

    OpenVPN · 0 Votes · 3 Posts · 200 Views

    Perfect. Thank you

  • OpenVPN site-to-site communication issue

    OpenVPN · 0 Votes · 11 Posts · 638 Views

    @viragomann It works!

    I removed the client static IP configuration from the server setup and ping works from both sides.

    It was quite difficult, but that was because I didn't read the documentation about s2s OpenVPN connections. Thank you!

  • LDAP Authentication Fail with OpenVPN

    OpenVPN · 0 Votes · 3 Posts · 261 Views

    @ctarbet

    I configured OpenVPN with OpenLDAP. I had some issues regarding the setup but I found the solution:

    Start configuring a connection from scratch (System -> User Manager -> Authentication Servers) - don't copy the connection!

    [screenshot: Screenshot from 2025-01-17 09-53-21.png]
    [screenshot: Screenshot from 2025-01-17 09-56-57.png]

    QUERY: &(objectClass=groupOfNames)(cn=vpn)(member=*)

    LDAP tree structure:
    [screenshot: Screenshot from 2025-01-17 09-59-59.png]

    Please take a look at the screen. This is an example of configuration, but maybe it'll help you. Good luck!
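The query in the post above is an LDAP search filter, and the part that usually goes wrong when people adapt it is splicing a group name or a member DN into the string without escaping it. The following is an added example, not code from the post, from pfSense or from OpenLDAP: it rebuilds the post's query from attribute/value pairs with RFC 4515 escaping, and puts a plain string-concatenation version next to it to show how an unescaped DN adds assertions to the filter. The group name, the DN and the injection payload are constructed for the demonstration; the note that pfSense's Extended Query field takes the filter without outer parentheses reflects how the post's query is written.

```python
"""Building an LDAP group-membership filter safely (RFC 4515 escaping).

Added example, not code from the forum post or from pfSense. It reproduces
the post's query, &(objectClass=groupOfNames)(cn=vpn)(member=*), from
attribute/value pairs, and shows why any value that comes from outside
(a username, a DN) must be escaped before it is spliced into the filter.
"""
from typing import Iterable, Optional, Tuple

# RFC 4515 section 3: characters with special meaning inside a filter value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def and_filter(assertions: Iterable[Tuple[str, Optional[str]]], wrap: bool = True) -> str:
    """AND together (attribute, value) pairs into an RFC 4515 filter.

    A value of None is a presence test (attr=*); every other value is escaped.
    wrap=False omits the outer parentheses, which is the form the post's
    query uses in pfSense's Extended Query field.
    """
    parts = []
    for attr, value in assertions:
        if value is None:
            parts.append(f"({attr}=*)")
        else:
            parts.append(f"({attr}={escape_filter_value(value)})")
    body = "&" + "".join(parts)
    return f"({body})" if wrap else body


def vpn_group_query(group_cn: str, member_dn: Optional[str] = None) -> str:
    """The post's query: the groupOfNames named group_cn.

    With member_dn given, the filter tests that this one DN is a member;
    with None it matches the group whenever it has at least one member.
    """
    return and_filter(
        [("objectClass", "groupOfNames"), ("cn", group_cn), ("member", member_dn)],
        wrap=False,
    )


def unsafe_vpn_group_query(group_cn: str, member_dn: str) -> str:
    """The same query by string concatenation: deliberately unescaped."""
    return f"&(objectClass=groupOfNames)(cn={group_cn})(member={member_dn})"


def count_assertions(filter_text: str) -> int:
    """Count the '(' that open an assertion, skipping backslash-XX escapes."""
    n, i = 0, 0
    while i < len(filter_text):
        if filter_text[i] == "\\":
            i += 3  # backslash plus two hex digits
            continue
        if filter_text[i] == "(":
            n += 1
        i += 1
    return n


# Constructed: a member DN that carries filter metacharacters. Concatenated
# raw it adds an OR branch that matches any uid; escaped it stays one value.
PAYLOAD_DN = "uid=bob,dc=example,dc=org)(|(uid=*"

if __name__ == "__main__":
    print(vpn_group_query("vpn"))
    print(unsafe_vpn_group_query("vpn", PAYLOAD_DN), count_assertions(unsafe_vpn_group_query("vpn", PAYLOAD_DN)))
    print(vpn_group_query("vpn", PAYLOAD_DN), count_assertions(vpn_group_query("vpn", PAYLOAD_DN)))
```

With the constructed DN, the concatenated filter grows from three assertions to five (an extra `(|(uid=*))` branch), while the escaped one still has three and the server compares the whole string, parentheses included, against the `member` attribute.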

  • Weird Issue Microsoft Outlook / OpenVPN

    OpenVPN · 0 Votes · 5 Posts · 387 Views

    @Gertjan You helped me find the problem: on the other VPN server, I had selected to give the client the domain name and swapped my DNS entries. All good now. Appreciate your help, you're the man!

  • Can ping my entire network but can not access any server

    OpenVPN · 0 Votes · 2 Posts · 192 Views · last reply by Gertjan

    @Dharmender-Bankal said in Can ping my entire network but can not access any server:

    what could be the issues?

    When you're on site, and if your server has a keyboard and screen: connect to it.
    I'll bet it has a firewall ^^
    And I bet again: your server, as per security rules, only accepts connections coming from the local network it's connected to. And from nowhere else. Right?

    Change (adapt) the server's firewall rule(s), and you'll be good.
    I suggest: don't open up 'from everybody' (which includes the entire Internet!), start by adding the tunnel network you are using when connected to your VPN.

  • 0 Votes · 1 Posts · 215 Views · No one has replied
  • NordVPN Configuration

    OpenVPN · 0 Votes · 1 Posts · 172 Views · No one has replied
  • OpenVPN listening on all interfaces after 24.11 update

    OpenVPN · 0 Votes · 1 Posts · 145 Views · No one has replied
  • ERR_TUNNEL_CONNECTION_FAILED

    OpenVPN · 0 Votes · 2 Posts · 197 Views · last reply by Gertjan

    @Conger1892 said in ERR_TUNNEL_CONNECTION_FAILED:

    I can access the firewall and other servers via the IP address

    So .... fire up a text editor and open the 'ovpn' file you've imported into your OpenVPN client app, and replace the host name that it is using with the current WAN IP you use to connect the OpenVPN client to the OpenVPN server.
    Import this edited file.
    Use it ... and now it connects!?

    I presume that the somewhat vague error shown, "ERR_TUNNEL_CONNECTION_FAILED", means that the tunnel couldn't be created, because the IP (the host name it was using) didn't point anymore to your WAN IP (pfSense work) but to 'some one else'.
    So, by now you get it: the host name you were using in the OpenVPN client app config wasn't 'actual' anymore.
    So, it's the "DynDNS" WAN IP updater process that stopped doing its thing.

    That would leave lines with errors in the (system, I guess?) logs.

    I can access the firewall and other servers via the IP address

    Also: this means you have a VPN access, and you can access your pfSense directly using its WAN IP?
    Great that you could use that solution.
    A pure catastrophe from a point of security ...

    , but no longer via DNS resolution.

    What you wrote there, for me, is the origin of your issue.
    Who or what makes the host name, after resolving, point to your WAN IP?
    You would say: My dyndns supplier.
    Then me: And who informs your dyndns that an (your WAN) IP change happened?
    You would say: my pfSense.
    Then me: Who taught this trick to your pfSense, who set it up?
    You: Me!
    I would say: Great, I'm talking to the right person then. Did you start a renewal manually of your DynDNS, and check what happened? The DynDNS host name changed? Or not?
    If you want details - the ones that will bring you to the source of the issue, check this one:
    [screenshot]
    and renew again.

    Btw: my phrases are based upon what your words told me.
    I could be totally wrong of course, so please add more details.
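The two things the reply above asks the poster to do by hand are (1) find out whether the host name in the client profile still resolves to the firewall's current WAN address and (2) if it does not, edit the profile so its `remote` line carries the WAN IP instead. The following is an added example, not code from the thread, from pfSense or from OpenVPN: it parses the `remote <host> [port] [proto]` lines of a client profile, compares what DNS returns for each host with the expected WAN address, and rewrites the host field while keeping port and protocol. The profile text, the fake DNS answers and the WAN address are constructed for the demonstration; leave `resolve` unset to query the real system resolver.

```python
"""Find 'remote' hosts in an OpenVPN client profile, check that they still
resolve to the server's WAN address, and rewrite them to a literal IP.

Added example, not code from the forum thread or from pfSense/OpenVPN. The
profile, the fake DNS answers and the WAN address are constructed.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# 'remote <host> [port] [proto]'. The \s+ after 'remote' keeps this from
# matching 'remote-cert-tls' or 'remote-random'. Group 2 is the host.
_REMOTE_RE = re.compile(r"^(\s*remote\s+)(\S+)(.*)$")


def _is_comment(line: str) -> bool:
    stripped = line.lstrip()
    return stripped.startswith("#") or stripped.startswith(";")


def remote_hosts(profile: str) -> List[str]:
    """Hosts named on every active 'remote' line, in file order."""
    hosts = []
    for line in profile.splitlines():
        if _is_comment(line):
            continue
        m = _REMOTE_RE.match(line)
        if m:
            hosts.append(m.group(2))
    return hosts


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def system_resolve(host: str) -> List[str]:
    """All addresses the system resolver returns for host (IPv4 and IPv6)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def stale_remotes(profile: str, wan_ip: str,
                  resolve: Optional[Callable[[str], List[str]]] = None) -> Dict[str, List[str]]:
    """Hostnames whose DNS answers do not include wan_ip, with those answers.

    IP literals are skipped (nothing to resolve). An empty result means every
    hostname still points at the WAN address; a non-empty one is the
    'DynDNS stopped updating' situation the thread describes.
    """
    resolve = resolve or system_resolve
    stale = {}
    for host in dict.fromkeys(remote_hosts(profile)):  # de-duplicate, keep order
        if _is_ip_literal(host):
            continue
        answers = resolve(host)
        if wan_ip not in answers:
            stale[host] = answers
    return stale


def rewrite_remotes(profile: str, new_host: str) -> str:
    """Replace the host on every active 'remote' line, keeping port and proto."""
    lines = profile.splitlines()
    for i, line in enumerate(lines):
        m = None if _is_comment(line) else _REMOTE_RE.match(line)
        if m:
            lines[i] = f"{m.group(1)}{new_host}{m.group(3)}"
    out = "\n".join(lines)
    return out + "\n" if profile.endswith("\n") else out


# Constructed client profile: two 'remote' lines for the same host plus a
# commented-out one and an unrelated 'remote-cert-tls' option.
PROFILE = """client
dev tun
proto udp
remote vpn.example.net 1194 udp
remote vpn.example.net 443 tcp
;remote old.example.net 1194
remote-cert-tls server
resolv-retry infinite
"""
FAKE_DNS = {"vpn.example.net": ["203.0.113.77"]}  # constructed: stale DynDNS record
WAN_IP = "203.0.113.10"                           # constructed: current WAN address

if __name__ == "__main__":
    print("stale:", stale_remotes(PROFILE, WAN_IP, resolve=lambda h: FAKE_DNS[h]))
    print(rewrite_remotes(PROFILE, WAN_IP))
```

Pinning the IP in the profile does not weaken the tunnel's authentication: the server certificate is checked against the client's CA (and against `verify-x509-name` if the profile has one) whether `remote` names a host or an address. It does mean the profile breaks again at the next WAN change, which is why the reply points at the DynDNS updater as the thing to actually repair.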