• Send DNS queries through a VPN tunnel

    OpenVPN
    0 Votes
    24 Posts
    10k Views

    @techtester-m

    Sorry you had to wait five years for the answer, but here it is.

    Yes, you can do this. But, how you accomplish it depends upon how your devices are configured to get their DNS.

    If you set up pfSense to route all traffic from a particular device on a particular IP over the VPN, and that device attempts to get its DNS from a public DNS resolver, then the DNS requests, like all traffic from that particular device, will already go out over the VPN.

    So, for example, if you configure pfSense to send all traffic from 192.168.1.15 to a VPN, and 192.168.1.15 is configured to get DNS from 8.8.8.8, then when 192.168.1.15 attempts to query 8.8.8.8 for DNS, that traffic (like all traffic from 192.168.1.15) will go out on the VPN.

    But, if you configured 192.168.1.15 via DHCP and you told it to get DNS from YOUR ROUTER (192.168.1.1), and your router responds to DNS queries, then that traffic will NOT go out on the VPN. It will go to your pfSense router, which will then obtain its DNS information however it normally gets it. If you configure your router to get secure DNS, the request will be encrypted, but it won't go out the VPN. If you get it from unencrypted DNS servers on port 53, the traffic won't be encrypted.

    There is a way to accomplish this, however, and that is by using a Port Forwarding rule. You would set up a rule that automatically forwards any requests to port 53 from 192.168.1.15 to use a specific DNS server on the internet (such as 8.8.8.8). That would prevent 192.168.1.15 from using the router for DNS, but would instead send the query out on the internet. Here's how:

    Firewall -> NAT -> Port Forward
    Interface: LAN
    Protocol: TCP/UDP
    Source: Address or Alias: 192.168.1.15
    Destination Port Range: DNS / DNS
    Redirect Target IP: 8.8.8.8
    Redirect Target Port: DNS
    Filter Rule Association: Add associated filter rule
    Description: Force DNS to VPN
    Firewall -> Rules -> LAN

    Edit the rule "NAT Force DNS to VPN"
    Show Advanced
    Gateway: (Select your VPN Gateway Here)

    The "add associated filter rule" and editing that rule to refer to the gateway won't be necessary if you already have a LAN rule redirecting all internet traffic from 192.168.1.15 to the VPN, but there could be circumstances where you'd need it (such as if you configured it so that only TCP traffic from 192.168.1.15 goes to the VPN).

    Also, you can replace 192.168.1.15 and 8.8.8.8 with aliases to make it easier to set up rules affecting multiple clients if you like.

  • NETGATE 2100 OPENVPN DNS QUESTION

    OpenVPN
    0 Votes
    22 Posts
    1k Views
    stephenw10

    Ah, nice!

    Yup, I've been there. 😉 I usually enter devices as a static mapping even if they are using statically configured IPs. That way they still resolve and you can't accidentally reuse the IP.

  • OpenVPN config - traffic not NATing

    OpenVPN
    0 Votes
    20 Posts
    2k Views

    @Antibiotic I just wanted to follow up on this one. I found out the problem was that I had not changed the gateway for the firewall rule, which is listed in the advanced settings. After changing the gateway, voilà. Darn stupid mundane details... I swear...

    Anyway, thank you for helping....

  • Having issues setting up OpenVPN on a ChromeBook

    OpenVPN
    0 Votes
    1 Post
    155 Views
    No one has replied
  • Different Openvpn servers

    OpenVPN
    0 Votes
    1 Post
    115 Views
    No one has replied
  • TLS Error: local/remote TLS keys are out of sync

    OpenVPN
    0 Votes
    4 Posts
    345 Views

    I'll answer myself:

    So my understanding of why the route was not added is that the tunnel was not able to completely connect, and this makes sense (still a guess though...).
    After upgrading the client to 24.11, the tunnel succeeded in connecting to the server (which is still on 22.05).

    Finally, I'm not really sure what the root cause was, because I had many pfSense boxes on 22.05 with SSL/TLS tunnels working fine, so my guess is it was a mix of slow link and version, and was not related to my config.

    Hope this helps others.

  • OpenVPN SSH & RDP

    OpenVPN
    0 Votes
    3 Posts
    261 Views

    @viragomann Hi, thanks, but it was not an issue with pfSense; rather, I had not configured my VLANs on my Cisco switch properly.

  • AdGuardHome and OpenVPN conflict

    OpenVPN
    0 Votes
    1 Post
    146 Views
    No one has replied
  • Open VPN SSL/TLS Peer to Multipeer

    OpenVPN
    0 Votes
    4 Posts
    272 Views

    @Bambos
    When stating an alternative hostname, pfSense generates a SAN certificate. There is no reasonable case for me to do this with a user certificate, however.

    The CSO check verifies only one value, either the common name of the client certificate or the username, not both. As mentioned, which one to use can be set in the server settings.

  • 0 Votes
    2 Posts
    439 Views

    @ElaineNav

    I'll answer myself; it could be useful for others:

    After a few tries, I changed the role of pfSense and set the server on the slower side; now the tunnel is stable. :)

  • Openvpn on mac is not working

    OpenVPN
    0 Votes
    4 Posts
    1k Views
    Gertjan

    @rajukarthik said in Openvpn on mac is not working:

    Would prefer OpenVPN connect. Any suggestions?

    Yes. Download and install it?!
    Not hard to find. Type "OpenVPN Connect macOS" - it's the first link.

  • AdGuardHome and OpenVPN conflict

    OpenVPN
    0 Votes
    1 Post
    162 Views
    No one has replied
  • 0 Votes
    1 Post
    247 Views
    No one has replied
  • 0 Votes
    8 Posts
    414 Views

    For clarity, I reset the client pfsense box to factory defaults.

  • Openvpn server configuration for mac os

    OpenVPN
    0 Votes
    1 Post
    87 Views
    No one has replied
  • pfsense answering on wan instead of openvpn

    OpenVPN
    0 Votes
    10 Posts
    580 Views

    @chpalmer That got me fixed up, thanks.

  • 1 Votes
    17 Posts
    1k Views

    Hi to all,

    so, a little RECAP:

    SITE A:
    Operator router -> switch -> ESXi with pfSense
    Public IP -> internal LAN 192.168.1.0/24 -> pfSense WAN 192.168.1.240 with GW 192.168.1.1 and virtual interface ovpn peer2peer

    SITE B:
    Operator router -> Mikrotik -> internal LAN
    Public IP -> WAN 192.168.8.1 - LAN 192.168.88.1 -> internal LAN 192.168.88.1/24

    Peer-to-peer tunnel 10.10.11.0/28 (site A 10.10.11.1 / site B 10.10.11.2)
    Connection OK between sites
    ping - other services from B to A -> OK
    ping - other services from A to B -> KO

    PFSENSE CONFIG:
    (screenshots of the pfSense OpenVPN configuration)

    With and without CSO tested, but nothing changed.

    NAT
    (screenshot of the NAT rules)

    Rules
    (screenshots of the firewall rules)

    ROUTING
    (screenshots of the routing table)

    SITE B: MIKROTIK
    (screenshots of the Mikrotik configuration)

    Sorry for all the photos, but it's to understand how the 2 devices were configured.
    Any help is welcome; I don't know what else to check or other configurations to try.
    ESXi has no rules on the internal switch.

    **Thank you so much for all the advice already written, and have a nice new week.

    ANDDD sorry for my English XD.**

    REGARDS

  • 0 Votes
    4 Posts
    700 Views

    @peterzy thank you for your reply.

    In my case all the Mikrotik client devices are in the rural area, so maybe I can make the current VPN work using UDP (this is the current config) and once I get access to the device I can change the config to TCP. If the device could get connected for a couple of hours, for me that's enough.
    In this regard, could you please share the details about changing the PING settings so maybe I can get them connected temporarily?

    Thank you!

  • 0 Votes
    12 Posts
    674 Views

    @PlanetToysUtah
    Is the CSO applied??
    Please show the log.

  • Do netgate pfsense plus support Message-Authenticator?

    OpenVPN
    0 Votes
    1 Post
    210 Views
    No one has replied