File server cannot be access via Pfsense OpenVPN

NethServer release 7.9.2009 (final)
Module: File Server, AD

Good day,

I am currently having problems connecting to Nethserver file server while connected to Pfsense OpenVPN. I can access all the other devices connected to the network via the VPN, expect the Nethserver samba shares. I have also added the VPN subnet inside the trusted network and it does not work. The rules in the Pfsense does allow open vpn to access all the networks. The IP tunnel network for the vpn is and the internal network is The Nethserver is on its own server and has a red and green network on it. All users can access their shares while on the internal network but it does not work when the pfsense vpn is enabled on their pc. Not sure what I am missing. The end goal is to have remote users to connect to their shares using Pfsense VPN. Any assistance will be greatly appreciated.


And Welcome to the NethServer community.

I do know PFSense, although I only use OPNsense, however: PFSense does NOT make VPNs, they use either IPsec, OpenVPN or Wireguard… There is no such thing as a “PFsense VPN”…

Are you talking about a site2site or a RoadWarrior VPN (I’m thinking a road warrior…)?

You also provide no information where to where, where are the users using VPN? (LAN or WAN?)…

What client are you using for VPN?

Too many questions…

Maybe start by providing some basic concrete infos about your network setup…

AFAIK, NethServers OpenVPN Implemantation via GUI does not support several “LANs” to be reached… OpenVPN can do it, but needs tweaking…

My 2 cents

Apologies, I am currently using the OpenVPN from Pfsense (No IPsec at the moment), and I am using my pc to connect to the lan network from my house using OpenVPN community edition. The Lan network is and the Nethserver green is on 192.1680.3/24 I am able to ping the entire network but not the Nethserver. This is the config file from the Pfsense OpenVPN.

dev tun
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
resolv-retry infinite
remote 1194 tcp4
remote-cert-tls server



setenv CLIENT_CERT 0
key-direction 1

2048 bit OpenVPN static key

-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----

I don’t quite understand this.

Later on you talk about using the OpenVPN Client on your PC - that makes sense…

So what I did was I use the OpenVPN wizard from Pfsense to create the server and after I use the OpenVPN client on my pc to connect to the network. Not sure if that clears it up.

Are we taliking about a PFsense doing OpenVPN - or is a NethServer doing this?

I don’t understand why a PFSense OpenVPN Wizard is needed to connect a Windows RoadWarrior to your NethServer?

I don’t think using the PFsense Wizard (It knows nothing about NethServer!) makes any sense here…

I think that’s your issue (Problem).

NethServers VPNs are created in the Cockpit GUI…
And does export client configs (Use .ovpn file!) from there…

Hi, The setup is as follows,

From ISP modem I have a Pfsene firewall that controls the network. Inside the network i have a nethserver that is the DC that controls the shares and users for the entire network and servers. I am using the Pfsense OpenVPN to remotely connect to the shares.

That explains a lot, why not right from the beginning?

On your PFsense, you need to set the NethServer (It’s AD…!) as your DNS Server for the OpenVPN connection. Also set the domain (AD) as default domain…
Without that, the Samba (Kerberos) part of authentification will faill and you can’t access your shares…
To be on the safe side, you can use the NethServer and AD IPs as the two DNS servers.
Have an entry in NethServers DNS pointing to itself, and a seperate entry for your AD!

Hope that helps.

My 2 cents

Apologies once again, My DC name is and in the Pfsense I have the domain name configured in it. To note I am not able to reach the Nethserver on the Pfsense OpenVPN

Can you ping the Nethservers IP via VPN?
Is the webpage / cockpit available?
Does SSH access via VPN work?
Only Samba unavailable?

Clients must use NethServers DNS, not PFsenes…

I am not able to reach any of those using Nethserver IP The DC IP is, do I need to use the as the DNS or the DC IP

What does your NethServer use as Gateway? The PFsense?

Do you have an entry pointing to the OpenVPN network including the gateway (PFsense) needed to reach it?

You can use both as DNS, both should respond to DNS queries…

Do you have Fail2ban installed?
Are you blocked?

ping should be accessible without any auth if you’re not blocked. Same goes for the web-page.

a think route is needed to vpnnetwork .70.x at nethsrv and gw (sense)propably trust network


Yes I am using the Fail2Ban and I have checked that the IP is not blocked. To note nethserver has its own red network and pfsense is not controlling the NAT for it. The Pfsense IP is and both pfsense and nethserver is using the ISP gateway which is


I think you’re right, but I can’t find setting a static route in Cockpit (Like it works if the older Server-Manager is installed.).

My 2 cents


That’s why this is not working. If your PFsense does your OpenVPN, your Nethserver must use that as gateway!

You could provide such critical information right from the beginning.
My mind reading capabilities are rather rudimentry, and long distance and foreign languages don’t makes things easier (Joke !!!)

Easiest would be to set up your OpenVPN on NethServer, using it’s own RED WAN connection. You do need a route on your PFsense pointing to the OpenVPN network ( if I’m correct) and using the NethServers LAN IP as Gateway.
Remove the entire OpenVPN setting from your PFsense!

My 2 cents

I have tested the OpenVPN RoadWarrior on the Nethserver and it works fine, but i cannot reach to the other servers on the networks. The idea was to have one OpenVPN to be able to reach the entire networks along with its servers. Also i am working on creating different VLANs on the pfsense for each department. I do not know if i will be able to reach the Nethserver shares from the VLANs, being that they are not on the same gateway.