Any VPN will have an overhead. I can't find any product called "Simple VPN", so it's hard to say much more than that PPTP and IPsec should have slightly lower overhead than anything using SSL.
A VPN would add overhead to VoIP calls; it wouldn't help call quality, and it may hurt it.
The only advantage might be that it would look like a different protocol to your ISP's equipment and may be bypassing some QoS in places.
It depends on what kind of filtering is being done by your ISP, but they could detect and block VPN traffic if they have powerful enough equipment to run protocol analysis on every connection that passes through their network.
Our staff are able to access Windows shares over a bridged (tun) OpenVPN connection just fine. I looked into a bridged network, but it seemed to be too much of a headache to make it work on pfSense.
The addresses are assigned out of the /30, not exactly what you specify.
This should mean that…
172.16.0.0/30 - Client .2 -> Server .1
172.16.0.4/30 - Client .6 -> Server .5
172.16.0.8/30 - Client .10 -> Server .9
172.16.0.12/30 - Client .14 -> Server .13
172.16.0.16/30 - Client .18 -> Server .17
172.16.0.20/30 - Client .22 -> Server .21
Try putting in .8/30 and see if your results are any different.
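The /30 layout listed in the post above, as an added example that is not part of the original post and is not pfSense or OpenVPN code: it maps whatever address was typed to the /30 block that contains it and to the endpoints that block yields. The function names and the 172.16.0.0/24 pool size are assumptions; the endpoint order (lower usable address for the server, upper for the client) follows the post's table.

```python
import ipaddress


def net30_block(requested):
    """Map what the admin typed to the /30 that is actually used.

    `requested` may be a bare IPv4 address or a CIDR with host bits set.
    Returns (block, server_ip, client_ip) as strings, using the endpoint
    order shown in the post: lower usable address = server, upper = client.
    """
    iface = ipaddress.ip_interface(requested)
    if iface.version != 4:
        raise ValueError("this /30 layout is IPv4 only")
    block = ipaddress.ip_network(f"{iface.ip}/30", strict=False)
    server, client = block.hosts()  # a /30 has exactly two usable hosts
    return str(block), str(server), str(client)


def client_gets_requested(requested):
    """True only if the typed address is the client endpoint of its /30."""
    _, _, client = net30_block(requested)
    return str(ipaddress.ip_interface(requested).ip) == client


def allocation_table(pool, count):
    """First `count` /30 blocks of `pool`, one per connecting client."""
    rows = []
    for block in ipaddress.ip_network(pool).subnets(new_prefix=30):
        if len(rows) == count:
            break
        rows.append(net30_block(str(block.network_address)))
    return rows


if __name__ == "__main__":
    # Constructed sample pool; the /24 size is an assumption.
    for block, server, client in allocation_table("172.16.0.0/24", 6):
        print(f"{block:16} client {client} -> server {server}")
    for typed in ("172.16.0.8/30", "172.16.0.9", "172.16.0.10"):
        print(typed, "->", net30_block(typed), client_gets_requested(typed))
```

Firewall rules or aliases keyed to a client should use the client endpoint this returns, not the network or server address of the block.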
Success!! After updating to the latest revision and redoing all the certs and the OpenVPN server, I am now presented with a package installer link. I am now having an issue with my VPN connection timing out when I connect to it using my phone, but that is a story for another time and another forum post. Thank you jimp for your help, and all the hard work you and the pfSense group do. I definitely owe you one. :D
How did you generate and issue the keys before? You run the revoke steps there. If you don't still have that device, and the master CA key, then you have to re-issue all certificates, including the CA and server keys. You should also take steps to ensure that you can revoke keys in future.
Hello,
ssooooo, I bought the VPN1411 and it did … nothing. At least not to the OpenVPN throughput, using any Engine my OpenBSD offered (cryptodev too).
I will test a little more, but I guess now it's an Atom I have to go for. What a shame.
Greets
Question:
It seems as if I need to have OpenVPN in bridged mode to get my setup running. I followed this article (http://doc.pfsense.org/index.php/OpenVPN_Bridging) but again -> trapped.
In my OpenVPN custom options I added this:
dev tap0; float; server-bridge 192.168.0.1 255.255.255.0 192.168.0.160 192.168.0.199
Unfortunately this does not work, I get this error message:
openvpn[4446]: Options error: --server and --server-bridge cannot be used together
Are there any other ways to get this up and running? I read sth. about the ashahi package. Could this be my solution?
Regards,
Alexander
No specific settings for Ubuntu, it should all just work as long as you have the settings match the server (proper keys, protocol, port, compression, cipher, etc.).
Mine is for multiple sites so I am using PKI because it is much easier to manage after the initial setup of generating keys. I see you tried PKI but in your latest config you are back to Shared Key.
If you want to try PKI again I could try to help by comparing my config against yours but otherwise the configs are a little different already and I don't know where the problem could be.
You can also set up CSC entries for the CNs of the certificates being used to connect, force them to a specific IP address, and then firewall those addresses as normal. An alias containing all of the members of a given group would be helpful.
As shadowadepts said though, two separate instances would work as well. You might even want to make sure they use separate CAs if you do not use any other form of auth (e.g. TLS+Local User Auth).
@jimp:
Sorry I missed the IPsec bit first. You'd have to add the OpenVPN client subnet as an additional subnet in the IPsec config (or expand the subnet definition to include it) on both sides.
If it's pfSense at both sites you'd be better off making a shared key site-to-site tunnel instead of IPsec. Routing is much easier that way.
I never could get this to work so my setup is exactly like this one. The site-to-site tunnel never connected with OpenVPN, never opened a route to the remote site and no traffic moved site-to-site. My current setup uses an IPSec tunnel for site-to-site while my users use OpenVPN clients to connect to the internal network. As a workaround, I have OpenVPN servers in both locations and a user picks which site they wish to connect. I posted my problem here quite a while ago and never got an answer so I gave up and decided to wait for version 2. I will try adding the OpenVPN subnet to my IPSec config as you have suggested.
Hi,
I found a solution to correct my problem but it is a bit strange!
To connect to OpenVPN using the address 80.xx.xx.3, I have added a port forward NAT:
80.xx.xx.3:1194 -> 127.0.0.1:1194
What do you think about this solution?
Could security problems happen?
Thx
Check out this post. Haven't had the time to test it out but it looks promising.
It seems to have the thing that was missing on 1.2.3.
http://forum.pfsense.org/index.php/topic,24435.0.html
//Dan Lundqvist