@Derelict: I would be surprised if you saw a difference in speed with AES-NI in use or not with OpenVPN. There is a lot of overhead already there that has nothing to do with crypto operations. If anything you might see less CPU utilization to accomplish the same speeds but that is more difficult to measure. I would expect a measurable but not dramatic speedup moving to GCM and changing from aes256 to aes128. It's worth doing, but won't fundamentally change the performance characteristics of a machine.

You are the best Derelict! Thank you so much.  It seems to be working, but I'll do some full testing tomorrow. I added a rule so that traffic going to my LAN net doesn't use the WAN interface.  I put that at the top.  Then, I followed it with the rule for traffic going any to route out the WAN interface.  Now, I can ping my internal LAN devices as well as pinging external sites.

Anybody please help ? I just want to loadbalance between P2P and Internet but Internet traffic I want to encrypt so I am using open vpn? Any other suggestion please help. Thanks

So you have a pre-shared key site-to-site server, here is only the remote networks option available.

@NasKar: If I change the gateway on the Plex2 rule from WAN to default I can't get out to the internet. Not sure why default doesn't work but it still works with the gateway as WAN. I've mentioned that behaviour and the solution alreade twice. here: https://forum.pfsense.org/index.php?topic=132341.msg733209#msg733209 and here: https://forum.pfsense.org/index.php?topic=132341.msg732814#msg732814 So what are the troubles with that? If your vpn client connection is up, the packets go out this connection, when there's no gateway specified in the appropriate rule. So you also need to add an outbound NAT rule for this traffic (on the vpn clients interface!). How to do, I've described here: https://forum.pfsense.org/index.php?topic=132341.msg733440#msg733440

@viragomann: There's no need for advanced options to pushing routes. This is done by "Local Networks" option. The idea to put a route  in server advance config comes from this guide. It makes the difference, without that route I cannot access internal subnet with the user who has client specific overrides. The client configuration was ok since the beginning, a route print from windows command line shows it knows how to reach 192.168.1.0/24, the IPv4 Local network of the client specific override. Don't know how to check the routes on firewall: it can reach 192.168.5.0/28, the Ipv4 tunnel network configured with OpenVpn server, but I suspect it has no route to 192.168.6.0/28, Ipv4 tunnel network of the client specific override. Adding that route manually traffic flows as expected.

The pfSense Book is now available for just $24.70! vvv

Thanks, but it seems it's "generate, then package" approach, e.g. same file. Anyway, the main purpose of this post was to understand if it was a pfSense issue or not. Believe the answer is "yes". One possible explanation for the different behavior over time is "fix and re-introduce" has happened. Appreciate the link from the bug database and the guidance provided.

I tried other TCP ports and same results….I see the firewall passing the traffic UDP is working as it should...same server config..just different protocols. Can anyone just confirm they have 2.3.4 routing traffic using OpenVPN TCP? (this is a clean install just done...no upgrade from older versions) Need to make sure before the rest of my hair falls out..  :) thx

Not sure why images are not showing but if you right click and open in new page the links seem to be fine.

did you get tgis to work? im doing it slightly different. got A <ipsec>B <openvpn pki="">C and trying to access A from C. Added the P2 on A and B and pushed the routes on C and still can't get this to work. If you do let me know. Thanks</openvpn></ipsec>

The "bridge fix" package has not been necessary in many, many years. The changes added by the patch are included in any current version (or even somewhat older versions).

@Derelict: Something like this? https://www.infotechwerx.com/blog/Creating-pfSense-Connection-VPNBook This looks very interesting. I have some reading to do. Thx.

This is now working. Looks like it needed a reboot after I'd created the interface. Now to try and work out how to rotate the servers..