@mark1210: unable to ping the server. The OpenVPN server? From where? Have you added proper firewall rules to the OpenVPN rule tab?

@PGalati: I was able to solve this scenario and soon hope to create a how-to to help others that specifically use pfsense and Tomato.  This link pushed me in the right direction: https://doc.pfsense.org/index.php/Why_won't_OpenVPN_push_routes Click on this link to get some additional info about the correct way to configure the openvpn server on pfsense: https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29 To the point, once I changed the pfsense openvpn server mode from Remote Access (SSL+User Auth) to Peer to Peer (SSL/TLS), made the appropriate adjustments on the Tomato side, I started getting ping responses from clients from the server side.  Our Cisco voip phones work both ways now too. Finally! Hi , i'm trying to do the same thing. can you please tell me what your tomato side config is? have you enabled TLS Authentication? did you enable Extra HMAC authorization (tls-auth)? i'm getting TLS Error: incoming packet authentication failed from [AF_INET]

If the interface you are pinging on the server isn't its primary interface, ensure the server has a valid route for return traffic on the interface that you are pinging. Examin "route print" on the server to see where traffic from your OpenVPN subnet will end up.

So, configure an implicit deny firewall rule and only allow what you want.

With Derelict on this - I can see zero reasons why your vpn used by your clients would need to use public CA certs..  The only time public certs need to be used is when you would have uses accessing it that need to trust the CA that you do not control their devices used to access and can not add your CA to their trust list.

HINT: Don't forget to reload / restart your OpenVPN server, after chancing CCD / User specific config.

I was able to fix my mOTP issue using pfsense 2.2.6, however I was able to replicate this issue of yours. Is it possible to upgrade freeradius2 version on a pfsense 2.2.6? Current version is freeradius2 1.6.19.

@Derelict: Then your dyndns isn't bring properly updated. Thanks,Derelict, it was something with the freeDns client update, I changed service to DuckDNS and now everything working smoothly.

Nothing obvious jumps out at me unfortunately. Any time I've had an OpenVPN tunnel blocking in one direction but not the other it's been a firewall rule issue on one of the two pfSense boxes or a firewall in one of the endpoint devices (you're not hitting a Windows firewall issue?) The only other thing different I see from my typical setups is the use of PSK, I typically use PKI. Perhaps you could try to rebuild the link with defined certificates for the server and client? Might be worth a shot to try something different instead of banging your head against the same thing expecting different results (been there…...)

Off course you may change the name of the interface. You have  also to add appropriate firewall rule to the new VPN servers interface. Maybe you just want an allow anything to any rule.

thanks bookmarked  :) really clear and useful guides

you mean for every user i must create Server Certificate  . i'm sorry i'm new to this You don't need a "Server Certificate" for every user, you need a ….. "User" certificate for every user. The general use of these SSL certificates needs: a Certificate of Authority (CA) usually created on the OpenVPN Server a Server Certificate created using the CA in 1) a User Certificate (NOT another Server Certificate) created using the CA in 1) Repeat 3 for as many users as you need. If you go into the Certificate Manager in pfSense you should be able to see all these pieces and verify that the OpenVPN Server cerificate is type "Server=YES" and the User certificate is type "Server=NO". As marvosa suggested, if this gets messed up from your various attempts it may be simpler to start clean and work through the steps. It really shouldn't be too tough to setup.

this is exactly what I am working on right now. I have it even working more or less, but as I am new to developing with php and also with pfsense, I am not sure how to implement it the correct way to be sure, that with the next official release it won't get overwritten. My user portal page which I made now is kompletely based on the export-module (due the lack of php and pfsense development knowledge, i'd probably broke more than I invented). Sadly I did not understand 100% yet how the access model for the files works in pfsense. Users can login with android, and due to the right mime type, the openvpn connect app will directly open the file after it was downloaded. (No anoying "Import from SD card" anymore) The user portal is done in a cloned version of the vpn-openvpn-export.php. Sadly, in order to make the download button in the users profile working, I have to allow access to the regular export page too. May be someone can give me some hint, how I can get this in production with a good feeling? many thanks in advance [image: pf_userexp.png] [image: pf_userexp.png_thumb]

I found the same problem in one of the posts here in the forum. However it had not been solved: https://forum.pfsense.org/index.php?topic=40672.0

Thanks!  I will wait for 2.4 then…

I fixed this, I upgraded my server to an Intel Xeon E31270 and moved from VMware to bare metal which gave me more constant throughput via openVPN, but the thing that really helped was setting the MTU and MSS in the openvpn client manual options and on the openvpn WAN interfaces as this needed to be lower for my OpenVPN connection.

Have you tried  Diagnostics -> Command Prompt ls -la /var/etc/openvpn chmod 0600 /var/etc/openvpn/client1.up

Viragomann, thank you very much for your help to Shaddoh and I.  Ended up fixing it by deleting the server and client setup and doing it step by step according to this article – https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site.  Previously we'd been trying to make it work based on the steps in this article -- https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL).  I'm sure either ought to work, and I know for sure that I've gotten a 4-site setup doing the steps in the PKI/SSL article, but I don't have access to that setup to do testing, and I think the way we ended up doing it ought to work plenty well enough for what we're trying to do right now. Thanks again, we appreciate the help stepping through the debugging process.

Is it possible to upload the configuration setting that worked for you  ?