• OpenVPN tap can connect to all LAN except the firewall itself

    2
    0 Votes
    2 Posts
    794 Views
    C
    I have both tap and tun servers. I used tap until I found out tun could do most of the same things if configured properly. My tap guide was similar to the one you linked to. If you can get to the lan (for example in file explorer \my_file_server) then you should be able to get to the router. Try 192.168.1.1 from a browser window.
    I have two tun servers. 1 is for private browsing only over public wifi. It uses an auto logon file for convenience. The 2nd uses 2 passwords and a different user id. In both cases, the certs must match the user id. The user id is not obvious because I renamed files in the config directory. The idea for the 2nd one is that the lan should be harder to get to just in case.
    Tap is more full service but tun does the job and is easier to set up. The lan oriented tun server config is the same except for a couple of settings on the main server page. I used the wizard because it provides all the detail work automatically.
    Edit: the tap guide I used. It worked. https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/
    For tun:
    Uncheck redirect gateway
    Enter the local network into the box
    Recheck redirect gateway (this allows you to access the lan and route through the home network)
    Check enable netbios over tcp/ip
    For node type I have p - I'm not quite sure what it does but things worked better with this setting.
    I also added dns servers and checked force dns cache update
    Accessing lan resources differs a little too. With tap it's \my_file_server in file explorer. With tun it's \192.168.1.156 for example. At least for me.
    One big difference is that tap will not work with android without the google play app which allows it. The cost is about $10. It works great. Remote desktop over the local lan works perfectly with both tap and tun.
  • Ping works on both client and server subnet, but I can't ssh any server

    12
    0 Votes
    12 Posts
    2k Views
    johnpoz
    There are plenty of people running pfSense on Xen. If I recall, there might be some issues with offloading checksums? Pretty sure there is a sticky on pfSense on Xen.
  • Need some help with NordVPN settings

    5
    0 Votes
    5 Posts
    5k Views
    H
    I was having the same difficulties trying to get pfSense working with NordVPN; the NordVPN guide is not that helpful! After a lot of searching I found a video on YouTube by a guy called VMNerd. This guy has produced an outstanding tutorial (based on the PIA VPN service) that helped me set up my system perfectly; you just need to download the certificates and get the DNS Server IPs from the NordVPN website: https://www.youtube.com/watch?v=ybcc-OBi7kQ
  • Client specific override with external authentication

    2
    0 Votes
    2 Posts
    647 Views
    jimp
    It uses the auth username as the common name for overrides. The usernames are case sensitive, so make sure the user is typing it in all lower case or that you have an override set matching the case of the username.
  • How do I import a .OVPN file

    Locked
    8
    0 Votes
    8 Posts
    12k Views
    jimp
    No.
  • Open VPN Site to Site working, but?

    7
    0 Votes
    7 Posts
    1k Views
    M
    @Derelict: Just set the local and remote networks. Let pfSense do all the route / route push config.
    Thanks, I found those options when I chose SSL/TLS instead of SSL/TLS+Remote Auth.
  • Upgrade from PIA128aes to something more secure

    4
    0 Votes
    4 Posts
    835 Views
    C
    @someuser123: you can just change your setting by using AES-256-CBC SHA-256 on port 1197 using PIA Strong Certificate https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip
    Got it! Thanks!
  • OPEN VPN CLIENT STATIC IP (SPECIFIC CLIENT OVER RIDES)

    1
    0 Votes
    1 Posts
    526 Views
    No one has replied
  • PIA OpenVPN & Meraki MX64W & Netgate SG-4860 & Per Port VPN Routing

    1
    0 Votes
    1 Posts
    772 Views
    No one has replied
  • Users Unable to Connect after Move

    3
    0 Votes
    3 Posts
    831 Views
    S
    Good to note for future reference about UDP. In either case, I ended up updating pfSense to the latest build and OpenVPN started to connect as normal. I guess I have seen odder things after a move…
  • VPN & Snort

    1
    0 Votes
    1 Posts
    589 Views
    No one has replied
  • Routing to remote wan ip subnet

    3
    0 Votes
    3 Posts
    881 Views
    T
    That worked perfectly.  Thanks so much!
  • Cannot connect site to site

    1
    0 Votes
    1 Posts
    598 Views
    No one has replied
  • OPEN VPN MULTI CLIENT CONNECTION FROM SAME PUBLIC IP

    2
    0 Votes
    2 Posts
    630 Views
    Pippin
    Although not using pfSense for this test, I can confirm that a second client coming from the same public IP is unable to connect. On client side the log shows:
    Tue Dec 20 17:20:27 2016 MANAGEMENT: >STATE:1482250827,WAIT,,,,,,
    Tue Dec 20 17:22:32 2016 Restart pause, 5 second(s)
    On server side no connection attempts show up in log. Clients have their own certificates/commonname, no duplicate-cn.
  • 0 Votes
    3 Posts
    2k Views
    jimp
    Are you on a current snapshot? There was a bug fixed several days ago that was preventing a CA from being imported without a key. It's fixed now, but you have to update to get the fix.
  • 0 Votes
    4 Posts
    1k Views
    S
    Thanks for this. It looked like it was all working - but when I disabled the VPN, it also took down my normal lan, not just the host I want to stop being able to access the net if the VPN is down. It's like it was marking all packets, but it was only set for the one rule (the top one in the first post - below the default). I also tried the alternative method at the bottom and added back the block rule. Any ideas?
  • How to List current options in effect on Client

    2
    0 Votes
    2 Posts
    481 Views
    jimp
    The server can't tell that. It's up to the client. And if you need to see that on the client, there isn't a way to query it. You'll have to increase its log verboseness level so it logs the options it uses.
  • Status OpenVPN Client Connections

    2
    0 Votes
    2 Posts
    650 Views
    jimp
    The status, as shown, is the status output directly given from OpenVPN. We do not correlate that with internal info in any way. We could try, but it wouldn't necessarily be a proper match. It's safer to just show what OpenVPN gives in these cases.
  • OpenVPN service logs not working

    5
    0 Votes
    5 Posts
    2k Views
    D
    The config is correct. I noticed that other logs have not been written for some days. For example:
    Work: General, Firewall, IPSec
    Not work: Gateways, DNS Resolver, OpenVPN, NTP
  • OpenVPN AUTH_FAILED error

    2
    0 Votes
    2 Posts
    3k Views
    M
    Hi altiris, I had the same problem. The key-direction 1 in the .ovpn file should be before the <tls-auth> section and not after. I think it is a bug in the auto-generated file.
    key-direction 1
    <tls-auth>
    # 2048 bit OpenVPN static key
    -----BEGIN OpenVPN Static key V1-----
    ...
    </tls-auth>
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.