• OpenVPN client with multiple server host or address

    0 Votes
    3 Posts
    4k Views
    Thanks to Pinpin for the quick reply. I will try that out. Thank you very much.
  • Recommended Configuration - Site-To-Site Question

    0 Votes
    6 Posts
    1k Views
    So, A<->B is SSL and A<->C is shared key, you're running two separate instances of OpenVPN on A? While there's nothing inherently wrong with that (I run many instances of servers and clients on my boxes), is there any reason not to consolidate the connections into a single server on "A"? If you've already "bit the bullet" and set up an SSL instance, I would suggest making both your connections SSL. Even if you need two separate instances, it'd be worth making both SSL IMHO. While getting the routing options to work with Shared Key is possible, I've always found the options more limiting compared to SSL. Pretty much fill in the network lists you need on the Server side, add the CSOs and you're up and running. The other plus would be we don't have to debug two types of connection (that's just me being greedy ;D)
  • OpenVPN client using 100% of the processor [SOLVED]

    0 Votes
    26 Posts
    18k Views
    I was just monitoring my firewall after a power outage and found this issue. I removed the simple traffic-shaper I recently put in place for VoIP and the CPU usage fell to sensible numbers. I tried putting the shaper back (CBQ) with the wizard but the openvpn usage went back to 100%, so it is not fixed. 2.3.1-RELEASE-p5 (amd64)
  • How to Site-to-Site Open VPN Tap (Bridge) Mode

    0 Votes
    3 Posts
    2k Views
    johnpoz
    What application is it that has to broadcast? What is the latency between these sites? I doubt such a crappy application that needs to broadcast is going to work over any sort of latency. So these sites are using the same IP scheme? I.e. you have say 192.168.0/24 on both sides? Even if you connect them at layer 2, your layer 3 has to be the same. As to your DHCP - the whole point of DHCP relay is to allow for your DHCP servers to be on different layer 2 networks. Here is a thread from 2014 wanting site to site tap - he got it working and there are instructions in there: https://forum.pfsense.org/index.php?topic=84419.0
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • Big gap between server mtu and the client mtu any suggestions

    0 Votes
    1 Posts
    678 Views
    No one has replied
  • User Certificate Details

    0 Votes
    3 Posts
    780 Views
    johnpoz
    The others could be whatever you want on them. Be it based on the specific user you're creating the cert for, or your site and location. Email, for example, could be the user's, the admin's, etc.
  • OpenVPN. Server has IPv4/6 and CARP

    0 Votes
    1 Posts
    488 Views
    No one has replied
  • Cypher and keysize settings 512?

    0 Votes
    5 Posts
    830 Views
    Sorry, that is the one I was talking about.  I'm not at home so I was going off of my phone configuration as I can't look at my system at the moment. Thanks for the answer.
  • OpenVPN to LAN LAGG

    0 Votes
    2 Posts
    813 Views
    switch is probably missing a default gateway, or has the wrong default gateway, or the default is on a diff subnet so it's replying back the wrong way.
  • Openvpn traffic slow

    0 Votes
    1 Posts
    560 Views
    No one has replied
  • Multiwan with force push openvpn traffic over the group

    0 Votes
    4 Posts
    1k Views
    jimp
    Unless I've misunderstood your original request, no, you don't need anything like that. This is assuming you're talking about having remote access OpenVPN clients connect to both your WANs and use Multi-WAN for their Internet-bound traffic coming across the VPN: a: Make sure clients can connect to both WANs: 1. Set the Interface for the VPN to Localhost 2. Add port forwards to both WANs to forward your OpenVPN port for this server to localhost (127.0.0.1) on the same port b: Use gateway groups on OpenVPN rules: 1. Firewall > Rules, OpenVPN tab 2. Add a rule at the top of the list to match from a source of this server's tunnel network, destination is your local LAN, without a gateway set 3. Add a rule just under the previous rule to match from a source of this server's tunnel network, destination is "any", using your existing gateway group.
  • Another "can't reach lan shares through vpn"

    0 Votes
    15 Posts
    6k Views
    Not surprising - many (most/almost all ????) Windows/share issues across OpenVPN are Windows issues not OpenVPN issues. Dare I say that should be the title for a sticky note (or at least a line in the Wiki)...
  • Working OpenVPN tun that can access the LAN reliably

    0 Votes
    13 Posts
    6k Views
    I finally had some time to do some more exhaustive testing and you were right.  For some reason, the default flag in my Android VPN client was not routing all traffic over the VPN.  The route to the LAN was as expected (through pfsense) and the route to the WAN was over the cell network.  Once I set the flag to force everything over the VPN, the behavior (and routes) are the same. So in the end, I really just needed to lower the MTU to get a reliable connection.  I'm just happy it's working  :)
  • Connect to different sites using OpenVpn

    0 Votes
    3 Posts
    707 Views
    I finally got a chance to replace my working PFsense box at the main branch. Now I have it and a test box both v2.3 with openVPN. I exported a client from the test box and installed it on my PC which already had the client exported from the production box. I installed the testbox client which was very quick and evidently only installed the certificate. When I start OpenVPN manager (v. 0.0.3.6) from the desktop icon an icon appears in the area next to the clock (lower right in Windows 10-can't remember the name) then right click I get these options top to bottom: status, Pfsense-udp-1194-admin's name-config, then the same thing except with service on the end. Either of these options connects to the same box. How do I get it so I can choose which box to connect to? Thanks for any help!
  • OpenVPN Newbie connection error

    0 Votes
    12 Posts
    3k Views
    r0utevv3R
    Thanks! You are right, that tutorial is wrong. Now it works perfectly!!
  • How do i add my DDNS address to OpenVPN?

    0 Votes
    2 Posts
    673 Views
    In the client export utility select "Other" at "Host Name Resolution" and enter your domain name at "Host Name" below, then export the client config.
  • HOWTO: Pfsense 2.0.1 - OpenVPN Site 2 MultiSite PKI

    0 Votes
    17 Posts
    28k Views
    Hello, I followed the steps, everything is clear and working, thank you very much!! I have just one problem: is intra-client communication possible? Client 192.168.2.1 -----> communication ok with Server 192.168.1.1 Client 192.168.3.1 -----> communication ok with Server 192.168.1.1 Client 192.168.2.1 -----> communication not ok with client 192.168.3.1 Thank you
  • OpenVPN: How to send traffic from server via client?

    0 Votes
    2 Posts
    686 Views
    To direct the traffic for a particular website to the client you need a route for this site at the OpenVPN server. This can be set up by "client specific overrides". Add an override, select the server and enter the client cert's common name, enter a tunnel network that should be used for this client (within the server's VPN tunnel network). At "Local Networks" fill in your server site's LANs (it's necessary that at least the source IP of the host which wants to access sites via this VPN is entered here to get the route pushed to the client) and other IPs or networks that the client should reach over VPN as you did in the server setting, and at "Remote Networks" enter the addresses or networks you want to reach via the client from the server side. Set the other options to fit your needs. Of course the access has to be allowed by the client's firewall rules as well as at the server side, and the client's router must do masquerading also for the server site's source network.
  • Stopping internet if there is no openvpn tunnel

    0 Votes
    14 Posts
    2k Views
    @heper: that's exactly what that checkbox is supposed to do... "Do not create rules when gateway is down": By default, when a rule has a gateway specified and this gateway is down, the rule is created omitting the gateway. This option overrides that behavior by omitting the entire rule instead. You just need to make sure that there is no rule above & below it that allows the traffic out a different way. Thanks, it did work, just wondering if I have multiple LANs what do I need to do to make them work?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.