In general it should be possible to recreate the current Win-based OpenVPN server so that it performs the same way in pfSense. A critical piece of the transfer will be extracting the certificates used in the Windows setup and transferring them to pfSense. The other pieces of the puzzle should be fairly straightforward. Now having said all that, there isn't a simple "import" function that will do this. If you can describe your setup in more detail - a simple network diagram and description of what your trying to accomplish - would really help us help you. Who setup the original Windows installation?

Yes, if the port forwarding works correctly and the traffic is permitted the VPN connection will work well. I've had a similar setup for a time.

Thanks everyone for your help.  I have solved the problem. The reason it wasnt working is becuase i was putting a /30 network in the tunnel network, but using a /24 in the local network.  As soon as i changed this, it came up in openvpn status. Thank you everyone so much for your help.  Its communities that make products extra good, and this is one hell of a product!

Try to change over VPN servers interface to the specific VIP. If that works and you need it listening on more than this one resolve that with NAT port forwarding.

I just went into the cert manager and created a test CA and then a cert off that CA and no issues.  So yeah without some exact details of that your doing no way look into this. Please post a screenshot of your settings used to create your CA, and then the error your seeing [image: testcaandcert.png] [image: testcaandcert.png_thumb]

If you have a gold subscription, there is a Hangout video a did a couple months back walking through a basic HA setup, and there is also info in the book.

And… is the Windows firewall disabled there?

VM is OK. No IPsec problems with a VM. Start a new thread in the IPsec section for that with details for help with that.

Good work.  It really is amazing isnt it :)

I did make 2 open vpn servers on different ports and have each client connect to the separate one. I don't know if that is how it's supposed to be. The pfsense forums were down when I configured this the other day. Client 2 vpn config IPv4 Tunnel Network 192.168.22.0/24 IPv4 Remote Network 192.168.1.0/24,10.10.1.0/24 Client 1 vpn config IPv4 Tunnel Network 192.168.21.0/24 IPv4 Remote Network 192.168.1.0/24,10.10.2.0/24 Server vpn config client 1: IPv4 Tunnel Network 192.168.21.0/24 IPv4 Local Network/s 192.168.1.0/24 IPv4 Remote Network/s 10.10.1.0/24,10.10.2.0/24 client 2: IPv4 Tunnel Network 192.168.21.0/24 IPv4 Local Network/s 192.168.1.0/24 IPv4 Remote Network/s 10.10.2.0/24,10.10.1.0/24

The hub can't see the same subnet twice. To avoid the conflict, the remote sites have to do NAT. No way around it.

Update: Okay, I got this far that firewall rules added to the default OpenVPN interface work (i.e. drop all traffic from client 10.1.0.1 on Site B firewall), but if I add the same rule to the ovpnc1 (VPN) interface nothing happens. What is the purpose of adding ovpnc1 if firewall rules applied to it don't work?

If you want the VPN to be connected to LAN you must do both. Selecting LAN for the bridge in OpenVPN does not create a bridge, it only tells it where your LAN network is. You must create the LAN/OpenVPN bridge yourself separate from that setting.

Can you give any notes on this setup, did you need to create static routes on the remote ipsec routers to point to the openvpn subnet?

Sorry folks, it was a firewall rules. On the client side I had to put allow ALL rules into the OpenVPN firewall tab section. It was already done at the server by virtue of being the server and whatever guide I read. Thanks for the advice.

Everything is now working, thank you very much divsys and heper for all the pointers. For those looking for a similar setup, here's what I needed to do. I needed to assign the OpenVPN client connection sto an interface, ex: OPT1 and set the Interface Type to none [image: index.php?action=dlattach;topic=97625.0;attach=65260] Under Firewall: Rules -> OPT1 tab, add the appropriate. ex: pass all traffic [image: index.php?action=dlattach;topic=97625.0;attach=65262] Under Firewall: NAT -> Outbound tab, select the interface used for the OpenVPN connection (ex: OPT1) and add the destination network (ex: 10.8.0.0/24) [image: index.php?action=dlattach;topic=97625.0;attach=65264] [image: nat_rule.PNG_thumb] [image: nat_rule.PNG] [image: firewall_rule.PNG_thumb] [image: firewall_rule.PNG] [image: assign_interface.PNG_thumb] [image: assign_interface.PNG]