@tontoOz: Could someone please clarify or advise how the name of the server can be used instead of the IP address in the above example? Completely unrelated to this thread but Server host or address in the OpenVPN client config takes a hostname or IP address.

Very likely it will be just fine. Another way of looking at it: what's the CPU load on your I7 Win client? Not exactly an apples-apples comparison, but I'd be surprised if you see an appreciable CPU load @90Mbit/s. The main thing that would slow down pfSense would be the introduction of a resource hungry package like Snort/Suricata. With a reasonable amount of memory (1GB would be a start) and the CPU you mentioned, that system should be entirely adequate  for VPN across 100Mbit cable. You might want to check with your VPN provider if they have any particular configuration issues w/pfSense (or perhaps search the other pfSense boards).

Teddy - Cheers, I will check the Bios! If connected, I'm just going to assume it's working! Jimp - I have also had confirmation from my VPN provider that support will be added immediately post 2.4 release.

dude I have NO freaking idea what your doing wrong, since you have provided NOTHING in the way of information… What does the log say on both the server and the client when your saying it doesn't log in?

thank you so much I realized that bit defender what blocking the connection to the adapter I edited the adapter as trusted Thank you so much pretty new to openvpn [image: Clipboarder.2015.12.26-005.png] [image: Clipboarder.2015.12.26-005.png_thumb] [image: Clipboarder.2015.12.26-006.png] [image: Clipboarder.2015.12.26-006.png_thumb]

Found it!! With the current (2014-06-11) state of VirtIO network drivers in FreeBSD, it is necessary to check the Disable hardware checksum offload box under System > Advanced on the Networking tab and to manually reboot pfSense after saving the setting,

Figured it out.  My Local IPv4 network was being listed as the gateway address and not the scope. I changed the last part of the ip from .1 to .0.

Thank you I just ended up using ELK to keep all the logs then filter it to find the user and external IP of the OpenVPN Thank you again ;)

So would the following be a good secure way to issue new certs with minimal disruption? Create another Certificate Authority. Ensure the values are correct for my needs and today's standards. <– I need to research guidance on this. Issue Certs for my clients. Deploy them one at a time when we have the machine in for maintenance. Then using the CRL turn off that old cert and eventually remove the entire list of Certs and old CA.

I'm trying to setup 100K predefined users with certification, I created script to add them all. On what hardware you are trying this to realize? once the script reached to 9K users, openvpn become very slow. And writing a script that adds even and only adding 5000 users per run should not work? Any idea how to figure out what is the root cause for it ? The CPU is to lame The RAM size is to low The storage is to slow or small Why not using an external OpenVPN Server? We use CentOS 6.6 and SoftEtherVPN Server on it. Intel E3-1286v3 / 32 GB ECC RAM / Samsung840 Pro 512 GB SDD Comtech AHA600 VPN acceleration card (AES-CBC) Comtech AHA PCIe372 compresison card (on each side)

Hello, the client must be pingable otherwise you will be missing rules to permit that. If you get no respond form hosts behind the client while your rules allow the access, check this two points: Does the default route at the host you try to reach point to VPN client? If it doesn't you need a route at the host to direct the traffic to the VPN client or you activate NAT for VPN traffic at the client. Ensure that the hosts software firewall allow access. E.g. Windows firewall drops packets from unknown private networks.

Plot thickens: For some reason it seems to tls-verify successfully, but only for the first connection after making a change (which reloads the server config I'm guessing), subsequent connections fail as above: openvpn[56619]: x.x.x.x:59134 VERIFY SCRIPT OK: depth=1, C=xx, ST=xx, L=xxxxx, O=xxxxx, CN=vpn.example.com, emailAddress=xxxxx

After looking at it for several hours, its the little things you miss. Cheers! As to the net30 crap, I wasn't getting routes pushed, so I'll fix that up now, not that it's causing too many dramas, but you are right, I doubt I need it. Thanks again.

@Derelict: https://doc.pfsense.org/index.php/What_is_policy_routing And, in particular: https://doc.pfsense.org/index.php/Bypassing_Policy_Routing I had made an attempt at this previously and failed, following the instructions I used an alias to include 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 this is now working perfectly. Thanks Derelict! Would you be able to use this method to solve this, https://forum.pfsense.org/index.php?topic=104090.0, problem?

Hi, thanks for suggestions. Tested and introduced. Regards JMat

So I got this working finally. Turns out, for my DNS servers, I needed to put my DHCP server there. This allowed the DNS to get resolved. Thanks for your help folks.