• OpenVPN pfs2.2 routing problem

    0 Votes
    4 Posts
    1k Views
    Thank you guys!!! Of course simple thing :) All my clients (servers, desktops) have different gateway because I'm building pfsense host next to my main UTM. Of course when I changed gateways IP address I can get now that server. And of course pinging is not working in some servers because host interprets vpn client as they coming from private network. Some firewall rules must be changed. Thanks again.
  • 0 Votes
    4 Posts
    7k Views
    I can't wait for OpenSSL to go away. Software should never implement its own rng and should always get rng from the OS. That being said, I trust Intel's RNG more than OpenSSL's crazy fall through logic that can sometimes source "random" data directly from your raw secret keys. Or at least it has in the recent past.
  • 0 Votes
    3 Posts
    1k Views
    @Derelict: Don't see any such thing ever.  Are you sure it's not lovely comcast doing shenanigans with a long-established session? I suspect this is the most likely scenario. It hasn't happened in a while now at least.
  • Interesting routing issue

    0 Votes
    6 Posts
    1k Views
    That all depends on your config, routing and full tunnel vs split tunnel.  We are all just speculating without looking at the config and your routing tables.
  • Multiple connection from a network to OpenVPN

    0 Votes
    7 Posts
    2k Views
    kejianshi: Thanks a lot for your tips! I have solved the problem! Now I'm running the VPN Server using UDP on a high port (51750), and disabled the option to redirect all the traffic through the gateway. And I have also changed the topology (of the VPN tunnel) from subnet30 to /24. Now I can connect using Android Phone, Android Tablet and Windows PC and access all resources from the destination network, even if all the devices are using the same shared internet connection. Thank you! :)
  • ERROR: Linux route delete command failure

    0 Votes
    10 Posts
    9k Views
    DerelictD
    You know what.  I think a lot of people get strange errors at that point.  Not really an error but OpenVPN trying to do something that's already been done or something.
  • OpenVPN Client export compatibility with win8.1 x64

    0 Votes
    5 Posts
    1k Views
    Thank you sirs! Confirmed -win6 variants work perfectly without changes required to win8 services options as mentioned in many early release tutorials. Cheers
  • Multi-Wan + OpenVPN

    0 Votes
    1 Posts
    718 Views
    No one has replied
  • Stretched LAN using OVPN

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • Moderate performance with OpenVPN connection

    0 Votes
    3 Posts
    991 Views
    When using a more powerful machine as VPN client I'm able to saturate the 100mbit link. Sftp to pfsense over openvpn maxes out at 20 mbit. Any thoughts? Edit: the link between both sites has a pretty low latency btw (+- 10 ms)
  • OpenVPN - LAN - Router

    0 Votes
    4 Posts
    1k Views
    As a practical matter, I would also change that LAN 192.168.1.0/24 in the middle to some other more obscure private address space. That will help avoid problems for your Road Warriors when they are sitting in their local cafe and the cafe WiFi hotspot is also 192.168.1.0/24
  • OpenVPN not working with dual WAN

    0 Votes
    2 Posts
    980 Views
    I guess you are using policy-routing rules on your LAN, to direct traffic to WAN1 and WAN2 according to your failover and load-balancing needs. In that case, you need to have a rule on LAN that matches source LANnet, destination OpenVPN tunnel subnet (10.0.8.0/24), gateway none. That will allow the traffic returning from LAN to the OpenVPN client to be passed normally to the routing table, which knows how to route it across the OpenVPN tunnel to the client. Without that, the traffic can be forced out WAN1 or WAN2 by a policy-routing rule, and of course never reaches the OpenVPN client.
  • OpenVPN Peer to Peer IPv6 Tunnel Network not working

    0 Votes
    7 Posts
    2k Views
    I am currently having the same issue - with 2.2 and tap. I used a HE tunnelbroker to get IPv6 on a server in the datacenter. The server is connected to another pfSense installation at home. I allocated a /48, and split it into /64s. One of the /64s was to be used for the home network, and the other /64 was to be used for the rest of the clients on the OpenVPN network. Whenever any IPv6 address is added to the TAP interface, the entire interface instantly wipes itself out, removing both IPv4 and IPv4 addresses. As a result, it makes OpenVPN unusable.
  • 0 Votes
    10 Posts
    3k Views
    Anyway, this is resolved. I needed "route 192.168.25.0 255.255.255.0 10.9.0.2 (ip address of the ovpn interface where the subnet is located" Yes, the routing issue was fairly evident once you posted the configs.
  • Can't surf

    0 Votes
    20 Posts
    3k Views
    So this does not morph into a vps thread, please start a new post to discuss vps'. Thanks
  • Auth and User Certificates

    0 Votes
    4 Posts
    2k Views
    You need to select this option on the VPN server: "when authenticating users, enforce a match between the common name of the client certificate and the username given at login." The user A will only be able to log in with his certificate.
  • PSK vs. PKI

    0 Votes
    4 Posts
    2k Views
    @rand4505: Stop using PSK, use 2048bit+ RSA/DSA keys, with group 14 or higher DH, PFS. See: http://cdn.media.ccc.de/congress/2014/h264-sd/31c3-6258-en-Reconstructing_narratives_sd.mp4 Thank you for the video!
  • OpenVPN client: pfSense states for VPN not killed on reconnect?

    0 Votes
    3 Posts
    1k Views
    Hi, thanks for the quick reply. I tried this setting without effect (in fact, the box WAS checked, so I unchecked it. From the description, state killing takes place, when it is unchecked). In my understanding, it only does something, if a gateway fails. So it would kill the "normal" states of connections on my WAN gateway. However, the states of connections through my VPN are not affected and still stay in place…
  • Openvpn on hyper-v

    0 Votes
    2 Posts
    1k Views
    Hey, Check this thread: https://forum.pfsense.org/index.php/topic,56565.msg364122.html however, IMHO always, get an Alix box or use OpenVPN AS Hyper-V VM (2 free users), or (don't know your Hyper-V edition), use a Linux VM with openvpn server. Best regards Kostas
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.