• PFSense to Witopia

    4
    0 Votes
    4 Posts
    2k Views
    B
    Jingles, I think adding two servers will allow the client to use the second one if the first one isn't working.

    Dmitriy, I am reviewing their client config file; they don't specify a digest algorithm. They provide the following:

    client
    dev tun
    proto udp
    remote [REPLACE WITH SERVER NAME] 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    cipher bf-cbc
    comp-lzo
    verb 3
    mute 20
    ca ca.crt
    mssfix 1300
    key CN1.key
    cert CN2.crt
    #tls-auth ta.key 1

    Since I am using pfSense, I don't need to specify the path for the files, since pfSense allows me to put the certs in the certificate authority and load the TLS key in the GUI. Right?

    I changed the verbosity to 4 and got this:

    Jan 20 18:19:21 openvpn[84390]: real_hash_size = 256
    Jan 20 18:19:21 openvpn[84390]: virtual_hash_size = 256
    Jan 20 18:19:21 openvpn[84390]: client_connect_script = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: learn_address_script = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: client_disconnect_script = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: client_config_dir = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: ccd_exclusive = DISABLED
    Jan 20 18:19:21 openvpn[84390]: tmp_dir = '/tmp'
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_defined = DISABLED
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_local = 0.0.0.0
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_remote_netmask = 0.0.0.0
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_ipv6_defined = DISABLED
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_ipv6_local = ::/0
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_ipv6_remote = ::
    Jan 20 18:19:21 openvpn[84390]: enable_c2c = DISABLED
    Jan 20 18:19:21 openvpn[84390]: duplicate_cn = DISABLED
    Jan 20 18:19:21 openvpn[84390]: cf_max = 0
    Jan 20 18:19:21 openvpn[84390]: cf_per = 0
    Jan 20 18:19:21 openvpn[84390]: max_clients = 1024
    Jan 20 18:19:21 openvpn[84390]: max_routes_per_client = 256
    Jan 20 18:19:21 openvpn[84390]: auth_user_pass_verify_script = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: auth_user_pass_verify_script_via_file = DISABLED
    Jan 20 18:19:21 openvpn[84390]: port_share_host = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: port_share_port = 0
    Jan 20 18:19:21 openvpn[84390]: client = ENABLED
    Jan 20 18:19:21 openvpn[84390]: pull = ENABLED
    Jan 20 18:19:21 openvpn[84390]: auth_user_pass_file = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: OpenVPN 2.3.3 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
    Jan 20 18:19:21 openvpn[84390]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    Jan 20 18:19:21 openvpn[84390]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Jan 20 18:19:21 openvpn[84390]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 20 18:19:21 openvpn[84390]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
    Jan 20 18:19:21 openvpn[84390]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 20 18:19:21 openvpn[84390]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 20 18:19:21 openvpn[84390]: LZO compression initialized
    Jan 20 18:19:21 openvpn[84390]: Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Jan 20 18:19:21 openvpn[84390]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Jan 20 18:19:21 openvpn[84390]: Data Channel MTU parms [ L:1542 D:1300 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Jan 20 18:19:21 openvpn[84390]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Jan 20 18:19:21 openvpn[84390]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Jan 20 18:19:21 openvpn[84390]: Local Options hash (VER=V4): '504e774e'
    Jan 20 18:19:21 openvpn[84390]: Expected Remote Options hash (VER=V4): '14168603'
    Jan 20 18:19:21 openvpn[84425]: UDPv4 link local (bound): [AF_INET]XXX.XXX.1.222
    Jan 20 18:19:21 openvpn[84425]: UDPv4 link remote: [AF_INET]XXX.XXX.111.111:1194
    Jan 20 18:19:21 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
    Jan 20 18:19:21 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194
    Jan 20 18:19:23 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
    Jan 20 18:19:23 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194
    Jan 20 18:19:27 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
    Jan 20 18:19:27 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194

    The only places I think may be wrong are the bolded. Thanks for any help. Also, when posting, what info should I take out or clean? Just the IP addresses?
  • OpenVPN dual ldap not work

    3
    0 Votes
    3 Posts
    1k Views
    O
    Thanks, but how?
  • Couple of questions

    3
    0 Votes
    3 Posts
    859 Views
    J
    Thanks mate, sorted it.
  • No port 80, 443 access via openVPN

    3
    0 Votes
    3 Posts
    1k Views
    J
    The only rule I have is the auto generated one, Allow all from all. I am not using squid as a proxy. However you asking the question made me start thinking in a different direction. I have a content filter in between pfsense and my network. I bet something is happening there. That would explain why it's just http/https. Thanks. If I figure it out I'll update.
  • How to resolve local and remote hosts

    4
    0 Votes
    4 Posts
    2k Views
    johnpozJ
    So I am at company X, and my company has servers, let's call them serverA.companyX.com for example. How does 10.0.8.1 as your home DNS know about serverA.companyX.com when it is only resolvable by computers on the companyX network - it is not open to the public NET..  For example the Active Directory servers. While you can hand out multiple dns to your pfsense clients, just because you have multiple dns, depending on what the dns returns when asked for serverA.companyX.com it's just going to stop..  And if I ask say the companyX dns for something at home pfsense.localdomain.net - it sure and the hell does not know.. The best solution to this sort of problem is say run bind on your box..  Point to it for dns.. And in it have a forwarder for localdomain.net to ask your dns on your home network, and everything else go to your corp dns. That way you can resolve both your company stuff and your home stuff when you have a vpn connection.  It does not have to be bind, could be dnsmasq, tinydns, unbound, anything that can make the call..
  • PfSense as VPN Tunnel concentrator for LAN Gaming

    9
    0 Votes
    9 Posts
    3k Views
    M
    @Derelict: I think most of what you need is here: https://forum.pfsense.org/index.php?topic=46984.0 I don't think you need the fix package any more.  That post is a couple of years old.  I don't see it listed in available packages. Thanks!! I will try the guide!
  • Problems with roadwarrior openVPN to an alias-IP

    1
    0 Votes
    1 Posts
    603 Views
    No one has replied
  • OpenVPN client for access via IP Alias network

    1
    0 Votes
    1 Posts
    553 Views
    No one has replied
  • OpenVPN with certificates + LDAP

    5
    0 Votes
    5 Posts
    5k Views
    S
    Derp.  Thank you.  I don't know how I missed that option during the setup wizard, but I did.  I edited the server entry under OpenVPN for my LDAP server, changed it to Remote Access (SSL/TLS + User Auth), and the client export wizard now shows a client build for the certificate I cut for my test user.  Now I just need to install it someplace and verify it's all working :D  Thanks a ton!
  • Routing issue mobile clients can't reach remote site

    8
    0 Votes
    8 Posts
    1k Views
    M
    > you need to add the network so the traffic can return

    Absolutely, you need a return route for the road warrior tunnel network on PFsense02, so the return traffic gets routed down the tunnel…but if you notice, the road warrior tunnel network is 10.0.7.0/24 not 10.123.45.0/24. I'm guessing he was working on multiple documents and posted the wrong subnet by mistake because 10.123.45.0/24 is nowhere in his diagram. Someone please point it out if it's right in front of my face and I'm missing it, but going strictly off the diagram... I don't see any reason for routing 10.123.45.0/24 down the tunnel.
  • Install / Upgrade OpenVPN/OpenSSL on pfsense 2.1.5 box. (vmware vm)

    2
    0 Votes
    2 Posts
    1k Views
    L
    After some testing, I have installed a new VM acting as a VPN server with pfSense 2.2 beta. pfSense 2.2 has OpenVPN version 2.3.6 and OpenSSL 1.0.1i by default, therefore it finally utilizes the AES-NI feature, which reduces the CPU load by 45% on average, while I keep the 15 MByte/sec download bandwidth over VPN.
  • Open VPN connection to work - "dial on demand" setup ?

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Seemingly random CPU spikes (Causes high pings and VPN + WAN to go down)

    1
    0 Votes
    1 Posts
    575 Views
    No one has replied
  • Does OpenVPN take up space on a harddrive?

    4
    0 Votes
    4 Posts
    920 Views
    K
    Nope.
  • Creating an as secure as possible OpenVPN Server in pfsense?

    2
    0 Votes
    2 Posts
    1k Views
    johnpozJ
    While the restriction to an IP address would pretty much lock it down..  That sort of thing is really hard to do if this is going to be a road warrior sort of connection.  If it's for you to connect to your house from work that is another thing. You should never share connection creds or certs, so yeah - if you have multiple users they should all have their own details. +user auth would protect against the case where the certs and configuration were lost. Yup, good thing. Kind of a given you would want to auth the TLS - that is default I am pretty sure.. Auto gen is fine - unless you already had some keys you wanted to use from before, that sort of thing. 2048bit should be more than enough, but feel free to use 4096 if it helps you sleep at night ;) I personally just use BF-CBC 128 bit, it's going to be a rare thing that someone would grab your packets and break the encryption..  I don't work for the DoD, it's my connection from the road or at work to the home network.  Want something that has the least CPU overhead.  If you have some hardware that can help with the encryption then use the alg that is best suited for that..  Other than that I don't think it's going to matter all that much.  Again if AES 256 helps you sleep then sure use that. As for what you're doing with your CA.. Not sure what you're asking.. You create a CA in pfSense, you then gen user certs using that CA.  Are you wanting to use some CA outside pfSense and have it gen your user certs?
  • 2 WAN and 2 OpenVPN , no client export on second server

    10
    0 Votes
    10 Posts
    2k Views
    A
    My fault, thx for the help.
  • Can't get OpenVPN to work

    11
    0 Votes
    11 Posts
    3k Views
    A
    I thought about that at the beginning, but since I'm using NAT for both 80 and 443 for my development box I can't test the OpenVPN on it. I turned the SIP ALG back on, but for some reason it is still working. Honestly, I'm clueless; as long as it works, I'm a happy man.
  • Open vpn hub/spoke setup

    5
    0 Votes
    5 Posts
    3k Views
    DerelictD
    Will IPsec let you do this? ![Screen Shot 2015-01-10 at 11.10.29 PM.png](/public/imported_attachments/1/Screen Shot 2015-01-10 at 11.10.29 PM.png)
  • Do I need a DMZ ? a VLAN ? (only 2 physical interfaces)

    4
    0 Votes
    4 Posts
    1k Views
    P
    Yes, the computer stays in the ordinary LAN with the others - it just has a fixed known IP that makes it easy to match in a rule.

    > create a rule for this special computer IP before the other LAN computers' rules

    Yes

    > If yes, what do you mean by "!LANnet". Is it a special net I have to create? If yes, where in the menus?

    I mean, in the rule destination select LANnet from the dropdown list, and check the "not" checkbox. You do not want traffic from "special LAN IP" that is going to the pfSense LAN itself to be forced out WAN_GW.

    > And "gateway WAN_GW"? Should I create a Gateway somewhere in the menus?

    In the advanced section of the rule definition there is a "Gateway" row - open that up and pick WAN_GW. That will force the matching traffic out WAN.
  • Site-to-Site OpenVPN compression slower than Viscosity client

    3
    0 Votes
    3 Posts
    2k Views
    R
    Thanks jump. Yep, that seems to be it.  I am running an ATOM Dual-Core 1.66GHz D510 CPU, and it can only muster about 7-8MB/sec with compression on the OpenVPN tunnel.  I can easily hit 10-11MB/sec using my Mac laptop (Quad-core i7). Appreciate the reply.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.