• [SOLVED] OpenVPN issues with 2.3.1

    6
    0 Votes
    6 Posts
    7k Views
    R
    Thank you. Somehow I changed my user cert to the server cert. Now working.
  • Central Certificate for VPN clients?

    2
    0 Votes
    2 Posts
    1k Views
    johnpozJ
    Your central CA could be your AD, one of your pfSense firewalls, some public or any other CA you want to use. Central CA for all certs you sign is a good idea, be it user certs for OpenVPN, AD, internal websites, etc. More than likely this should end up being the one you use for AD.. most likely the MS built-in one. The only certs you really need from public are ones that will be used by public with machines that you do not control and cannot trust your own internal CA. If you have a website that is accessed via public, then you need to use a public CA that users' browsers auto trust. If the site or VPN is only accessed by your machines, or users that you can give the CA cert to trust, then internal works great, centralizing that makes for easier management and control. While using the CAs on pfSense does make it easy, the interface is pretty clean. But if you're going to manage lots and lots of certs it might get a bit hectic.. If it was me, I would most likely leverage the AD CA, since you pretty much use that for all your machine certs as they join your domain anyway. Might as well just leverage it for all your internal use certs.
  • 2.3.1 OpenVPN start up - "Socket bind failed - Address already in use"

    3
    0 Votes
    3 Posts
    5k Views
    V
    Update: The problem only occurs when the OpenVPN servers are listening on the WAN CARP VIP. If I set them to listen on an internal CARP VIP all servers and daemons start smoothly. I've tested it with 2 other CARP VIPs a couple of times, no failure. The WAN interfaces of the 2 pfSense boxes are connected to the WAN switch, which is also connected to the ISP's modem, no other devices there. CARP works without an issue. So what could be wrong with the WAN CARP VIP? Now I let the servers listen at an internal VIP on OPT2 on both master and backup, and I forward the OpenVPN ports from WAN VIP to it. Now there is no fault at start up.
  • Openvpn setup on PIA vpn service please help

    11
    0 Votes
    11 Posts
    2k Views
    johnpozJ
    No not PFM.. simple networking.. Again without you posting what you did, it's impossible to know what you had missed.. Maybe the guide font was too small and you were missing half of the steps? Glad you got it sorted, but how are you a retired tech and don't know how to ask a support question and post what you did? What pages to post - how about the pages you edited via the guide? Good luck with your router and VPN that you believe is PFM… that is not a good sign of success when you don't understand how the tech you're using and managing works.. It's ok if the users think it's PFM, but the person with the hand on the controls needs to have a little more understanding than I clicked on some shit and now it's working..
  • OpenVPN Site to Site - No pings

    4
    0 Votes
    4 Posts
    1k Views
    C
    Yup, that did it. I went ahead and added a static route to both pfSense boxes, forcing their destination network through the appropriate GW. At least right now, my office can ping and hit endpoints on the client's side. I cannot yet ping my office from the client's side. That may be due to a pending reboot though. For whatever reason, that seems redundant to me. But I guess you're saying that if the pfSense box is behind another router, then that sort of thing needs to happen? Otherwise if both boxes were up against the public IP/modem, that static routing would not need to occur? Thanks again for a nudge in the right direction. Now to clean up my mess, and work on DNS passing through. -Chrisso
  • OpenVPN - Viscosity Mac - Dropping Connection

    3
    0 Votes
    3 Posts
    2k Views
    DerelictD
    Dropping connections every minute usually means you are connecting from two different clients and have not configured the server to accept connections from multiple clients with the same credentials.
  • Automate openvpn client configuration

    1
    0 Votes
    1 Posts
    613 Views
    No one has replied
  • OpenVPN Client Export

    9
    0 Votes
    9 Posts
    7k Views
    R
    Bingo. That's what I needed. I had configured it from a tablet in trying to troubleshoot and must have set it to SSL/TLS + UserAuth, switching it back brought back the client export list. Thanks,
  • Open VPN over cell connection - should web traffic work?

    5
    0 Votes
    5 Posts
    1k Views
    A
    One more thing to mention - if you assign your VPN clients IPs from a subnet which is different from your LAN - you will need a separate NAT rule to allow this traffic to leave your pfSense box.
  • DNSBL through OpenVPN

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ
    In the future there is no need to hide or try and obfuscate your local address space (rfc1918) ie 192.168/16, 10/8, 172.16/12. We all use the same addresses, it does not route on the internet. If I tell you I use 192.168.9.0/24 and my machine's address is 192.168.9.100 and my VPN clients use 10.0.8/24 as their tunnel, it doesn't give away anything at all that could be used to find you or know who you are, etc. etc. To me hiding it does 2 things, it makes it harder to understand so can help, and 2nd thing is it makes me think the person posting is not the bright bulb in the pack when it comes to networking.. Should prob talk to them like they are 3 going on 4 years old and had a hard time in preschool with learning their colors ;) heheheeh You know the kid sitting in the corner drooling eating glue..
  • OpenVPN for VLAN

    3
    0 Votes
    3 Posts
    2k Views
    johnpozJ
    Yes it's called policy based routing.. You're going to want to make sure you don't pull routes from the VPN client connection on pfSense. And then just create firewall rules to send what traffic or devices you want to send down the pfSense client VPN connection.
  • OpenVPN per user IP

    2
    0 Votes
    2 Posts
    792 Views
    C
    I've solved it. In common name I use the username from Active Directory and advanced config with ifconfig-push. It works with or without user certificate.
  • OPENVPN + MTOP is not normal login bug

    6
    0 Votes
    6 Posts
    954 Views
    B
    I manually start freeradius but openvpn+motp does not log in, so I use this method again: click Services -> freeradius -> Users, find the user that cannot log in, click "edit this item", do not change anything and click "save", then log in again, and the motp login is OK. So the freeradius motp has a bug.
  • [RESOLVED]Directed to local router instead of my pfSense

    3
    0 Votes
    3 Posts
    895 Views
    ?
    Thank you for your reply, and for providing me with a recommendation. Sorry if my post was a little confusing at first. Originally I thought of this but wasn't completely sure as I have felt that even on a network of the same private ip of my local home network; tunneling thru the vpn still worked for me. I wanted to see if there was something else to try as changing my local home network would require me to edit all my static IP I've created  :'(
  • Using OpenVPN with my local network

    1
    0 Votes
    1 Posts
    632 Views
    No one has replied
  • OpenVpn Second factor authentication

    4
    0 Votes
    4 Posts
    2k Views
    johnpozJ
    Yeah it's funny how some of these auditors don't actually understand what they are auditing ;) Ok MFA is a requirement, we are using MFA already.. How many factors you want ;) Should we have the users submit a DNA sample every time they auth? ROFL Then you would have 3, cert they have, password they know and their DNA something they are.. Glad you got it sorted.. Your users would have prob had a fit with many a help desk call having to add the OTP auth along with their password, etc.
  • 0 Votes
    1 Posts
    519 Views
    No one has replied
  • Open vpn and static routing

    5
    0 Votes
    5 Posts
    2k Views
    C
    Thanks Viragomann I appreciate it, this concludes my 2 week search for the masquerade or outbound NAT as u call it in pfSense. When I did that and logged to mikrotik from my iPhone the IP was that of pfSense, therefore I can see all 10.0 networks on the mikrotik. Thanks again, I hope I can help others who experience issues in this transition from PPTP to OpenVPN. I had no idea that the interface address meant the pfSense IP so I was putting my IP as a /32 subnet and it didn't work. Also I used source NAT OpenVPN interface instead of LAN so it was 2 mistakes I did. Now all that remains is to fix the 2 broken packages that remain on the menus after the upgrade and make me nuts!!!! nut and BandwidthD that return 404 error. Yes I know I should have uninstalled them before the upgrade but who reads the fine print right? Especially in Greece!
  • Advise on OpenVPN Setup

    2
    0 Votes
    2 Posts
    653 Views
    D
    I would gently suggest you try this setup using PKI. My experience has been SSL/TLS gives you a more robust and flexible setup, especially if you need to expand later on. You can probably keep your existing server-client setups, just create a new CA on the server and use that to create individual certificates for: OpenVPN server - type Server Each client - type User You can enable auto-TLS on the server and use that key for an extra layer of security. The clients will need a copy of the CA cert (not the private key part) and their respective certificates (created in 2)  ). It sounds a little daunting, but once you have one done the rest will fall in line pretty simply. If you post back, we can help along the way.
  • OpenVPN not working on android?

    18
    0 Votes
    18 Posts
    6k Views
    R
    Perfect - you fixed the PBX issue for me! Zoiper works well! Only two other issues for me seem to be related to external web traffic. If I am browsing Facebook or Reddit it works fine on: Wifi or cell service. If I log into the VPN, the web isn't loading anymore. It seems like I am good for internal things on my network (for the most part). Root Explorer on Android is having a hard time browsing SMB folders on my FreeNAS box over VPN but works fine on wifi.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.