• High CPU Usage after Upgrade

    4
    0 Votes
    4 Posts
    974 Views
    K
    I just checked this morning at the cpu usage and as written about above, the two OpenVPN instances are using loads of cpu time. See screenshot. Any ideas on this? [image: cpu_usage.png]
  • Openvpn interface up/down when, how?

    2
    0 Votes
    2 Posts
    597 Views
    K
    Any idea? Should I change to gre over ipsec?
  • Client Specific Override Always Assigns Network IP to Client

    12
    0 Votes
    12 Posts
    4k Views
    J
    @divsys: Yah, the full screen shot has a few other sections (like Topology for one) that might affect things. The other things to try are a full reboot of the server box or (if that's too onerous) search for the running server process and explicitly kill it. Worth it just to make sure you're on a level playing field as far as previous attempts go. You can up the server's verbosity so you should be able to see if the CSO is getting applied when the client connects. Similarly the client logs may show what's trying to apply if you up the logging level. Are the clients just typical Win, android, iPhone, or something else? Attached SS's of the Server and CSO's. When I get home later I can troubleshoot further. And yes the client I'm testing with is android phone. [image: Server.jpg] [image: CSO.jpg]
  • Need a How-To

    8
    0 Votes
    8 Posts
    2k Views
    imWACCoI
    @Derelict: Is something not working? No, I just want to understand the settings before I implement them. I've had to Restore-To-Default once because of the major update to Snort, and me not understanding settings.
  • Port Forwarding

    3
    0 Votes
    3 Posts
    1k Views
    johnpozJ
    The openvpn wizard does not create a port forward, it does create a rule on your wan for the port you use for that vpn instance. How would a port forward to your pfsense lan IP allow for scanning of your "machines" even if you did create the forward?
  • Strange openvpn (server) issue since upgrade to v2.3

    2
    0 Votes
    2 Posts
    1k Views
    L
    Heeeeeelp :'(
  • 0 Votes
    4 Posts
    1k Views
    G
    Can I add a question? If I want to set up multiple client sites, do I need separate server entries on the server firewall? Thanks,
  • OpenVPN cannot connect after the latest upgrade (2.3.11)

    7
    0 Votes
    7 Posts
    2k Views
    johnpozJ
    "SSL3_GET_CLIENT_CERTIFICATE:**no certificate returned**" Seems kind of hard to validate if there is no cert presented.
  • OpenVPN - client machine to server-lockdown

    13
    0 Votes
    13 Posts
    3k Views
    F
    I assume NAT is not possible, because I run in transparent mode/bridged?
  • Upgrade to 2.3 and /30 topology

    10
    0 Votes
    10 Posts
    3k Views
    C
    The original issue here is fixed in 2.3.1, the config upgrade will now appropriately set your topology to stay the same as it was previously. 2.3.1 also has the latest OpenVPN 2.3.11, though I don't see anything between 2.3.10 and 2.3.11 that'd be relevant. https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
  • [SOLVED] openVPN auth. + OTP server (strange behaviour)

    3
    0 Votes
    3 Posts
    2k Views
    F
    @divsys: The two issues that immediately come to mind: The ports you use on pfSense for the two different OpenVPN servers must be different and have the appropriate Firewall rules enabled. You can use both 1194 and 11394 for the two different servers, but you must have firewall rules for both. The certificate you used for the 2nd OpenVPN server should be different than the 1st (you say that it was - good), but the CA used for that certificate must be the same as the CA used for the Client's certificate. In addition, the Client's certificate should be of Type "User" NOT "Server". Your log error message indicated that something was trying to connect (that's good) but failed to handle key negotiation (not so good). Hi divsys, Thanks for your help :-) It isn't the first proposition because I created 2 rules on Wan interface (1 for 1194 in UDP and 1 for 11394 in UDP too..) and I add a rule to allow any traffic in OpenVPN interface. The certificate for the 2nd OpenVPN server is another certificate than the 1st. I created a CA different from the 1st and from this new CA, I created an internal certificate type "Server". I use this internal certificate in the openServer at option "Server certificate". But if the certificate isn't good, how is it possible that the openVPN works when I try from INSIDE of the infrastructure? Oo' When I look at my openVPN client config, I see the IP Wan from my pfsense. And when I try openVPN with my internet connection shared by my mobile phone to my laptop, it doesn't work :'( My purpose is to use OpenVPN with just login/password+OTP without any client certificate. EDIT: the problem has been solved. A little problem with virtual IP… ::)
  • OpenVPN Site 2 Site shared key cant ping devices on the server side

    2
    0 Votes
    2 Posts
    816 Views
    C
    It was a switching problem at the server side lan  :o
  • OpenVPN Client page missing proxy port field

    1
    0 Votes
    1 Posts
    577 Views
    No one has replied
  • How to limit authentication attempts

    2
    0 Votes
    2 Posts
    3k Views
    johnpozJ
    That link is to openvpn access server, not the community edition that is installed to pfsense. If they are authing to your AD, why don't you just lock out the AD account.  I think that is your typical AD out of the box setup, so many failed and locked.
  • Client Specific Override

    4
    0 Votes
    4 Posts
    806 Views
    O
    This is still not working
  • Host Route Injection

    2
    0 Votes
    2 Posts
    1k Views
    johnpozJ
    huh??  Why do you want a host specific route?  So what is your vpn tunnel network?  For example mine is 10.0.8.0/24, so yes pfsense has a route to that network via the openvpn interface. So client connects and gets an IP in the 10.0.8.0/24 network - so pfsense yes knows how to get to it down the tunnel.  Why would you want/need a host specific route?
  • PIA, PfSense, Plex

    9
    0 Votes
    9 Posts
    3k Views
    W
    I think the best solution is to switch VPN provider. I am Plex Pass member, pfSense user and AirVPN user. Those 3 work pretty well together. AirVPN allows you to setup port forwardings (up to 20) so you basically apply the same concepts you set on routers.
  • FreeBSD ifconfig failed: external program exited with error status: 1

    10
    0 Votes
    10 Posts
    11k Views
    M
    SOLVED!!!! Really, thank you!!!
  • OpenVPN and Port Share

    8
    0 Votes
    8 Posts
    3k Views
    G
    See attachments, I have two internal networks: 192.168.5.0/24 and 192.168.6.0/24; the nginx webserver used in portshare is 192.168.6.2 [image: OpenVpn1.png] [image: OpenVpn2.png] [image: OpenVpn3.png]
  • Strange problems with OpenVPN authentication

    7
    0 Votes
    7 Posts
    8k Views
    M
    It didn't help, same problems. If the same user tries to connect via different user, e.g. my user - it's a success, every time in first attempt. However, yes, with his account/mobile OTP - problem. It's definitely not his PC, as he's able to log in with different accounts from the office and it's also not VPN client problem. Only difference is where OTP is generated, either his mobile or ours. EDIT: We've found the problem. Starting with point that he can connect as described above, we knew it's mobile-related problem. It seems like somehow his time on phone was ahead in time and once I increased OTP Lifetime from 3 to 6 on freeradius settings he was able to log in always in first try. Thanks for all the help!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.