• Switch from OpenVPN Access Server to pfsense

    0 Votes
    11 Posts
    3k Views
    B
    I forgot to say, that it works now with the config from Tutorial 2. This is the tutorial from pfsense  ;) https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)
  • OpenVPN client accessing tunnel-network but not complete LAN-network …

    0 Votes
    4 Posts
    1k Views
    T
    ok … thanks for the info. I also thought about the fact that pfSense is not my default gateway. Because it's currently "only" a test, I do not want to modify anything on the current LIVE environment. At the moment, only a Broadband connection with about 6MBit is directly attached to pfSense. Our main broadband connection at the moment with 50 MBit will stay also in future as our main, but then also directly attached to pfSense. Plan is to have the 6Mbit as Fallback. With this planned environment, pfSense will become the default gateway ... ;-) Regards Torsten
  • Port for almost certain OpenVPN access?

    0 Votes
    3 Posts
    1k Views
    johnpozJ
    I run udp 1194 and tcp 443..  443 is going to be open if they allow internet access ;)  While it also allows you to bounce the vpn connection off a proxy if they are doing that too. It might not be that the place blocks udp 1194 on purpose, they might just be allowing the known ports for typical internet access.  So maybe they only allow dns, http/https, etc.. Try your udp connection, if it doesn't work then just fall back to tcp over 443.
  • Pfsense VPN config need fresh eyes

    0 Votes
    7 Posts
    3k Views
    Z
    My thoughts exactly - Clean sheets with backup. Cheers mate.
  • [Solved] Openvpn TLS Error

    0 Votes
    7 Posts
    11k Views
    P
    Just for the records: after rebooting the box the VPN works now. Thanks all for their help!
  • Authentication Server Failback?

    0 Votes
    2 Posts
    690 Views
    jimpJ
    Sure, ctrl-click the auth servers on the server config and it will try them in the order it shows in the list.
  • 0 Votes
    3 Posts
    1k Views
    L
    I have the same issue with the VPN. And same config. Can you recommend the VPN provider?
  • 0 Votes
    2 Posts
    4k Views
    jimpJ
    You must have missed the direction on that page that tells you to create the file. From their page: Execute the following: echo "username" > /etc/openvpn-passwd.txt; echo "password" >> /etc/openvpn-passwd.txt Though on pfSense 2.2.x you don't need to do that or use their "auth-user-pass /etc/openvpn-password.txt;" line in advanced options. If you fill in the username/password boxes in the pfSense GUI, omit both of those things: don't make that /etc/openvpn-passwd.txt file and remove that auth-user-pass line from advanced options.
  • 0 Votes
    11 Posts
    3k Views
    johnpozJ
    Use the viscosity client if you don't want to run as admin on windows.  https://www.sparklabs.com/viscosity/ It's not free..
  • PfSense OpenVPN client is up, but cannot route traffic through VPN

    0 Votes
    1 Posts
    723 Views
    No one has replied
  • Help me get a theoretical max on an OpenVPN site to site with CIFS

    0 Votes
    5 Posts
    1k Views
    B
    Haha, no big complaints. Just that their pipe is huge and SMB performance is just so small comparatively. In any case, BranchCache is out simply because we're not looking to put in servers out there (not yet anyway) and we're running Win7 Pro (not enterprise or ultimate unfortunately.) Looks like Riverbed or the eventual Win10 upgrade will help us. No worries there as they still remote in generally but it would just be nice if they had a bit more available bandwidth in that area for when they're working locally. Thanks for all the help mate- glad to see we're about where we can be, all things considered.
  • OpenVPN Server - Sitting on transparent bridged network

    0 Votes
    1 Posts
    815 Views
    No one has replied
  • Openvpn : linux client, TAP0, L2 bridge

    0 Votes
    4 Posts
    1k Views
    S
    Hey everyone, just in case it helps someone in the future; I found the solution, which was in a detail I forgot to tell about; it's a vmware installation. My set-up was OK, the TAP VPN was up, and it was forwarding L2 traffic, however the vmware host simply discards any packet with a mac "not from the guest", which makes it impossible to have something like an ARP-proxy (or Layer2 vpn) on a vmware guest. Solution is to allow "promiscuous" on the vswitch (although I don't need promisc mode at all, I just need less paranoid enforcement of the MAC filtering). I tried disabling the other MAC-related option, but it did not work. Only works when allowing "promisc". Hopefully this helps someone someday
  • Route external OpenVPN IP(s) to DMZ

    0 Votes
    2 Posts
    2k Views
    S
    Did you ever get this working?  This is incredibly similar to something I'm looking to do and have not had much luck with it.
  • OpenVPN client routing issues at home

    0 Votes
    17 Posts
    4k Views
    D
    I'll bring up the topic again because it really should be done and not just for this reason. Thanks again for your time on this.  Much appreciated.
  • PFSense push LAN routes as OpenVPN Client

    0 Votes
    4 Posts
    2k Views
    M
    Much like cmb already mentioned, why wouldn't you just define your routes on the server side?
  • Protecting private keys on OpenVPN server using a TPM?

    0 Votes
    16 Posts
    9k Views
    johnpozJ
    "is pretty much standard for things like bank inter branch vpn's, hospitals, data-centers etc." No No it's not… We have a fairly large hospital as one of our customers that I support.  No they do not have any sort of TPM storing the vpn keys be it the remote users coming in, nor to any of the vpn connections between their branches and the datacenter or between each other. We also have multiple DCs across the country and the globe, I can tell you that no there is not any TPM storing any of the server keys.  And to be honest I am not aware of any customer even doing it for their remote users, etc..
  • Routing single computer to vpn network

    0 Votes
    14 Posts
    4k Views
    J
    Thanks! Works like a charm. I did the NAT solution but will maybe do the other one later on.
  • IOS Client timeout - Tunnelblick working

    0 Votes
    4 Posts
    1k Views
    T
    Anyone? :(
  • 0 Votes
    4 Posts
    997 Views
    C
    If you don't know what captive portal is, then you probably don't have it enabled. But check Services>Captive Portal. That would intercept web requests. If that's not enabled, what output do you get on the FreeBSD machine for "host pkg.freebsd.org"?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.