• Use PIA along with pfSense OpenVPN server?

    0 Votes, 18 Posts, 5k Views
    Kb8wfh, a couple of things that helped me (and continue to help me):
    - Make sure to look in your firewall logs to see what is being blocked. Attached are the rules I have on my wifi interface; they are fairly hardened, and I sense you are trying to do the same. It might not work for you. FYI, your LAN rules basically allow everything; rule 1 isn't doing anything that rule 2 wouldn't do. Try to understand my rules rather than just copying them.
    - When writing a rule, go into "Advanced settings" and you can pick a "gateway", i.e. either WAN or PIA. I use this rather than changing my default gateway.
    - Get to know "easy rules", which can be turned on in your firewall log; it will add what was being blocked. You can modify these easy rules, but it helped me understand the flow of data. Make sure to change the order of the rules on your interface if necessary.
    - Make an alias for your Apple TV and WAN-only devices (notice in my rules I have SEVLAN as a source; these are aliases I set up after setting up fixed DHCP leases), make rules allowing access using the alias as the "source", and in the advanced settings for those rules use the WAN.
    - Dig into your log (NAT or Firewall); I suspect you'll see what's going on.
    (As mentioned by someone else, your dashboard is showing your PIA as offline. Dig into your gateway settings for PIA and look for the field for "monitoring IP"; use Google's 8.8.8.8 as the monitoring IP. I had that issue as well and it was fixed by adding a Google monitoring IP.)
    [image: IMG_0042.PNG]
  • OPENVPN on RADIUS

    0 Votes, 9 Posts, 2k Views
    Thank you for your answer. I managed to get it fixed by using the IP address of the VLAN on the authenticator in Active Directory.
  • Change OpenVPN Outgoing IP

    Locked. 0 Votes, 5 Posts, 2k Views
    All sorted. Thank you very much for your time and support, much appreciated!
  • Struggling with OpenVPN Site-to-Site Routes

    0 Votes, 4 Posts, 5k Views
    Last reply by Derelict:
    > On the client at Remote I assigned the new ovpnc1 port to an interface and enabled it. This created a gateway for the connection. Then on the client at Firewall > Rules > LAN I created a new rule at the top to catch all IPv4 traffic (any protocol, any source, any destination, any port) and route it through the gateway created by the VPN interface.
    This is completely unnecessary and only serves to introduce policy routing into your environment, causing other effects and complexity that are fine if you understand them, but you do not (yet). I would delete any interfaces assigned to OpenVPN servers/clients, put the pass any/any/any rules on the OpenVPN tabs, and stop/start OpenVPN on both sides.
    Another thing that I see is that networks are not 10.0.0.1/24 or 10.0.3.1/24. They are 10.0.0.0/24 or 10.0.3.0/24.
    It looks like the proper routes are being added by OpenVPN, but when I look at it I tweak a little. Work one hop at a time. For instance, from host 10.0.0.X can you ping the pfSense interface address on the other side? Presumably 10.0.3.1. If you can, all the routing is in place. After that, can 10.0.0.X ping something on the 10.0.3.0/24 LAN? Be sure the target of the pings:
    - has pfSense set as its default gateway
    - will actually respond to pings
    - does not have some local firewall (think Windows Firewall) preventing it from accepting traffic from foreign subnets
    Then do the reverse. Work one hop at a time. For instance, from host 10.0.3.X can you ping the pfSense interface address on the other side? Presumably 10.0.0.1. If you can, all the routing is in place. After that, can 10.0.3.X ping something on the 10.0.0.0/24 LAN? Be sure the target of the pings:
    - has pfSense set as its default gateway
    - will actually respond to pings
    - does not have some local firewall (think Windows Firewall) preventing it from accepting traffic from foreign subnets
    ETA: Since it is shared-key, the tunnel network will be treated as a /30 anyway.
  • Chromebook OpenVPN client connection?

    0 Votes, 11 Posts, 7k Views
    I had some issues getting this to work; don't forget to add lines for auth, cipher, etc. to your OpenVPN configuration. Perhaps those are obvious, but they weren't to me.
        "Auth": "SHA256",
        "CompLZO": "adaptive",
        "Cipher": "AES-256-CBC",
    Lastly, the template is great, but I used the HTML ONC generator (https://github.com/CharlesErickT/oncgenerator/blob/master/index.html) to help me.
  • OpenVPN routing issues using pFSense client

    0 Votes, 10 Posts, 3k Views
    Okay, so presumably the office router is missing the route to 192.168.2.0/24. You may also do well with NAT. That only results in translating the source address to the client's VPN address, so you're not able to determine the real origin device at the office site. If you don't like this behavior you have to set the routes at the server. Have you already set the CSO on the office pfSense with 192.168.2.0/24 in the remote networks field? If that is done, establish a VPN connection from home and check the routes on the office router.
  • How to - PIA through OpenVPN with some LAN traffic bypassing VPN

    0 Votes, 1 Post, 490 Views. No one has replied.
  • No routing when VPN over a Guest Wifi

    0 Votes, 1 Post, 401 Views. No one has replied.
  • OpenVPN extremely slow even without encryption on 2 1 Gb/s connections

    0 Votes, 3 Posts, 741 Views
    Hi. First of all, thanks for your post and your information. I made some more tests with your hint "FastIO" and buffer settings; then I get over 82 Mbit on a 100 Mbit connection and over 280 Mbit on a 1 Gbps connection, so that's not bad. I also figured out that IPsec is a little bit faster (site-to-site with pfSense, same hardware, same WAN, same net); I did some tests and on the 1 Gbps WAN connection I get around 380 Mbps with IPsec. But I can live with the speed of OpenVPN, and it's easier to configure and forward.
    I have an additional question: can I do "routing" between different subnets on different OpenVPN site-to-site connections? So for example:
    Client Network1: 192.168.10.1/24
    Client Network2: 192.168.11.1/24
    Client Network3: 192.168.12.1/24
    All these networks have their own pfSense and all are connected to a server pfSense, network 192.168.100.0/24. All is done with site-to-site, so every device in every client network (1-3) can ping each device on the server network, and each device on the server network can ping each device on each client network. But I also want each device of Client Network1 to be able to reach each device of Client Network3. Is there a way to configure pfSense (OpenVPN client and OpenVPN server) so that the server routes the requests from Client Network1 to Client Network3 and in the other direction? Or do I have to make an extra VPN connection between these two networks?
  • Solved: site-to-site pings ok only when not carrying useful traffic

    0 Votes, 1 Post, 332 Views. No one has replied.
  • Bug in Client Export Utility

    0 Votes, 4 Posts, 1k Views
    Last reply by johnpoz:
    Ah, so like the info on a bottle of bleach that says "do not drink this" ;) That wording is already on the wiki doc, BTW: https://doc.pfsense.org/index.php/OpenVPN_Client_Export_Package: "If the list is empty, there are likely no users and/or certificates that exist which use the same Certificate Authority as this VPN server." If you click the little ? mark in the top right corner of the export package page it takes you there.
  • OpenVPN Server Notification on Connect

    2 Votes, 3 Posts, 3k Views
    You can use up/down scripts. Add to custom server options:
        script-security 3 system;
        client-connect /usr/local/sbin/up.sh;
        client-disconnect /usr/local/sbin/down.sh;
    up.sh:
        #!/bin/sh
        /full/path/to/your/console/email/app
    down.sh:
        #!/bin/sh
        /full/path/to/your/console/email/app
    mailx example:
        echo "Client $common_name connected to $HOSTNAME" | mailx -r "your@mail.com" -s "Client $common_name connected to $HOSTNAME from $trusted_ip" -S smtp="your.smtp.com:25" -S smtp-auth=login -S smtp-auth-user="usr@smtp.com" -S smtp-auth-password="password" touser@mail.com > /dev/null
    OpenVPN vars that you can use: $common_name $HOSTNAME $ifconfig_local $ifconfig_pool_remote_ip $untrusted_ip $trusted_ip $dev
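    A fuller connect/disconnect hook, added here as an example and not taken from the post above or from pfSense itself: one script serves both the client-connect and client-disconnect options, turns the environment variables the post lists into a structured syslog line per event, sanitises the certificate CN before it reaches the log (the CN is chosen by whoever holds the client certificate), and always exits 0, because OpenVPN disconnects the client when a client-connect script returns non-zero, so a failing mailer must not be allowed to turn into a login failure. The path /usr/local/sbin/ovpn-event.sh and the sample values are assumptions. script-security 2 is enough for this; level 3 is only needed when a script must receive passwords through the environment.

```shell
#!/bin/sh
# Added example, not code from the forum post. Assumed pfSense custom options:
#   script-security 2; client-connect /usr/local/sbin/ovpn-event.sh;
#   client-disconnect /usr/local/sbin/ovpn-event.sh
# OpenVPN exports script_type, common_name, trusted_ip, trusted_port,
# ifconfig_pool_remote_ip, dev and (on disconnect) bytes_received/bytes_sent.

# The CN comes from a client certificate, so treat it as attacker-controlled:
# fold newlines to spaces, then keep only a safe character set before the
# value goes into a log line or a mail subject.
safe_cn() {
  printf '%s' "${1:-unknown}" | tr '\n\r' '  ' | sed 's/[^A-Za-z0-9._@-]//g'
}

# Print one log line for the given event ("connect" or "disconnect"),
# built from the variables OpenVPN placed in the environment.
ovpn_event_line() {
  ev="$1"
  line=$(printf 'openvpn %s cn=%s remote=%s:%s tunnel_ip=%s dev=%s' \
    "$ev" "$(safe_cn "$common_name")" "${trusted_ip:-?}" "${trusted_port:-?}" \
    "${ifconfig_pool_remote_ip:-?}" "${dev:-?}")
  if [ "$ev" = disconnect ]; then
    # Byte counters are only populated by OpenVPN on client-disconnect.
    line="$line bytes_in=${bytes_received:-0} bytes_out=${bytes_sent:-0}"
  fi
  printf '%s\n' "$line"
}

# Entry point when OpenVPN runs the script. script_type tells us which hook
# fired; "|| true" plus the explicit "exit 0" keep a broken logger or mailer
# from causing OpenVPN to reject the client.
case "${script_type:-}" in
  client-connect)
    ovpn_event_line connect | logger -t openvpn -p auth.info || true
    exit 0 ;;
  client-disconnect)
    ovpn_event_line disconnect | logger -t openvpn -p auth.notice || true
    exit 0 ;;
esac
```

    To send mail instead of (or as well as) syslog, pipe the same line into the mailer inside the case branches; keeping SMTP credentials out of the command line (a mailx -S smtp-auth-password argument is visible in ps) means reading them from a root-only file such as ~/.mailrc rather than embedding them in the script.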
  • Change MAC address on the box! Need help today!

    0 Votes, 2 Posts, 437 Views
    Easy: go to the Interfaces tab, select the interface you need to spoof, and type the desired MAC in the "MAC Address" field. Also see this article; you may need to use shellcmd (it's a package you install) to run the interface in promiscuous mode (you should not need to do this with an Intel NIC, but it may be necessary with a Realtek or other cheap NIC): https://doc.pfsense.org/index.php/Interface_Settings#MAC_Spoofing Here's a thread on the topic: https://forum.pfsense.org/index.php?topic=106819.0
  • Site-to-site

    0 Votes, 40 Posts, 5k Views
    Last reply by Derelict:
    In the packet capture you can see the echo request leaving the client LAN interface addressed to 192.168.0.201 and nothing coming back. The problem is somewhere outside of pfSense. Yes, pfSense has to be the gateway for the target device, or you need to add a route on that host for the far side of the VPN tunnel with pfSense as the gateway; otherwise the replies will be sent to the wrong place. Alternatively you can place an outbound NAT rule on the client LAN interface so traffic sourced from the remote VPN network is NATted to the interface address there. Then replies will be same-subnet, so the route will not be necessary.
  • How to auto-reset VPN when gateway offline

    0 Votes, 6 Posts, 2k Views
    Last reply by Derelict:
    Service Watchdog will not do anything if the OpenVPN process continues to run. If the OpenVPN connection continues to run and the internal (to OpenVPN) keepalive pings continue to get responses, but the OpenVPN provider stops passing actual traffic, I can't think of a built-in way to restart that tunnel. You might consider getting another VPN provider, or trying another site on that one. It looks broken.
  • Mullvad VPN but no internet

    0 Votes, 7 Posts, 2k Views
    After posting that screenshot I noticed that in all my fiddling around I was missing a NAT rule. Seems to be working now; whatsmyip.net is getting a different address from my WAN address. Thanks.
  • Request Assistance Please

    0 Votes, 2 Posts, 498 Views
    Maybe that's why nobody can understand what you intend to achieve. What does "how to configure an OpenVPN client on only the OPT1 interface" mean? Only devices connected to OPT1 should use the VPN? There are thousands of tutorials about setting up a VPN client on the web, text as well as YouTube. That should be straightforward.
  • OpenVPN tunnel is crawling, not sure why.

    0 Votes, 10 Posts, 2k Views
    Here are various iperf/speedtest results. Summaries in bold:
    - Inside VPN (TCP): iperf: 1.48 Mbits/sec http://i.imgur.com/v1CHGZM.png
    - Inside VPN (UDP): iperf: 1.45 Mbits/sec http://i.imgur.com/aJ2DF1O.png
    - Client to outside Internet: iperf: 3.72 Mbits/sec http://i.imgur.com/MwlC8wX.png
    - Client to outside Internet (Speedtest.net): Speedtest: 86.61/86.92 Mbps http://i.imgur.com/qDqOlel.png
    - Inside server network to outside Internet: iperf: 23.3 Mbits/sec http://i.imgur.com/4v1YOyI.png
    - Inside server network to outside Internet (Speedtest.net): Speedtest: 56.43/63.89 Mbps http://i.imgur.com/RRF2oKv.png
    So it looks like the VPN is running at the speed allowed by my client ISP minus 60% overhead. What's more interesting is that the server ISP (50/50 Verizon FiOS) is showing only 20 Mbits/s. Not sure what to make of that information, considering Speedtest shows 50 Mbps. Not sure if this conclusion is correct, but it looks to be traffic shaping by the client-side ISP. I'm going to fiddle around to try and reduce the overhead required:
    - Need to better understand the impact of MTU
    - Set up servers inside the client-side network to better assess internal throughput
    - Experiment more with 128-bit encryption
  • 2000 Sites to Connect via VPN to AWS

    0 Votes, 8 Posts, 1k Views
    Are you trying to reach the client endpoint device or a network behind the client? For accessing the client device you will need to open up its firewall. If you want to access a network behind the client you will need VPN routes in addition. Is it an SSL/TLS OpenVPN or a shared key?
  • OpenVPN site-to-site issue (difficult problem)

    0 Votes, 2 Posts, 536 Views
    Does that mean you're running a VPN access server plus a VPN client for the site-to-site connection to A on the site B server?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.