• OpenVPN user management for many users

    1
    0 Votes
    1 Posts
    443 Views
    No one has replied
  • Help; Problem enabling access to machines on the network with OpenVPN

    3
    0 Votes
    3 Posts
    750 Views
    G
    @marvosa: Post the IP range for each segment as well as your OpenVPN config (server1.conf).
    First of all, thank you for the reply marvosa, appreciate the help, here are the IP ranges for each interface:
    APPSERVER - 192.168.97.1/24 (Static IPv4 and DHCP enabled).
    MGT - 10.0.0.90/24 (Static IPv4, this connection is set up as LAN, meaning this is the IP address I use to connect to my pfSense machine).
    And the other two (NETGEAR and DLINK) are set up as PPPoE WAN connections, meaning they're getting their IP address from my ISP.
    Also, here's the OpenVPN server1.conf file:
        dev ovpns1
        verb 1
        dev-type tun
        tun-ipv6
        dev-node /dev/tun1
        writepid /var/run/openvpn_server1.pid
        #user nobody
        #group nobody
        script-security 3
        daemon
        keepalive 10 60
        ping-timer-rem
        persist-tun
        persist-key
        proto udp
        cipher AES-256-CBC
        auth SHA1
        up /usr/local/sbin/ovpn-linkup
        down /usr/local/sbin/ovpn-linkdown
        client-connect /usr/local/sbin/openvpn.attributes.sh
        client-disconnect /usr/local/sbin/openvpn.attributes.sh
        local 93.173.17.8
        tls-server
        server 10.0.1.0 255.255.255.0
        client-config-dir /var/etc/openvpn-csc
        username-as-common-name
        auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
        tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'opvtest+UCA' 1"
        lport 1194
        management /var/etc/openvpn/server1.sock unix
        max-clients 10
        push "route 10.0.0.0 255.255.255.0"
        ca /var/etc/openvpn/server1.ca
        cert /var/etc/openvpn/server1.cert
        key /var/etc/openvpn/server1.key
        dh /etc/dh-parameters.2048
        tls-auth /var/etc/openvpn/server1.tls-auth 0
        comp-lzo adaptive
        persist-remote-ip
        float
        topology subnet
  • How to include txt file in openvpn client export?

    2
    0 Votes
    2 Posts
    521 Views
    jimp
    Currently there is no way to accomplish that. But the good news is that if you are saving the auth locally, just get rid of the auth, it does you no good. TLS Key + Certs alone is fine if you are making the auth a non-factor by saving it anyhow.
  • Client Export - 1.2.16 ERROR corrupted 404 Bytes

    5
    0 Votes
    5 Posts
    1k Views
    J
    Thank you doktornotor! I'll check this out!
  • Openvpn static key

    1
    0 Votes
    1 Posts
    446 Views
    No one has replied
  • 0 Votes
    2 Posts
    625 Views
    H
    I managed to find out the problem. In the configuration file of the OpenVPN server located in /var/etc/openvpn/server1.conf:
        client-connect /usr/local/sbin/openvpn.attributes.sh
        client-disconnect /usr/local/sbin/openvpn.attributes.sh
    The first line is responsible for adding attributes to the connecting clients; one of these attributes is the Radius attribute "Frame-IP-Address". These scripts get overridden if the client-connect and client-disconnect were added to the advanced configuration of OpenVPN. So to solve the problem, I deleted the "connect-client" entry from the advanced configuration and modified /usr/local/sbin/openvpn.attributes.sh with the necessary lines to execute (the lines I had in my old client-connect script).
  • OpenVPN and two pfSense

    19
    0 Votes
    19 Posts
    3k Views
    D
    @2chemlud: I don't even get what is not working in your setup…
    No wonder, with terminology like "see internet traffic on client". Why should some OpenVPN client "see internet traffic"?
  • How to Modify OpenVpn Package in PFsense ?

    1
    0 Votes
    1 Posts
    405 Views
    No one has replied
  • OpenVPN with 2 links

    2
    0 Votes
    2 Posts
    622 Views
    P
    Same problem here. OpenVPN Server log:
        openvpn[]: 91.xx.xx.xx:1194 TLS: Initial packet from [AF_INET]91.xx.xx.xx:1194, sid=81e8d10a
        openvpn[]: 91.xx.xx.xx:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        openvpn[]: 91.xx.xx.xx:1194 TLS Error: TLS handshake failed
        openvpn[]: 91.xx.xx.xx:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
  • TAP Drivers not WHQL signed

    4
    0 Votes
    4 Posts
    1k Views
    T
    Try the Securepoint OpenVPN client software, instead of using the OpenVPN Windows client.
  • Shoretel phones, OpenVPN & One way audio.

    5
    0 Votes
    5 Posts
    1k Views
    B
    @cmb: OP bought support and I ended up working through this issue with him. Turned out the problem was a Windows server involved in routing was blocking the traffic.
    CMB you rock brother! Thank you for the help and yes it was a damned Windows server that was blocking the RTP traffic from ports 10k-20k. Once I created a rule on the Windows server it opened it all up and everything is rocking. Thanks again!
  • Client's public IP is being reported in SPEEDTEST.NET

    4
    0 Votes
    4 Posts
    939 Views
    johnpoz
    Well, as stated, if you're not redirecting your gateway and just handing out the routes to your networks, then the browser wouldn't use the VPN connection for IPs not behind the VPN. Also, if your browser is using a proxy, that could cause you the problem as well.
  • Able to connect to OpenVPN from OSX, but not iOS

    3
    0 Votes
    3 Posts
    1k Views
    L
    Have a look at the log from the client.
        2015-06-18 15:54:03 EVENT: CONNECTION_TIMEOUT [ERR]
        2015-06-18 15:54:03 EVENT: DISCONNECTED
        2015-06-18 15:54:03 Raw stats on disconnect:
          BYTES_IN : 13432
          BYTES_OUT : 50104
          PACKETS_IN : 76
          PACKETS_OUT : 105
          KEEPALIVE_TIMEOUT : 1
          CONNECTION_TIMEOUT : 1
          N_RECONNECT : 1
        2015-06-18 15:54:03 Performance stats on disconnect:
          CPU usage (microseconds): 446501
          Network bytes per CPU second: 142297
          Tunnel bytes per CPU second: 0
        2015-06-18 15:54:03 EVENT: DISCONNECT_PENDING
        2015-06-18 15:54:03 ----- OpenVPN Stop -----
  • OpenVPN service status

    2
    0 Votes
    2 Posts
    898 Views
    jimp
    It must already be running but somehow disconnected from the management socket. If you look in the output from "ps uxawww" it is probably showing up there still. If you manually kill the process and then restart it from the GUI it should work.
  • (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted

    9
    0 Votes
    9 Posts
    3k Views
    A
    Sorry for the hijack. After more reading through other threads in the CARP section, I think I will try a downgrade to something like 2.2 on each box.
  • OpenVPN lan2lan does not route the remote network

    5
    0 Votes
    5 Posts
    1k Views
    D
    Never gives one much confidence when things "just start working", but I hate to argue with success! That said, I've had a few scenarios while debugging OpenVPN issues that required a "hard restart" of the OpenVPN server (find and kill the process or reboot the box). I've learned over the years to be a little more diligent with checking the OpenVPN changes I make to ensure they actually get applied when I think they do. Glad you got it up and running.
  • Messaje Error OpenVPN

    4
    0 Votes
    4 Posts
    1k Views
    D
    I'm not expert enough on VM setups to pinpoint the issue with your setup. Perhaps someone else will chime in or try in the VM section: https://forum.pfsense.org/index.php?board=37.0
  • Is AES-NI supported by OpenVPN in pfSense?

    7
    0 Votes
    7 Posts
    3k Views
    H
    AES-NI is supported but, currently, the advantage is minimal afaik. The problem is that OpenVPN 2.3.X doesn't support AES-GCM (https://community.openvpn.net/openvpn/ticket/301). Once OpenVPN 2.4 gets released, this should be included and then we might be able to get the same speed increase like we have seen with IPsec.
  • Openvpn logging (too many MANAGEMENT entries)

    3
    0 Votes
    3 Posts
    2k Views
    C
    Thanks for the hint. I don't find anything regarding advanced setting for logging. Would that be the advanced textbox on the OpenVPN settings page? (vpn_openvpn_server.php?act=edit&id=0) That is empty. I checked the conf in /var/etc and there is:
        [2.2.2-RELEASE][admin@pfSense.localdomain]/root: grep verb /var/etc/openvpn/server1.conf
        verb 3
    Perhaps I overlook something? (still pfSense noob)
  • Migrating OpenVPN from DD-WRT to PFSense

    6
    0 Votes
    6 Posts
    1k Views
    D
    The PFSense wizard just rocked. The PFSense router could handle multiple connections if needed, easily. Definitely, I run many routers with 3-6 Server/Client connections each (Site2Site and RoadWarrior). My main router is currently hosting 6 Servers and 35+ client connections. The hardware is only a 64bit AMD Athlon dual core 4800 w/ 3GB RAM. It typically runs at ~ 15% RAM and 12% CPU. Not much bandwidth requirement 50/5, but still a very capable setup.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.