• Reasonably secure config for OpenVPN?

    0 Votes
    6 Posts
    2k Views
    RDP over UDP works even on W7, the RDP 8.0/8.1 updates have been available for quite some time. https://support.microsoft.com/en-us/kb/2592687 https://support.microsoft.com/en-us/kb/2830477
  • PfSense in AWS as OpenVPN Client to OpenVPN server - Not working properly

    0 Votes
    3 Posts
    1k Views
    First, thank you for your quick response. I use Linux (10.157.30.147) on one end, which is on the LAN of the pfSense firewall, and Windows (10.0.10.35) on the other end behind the OpenVPN server. No firewall is enabled on either of the boxes. I did tcpdump on pfSense and also on the Linux machine. On the Linux machine I receive the echo request and it also generates the echo reply. Please see below.
    [root@ip-10-157-30-147 ~]# tcpdump -i eth0 -p icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    18:18:27.936003 IP 10.0.10.35 > 10.157.30.147: ICMP echo request, id 1, seq 2906, length 40
    18:18:27.936055 IP 10.157.30.147 > 10.0.10.35: ICMP echo reply, id 1, seq 2906, length 40
    18:18:32.928501 IP 10.0.10.35 > 10.157.30.147: ICMP echo request, id 1, seq 2907, length 40
    18:18:32.928553 IP 10.157.30.147 > 10.0.10.35: ICMP echo reply, id 1, seq 2907, length 40
    This means the ping (echo request) is traversing the tunnel and hits the Linux box, and the Linux box responds as well. Let's take a look at pfSense now. The echo reply from the Linux box is getting to the LAN interface of the pfSense firewall (xc1). Please see the output below.
    [2.2.4-RELEASE][root@pfSense.localdomain]/root: tcpdump -i xn1 -p icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on xn1, link-type EN10MB (Ethernet), capture size 65535 bytes
    18:22:58.711404 IP 10.0.10.35 > 10.157.30.147: ICMP echo request, id 1, seq 2961, length 40
    18:22:58.711956 IP 10.157.30.147 > 10.0.10.35: ICMP echo reply, id 1, seq 2961, length 40
    18:23:03.719116 IP 10.0.10.35 > 10.157.30.147: ICMP echo request, id 1, seq 2962, length 40
    18:23:03.719689 IP 10.157.30.147 > 10.0.10.35: ICMP echo reply, id 1, seq 2962, length 40
    However, the traffic does not go over the tunnel interface (ovpnc1) or the WAN interface (xn0) after the LAN interface (xn1). I checked tcpdump on both while running a continuous ping and nothing is showing up. To make it more complicated, and to prove that routing works properly: when I initiate the ping from the Linux box towards Windows, it works flawlessly, and I can also see it in tcpdump on the LAN and tunnel interfaces of pfSense. Please check below.
    (pfSense - LAN interface)
    [2.2.4-RELEASE][root@pfSense.localdomain]/root: tcpdump -i xn1 -p icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on xn1, link-type EN10MB (Ethernet), capture size 65535 bytes
    18:33:56.021258 IP 10.157.30.147 > 10.0.10.35: ICMP echo request, id 10512, seq 22, length 64
    18:33:56.106887 IP 10.0.10.35 > 10.157.30.147: ICMP echo reply, id 10512, seq 22, length 64
    18:33:57.022572 IP 10.157.30.147 > 10.0.10.35: ICMP echo request, id 10512, seq 23, length 64
    18:33:57.108684 IP 10.0.10.35 > 10.157.30.147: ICMP echo reply, id 10512, seq 23, length 64
    (pfSense - Tunnel interface)
    [2.2.4-RELEASE][root@pfSense.localdomain]/root: tcpdump -i ovpnc1 -p icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ovpnc1, link-type NULL (BSD loopback), capture size 65535 bytes
    18:36:47.092394 IP 10.157.30.147 > 10.0.10.35: ICMP echo request, id 14864, seq 4, length 64
    18:36:47.240297 IP 10.0.10.35 > 10.157.30.147: ICMP echo reply, id 14864, seq 4, length 64
    18:36:48.093977 IP 10.157.30.147 > 10.0.10.35: ICMP echo request, id 14864, seq 5, length 64
    18:36:48.261499 IP 10.0.10.35 > 10.157.30.147: ICMP echo reply, id 14864, seq 5, length 64
    All firewall rules for OpenVPN are any/any.
  • Multicast over an OVPN bridged tunnel

    0 Votes
    2 Posts
    976 Views
    Any advise ?
  • OpenVPN Shared Key Routing Issues

    0 Votes
    8 Posts
    1k Views
    You need a Client Specific Override entry in the OpenVPN server that specifies which external subnets are routed for each client. In your case there's (currently) only one. In CSC make a new entry and specify:
    Common name - Enter the EXACT CN name used for the Client's certificate
    Description - Free form description for you
    Tunnel network - OpenVPN Tunnel subnet specified in the Server (10.0.8.0/24 in your case?)
    IPv4 Remote Network/s - Client's subnet that you want routed through this connection (192.168.1.0/24 in your case?)
    Save and restart both the Server and the Client, and you should be good to go.
  • TLS Error: TLS key negotiation failed to occur within 60 seconds

    Locked
    0 Votes
    10 Posts
    9k Views
    Derelict
    Nope. Nothing from 2.2.4 to 2.2.5 would have changed that.
  • Creating a VPN config

    0 Votes
    3 Posts
    1k Views
    johnpoz
    huh? Install the openvpn export package and create your users and just export the config file for whatever device they will be using to connect, even export the openvpn client all in one exe to give the user.
  • Routes seem to be broken

    0 Votes
    10 Posts
    2k Views
    Yeah, I have a gateway of 192.168.50.254 and 192.168.1.1 and clients are forced at these. Mat
  • [Solved] AUTH_FAILED using Active Directory as backend for OpenVPN

    0 Votes
    9 Posts
    5k Views
    @doktornotor:
    @viandham: The problem was the binding account. For some reason, it accepts "<accountname>" on the server, but needed to be "accountname@domain.tld" on this one. When I entered that, it worked. No idea why.
    Hmmm… In an AD environment, it must be either DOMAINNAME\Username or Username@DOMAINNAME. "For some reason" it could have never worked unless used properly.
    That's not true under all circumstances, I would argue. I just rechecked, and I have 4 LDAP backends set up in my Servers tab on the "working server", and all of them work. In fact, I'm connected via one of them right now. And neither of them have any domain specified in the binding credentials. All backends are AD. The domain is, however, specified in the search scope, Base DN. But that's probably not used until the binding is complete and the actual user is authenticated. If there is only one domain configured (no multi-domain forests etc.), maybe it assumes that domain? At least these are working for me, and have been for years :)
  • Local connection ok, remote not

    0 Votes
    2 Posts
    649 Views
    Figured it out. I needed to add a static route to my router so the VPN packets would reach the pfsense machine rather than bounce harmlessly off the gateway.
  • Safe to have PKI CA on same box as OpenVPN?

    0 Votes
    3 Posts
    797 Views
    Sounds reasonable. I am only using the pfSense hosted CA for the VPN.
  • Cannot locate the source of this error: "no IP address found for anyto"

    0 Votes
    9 Posts
    3k Views
    Thanks Chris, I'll do some more testing and let you know if I find something else. A last question: should the AVPair imported rules be seen in the firewall configuration panel or somewhere else? Thanks, Pablo
  • Route openvpn clients through site-to-site vpn

    0 Votes
    7 Posts
    1k Views
    I have posted a thread but no answers as of yet. Just saw this and thought maybe this is the issue I'm having.
  • All traffic from LAN to OpenVPN client

    0 Votes
    4 Posts
    979 Views
    Post screenshots of all related GUI pages. Are you sure the tunnel is working?
  • Pregenerated Diffie-Hellman parameters

    0 Votes
    3 Posts
    1k Views
    Awesome! Is /etc/dh-parameters.* unique per pfsense installation or is it the same for all installations?
  • [solved] Problems with OpenVPN service and Webfrontend

    0 Votes
    3 Posts
    912 Views
    Did a clean reinstall and it seems to be fixed. I think the topic can be closed.
  • DNS Resolver service will not stay running if OpenSSL VPN client enabled

    0 Votes
    1 Posts
    637 Views
    No one has replied
  • Enable authentication of TLS packets

    0 Votes
    2 Posts
    1k Views
    I think I found the answer here: https://openvpn.net/index.php/open-source/documentation/security-overview.html
    "One notable security improvement that OpenVPN provides over vanilla TLS is that it gives the user the opportunity to use a pre-shared passphrase (or static key) in conjunction with the --tls-auth directive to generate an HMAC key to authenticate the packets that are themselves part of the TLS handshake sequence. This protects against buffer overflows in the OpenSSL TLS implementation, because an attacker cannot even initiate a TLS handshake without being able to generate packets with the correct HMAC signature."
  • OPENVPN with OSPF and REMOTE configured for redundancy.

    0 Votes
    4 Posts
    1k Views
    Anyone? :(
  • OpenVPN TAP not working

    0 Votes
    2 Posts
    942 Views
    My car suddenly won't go… help please!!!  ::) Dude, post some logs and configuration, or try a crystal ball.
  • Connect to OpenVPN Access Server?

    0 Votes
    46 Posts
    18k Views
    I just noticed 2 new lines in SysLog (OpenVPN):
    Nov 11 21:26:33 openvpn[22448]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1131750 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Nov 11 22:15:56 openvpn[22448]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #85096 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Above these 2 lines, everything is still the same as in the image above this post. Anything I should worry about? Thanks
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.