• Can't install open VPN

    4
    0 Votes
    4 Posts
    1k Views
    @jimp: Are you running those commands from the ssh shell, or from Diagnostics > Command? They should be run from the shell (ssh or console)
    Thank you, I've logged in using SSH.
    @johnpoz: You do understand that is just the little export wizard thing, it is not openvpn. When you say openvpn is missing from your settings that seems more involved than the export wizard package having issues.
    Exactly, I mean the openvpn was already installed, after the update my existing client just stops working. So tried to export it again but it's gone, and can't reinstall it.
  • Multiple OpenVPN provider over port 1194?

    2
    0 Votes
    2 Posts
    655 Views
    jimp
    Since that port is on the remote side, not local, it does not conflict. That's like asking if you can access two different web servers at the same time since they both use port 80. :-) In your OpenVPN client settings, don't set your local port to 1194, only the remote port.
  • Route traffic from LAN to OpenVPN Client network

    6
    0 Votes
    6 Posts
    3k Views
    I've configured an outbound NAT to NAT my LAN clients accessing 172.21.0.0/16 to the OpenVPN connection IP, and it fixes my problem.
  • Using no backend for authentication ?

    2
    0 Votes
    2 Posts
    944 Views
    hi again… I found these:
    1st question: while in my setting, user authentication is done with an external software which communicates with openvpn via PAM, I was wondering if I can set up an openvpn server without having to define a user backend.
    Found out that by creating an openvpn server with the "+" icon (not using the wizard) I can define "Server mode: Remote Access (SSL/TLS)" and not be forced to define a backend authentication scheme. So adding in the client conf the directive "auth-user-pass" the client asks me for credentials and those are pushed in the PAM… it works fine till now
    2nd question: in the above setting (with user backend defined…), in server.conf the lines "user nobody" and "group nobody" are commented (when I uncomment them user authentication fails). Isn't there a security problem?
    With the above modifications, the users connect as a local pfsense user (haven't tried more than one simultaneous connection). Uncommenting the "user nobody" and "group nobody" directives in server.conf (via command line tool) and restarting the server, the user login fails with:
        openvpn[48542]: TCP connection established with [AF_INET]x.x.x.x:1499
        openvpn[48542]: x.x.x.x:1499 WARNING: Failed running command (--tls-verify script): could not execute external program
        openvpn[48542]: x.x.x.x:1499 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
        openvpn[48542]: x.x.x.x:1499 TLS Error: TLS object -> incoming plaintext read error
        openvpn[48542]: x.x.x.x:1499 TLS Error: TLS handshake failed
        openvpn[48542]: x.x.x.x:1499 Fatal TLS error (check_tls_errors_co), restarting
    though I haven't changed anything in the setup… any suggestions on this error, or any advice on the use of the "user nobody", "group nobody" directives?
    regards
  • Slow OpenVPN

    10
    0 Votes
    10 Posts
    2k Views
    I have one openVPN (transnational, Europe) between 16/8Mbit DSL and 100/100 MBit fibre where the maximum I get is 200-300 kBit (no joke, most time around 56 kbit, reminds me of some times very long ago ;-) ). Very frustrating latencies, apparently the NSA has only limited capacity on that route :-D
  • 0 Votes
    1 Posts
    517 Views
    No one has replied
  • OpenVPN starts on both nodes

    5
    0 Votes
    5 Posts
    1k Views
    @cmb: Yes, it's best to leave the servers running always.
    That brings me a problem: when I'm connected through openvpn I can't access pfsense2. I guess it's because pfsense2 also has an openvpn interface with the same IP address, correct? Any way to work around this behaviour?
  • Purchase for certs

    1
    0 Votes
    1 Posts
    534 Views
    No one has replied
  • Verify account to two user databases (Backend for authentication)

    1
    0 Votes
    1 Posts
    639 Views
    No one has replied
  • Import open vpn freebsd for open vpn pfsense

    1
    0 Votes
    1 Posts
    542 Views
    No one has replied
  • Openpam_load_chain(): invalid service name

    3
    0 Votes
    3 Posts
    1k Views
    ok, I had to give it a try again and accidentally I found where my mistake was… :-[ I just ported the stack from Linux to pfsense, without having in mind possible incompatibilities in PAM control flags. So "[success=1 default=ignore]" is not acceptable in pfsense and that caused my errors… I should close this... thanks anyway
  • 0 Votes
    8 Posts
    31k Views
    yeah, sorry misread … need to stop responding to things before having a couple of gallons of coffee ;)
    @divsys: @heper: your "tunnel network" is the same as one of your "remote networks" this is most likely the cause of this error. either change the tunnel network, or remove the remote-network.
    Er, I think you misread. The OP has tunnel network:
    OpenVPN IP: 10.1.0.0/24
    While the remote nets are:
    LAN1 = 10.0.0.0/24
    LAN2 = 10.0.1.0/24
    No conflicts there, he's using 10.0.0.x, 10.0.1.x, and 10.1.0.x.
  • 0 Votes
    4 Posts
    2k Views
    tun/tap are fundamentally different. Personally I'd always use tun if you are not bridging. Routing over tap is just causing yourself more trouble than needed. tun will almost always result in better throughput.
    Quote from openvpn website:
    Now lets see benefits and drawbacks of TAP vs TUN.
    TAP benefits:
        behaves like a real network adapter (except it is a virtual network adapter)
        can transport any network protocols (IPv4, IPv6, Netalk, IPX, etc, etc)
        Works in layer 2, meaning Ethernet frames are passed over the VPN tunnel
        Can be used in bridges
    TAP drawbacks:
        causes much more broadcast overhead on the VPN tunnel
        adds the overhead of Ethernet headers on all packets transported over the VPN tunnel
        scales poorly
    TUN benefits:
        A lower traffic overhead, transports only traffic which is destined for the VPN client
        Transports only layer 3 IP packets
    TUN drawbacks:
        Broadcast traffic is not normally transported
        Can only transport IPv4 (OpenVPN 2.3 adds IPv6)
        Cannot be used in bridges
  • Windows 7 machines can't communicate over VPN

    1
    0 Votes
    1 Posts
    695 Views
    No one has replied
  • OpenVPN Errors after ISP Connection Drops, but it Still Works

    1
    0 Votes
    1 Posts
    707 Views
    No one has replied
  • Site-To-Site OpenVPN not working - no tunnel traffic

    22
    0 Votes
    22 Posts
    11k Views
    Solution? Don't have a newb set up the VMware host server. :-[ The problem was that there wasn't a gateway defined on the host server. It ended up not being an OpenVPN/pfSense issue.
  • Can't get off VPN?

    2
    0 Votes
    2 Posts
    897 Views
    Had the same problem with mine before my box crashed (now can't get it back working). Change the first firewall rule from DEFAULT GATEWAY to the GW-WAN... that will get ALL the traffic off the tunnel, but the tunnel will stay up and working... then peck, peck your way through the other.
    Now as to the rest, if I can get mine back up and working I believe that we will have to set up some kind of routes for the VPN and burn a firewall rule in for EACH device you want out the tunnel (by IP, Name, etc).
    P.S. Back up your config.xml file with your working configuration BEFORE you start tweaking!!! That way if you break it all... you can restore the working configuration... trust me I know. Haven't worked on mine lately... too much Holiday...
  • Open vpn setup

    7
    0 Votes
    7 Posts
    1k Views
    Don't know about you robina80, but if you can get the tunnel up and running OpenVPN to your provider, then every device connecting with your PFsense Box will go out through the tunnel, as I understand it the OpenVPN client is by default bound to the WAN...
    Basically the way mine worked... (before the GREAT CRASH... and Decent Recovery) is that ANY device present on my Network that went to the Internet thru my Box, went thru the tunnel. In my case I need to get mine back up and configured to EXCLUDE every device except a select few from going out the tunnel... If it wasn't for the other half's soaps on Hulu and CBS I'd LOVE for everything to go out the tunnel... Women!!!! I know that doesn't do you any good when away from home...
    You can set up IPSec, L2TP and PPTP like divsys said... buuuuttt I don't think you can use them all at once.
  • What ever happened to one time pass codes for OpenVPN?

    2
    0 Votes
    2 Posts
    658 Views
    Well, considering that the link in that post goes to a dead Drupal site, I'd say that we're probably all better off. Getting something like this going is probably a better long-term solution anyway. https://github.com/evgeny-gridasov/openvpn-otp
  • [Solved] OpenVPN/ExpressVPN cannot connect

    2
    0 Votes
    2 Posts
    4k Views
    Update … fixed, by altering the OpenVPN client config to fast-io; persist-key;replay-persist cur-replay-protection.cache; remote-random; pull; verb 5; key-direction 1;route-method exe; route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450; persist-tun;keepalive 10 120; keepalive 10 120 was the actual differentiator that made it work.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.