@heper: you probably did something wrong in generating the certs. (no clue what) just start from scratch and try again with new a CA generate the servercert&usercert from the newly created CA. should be fine Alright, will do. Thanks.

Please don't hijack unrelated posts, split this into its own thread.

I don't know if this is a perfect solution but it works.  This will help with Netflix but not with torrent traffic. After setting up the VPN to work, create this firewall rule and leave it on top. set to: Pass Interface: LAN Source:  Local ip address of what is using netflix Destination: any Gateway: your vpn This will make  only that device send all of its traffic through the vpn.  Remember you have to give it a static ip address in status-> dhcp leases  .  To prevent the rest of your network from being on that vpn, you have to set a kill switch rule under that.  I think this will work. set to: Block Interface: LAN Source:  LAN Address    <–-( exact words by the way) Destination: any Gateway: your vpn

@chemlud: Is snort involved  on your pfSense? I would wireshark the LAN side, to see what's going on between the laptop and the pfSense box… :) You got me on the right track,, thanks. No I dont have snort on the fw….but... I hade a D-link switched called DGS-1210-16 with a Security option enabled. The switch itself can protect from: Land Attack Blat Attack TCP Null Scan TCP Xmascan TCP SYNFIN TCP SYN Src Port Less 1024 Ping Death Attack TCP Tiny Frag Attack And the problem was the Blat Attack rule, if I disabled it on the Switch then the OpenVPN connection worked perfect. Thanks to all that tried to help.

For all who can't figured this out and noone want to answer him. When you create tap based VPN after you create a bridge go to Firewall > Rules > Bridge interface > creat a rull to allow trafick on that interface with custome optoion "Gateway" internal gateway of your network. After that everything start flying :)

there should be a field in the openvpn server config named: "IPv4 Local Network/s" all subnets declared there get an automatic "push route' statement added in the underlying config.

The problem is solved for now. I stopped the apinger service manually and it stops restarting. Every 5 minutes that service made a "alert" of gateway down, but it isn't true… the gateway was ok all time. For now, I will keep that service down. Thank you for your answers :)

Adjusting the threshold seems to have fixed it.  Thank you!

Speaking for a very small segment of the pfsense community (ie. Myself), thank you very much for taking the time to drop in and give us an update. I've used the OpenVPN Manager and OpenVPN for many projects and it's one of the nicest combinations of work I've used. Thanks again!

@jimp: Any errors in the system log when you try to export a .p12? It must be something in the way the cert was imported. You might try to remove one of the imported certificates and then import it again. No entries in the system log. Is it possible to raise the loging level or to activate some kind of debug mode? I've already removed and reimported some of the IPCOP certificates with no success. I've also exported and reimported certificates created by pfsense, which was successfull. It definitely has something to do with the content of the IPCOP certificates… I also noticed the the distinguished name of the imported certificates is different to the one from the certificates created by pfsense (see attached screenshot). [image: screenshot.png_thumb] [image: screenshot.png]

I'd love to find some of the root causes for this one.  I run a box with about 25 client OpenVPN - PKI connections and when I reboot the box everything shows up fine, but over time I see "lost" connections in the GUI.  The total number and particular connections that are bad fluctuate but are somewhere around 5/25. I got mad one afternoon and was able to force a GUI restart on the downed instances by finding their PID's in the shell and killing their process.  It seems that the GUI gets out of sync with the PID and then gets lost.  In general OpenVPN has been very stable overall and the GUI thing is really just a nuisance. I imagine if I get ticked at this enough I'll dig into creating a script to identify the differences between the GUI PID's and the actual running PID's  :o

most of my installations have been update from 2.0-Beta -> 2.0.1 -> 2.0.3 -> 2.1 -> 2.1.1 -> 2.1.2 -> 2.1.3 as far as i can tell, there is nothing wrong with your openvpn configuration. for testing you could add a firewall rule on top of the openvpn-tab: PASS, PROTO:all, source:any , dest: some-lan-client-address, logging:on see in logs, if it shows up when you try to ping the client … if it does, then i'd say it's a client issue. If not, then only packet-captures could help to explain what is happening

@Derelict: Is this on? Strict CN/User matching: When authenticating users, enforce a match between the common name of the client certificate and the username given at login. It's in the OpenVPN server settings. EUREKA!!! Yes thank you -just tested, and is working as described. … In other news, i need to go and have my eyes tested - cant believe that i missed the setting  :o Thx Derelict / Guys :)

Hi , i tried all things ….........no luck ! the only way it worked is , when i used openvpn gui  !!! i was using openvpn client , but not working ! can you tell me wt the diffeence between them ?  why pfsense dont like both of them ?? also i have another issue with my iphone ! im trying to download the profile but it fail !!! it give me an error !!! anyhellp ?

many thanx viragomann, now i try to do it, i hope to have success. Can i ask you other in future? For me, this features is very important Regards

Hi, I have also added the following rules on the PRV5 interface you have to put the rule allowing traffic from OpenVPN to OpenVPN interface.