• OpenVPN tunnel is crawling, not sure why.

    10
    0 Votes
    10 Posts
    2k Views
    R
    Here are various iperf/speedtest results… Summaries in bold:
    - Inside VPN (TCP): iperf: 1.48 Mbits/sec http://i.imgur.com/v1CHGZM.png
    - Inside VPN (UDP): iperf: 1.45 Mbits/sec http://i.imgur.com/aJ2DF1O.png
    - Client to Outside Internet: iperf: 3.72 Mbits/sec http://i.imgur.com/MwlC8wX.png
    - Client to Outside Internet (Speedtest.net): Speedtest: 86.61/86.92 Mbps http://i.imgur.com/qDqOlel.png
    - Inside server network to Outside Internet: iperf: 23.3 Mbits/sec http://i.imgur.com/4v1YOyI.png
    - Inside server network to Outside internet (speedtest.net): Speedtest: 56.43/63.89 Mbps http://i.imgur.com/RRF2oKv.png
    So looks like the VPN is running at the speed allowed by my client ISP minus 60% overhead. What's more interesting is the Server ISP (50/50 Verizon FiOS) is showing only 20Mbits/s. Not sure what to make of that information, considering speedtest shows 50Mbps. Not sure if this conclusion is correct, but it looks to be traffic shaping by the client-side ISP. I'm going to fiddle around to try and reduce the overhead required.
    - Need to better understand the impact of MTU
    - Set up servers inside the client side network to better assess internal throughput.
    - Experiment more with 128bit encryption
  • 2000 Sites to Connect via VPN to AWS

    8
    0 Votes
    8 Posts
    1k Views
    V
    Are you trying to reach the client end point device or a network behind the client? For accessing the client device you will need to open up its firewall. If you want to access a network behind the client you will need vpn routes in addition. Is it a SSL/TLS openvpn or a shared key?
  • Open VPN site to site issue(Difficult problem)

    2
    0 Votes
    2 Posts
    542 Views
    V
    Does that mean, you're running a vpn access server + a vpn client for site-to-site connection to A on site B server?
  • Missing something on a site to site vpn tunnel

    4
    0 Votes
    4 Posts
    870 Views
    V
    Another point to check here is if the local and the remote networks overlaps.
  • Leaking DNS requests- settings seem to be correct?

    2
    0 Votes
    2 Posts
    672 Views
    M
    You could prevent a device in your network from interrogating an unwanted DNS by adding two rules like these in the Firewall LAN tab. In your case the first rule should contain as destination an alias with the DNS addresses you want to authorize. ![locked DNS.png](/public/imported_attachments/1/locked DNS.png)
  • Metro Ethernet Multi IP Open SSL VPN

    2
    0 Votes
    2 Posts
    591 Views
    S
    Can you help me? @sinanc: Hi, I am using PFSense version 2.3.2-RELEASE-p1 1 wired metro ethernet internet connected and 4 multi ip address. I use open ssl vpn service from my main wan ip address which is defined as virtual ip. I want to set up an open ssl vpn service from a different main virtual ip address. The open ssl vpn service I installed will not be able to connect to the local network, but when the client connects to this open ssl vpn, I want to get the open ssl vpn ip address, which is my second definition of the internet out ip address. Sample diagram, Main wan ip 192.168.1.1 open ssl vpn service has local network access client exit ip address 192.168.1.1 Multi wan ip 192.168.1.2 open ssl vpn service local network access disabled client exit ip address 192.168.1.2 I tried to make adjustments, but it did not work. Client vpn wan could not get out ip address because I did not select Tunnel settings / Redirect Gateway in open ssl vpn settings. Can you help me? Regards.
  • Issue with NordVPN dropping every few days (OpenVPN client)

    3
    0 Votes
    3 Posts
    1k Views
    H
    Many thanks Duren :D I will try that advanced auth entry.
  • Intermittent connection: pfsense and openvpn

    1
    0 Votes
    1 Posts
    556 Views
    No one has replied
  • Can only communicate in one direction. (A bit complicated.)

    7
    0 Votes
    7 Posts
    1k Views
    Derelict
    The routing was correct. The packets were being sent out the correct interface. Rebooting other devices must have cleared something elsewhere. Glad you got it sorted out.
  • Necessary to create internal certificate and CA with PIA?

    1
    0 Votes
    1 Posts
    356 Views
    No one has replied
  • Question about Site to Site

    3
    0 Votes
    3 Posts
    692 Views
    J
    I assign an additional interface (ovpnc1 in this case). Activated this (no IP, nothing, just activated). Then I set a static route to 192.168.50.0/24 on the gateway of this interface (this was the way of doing this, as I know since years). But my question is, the text in newer version states this is not needed any more.
  • OpenVPN site to site - Can't reach client LAN

    13
    0 Votes
    13 Posts
    2k Views
    J
    You were right. After dealing with the datacenter's support, we found I could enable IP spoofing on the LAN interface for the pfSense VM and after allowing that, it works fine without NAT.
  • OpenVPN & ExpressVPN speeds

    3
    0 Votes
    3 Posts
    935 Views
    N
    @Soyokaze: Test with same hosts and ports on your own PC (not from pfsense), Test from both PC and pfsense with different hosts/ports. Did this and was the same but it did give me an idea and found what was the issue. A power surge took one of my ports out on my switch and was stuck in 10MB half duplex which was causing the whole network to go to it. Replaced the switch and good to go. Thank you!
  • Only OpenVPN installer .exe of openvpn-client-export

    6
    0 Votes
    6 Posts
    2k Views
    johnpoz
    Then I would suggest you put that in as a feature request on redmine or possibly the package section.
  • OpenVPN with transparent firewall

    3
    0 Votes
    3 Posts
    1k Views
    jimp
    The firewall can't easily act as both a destination (routing) and a bridge. You would have to manually set a route on each system in your local network, pointing the VPN subnet to the firewall's IP address. When a VPN client tries to contact a server, the server's reply would be going to its default gateway (on the WAN side of the firewall) and not back to the firewall itself. It may also be possible to put a route on the default gateway to point the VPN subnet back to the firewall's IP address, but that would be rather messy. It is nearly always better to NOT bridge, but to do routing. If your ISP provides you with two blocks (one for WAN interconnect, second block routed to the firewall in the first block) then you can do away with bridging and use a proper routed setup instead.
  • 0 Votes
    2 Posts
    787 Views
    A
    I was able to figure this out. The problem was caused by "Authenticated Users" no longer being included in the Pre-Windows 2000 Compatible access built in security group. This group normally provides read rights to all AD Objects. Previous and existing domain admins were automatically being assigned some of these read permissions. Fixed by giving the pfsense LDAP Active Directory account read access to all users.
  • Multiple VPN server entries - Feature2.4 Request?

    2
    0 Votes
    2 Posts
    517 Views
    jimp
    Do you actually need separate interfaces? Are they all active at once, or is it meant to fail from one to another? If it's the latter case, you could just add a bunch of "remote x.x.x.x yyyy" lines to the config of the first one. If it's the first case, then there isn't an easy way to automate that currently. (And it's too late for new features on 2.4)
  • HW Acceleration in OpenVPN

    11
    0 Votes
    11 Posts
    5k Views
    V
    @Derelict: I would be surprised if you saw a difference in speed with AES-NI in use or not with OpenVPN. There is a lot of overhead already there that has nothing to do with crypto operations. If anything you might see less CPU utilization to accomplish the same speeds but that is more difficult to measure. I would expect a measurable but not dramatic speedup moving to GCM and changing from aes256 to aes128. It's worth doing, but won't fundamentally change the performance characteristics of a machine.
  • The best tutorial to start with OpenVPN

    16
    0 Votes
    16 Posts
    2k Views
    J
    You are the best Derelict! Thank you so much.  It seems to be working, but I'll do some full testing tomorrow. I added a rule so that traffic going to my LAN net doesn't use the WAN interface.  I put that at the top.  Then, I followed it with the rule for traffic going any to route out the WAN interface.  Now, I can ping my internal LAN devices as well as pinging external sites.
  • Openvpn multi WAN load balance/failover

    3
    0 Votes
    3 Posts
    728 Views
    N
    Anybody please help? I just want to loadbalance between P2P and Internet but Internet traffic I want to encrypt so I am using open vpn? Any other suggestion please help. Thanks
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.