• What I am doing wrong here?

    23
    0 Votes
    23 Posts
    4k Views
    johnpozJ
    Dude, I have NO freaking idea what you're doing wrong, since you have provided NOTHING in the way of information… What does the log say on both the server and the client when you're saying it doesn't log in?
  • Cannot access smb shares? SOLVED

    5
    0 Votes
    5 Posts
    2k Views
    K
    Thank you so much. I realized that Bitdefender was blocking the connection to the adapter; I edited the adapter as trusted. Thank you so much, pretty new to OpenVPN.
  • SOLVED: OpenVPN Site2Site, Slow download, Bug ?

    2
    0 Votes
    2 Posts
    897 Views
    S
    Found it!! With the current (2014-06-11) state of VirtIO network drivers in FreeBSD, it is necessary to check the Disable hardware checksum offload box under System > Advanced on the Networking tab and to manually reboot pfSense after saving the setting,
  • Solved: Pushing wrong netmask for windows

    2
    0 Votes
    2 Posts
    966 Views
    W
    Figured it out.  My Local IPv4 network was being listed as the gateway address and not the scope. I changed the last part of the ip from .1 to .0.
  • OpenVPN login times?

    3
    0 Votes
    3 Posts
    821 Views
    K
    Thank you. I just ended up using ELK to keep all the logs, then filter it to find the user and external IP of the OpenVPN. Thank you again ;)
  • Audit OpenVPN and Cert Manager settings

    3
    0 Votes
    3 Posts
    1k Views
    J
    So would the following be a good secure way to issue new certs with minimal disruption? Create another Certificate Authority. Ensure the values are correct for my needs and today's standards. <-- I need to research guidance on this. Issue Certs for my clients. Deploy them one at a time when we have the machine in for maintenance. Then using the CRL turn off that old cert and eventually remove the entire list of Certs and old CA.
  • 100K openvpn users

    4
    0 Votes
    4 Posts
    1k Views
    ?
    I'm trying to set up 100K predefined users with certification, I created script to add them all. On what hardware you are trying this to realize? Once the script reached to 9K users, openvpn become very slow. And writing a script that adds even and only adding 5000 users per run should not work? Any idea how to figure out what is the root cause for it? The CPU is too lame. The RAM size is too low. The storage is too slow or small. Why not using an external OpenVPN Server? We use CentOS 6.6 and SoftEtherVPN Server on it. Intel E3-1286v3 / 32 GB ECC RAM / Samsung840 Pro 512 GB SSD, Comtech AHA600 VPN acceleration card (AES-CBC), Comtech AHA PCIe372 compression card (on each side)
  • 0 Votes
    2 Posts
    687 Views
    V
    Hello, the client must be pingable otherwise you will be missing rules to permit that. If you get no response from hosts behind the client while your rules allow the access, check these two points: Does the default route at the host you try to reach point to VPN client? If it doesn't you need a route at the host to direct the traffic to the VPN client or you activate NAT for VPN traffic at the client. Ensure that the host's software firewall allows access. E.g. Windows firewall drops packets from unknown private networks.
  • Tls-verify failed to fork?

    2
    0 Votes
    2 Posts
    1k Views
    D
    Plot thickens: For some reason it seems to tls-verify successfully, but only for the first connection after making a change (which reloads the server config I'm guessing), subsequent connections fail as above: openvpn[56619]: x.x.x.x:59134 VERIFY SCRIPT OK: depth=1, C=xx, ST=xx, L=xxxxx, O=xxxxx, CN=vpn.example.com, emailAddress=xxxxx
  • MOVED: Problem with OpenVPN, only shows half of the network

    Locked
    1
    0 Votes
    1 Posts
    493 Views
    No one has replied
  • OpenVPN failing to push local LAN network onto clients [SOLVED]

    3
    0 Votes
    3 Posts
    1k Views
    J
    After looking at it for several hours, it's the little things you miss. Cheers! As to the net30 crap, I wasn't getting routes pushed, so I'll fix that up now, not that it's causing too many dramas, but you are right, I doubt I need it. Thanks again.
  • No Subnet to Subnet routing when Openvpn client is configured

    3
    0 Votes
    3 Posts
    977 Views
    L
    @Derelict: https://doc.pfsense.org/index.php/What_is_policy_routing And, in particular: https://doc.pfsense.org/index.php/Bypassing_Policy_Routing I had made an attempt at this previously and failed. Following the instructions, I used an alias to include 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8, and this is now working perfectly. Thanks Derelict! Would you be able to use this method to solve this, https://forum.pfsense.org/index.php?topic=104090.0, problem?
  • Can connect pfsense LAN IP but not the whole intranet

    3
    0 Votes
    3 Posts
    866 Views
    J
    Hi, thanks for suggestions. Tested and introduced. Regards JMat
  • OpenVPN connects, can't get to lan network

    14
    0 Votes
    14 Posts
    6k Views
    B
    So I got this working finally. Turns out, for my DNS servers, I needed to put my DHCP server there. This allowed the DNS to get resolved. Thanks for your help folks.
  • Configuring openvpn server and client

    43
    0 Votes
    43 Posts
    11k Views
    J
    Yeah good, I have upgraded to 2.2.5 8) 8) still same problem. Site1:192.168.114.0 site2:192.168.116.0 site3:192.168.140.0. Can't access site2 from site3, can't access site3 from site2, remaining all success. Can you please check the screenshots
  • Confusing behavior - push "route network subnet"?

    10
    0 Votes
    10 Posts
    3k Views
    C
    Well, I don't know how to explain this but it's working now. I manually re-keyed the "IPv4 Local Network/s" on the OpenVPN server setup screen and after saving it started working. The 7.0/24 subnet is on the other end of the OpenVPN client tunnel, so perhaps that was the commonality between tunnels causing them to interact? And my previous note about it working with split tunneling disabled also touches this since that field disappears when the "redirect gateway" option is checked. It makes no sense to me at all, but so it is. After manually re-keying the subnets into that field everything is now working.
  • [Solved] Can connect from LAN but not from outside

    6
    0 Votes
    6 Posts
    1k Views
    D
    @Derelict: You are natting your OpenVPN port to your Wii. Yes I was! Everything works after I disabled the Wii rules. Thank you for the help!
  • OpenVPN works but no access to LAN

    8
    0 Votes
    8 Posts
    18k Views
    P
    That's it! I was assuming that the gateway for this interface was set to the pfSense box since I use DHCP server on pfSense, with the default route set, to service the LAN addresses. But, I checked and the default route, although set in DHCP, was not set. After adding the default route to this interface manually the OpenVPN works! Now I only have to figure out why the gateway is not set by DHCP. Thanks all!!!
  • Server to server openvpn.

    10
    0 Votes
    10 Posts
    2k Views
    D
    As I said before, the concept of "Server" and "Client" in OpenVPN is more about terminology than the roles of a traditional server and client you may be used to. Specifically the OpenVPN Server is the end of the connection that listens on a port for the start of a connection, the Client is the end that initially makes the call from the outside. Once the two have negotiated a valid connection, routing information is passed between them and the routing really can be from either end. I'm not really sure what you're getting hung up on as far as who's the Server and the Client. If you really want to have both ends to be Server and Client, there's nothing stopping you from creating two OpenVPN instances on each end, one a Server and Client the other a Client and Server. If you go with that type of design, you'll need to use distinct port and certificates as well as figure out which end will route what information.
  • 0 Votes
    4 Posts
    1k Views
    D
    Glad you're up and running :) You might want to update the subject of your first message to include "(SOLVED)". It's helpful for people checking in the future.