• OpenVPN PSK multi site to site

    10
    0 Votes
    10 Posts
    3k Views
    D
    when you configure the client, do you fill in the tunnel network or is it enough to define this on the server? I always do to make sure it's correct at both ends, I use a /24 subnet even though it's often overkill.  It needs to be the same in the Client Specific Configuration entry for each client as well. on the server > advanced;  do I understand it correct I have to add the route for every extra branch office? Yes that's correct, you list all the subnets that the server will route to any of the clients and then add a specific "iroute" in the CSC entry for each client according to the subnet that client needs. In pfSense 2.2.4, it's easier to use the "IPv4 Local Network/s" and "IPv4 Remote Network/s" boxes (although the "old" Advanced box method still works). The "Local" box is a comma delimited list of all of the Server's subnets, while the "Remote" box is a comma delimited list of all of the Client's subnets. As noted above, CSC entries split them where they need to go. The only other thing I've run into when adding new pieces to an existing OpenVPN setup is that pfSense does a fairly good job of trying to keep its pfSense servers and clients up and running.  That sometimes means when you make changes on the fly, you have to explicitly stop the server and client one at a time and then restart both to make sure your changes are in place.  Changing/adding certificates on the fly can be very problematic sometimes. Seeing as you have two sites working OK, you probably have the basic techniques done correctly.  I would make all the entries in the server for all the clients, then reboot the pfSense server box.  Then you can work on each client one by one and see the changes in the server's OpenVPN status log to see what's going on. In the end I find this stuff takes more time to describe than to actually get going, especially if you've managed to get two clients working already. Keep at it and let us know how it goes.
  • Static route with default GW openvpn client IP

    1
    0 Votes
    1 Posts
    363 Views
    No one has replied
  • Passing youtube traffic to vpn

    1
    0 Votes
    1 Posts
    441 Views
    No one has replied
  • How do I determine which gateway an openvpn connection is using?

    2
    0 Votes
    2 Posts
    621 Views
    A
    If you have a failover, and ovpn is running on that then server run on the tier 1. Tier 1 drops, ovpn runs on tier2.  When tier 1 came up, ovpn changes
  • PfSense 2.2.4 + OpenVPN Peer to Peer route error

    1
    0 Votes
    1 Posts
    612 Views
    No one has replied
  • [Solved] OpenVPN: Can not Ping/Access Remote LAN

    6
    0 Votes
    6 Posts
    1k Views
    F
    @Bunkai.Satori: Hi Doktornotor, Fmslick, The Computer Guy, thank you very much for your advice. I have realized, for VPN communication, I have to open local firewall ports on the remote PC. Somehow I thought, because I have VPN connection, I am bypassing the firewall rules. Indeed I am bypassing the firewall but on the pfSense appliance only. On the remote PC I am trying to ping/access, I have to block the firewall or open appropriate ports. I have tried so many combinations and invested many hours into this problem just to find out that I have to open target device firewall ports. Indeed Doktornotor, you were perfectly correct. :-) Thank you very much that you were trying to help. I am marking this question as solved. Bye. I'm happy to hear you got it to work!!  ;) Happy to hear you got it to work.
  • PFsense anonymous VPN Client and security

    3
    0 Votes
    3 Posts
    2k Views
    Derelict
    Outbound traffic isn't controlled by rules on the OpenVPN interface/tab.  It's just like a WAN.  If you have no rules, no inbound connections from the VPN tunnel will be accepted and no rules are required for outbound connections. Traffic going out the VPN is allowed into pfSense by LAN rules which policy route the traffic to the VPN gateway, then, absent any advanced outbound floating rules, the traffic is allowed out the VPN, just like connections out WAN.
  • How to connect to specific IP in lan over vpn?

    2
    0 Votes
    2 Posts
    549 Views
    johnpoz
    what does client to client connectivity setting have to do with talking to devices on your lan behind openvpn on pfsense? That setting says openvpn clientA can not talk to clientB.. that has nothing to do with clientA or B talking to lan device 192.168.1.42
  • 0 Votes
    4 Posts
    1k Views
    A
    awesome thanks!
  • Open vpn multiple site to site S2S vs SSL/TLS

    3
    0 Votes
    3 Posts
    1k Views
    Y
    Thanks jimp. I will go with SSL/TLS method. Appreciate the link.
  • OpenVPN Bridge Layer2 Pfsense 2.2 Same Subnets

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Check if OpenVPN is running

    5
    0 Votes
    5 Posts
    1k Views
    johnpoz
    I use the watchdog package to monitor ntp, freeradius and openvpn.  Even can be set up to send you alerts if has to restart something.
  • OpenVPN - Dropping out - Fatal error

    2
    0 Votes
    2 Posts
    2k Views
    A
    Hi, at first sight, it seems that there are two errors: The first: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1542 172.27.232.9 255.255.252.0 init    Closing TUN/TAP interface  Exiting due to fatal error Appears to be a problem related to the hardware (patch cord, network card, etc.) Due to something, the link is going down. If you can, verify the above components and see if the errors are gone. The second error: ERROR: could not read Auth username from stdin  TLS: soft reset sec=0 bytes=257104590/0 pkts=272786/0 Question: This error occurs a few seconds after the first one? If yes, maybe it's related to the first. If the first error gets corrected and this error continues, try to increase the verbosity of the log file (one way to do this is to add to the file /var/etc/server1.ovpn the lines: "verb 5" and  "log-append /var/etc/log.txt", restart openvpn and see the log file contents. This modification will be lost after reboot) to have more information on which command exactly is complaining about the missing Auth username, so we can solve the problem.
  • TLS Error: TLS handshake failed

    9
    0 Votes
    9 Posts
    5k Views
    johnpoz
    why does it say user cert on that - are you trying to use the server cert as your user cert as well?  You have to create a specific user cert, you can not use the same server cert for your user.  See my example where I have a johnpoz cert as the user cert. [image: samecert.png]
  • Problem using OpenVPN

    6
    0 Votes
    6 Posts
    2k Views
    D
    OK, if you're using a physical IP, I'm guessing your WAN is set up with a Static address? Does the current WAN->Interfaces IP address match what's in your OpenVPN client? I notice another problem, if I connect at my server and try to PING in my Client, I can't, I lose all the packets, the same happens if I connect at the client, all PING packets are lost. (Yes, ICMP is enabled in both sides). My internet provider is the same in both sides. But if I connect in another computer outside my network (My Personal Computer) I can ping in both sides (Client and Server). Huh? I don't quite understand, are you trying to connect to your OpenVPN server from the LAN (inside your own network) side of your pfSense box? That's not going to work properly using OpenVPN, and that's not what the VPN is for in the first place. If you can connect from outside (using OpenVPN?) then what's the problem with your setup? I'm getting confused as to what your problem is here. Can you post a simple diagram explaining your setup and the problem you're trying to solve?
  • Do 127.0.0.0/8 rules need to be duplicated?

    3
    0 Votes
    3 Posts
    747 Views
    M
    I do route DNS lookups through it and I did not set up the 127.0.0.0/8 rule and it's working fine. I'm using Hybrid Outbound NAT and just added the LAN Subnet.
  • Source of fcgicli

    3
    0 Votes
    3 Posts
    1k Views
    J
    Thanks a lot! I noticed that I only searched in repositories and not in files.
  • PFSense 2.2.4 + OpenVPN 2.3.8: LAN Access Problems

    7
    0 Votes
    7 Posts
    2k Views
    N
    Yes.  That's pretty much the purpose of the VPN; to access the LAN.  Have full access to everything 192.168.2.0/24.  Also to the LAN the client is connected to (assuming it's not the same as the remote LAN; 192.168.2.0/24). Be sure the LAN the client is connected to is not the same as the remote LAN.  That's why I use 192.168.2.0/24 instead of the common defaults 192.168.0.0/24 or 192.168.1.0/24 that most private LANs are configured as.
  • [SOLVED] PFSense 2.2.4 + OpenVPN 2.3.8: Can not create OpenVPN connection

    24
    0 Votes
    24 Posts
    6k Views
    B
    Hi Johnpoz, Thermo, I have redone that, as you recommended. As part of my learning process it was great exercise: IPv4 Tunnel Network: 192.168.188.0/24 IPv4 Local Networks: 192.168.168.0/24, 192.168.169.0/24 That is correct, that I will have a bit more flexibility now to grant access to only one network if needed. Thank you.
  • Bad VPN routing after internet reconnect?

    1
    0 Votes
    1 Posts
    769 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.