When you make the connection it will add routes.. You can bump up the logging verbosity to view them being added.. example, here is my currently connecting to my pfsense openvpn setup at home..  See the routes get added Mon Jul 13 16:38:31 2015 Successful ARP Flush on interface [22] {5A2F7EEA-6ED4-4F64-84E8-6A9A17179285} Mon Jul 13 16:38:36 2015 TEST ROUTES: 4/4 succeeded len=4 ret=1 a=0 u/d=up Mon Jul 13 16:38:36 2015 MANAGEMENT: >STATE:1436823516,ADD_ROUTES,,, Mon Jul 13 16:38:36 2015 C:\Windows\system32\route.exe ADD 192.168.9.0 MASK 255.255.255.0 10.0.8.5 Mon Jul 13 16:38:36 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4 Mon Jul 13 16:38:36 2015 Route addition via IPAPI succeeded [adaptive] Mon Jul 13 16:38:36 2015 C:\Windows\system32\route.exe ADD 192.168.2.0 MASK 255.255.255.0 10.0.8.5 Mon Jul 13 16:38:36 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4 Mon Jul 13 16:38:36 2015 Route addition via IPAPI succeeded [adaptive] Mon Jul 13 16:38:36 2015 C:\Windows\system32\route.exe ADD 192.168.3.0 MASK 255.255.255.0 10.0.8.5 Mon Jul 13 16:38:36 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4 Mon Jul 13 16:38:36 2015 Route addition via IPAPI succeeded [adaptive] Mon Jul 13 16:38:36 2015 C:\Windows\system32\route.exe ADD 10.0.8.1 MASK 255.255.255.255 10.0.8.5 Mon Jul 13 16:38:36 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4 Mon Jul 13 16:38:36 2015 Route addition via IPAPI succeeded [adaptive] if you add verb 4 to your config you should get more details.. [image: routesopenvpn.png] [image: routesopenvpn.png_thumb]

what are you rules in your openvpn tab? What do you want to do?  Do you want to route all traffic through your vpn, or only use the vpn to access the networks behind the vpn? Do a route print from your client to see your routes

If the goal is to get VPN going between the ASA and pfsense, the most straightforward approach is to use ipsec vpn on both. The ASA doesn't support OpenVPN. the ASA does support ipsec vpn client connections and I just saw a package for Synology NAS units that apparently lets you connect to a Cisco concentrator.  I haven't looked at it much yet but it might be possible to get raccoon running on the pfsense box.  There's a discussion of raccoon on BSD here: https://matt.bionicmessage.net/blog/2011/06/18/Configuring%20Racoon%20on%20FreeBSD%20to%20connect%20to%20a%20Cisco%20IPSec%20VPN I don't know how much good that will do you - I don't know if you can use clients behind the system to connect to the far side once you've got pfsense connected to the ASA.

Thanks!

@Supermule: The good thing is that the way OpnSense is built its updates are quite frequent https://forum.opnsense.org/index.php?topic=944.0 Allready getting patches later today. Those "quite frequent" updates are easy when you don't do any testing. If it had applied, those who wanted a fix would have had one within an hour via 2.2.4 snapshots, with release soon to follow (still is coming soon, just not because of this) after it's been tested. But better off if you don't need patches at all because you aren't running two diff copies of OpenSSL unnecessarily.

That was the issue, I assumed that pfSense would automatically generate a certificate for the OpenVPN server if it was the certificate authority. Thank you!

pfSense is not the default gateway in LAN?

Do you push routes to your connected client with the pfsese server? Also, do you advertise your tunnel subnet so machines in the LAN can access it?

@cmb: That's what I was wondering, whether it was a client or server you were binding to the VIP. I'm guessing you probably don't have a firewall rule on WAN allowing traffic to the destination VIP and port for the non-working instance. Here is the config from the Cisco Router. ip nat inside source static 10.20.1.102 98…..... route-map PFSENSE-AWS ip access-list extended TWC-ACL deny  ip host 10.20.1.102 host 10.20.1.254 deny  ip host 10.20.1.102 172.32.0.0 0.0.255.255 deny  ip host 10.20.1.102 172.31.0.0 0.0.255.255 permit ip host 10.20.1.102 any ip access-list extended AWSEXCEPTION deny  ip host 10.20.1.101 10.20.0.0 0.0.255.255 deny  ip host 10.20.1.102 10.20.0.0 0.0.255.255 deny  ip host 10.20.1.102 172.31.0.0 0.0.255.255 deny  ip host 10.20.1.102 172.32.0.0 0.0.255.255 deny  ip host 10.20.1.101 172.31.0.0 0.0.255.255 deny  ip host 10.20.1.101 172.32.0.0 0.0.255.255 permit ip host 10.20.1.102 any permit ip host 10.20.1.101 any route-map TWC permit 10 match ip address TWC-ACL set ip next-hop 98..... route-map PFSENSE-AWS permit 10 match ip address AWSEXCEPTION 10.20.1.101 is the LAN Interface that is working - which has the same exact config on the Router. There is no firewall running between Router and PFSense Box. On the PFSENSE box, I have put in allow all traffic rules to try and get it working.

You may need to install one or more intermediate CAs so that your firewall can follow a chain all the way back to a trusted root CA.  You can verify this by checking /etc/ssl/cert.pem, which contains the list of CA root certificates that are trusted by your device.  If the issuer on your certificate isn't in that file, then you'll need to install intermediate CA certificate(s). For example, we use RapidSSL certificates here.  Since RapidSSL isn't a trusted root CA, we have to install their intermediate CA certificate, which bridges back to GeoTrust, which is a trusted root CA.  (Screen shots attached.)    

You can do this with the Rules section under the firewall settings, setup an Alias list for all the steam servers *.steam.com, then under the LAN rules, source LAN net, dest ALIAS NAME, all ports, then under advanced sections pick the OPT(OpenVPN) as the gateway.

There doesn't seem to be an option to just restore the certificates, but then as the machine name has changed I don't the certificates from our live system would work anyway. Since my first post I had a brain wave, create a new openVPN server through the wizard and that seems to have done the trick. Just need to test the VPNs work now. Cheers Dean

Thanks for the answer. Meanwhile I found the following on in the OpenVPN manual which describes the address assignment pretty well: “Specify an IPv6 address pool for dynamic assignment to clients. The pool starts at ipv6addr and increments by +1 for every new client (linear mode).” I believe that the linear mode is the only option for address assignment using a tun interface, and only tun is supported by my iOS devices. I’m going to request a feature like "Simulate IPv6 Privacy Extension" from OpenVPN, but I don’t see an straight forward solution for that.

Thanks,  you were right,  the provider's server will not reply to a ping.  I fixed it by monitoring another IP address only accessible via the VPN.  Thanks

I've managed to setup a few DD-WRT to pfSense OpenVPN links over the years and the experience has definitely improved. My earliest attempts (still working after 8+ years!) with Linksys routers involved scripting and other kludges to survive a reboot. My latest was with a pair of ASUS N66RT's allowing access to the owners office server(s) from two remote locations. The latest DD-WRT made it feasible to implement the whole thing through the GUI - no scripts required. That said, it's always an experience to find the most reliable firmware version to match the device you've got. I've tended to go for units with more Flash/RAM to avoid the feature "squeeze" of smaller units. All in all the setups have been very reliable. I would still rather find a small box to run pfSense, but where that doesn't work DD-WRT keeps things at least reasonably sane…..

@doktornotor: Have you noticed the "Disable this client" checkbox? I have noticed it. I could also shutdown my PIA interface but I was looking for more of a solution that leaves the service/interface enabled but just doesn't start on boot. Worst case I'll just use the disable client option as you pointed out.

I already linked what you nee to do above so that everyone can talk to everyone.

Attached the photos. Two more that I couldn't get on the previous post. [image: PFSensePing-1.png] [image: PFSensePing-1.png_thumb] [image: pingtest.PNG] [image: pingtest.PNG_thumb] [image: firewall2.PNG] [image: firewall2.PNG_thumb] [image: firewall3.PNG] [image: firewall3.PNG_thumb] [image: firewall4.PNG] [image: firewall4.PNG_thumb] [image: firewall5.PNG] [image: firewall5.PNG_thumb]