• DNSBL through OpenVPN

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ
    In the future there is no need to hide or try and obfuscate your local address space (rfc1918) ie 192.168/16, 10/8, 172.16/12 We all use the same addresses, it does not route on the internet. If I tell you I use 192.168.9.0/24 and my machines address is 192.168.9.100 and my vpn clients use 10.0.8/24 as their tunnel. It doesn't give away anything at all that could be used to find you or know who you are, etc. etc. To me hiding it does 2 things, it makes it harder to understand so can help, and 2nd thing is it makes me think the person posting is not the bright bulb in the pack when it comes to networking.. Should prob talk to them like they are 3 going on 4 years old and had a hard time in preschool with learning their colors ;) heheheeh You know the kid sitting in the corner drooling eating glue..
  • OpenVPN for VLAN

    3
    0 Votes
    3 Posts
    2k Views
    johnpozJ
    Yes, it's called policy based routing.. You're going to want to make sure you don't pull routes from vpn client connection on pfsense. And then just create firewall rules to send what traffic or devices you want to send down the pfsense client vpn connection.
  • OpenVPN per user IP

    2
    0 Votes
    2 Posts
    776 Views
    C
    I've solved it. In common name I use the username from active directory and advanced config with ifconfig-push. It works with or without user certificate.
  • OPENVPN + MTOP is not normal login bug

    6
    0 Votes
    6 Posts
    946 Views
    B
    I manually start freeradius but openvpn+motp does not log in, so I use this method again: click services->freeradius->users, find the user that cannot log in, click "edit this item", do not change anything and click "save", then log in again, and the motp login is OK, so the freeradius motp has a bug
  • [RESOLVED]Directed to local router instead of my pfSense

    3
    0 Votes
    3 Posts
    889 Views
    ?
    Thank you for your reply, and for providing me with a recommendation. Sorry if my post was a little confusing at first. Originally I thought of this but wasn't completely sure as I have felt that even on a network of the same private ip of my local home network; tunneling thru the vpn still worked for me. I wanted to see if there was something else to try as changing my local home network would require me to edit all my static IP I've created  :'(
  • Using OpenVPN with my local network

    1
    0 Votes
    1 Posts
    619 Views
    No one has replied
  • OpenVpn Second factor authentication

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ
    Yeah it's funny how some of these auditors don't actually understand what they are auditing ;) Ok MFA is a requirement, we are using MFA already.. How many factors you want ;) Should we have the users submit a DNA sample every time they auth? ROFL Then you would have 3, cert they have, password they know and their dna something they are.. Glad you got it sorted.. Your users would have prob had a fit with many a help desk call having to add the OTP auth along with their password, etc.
  • 0 Votes
    1 Posts
    516 Views
    No one has replied
  • Open vpn and static routing

    5
    0 Votes
    5 Posts
    2k Views
    C
    Thanks Viragomann I appreciate it, this concludes my 2 week search for the masquerade or outbound NAT as u call it in pfsense. When I did that and logged to mikrotik from my iphone the ip was that of pfsense therefore I can see all 10.0 networks on the mikrotik. Thanks again I hope I can help others who experience issues in this transition from PPTP to Openvpn. I had no idea that the interface address meant the pfsense IP so I was putting my ip as a /32 subnet and it didn't work. Also I used source nat openvpn interface instead of LAN so it was 2 mistakes I did. Now all that remains is to fix the 2 broken packages that remain on the menus after the upgrade and make me nuts!!!! nut and BandwidthD that return 404 error. Yes I know I should have uninstalled them before the upgrade but who reads the fine print right? Especially in Greece!
  • Advise on OpenVPN Setup

    2
    0 Votes
    2 Posts
    634 Views
    D
    I would gently suggest you try this setup using PKI. My experience has been SSL/TLS gives you a more robust and flexible setup, especially if you need to expand later on. You can probably keep your existing server-client setups, just create a new CA on the server and use that to create individual certificates for: OpenVPN server - type Server Each client - type User You can enable auto-TLS on the server and use that key for an extra layer of security. The clients will need a copy of the CA cert (not the private key part) and their respective certificates (created in 2) ). It sounds a little daunting, but once you have one done the rest will fall in line pretty simply. If you post back, we can help along the way.
  • OpenVPN not working on android?

    18
    0 Votes
    18 Posts
    6k Views
    R
    Perfect - you fixed the PBX issue for me! Zoiper works well! Only two other issues for me seem to be related to external web traffic. If I am browsing facebook or reddit it works fine on: Wifi or cell service. If I log into the VPN, the web isn't loading anymore. It seems like I am good for internal things on my network (for the most part) Root Explorer on Android is having a hard time browsing SMB folders on my freenas box over VPN but works fine on wifi.
  • High CPU Usage after Upgrade

    4
    0 Votes
    4 Posts
    949 Views
    K
    I just checked this morning at the cpu usage and as written about above, the two OpenVPN instances are using loads of cpu time. See screenshot. Any ideas on this?
  • Openvpn interface up/down when, how?

    2
    0 Votes
    2 Posts
    587 Views
    K
    Any idea? Should I change to gre over ipsec?
  • Client Specific Override Always Assigns Network IP to Client

    12
    0 Votes
    12 Posts
    4k Views
    J
    @divsys: Yah, the full screen shot has a few other sections (like Topology for one) that might affect things. The other things to try are a full reboot of the server box or (if that's too onerous) search for the running server process and explicitly kill it. Worth it just to make sure you're on a level playing field as far as previous attempts go. You can up the server's verbosity so you should be able to see if the CSO is getting applied when the client connects. Similarly the client logs may show what's trying to apply if you up the logging level. Are the clients just typical Win, android, iPhone, or something else? Attached SS's of the Server and CSO's. When I get home later I can troubleshoot further. And yes the client I'm testing with is android phone.
  • Need a How-To

    8
    0 Votes
    8 Posts
    2k Views
    imWACCoI
    @Derelict: Is something not working? No, I just want to understand the settings before I implement them. I've had to Restore-To-Default once because of the major update to Snort, and me not understanding settings.
  • Port Forwarding

    3
    0 Votes
    3 Posts
    1k Views
    johnpozJ
    The openvpn wizard does not create a port forward, it does create a rule on your wan for the port you use for that vpn instance. How would a port forward to your pfsense lan IP allow for scanning of your "machines"  even if you did create the forward..
  • Strange openvpn (server) issue since upgrade to v2.3

    2
    0 Votes
    2 Posts
    1k Views
    L
    Heeeeeelp :'(
  • 0 Votes
    4 Posts
    1k Views
    G
    Can I add a question? If I want to set up multiple client sites, do I need separate server entries on the server firewall? Thanks,
  • OpenVPN cannot connect after the latest upgrade (2.3.11)

    7
    0 Votes
    7 Posts
    2k Views
    johnpozJ
    "SSL3_GET_CLIENT_CERTIFICATE:no certificate returned" Seems kind of hard to validate if there is no cert presented.
  • OpenVPN - client machine to server-lockdown

    13
    0 Votes
    13 Posts
    3k Views
    F
    I assume NAT is not possible, because I run in transparent mode/bridged?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.