I'm getting the same error, I'm not sure why either.  :-\

Updated to Version 2.3-RELEASE Still the same error trying to connect to the openvpn-Server… If i install a debian on the same hardware, the vpn will nearly max out my connection. on freebsd it's still very slow. Seems like i still can't use it. Any more help?

using 2.3.9 [2.3-RELEASE][root@pfSense.local.lan]/root: openvpn –version OpenVPN 2.3.9 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Mar 31 2016 library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09 Originally developed by James Yonan

That would be entirely up to your client. OpenVPN itself only routes by IP address or subnet. There is no concept of routing by port at the IP level. I don't think any clients support doing what you propose currently, however. If it was a site-to-site firewall and there was a pfSense firewall in front, then you could do some work to policy route port 22 into an OpenVPN connection, but that is a bit different situation.

ugh i dont know why my pictures failed lol but viragomann was right! I changed my vpn tunnel to 10.10.10.0 and everything works! thank you!

Restarted and working perfectly, thx cmb!

Could you at least answer the questions JimP asked? There are no apparent issues there, if we can get some details about your config maybe we can find something.

Yes, but at the web interface you can use standard routing table and add the ipsec security associations info to have all the routing related info in a single place [IMHO]…

@lagreca: On this end, I can ping a remote LAN machine using the Diagnostics -> ping functionality. If you do that pfSense uses the VPN IP, which is known by the Asus router, of course. If you cannot add a static route to the router, you can also solve this by NAT. Go to Firewall > NAT > Outbound, if it do automatic rule generation, check hybrid or manual and hit save. Add a new rule: Interface: OpenVPN Source: Network and enter your LAN network The rest can be left at defaults, save it. If you have more than one OpenVPN connections, you have to assign an interface to each at first and use this in the rule here.

Is this close to being correct? If not can you draw it out? If this is close your asa needs to know how to send packets back to the 192.168.0.1 So a route on the asa for 192.168.0.1 next hop should be 10.0.50.2     ASA                                      PFsense                                    Remote Network +---------------------+                  +--------------------+      open^pn      +-------------------------+ |                    |                  |                    |                    |                        | |    10.0.50.1/24    +-------------------+10.0.50.2          +--------------------+  192.168.0.1          | |                    |                  |                    |                    |                        | +-------+-------------+                  +--------------------+                    +-------------------------+         |         |         |         |         |         |         |         |         |         |   +-----+--------+   |              |   |              |   | 10.0.50.3    |   |              |   |              |   |              |   +--------------+

@divsys: It's happening on more than one user Do you mean its happening with more than one certificate on the phone or on more than one phone? If more than one certificate, then definitely try dropping/changing (upgrading?) the phone app. Normally I like OpenVPN Connect as well, but perhaps it's being problematic here. If more than one phone, I'd be tempted to try another OpenVPN Server instance using a new port, CA, Cert to get a clean install. More than one phone and more than one user.

The OpenVPN connection for the laptop needs to pushed routes for East,North, and West. Each of East,North and West also need the route to reach your laptop connection. Central will need to push each of them a route to 192.168.50.0/24 and/or possibly the laptop's "home network"

Check the server, make sure it's set to 'net30' for the topology, save on the server then save on the client to restart it fully.

if you have WPAD it should grab the proxy. Did you check the auto detect proxy on firefox or chrome?

Would a CPU with AES-NI instructions help with this configuration?

Hilarious! Thanks Marvosa…I must have been very tired last night! I must have tried three or four times so was convinced I had typed it correctly, M

Wow, that seems nuts.. for such a large network wouldn't you normally just see a typical mpls cloud or sdn or sd-wan..  Managing 200 some s2s vpns seems nuts.

Ok, great, thanks. ~~Do I need to do something with the advanced configuration here, too? Like push route or so? (It was necessary for the windows clients.) Ah, and is there a way for me to remote connect to the branch office pfsense via this active site-to-site setup or do I need to run an OpenVPN server instance on the branch office pfsense as well? I'll hope you bear with me ;-)~~ Best regards, Mel Edit: Got it working.