• OpenVPN Issues on PFsense 2.2 and 2.2.1

    0 Votes
    3 Posts
    1k Views
    DerelictD
    @saytar: I know I had Private Internet Access setup on 2.1.5 fine, but after the upgrade my user id and password file was not carried over to 2.2.1. After I made a new file everything else worked. That is normal for changes made outside the GUI. You don't need the file any more after 2.2. There are now username/password fields in the client config GUI. You can populate those and clear the auth-user-pass entry in the Advanced text area.
  • How to block traffic from an OpenVPN connection to LAN subnet

    0 Votes
    3 Posts
    905 Views
    @doktornotor: The rules go on the OpenVPN tab. Not on LAN/OPT. Succulent comment... just defined an answer to a question I had been contemplating about my extra interfaces and a build out on my home network... 8)
  • 0 Votes
    7 Posts
    2k Views
    @kejianshi: I assume you are trying to setup some sort of gateway-failover by using 2 separate VPN tunnels? Not really. I want a VPN solution without modifying the local network clients (install OpenVPN, update, configure, …). We live in Germany and my girlfriend wants to use Netflix US (with her desktop and/or notebook). She cannot configure OpenVPN and I think she doesn't need that ;) My idea is: if she wants to watch Netflix, she must only change her IP address. That is no problem for her. And I need an exit point in the Netherlands and Switzerland. I can use OpenVPN directly, but then I must protect every PC against DNS leaks and so on. That is the reason why I want to manage the VPN clients at pfSense and "select the route" on the clients only with the IP address. @kejianshi: I'd advise using 2 separate openvpn services who don't assign same subnet ranges and don't use same gateways IPs. This is possible but then I have to pay for two accounts. And this sucks a little bit.
  • 2FA using authy soft token

    0 Votes
    5 Posts
    3k Views
    I'm also interested in any write-ups from people who have gotten this to work. Thanks in advance!
  • Can't set OpenVPN AD 2K8R2 based

    0 Votes
    2 Posts
    773 Views
    Solved, I figured out that my LDAP settings were wrong. Thanks anyway :)
  • Open vpn is not the default gateway

    0 Votes
    6 Posts
    1k Views
    As said, the interface for incoming VPN connections can also be the LAN interface. So no further interface is necessary for your goal, just one. For openvpn server set up, the wizard will guide you through and there are also some tutorials in this forum and in the pfSense docs: https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server
  • Weird behavior of a Layer 2 openVPN site-2-site tunnel

    0 Votes
    2 Posts
    801 Views
    No one has any clue?
  • OpenVPN site-to-site TAP

    0 Votes
    13 Posts
    3k Views
    dotdashD
    @Pitchoun511: I have found nothing that resolves my problem. I just went through the procedure in the thread I linked earlier on two 2.2.1 boxes and it worked fine, or rather well enough for me to get in and fix a problem preventing a remote host from routing out correctly. If you are still having problems, I suggest you look over that and then post some specifics of your config.
  • OpenVPN with hifn 7955 slower than without

    0 Votes
    2 Posts
    1k Views
    I see the same behavior on an Alix box we have.  The upgrade to 2.2.1 did nothing to fix this issue. OpenVPN settings: AES-128-CBC (128-bit) SHA1 (160 bit) I've checked the throughput via the command line (openssl commands), and I can set up ipsec tunnels and verify that the HIFN 7955 card is working - IPSEC I see great throughput, low CPU utilization. OpenVPN - 100% CPU at about 6Mbps of throughput. Something doesn't work correctly.
  • Site-To-Site access by select few

    0 Votes
    3 Posts
    785 Views
    Perfect.  Thanks for the great explanation.
  • OpenVPN-server & OpenVPN-client with same subnet

    0 Votes
    11 Posts
    5k Views
    @robi: Don't think you need to NAT on both ends. You should be able to create a single 1:1 NAT on the VPN server side between 192.168.53.0/24 and 192.168.1.0/24. All the VPN clients (which I presume are simple Windows clients on home PCs or laptops) can see 192.168.53.0/24 as it would be 192.168.1.0/24. No idea how you imagine this to work, really. So, you get traffic from the VPN server side's LAN via VPN. Won't ever reply back via VPN. It's like NAT reflection backwards.
  • AES-NI inoperative on pfSense 2.2?

    0 Votes
    4 Posts
    4k Views
    Read this: https://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni Performance Improvement The performance improvement expected with the use of AES-NI would depend on the applications and how much of the application time is spent in encryption and decryption. At the algorithm level, using AES-NI can provide significant speedup of AES. For non-parallel modes of AES operation such as CBC-encrypt AES-NI can provide a 2-3 fold gain in performance over a completely software approach. For parallelizable modes such as CBC-decrypt and CTR, AES-NI can provide a 10x improvement over software solutions.
  • Possible bug

    0 Votes
    7 Posts
    1k Views
    DerelictD
    Just look at the routing tables and see what's going on. netstat -rn and probably something else on windows.
  • Problem in 2.2.1

    0 Votes
    1 Posts
    592 Views
    No one has replied
  • Multi WAN OpenVPN

    0 Votes
    3 Posts
    868 Views
    Hi jimp, your sentence "Both should use the same certs, but different tunnel networks" was the right answer to make that work! Thank you a lot :) Cheers
  • Remote Site PC's inaccessible

    0 Votes
    5 Posts
    849 Views
    Thanks for the reply… I only have Windows firewall... haven't tried disabling it. But when I did, it's working!
  • OpenVPN + dual WAN + CARP

    0 Votes
    2 Posts
    668 Views
    1) Make the OpenVPN server listen on the failover gateway group
    2) Register with a dynamic DNS provider (if not already).
    3) Add a Dynamic DNS entry to update the name based on Failover Gateway Group
    4) Set up the OpenVPN client systems to use the dynamic name to connect
  • OpenVPN stopped working after changing 1 of 2 ISPs [solved]

    0 Votes
    4 Posts
    2k Views
    @phil.davis: Our subnet here is 10.0.0.0/16 and the tunnel networks are 10.0.2.0/24 and 10.0.3.0/24 Whatever worked previously must have been by luck. OpenVPN tunnel network should not overlap with any other local networks on your pfSense (or in your intranet). Change the tunnel networks to outside of 10.0.0.0/16 - e.g. make them 10.1.2.0/24 and 10.1.3.0/24 Then if there is still a problem we can think further. Well that sorted it, thanks. Must have been something odd in the set up for that static gateway. @kejianshi: Making subnets arbitrarily huge is a mistake. Noted, bit more work needs to be done on this network.
  • OpenVPN client default route

    0 Votes
    4 Posts
    3k Views
    Hi, Solved it, had to assign an interface, assigned VPN1 to ovpnc1, added no IP configuration whatsoever. That automatically created a gateway interface under system - routing, then in the firewall rules, I could use that gateway, and then it worked :)
  • Can't break 15mbps OpenVPN throughput

    0 Votes
    34 Posts
    10k Views
    The primary files that I'm transferring are .mkv files and Acronis True Image backup files (.tib). The .tib files are around 400GB and get pushed every 14 days. The .mkv files are around 30GB or so and get accessed as needed. Before I had a VPN setup, I was using FileZilla FTP over TLS to an older firewall with forwarded ports. Said firewall forwarded the ports to a 2012 R2 VM running an FTP site with IIS. I suppose I could still do that if need be…
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.