• Error after upgrade to 2.1 in topology

    4
    0 Votes
    4 Posts
    2k Views
    jimp
    Is your AD auth happening using RADIUS? It looks like your RADIUS server is passing back an invalid IP to the client, from the output. Or at least one that isn't valid given the server configuration.
  • How many sessions per user account for OpenVPN in pfSense?

    4
    0 Votes
    4 Posts
    3k Views
    P
    Thanks jimp,
  • OpenVPN Bridge on pfsense: once LAN pings clients, connectivity breaks

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    3 Posts
    3k Views
    L
    Yep. I did some testing. I haven't been able to set up an OpenVPN. It seems the two firewalls have too different an approach on the subject :-) Due to my current setup I can't find a common setup. On Endian I'm using OpenVPN with PSK and username/password credentials, and it seems it's not possible to use them in pfSense. I also tried IPSEC, but while pfSense has an extended set of options, Endian has lesser support for it. If someone could say "Yes, I did it and it works!", I'd do more tests, but I'm not optimistic. So far I haven't found evidence that it could be done.
  • 404 Error - Client Export and Shared Key Export

    3
    0 Votes
    3 Posts
    1k Views
    R
    Thanks - that solved the problem
  • Using OpenVPN but not on main LAN (Gotcha)

    1
    0 Votes
    1 Posts
    937 Views
    No one has replied
  • VPN Naming Labels

    6
    0 Votes
    6 Posts
    1k Views
    GruensFroeschli
    Thanks for the clarification. For me the easiest rule to follow is: If you have more than one instance, assign all instances and don't use the openvpn tab.
  • Site2site OpenVPN - Can ping hosts from pfsense but can't from VLAN

    2
    0 Votes
    2 Posts
    2k Views
    G
    For the sake of helping others having the same problem, this is not a rules issue. It was a NAT'ing issue. Make sure you select MANUAL NAT when you want to "kinda bridge" openvpn… if not it won't work.
  • Client access for file transfers very slow

    5
    0 Votes
    5 Posts
    4k Views
    H
    hi, From your client config, you are using the Blowfish cipher. openvpn config of client:

    ```
    dev tun
    persist-tun
    persist-key
    cipher BF-CBC
    tls-client
    client
    resolv-retry infinite
    remote x.x.x.x 1194 udp
    tls-remote ZGopenVPNsvr
    pkcs12 pfsense2-udp-1194-vpn.p12
    tls-auth pfsense2-udp-1194-vpn-tls.key 1
    ```

    Blowfish is one of the ciphers which is very light in CPU load, so it is definitely not the CPU load that is the problem. One suggestion is that you can put your client 1 PC directly into your GB LAN at your external server's LAN, preferably with a public IP address, and access your server via OpenVPN; this way, you can actually see what is the max bandwidth or transfer rate you can get. If you can get a good decent transfer rate, it means that there is nothing wrong with your OpenVPN setup (client/server), it must be something from the internet (i.e. your ISP Verizon?); I am not sure if there could be a max CAP for UDP port 1194?? If you can't get a decent transfer rate, then you can troubleshoot the OpenVPN config. I would normally benchmark our setup this way, to see what the max bandwidth we can get out of our boxes, before we put them at the client end. regards,
  • Site to site OpenVPN issues

    5
    0 Votes
    5 Posts
    4k Views
    N
    Appreciate you folks' assistance. I've managed to track down the issue. Weirdly enough it was some leftover IPSec configuration that conflicted with the VPN tunnel. All I had to do was remove it from the client and immediately it worked. Thanks!
  • Port forwarding while using OpenVPN client to VPN service

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    5 Posts
    3k Views
    A
    More Screenshots ![Firewall Rules Floating 2.JPG](/public/imported_attachments/1/Firewall Rules Floating 2.JPG)
  • Hub & Spoke Setup using pf2.1 - No Communication Between Spokes

    3
    0 Votes
    3 Posts
    3k Views
    A
    Just as you posted your reply vielfede, I seemed to have fixed my own issue. Under "IPv4 Local Network/s" I removed the opposite spoke's subnet. I then rebooted all of the units and everything seemed to run perfectly fine. Thanks for your tip, though! I'll read through that anyhow so that I can become more familiar with OpenVPN.
  • Warning: Packet loss when being connected with more than one VPN Server

    7
    0 Votes
    7 Posts
    3k Views
    ?
    I can confirm it has to do with heavy traffic. Any help with traffic shaping is much appreciated.
  • OpenVpn Server doesn't reply to client, but to LAN address

    1
    0 Votes
    1 Posts
    891 Views
    No one has replied
  • Open Ports

    16
    0 Votes
    16 Posts
    4k Views
    chpalmer
    Congrats! Keep in mind that rules on an interface are incoming to that interface. By making an "any" to "any" rule on WAN or VPN you let anything through to anything. (This took me a few times to get across to myself…) For a box only dealing with clients on the LAN side and no servers (no reason to allow someone on the outside access to the inside) there should never be any rules for other than the LAN interface.
  • Q. Regarding OpenVPN client and CPU bottleneck

    13
    0 Votes
    13 Posts
    7k Views
    F
    Thx, interesting to know. I checked my VPN but no mention of IPSEC support; it does support AES 256 though. Am going to give pfsense a go soon as I get the settings, see if it's what I would like to use more long term.
  • VPN Setup in "out of path" deployment style

    1
    0 Votes
    1 Posts
    669 Views
    No one has replied
  • Reach AWS server when connecting to LAN by OpenVPN

    3
    0 Votes
    3 Posts
    1k Views
    G
    Ok. I wasn't thinking it through very well. From your response it looks as though I need to force all traffic from the client through the tunnel in order for them to be recognized as coming from my IP when connected to the VPN. Otherwise, it sees their home WAN IP as what is trying to connect. Is that correct? Also, here's my current setup pertaining to OpenVPN: I have firewall rules allowing all OpenVPN traffic through the WAN and all OpenVPN traffic through the LAN. I don't have the Redirect Gateway option checked as shown in the second attachment on the original post. I have Advanced Outbound NAT turned on with a rule allowing OpenVPN on our LAN (had to implement AON due to outbound pptp VPN). Thanks so much for your help.
  • How to allow multiple site-to-site vpn clients to access each other?

    2
    0 Votes
    2 Posts
    924 Views
    jimp
    That works fine; just add routes to each of the client sites for all of the other networks. For example on 192.168.6.1, make sure it has a route for .1.x, .2.x, and .3.x. If you're on 2.1 it's as easy as entering them separated by a comma in the "IPv4 Remote Networks" box: 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.