• Authentication Server Failback?

    0 Votes
    2 Posts
    688 Views
    jimp
    Sure, ctrl-click the auth servers on the server config and it will try them in the order it shows in the list.
  • 0 Votes
    3 Posts
    1k Views
    L
    I have the same issue with the VPN. And same config. Can you recommend the VPN provider?
  • 0 Votes
    2 Posts
    4k Views
    jimp
    You must have missed the direction on that page that tells you to create the file. From their page: Execute the following: echo "username" > /etc/openvpn-passwd.txt; echo "password" >> /etc/openvpn-passwd.txt Though on pfSense 2.2.x you don't need to do that or use their "auth-user-pass /etc/openvpn-password.txt;" line in advanced options. If you fill in the username/password boxes in the pfSense GUI, omit both of those things: don't make that /etc/openvpn-passwd.txt file and remove that auth-user-pass line from advanced options.
  • 0 Votes
    11 Posts
    3k Views
    johnpoz
    Use the Viscosity client if you don't want to run as admin on Windows.  https://www.sparklabs.com/viscosity/ It's not free..
  • PfSense OpenVPN client is up, but cannot route traffic through VPN

    0 Votes
    1 Posts
    719 Views
    No one has replied
  • Help me get a theoretical max on an OpenVPN site to site with CIFS

    0 Votes
    5 Posts
    1k Views
    B
    Haha, no big complaints. Just that their pipe is huge and SMB performance is just so small comparatively. In any case, BranchCache is out simply because we're not looking to put in servers out there (not yet anyway) and we're running Win7 Pro (not enterprise or ultimate unfortunately.) Looks like Riverbed or the eventual Win10 upgrade will help us. No worries there as they still remote in generally but it would just be nice if they had a bit more available bandwidth in that area for when they're working locally. Thanks for all the help mate- glad to see we're about where we can be, all things considered.
  • OpenVPN Server - Sitting on transparent bridged network

    0 Votes
    1 Posts
    814 Views
    No one has replied
  • Openvpn : linux client, TAP0, L2 bridge

    0 Votes
    4 Posts
    1k Views
    S
    Hey everyone, just in case it helps someone in the future; I found the solution, which was in a detail I forgot to tell about; it's a vmware installation. My set-up was OK, the TAP VPN was up, and it was forwarding L2 traffic, however the vmware host simply discards any packet with a mac "not from the guest", which makes it impossible to have something like an ARP-proxy (or Layer2 vpn) on a vmware guest. Solution is to allow "promiscuous" on the vswitch (although I don't need promisc mode at all, I just need less paranoid enforcement of the MAC filtering). I tried disabling the other MAC-related option, but it did not work. Only works when allowing "promisc". Hopefully this helps someone someday.
  • Route external OpenVPN IP(s) to DMZ

    0 Votes
    2 Posts
    2k Views
    S
    Did you ever get this working?  This is incredibly similar to something I'm looking to do and have not had much luck with it.
  • OpenVPN client routing issues at home

    0 Votes
    17 Posts
    4k Views
    D
    I'll bring up the topic again because it really should be done and not just for this reason. Thanks again for your time on this.  Much appreciated.
  • PFSense push LAN routes as OpenVPN Client

    0 Votes
    4 Posts
    2k Views
    M
    Much like cmb already mentioned, why wouldn't you just define your routes on the server side?
  • Protecting private keys on OpenVPN server using a TPM?

    0 Votes
    16 Posts
    9k Views
    johnpoz
    "is pretty much standard for things like bank inter branch vpn's, hospitals, data-centers etc." No No it's not… We have a fairly large hospital as one of our customers that I support.  No they do not have any sort of TPM storing the vpn keys be it the remote users coming in, nor to any of the vpn connections between their branches and the datacenter or between each other. We also have multiple DCs across the country and the globe, I can tell you that no there is not any TPM storing any of the server keys.  And to be honest I am not aware of any customer even doing it for their remote users, etc..
  • Routing single computer to vpn network

    0 Votes
    14 Posts
    4k Views
    J
    Thanks! Works like a charm. I did the NAT solution but will maybe do the other one later on.
  • IOS Client timeout - Tunnelblick working

    0 Votes
    4 Posts
    1k Views
    T
    Anyone? :(
  • 0 Votes
    4 Posts
    985 Views
    C
    If you don't know what captive portal is, then you probably don't have it enabled. But check Services>Captive Portal. That would intercept web requests. If that's not enabled, what output do you get on the FreeBSD machine for "host pkg.freebsd.org"?
  • Forwarding CIFS/SMB from OpenVPN Client

    0 Votes
    3 Posts
    1k Views
    johnpoz
    While sure that would be possible, I see that service also provides webdav via ssl, wouldn't that be an easier solution?  And faster?  SMB performance over wan with latency is normally horrific..
  • Setup OpenVPN Remote Access [Close]

    0 Votes
    3 Posts
    1k Views
    H
    Omaigad.. Thank You Very Much. I understand a bit now. ;D ;D ;D
  • OpenVPN status UP, but can not ping

    0 Votes
    13 Posts
    3k Views
    V
    The NTP service will not relate to this issue. Let's go to troubleshooting. Take a packet capture (Diagnostic menu > Packet Capture). At server and client select LAN interface and at Protocol ICMP and hit start below. Then start the ping. If you see nothing at one site, select OpenVPN interface and repeat it. Post the output.
  • [SOLVED] vpn client failing to validate server certificate

    1 Votes
    8 Posts
    15k Views
    D
    I understand that it will get blown away and that manually editing it was the wrong thing to do but I was missing something in the GUI that meant I couldn't get it to work. This, and software upgrades are the only changes I've made in the last year and as I've now got a copy of the working files, after the next upgrade, if things do break, I can put them back. I tried putting a chained cert in the CA cert and it didn't work, does the order of the certificates in the file matter? It may also be that the restart didn't work correctly or it needed a reboot after the change to make things work. I'm not blaming pfSense here, I'm sure it was probably something I messed up in replacing the certificate. If I get chance I'll try again with a chained cert as the CA and update with the results.
  • Certificate import error?

    0 Votes
    7 Posts
    2k Views
    C
    You'd have to mess with base64. Could you send me a copy of the certificate file? No need for the key portion, and the cert on its own isn't usable for anything.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.