@cmb: With it bound to 443, do you have your GUI bound to something other than 443? That might be one reason. I'm guessing though it's the issue where OpenVPN writes out the wrong PID in its PID file. What's in your /var/etc/openvpn/serverX.pid file and what is the actual PID of OpenVPN instance that's running? where serverX probably == server1, but could be some other number depending on how many you have and have had in the past. I switched the webgui port to 1234 before I created the OpenVPN service. It works fine now since I rebooted it and was quickly able to get back an IP from DHCP. It's weird how it got into that state… The openvpn daemon was definitely running (even though it was reported stopped) and I was able to vpn in from the internet once I got an IP. The pid file explanation makes sense. I'll try it again in a few days so I can get it in that state again and report back. Thanks for your insight.

You essentially have two options: Configure a client specific override for that one user and each future user with the same situation Configure a 2nd OpenVPN server… one full tunnel and one split tunnel.  Then just export the split tunnel package when needed From a management overhead standpoint, I think option#2 makes more sense.  This is also the solution that I've implemented.

Very rarely desirable to do that when the firewall's a client is why it's sat there forever with no movement. It's not hard to add to ovpn-linkup if you want to do so.

just run a speedtest though it with iperf

So your going to have multiple machines on gce?  An they are going to use this vpn machine as their gateway to your network?  Can you setup the GCE networking that way for their instances?

I want something like this https://forum.pfsense.org/index.php?topic=66796.0 but there is no answer there too

Viscosity is great, we recommend it all the time. The only downside is the cost. If you're OK with the cost it's an excellent bit of software and works on both Mac and Windows without any problems we're aware of.

Glad you got it figured out. Don't be stranger to the forums (even it's only to eavesdrop) a lot to be learned around here.  ;)

The other issue you may run into: You may need to tell SQL to allow database connections from the OpenVPN subnet. I take it access to other devices/applications across the OpenVPN works, it's just a problem with SQL?

What connections are allowed in from an OpenVPN are governed by the rules on the OpenVPN tab and the OpenVPN assigned interface tab. For client connections to VPN providers such as this, they should be treated like rules on WAN. Delete/disable all rules unless you need something passed. It sounds like you have a misunderstanding of what it means to be a STATEFUL firewall. Look that up and how it relates to return traffic for an outbound connection state.

Another user posted a solution a few weeks ago. https://forum.pfsense.org/index.php?topic=107415.0 Hope that helps!

Check if you can ping the site A pfSense's LAN interface. I can ping Site B's LAN interface from Site A. However I can't ping Site A's LAN interface from Site B. If you want to access hosts at client site that to not use the pfSense running the vpn client as default gateway, you'll also have to add a route to these hosts for the network behind site B. Or you add the route to the gateway router. Site A will be using the PFSense as a default gateway to ideally redirect when the hosts make request for Site B's subnet, PFSense will properly route them. Thanks again for the assistance!  ;D

I fixed the text and removed the impacted screenshot.

Glad you got it working. If you want an idea of what your certificates look like take a look through the "Certificate Manager" section of your WebGui. Welcome to pfSense!

There wasn't much detail in the OP, which makes it difficult to help troubleshoot.  Post your config (server1.conf).  Check the routing table on the client, is there a route to your LAN?  Are there any blocks in the logs?

I think so.  I changed the Outbound NAT from Automatic to Advanced Outbound NAT (AON) and created new rules based off the four default rules created by pfSense, just changing the interface.  I now have the four rules created by pfSense and the four new rules for the VPN interface.  For the interface, I had the option to use OpenVPN or StrongVPN (the name I gave my VPN interface).  I used StrongVPN for the new NAT rules. I attached a screenshot of the NAT rules I have in place. [image: AON.jpg] [image: AON.jpg_thumb]

Did you have to do anything special to configure the VPN gateway?  Mine is getting an IP assigned from the VPN server at the other end, but the gateway always shows it is offline. The gateway log shows: apinger: ALARM: STRONGVPN_VPNV4(10.8.4.165) *** down ***