• Site-to-Site tunnel timing out from satellite office side [RESOLVED]

    2
    0 Votes
    2 Posts
    862 Views
    C
    The VPN tunnel is working fine now. The home pfSense firewall is a dual pfSense firewall using CARP for virtual IPs. The issue was that my OpenVPN config on the home pfSense side was not listening on the CARP virtual IP but on the real IP; once I changed it to the CARP IP, the tunnel came right up.
  • Authentication failure openvpn and pfsense

    5
    0 Votes
    5 Posts
    6k Views
    B
    God, I feel dumb. I thought that being a member of the Domain Admins group meant I'd also have VPN rights, but it looks like I had to be added to our VPN group in Active Directory. I feel humbled. Thank you for going out of your way to offer to help. But it looks like I'm good to go now.
  • 0 Votes
    7 Posts
    3k Views
    C
    @johnpoz: If you want to use pfsense as your router, then turn off the wifi on your sky box, turn it into just a modem if possible so pfsense wan gets a public IP - so you're not double natting.  And then connect a wireless AP on the lan side of pfsense.  Any wireless router can be used as AP.. Yeh, I had it this way some years back when I had 3 x NTL modems and a 3com AP. I don't have a separate AP anymore but this way works just fine, well, kind of. @johnpoz: "default gateway for the WAN side devices" What?  You're trying to use the wan as the gateway for clients?  What rules did you set?  That is not a common configuration no. I was ofc referring to the WAN side of the pfSense firewall (which is in transparent / bridge mode) which is still on the LAN side of the SKY modem router. I now have in effect two gateways to choose from on the same 100.x network, 192.168.100.254 & 192.168.100.1. If I set all the clients to use 100.254 then any internet packets are then sent on to 100.1, then on to the ISP GW or up the VPN if destined for 200.x. However, if laptops and tablets (on the WAN side of the bridge but LAN side of the modem) are set to use 100.254, internet access is sluggish and confused for them, but still works. So I have to set laptops and tablets to use 100.1, not a massive problem but I lose control of their outbound traffic. If I can fix this one bit by messing about with things I have yet to learn I will do, but in the meantime it is a very good, clever working solution. For me anyway. Thx.
  • OpenVPN client export 1.2.9 with pfsense 2.1.3 64-bit

    2
    0 Votes
    2 Posts
    1k Views
    V
    Well, I tested a clean installation from a VirtualBox machine, and the export utility works properly. It seems there's something broken through the update.
  • PfSense Based OpenVPN on top of Existing MPLS WAN

    3
    0 Votes
    3 Posts
    1k Views
    S
    Thanks for the reply. I can indeed do that but the underlying problem still remains with the transition. I am transitioning from one gateway to another. I think the packets don't like going out via pfSense and back via the MPLS firewall/router. So, as it currently stands, I would have to go all or nothing in the move from one gateway to another. I can make the transition one office at a time by temporarily adding routes to ALL of our servers for remote office subnets that are not on the new gateway, but that's a messy solution.
  • 2 Factor Authentication?

    2
    0 Votes
    2 Posts
    1k Views
    N
    https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Enable_Mobile-One-Time-Password_.28OTP.29_support Probably you need to make sure that the correct version of bash is installed on pfsense since the mOTP script needs bash - or you rewrite the script to work with pfsense's basic shell.
  • OpenVPN Connect Client

    2
    0 Votes
    2 Posts
    2k Views
    johnpoz
    You're free to use whatever client you want to use that has openvpn support. If you want to use openvpn connect, sure - I use it on my ipad without any issues. Are you wanting the openvpn connect client as a download option in the export package?  The server used in pfsense is not the access server..  You can grab the connect client from any access server.. Grab the access server package if you want it, etc. Example: just download https://openvpn.net/index.php/access-server/download-openvpn-as-sw/113.html?osfamily=Ubuntu And your connect dmg is in this path openvpn-as-2.0.7-Ubuntu13.amd_64\data.tar\data\usr\local\openvpn_as\etc\exe openvpn-connect-2.0.7.100.dmg
  • OpenVPN failure after upgrade from 2.0.3 to 2.1 Release

    10
    0 Votes
    10 Posts
    2k Views
    C
    I downgraded to 2.1.2 (backup restore) but the OpenVPN service does not start because of the same error. I upgraded again to 2.1.3 and the problem has now been solved.
  • Question:

    2
    0 Votes
    2 Posts
    566 Views
    D
    Sorry, you're going to have to use a little longer explanation to explain your problem. I'm guessing that we're fighting a language barrier  :P If you can give a clear explanation of your problem, someone here will try to help.
  • PfSense 2.1 / OpenVPN / IPv6 / Viscosity

    5
    0 Votes
    5 Posts
    2k Views
    P
    I added comment to your post on the other forum. I have v6-over-v4 working with this configuration: push "redirect-gateway-ipv6 def1"; push "route-ipv6 2000::/3";    <<<-----  Global Unicast Address Of course the IPv6 prefix (in the screen shot) is unique from the LAN.  I get a /60 from DHCP-PD. Just FYI:  I also have a second OpenVPN instance running for v4-over-v6.  One thing I found was that you need to use tcp6.  If you use udp6, there is very nasty interface looping.
  • I can't route through my openVPN tunnel

    2
    0 Votes
    2 Posts
    890 Views
    V
    You have a strange VPN setup. VPN1: 10.2.6.0/29 VPN2: 10.0.0.0/8 ????? VPN1 is part of VPN2! Why is VPN2 as large? I can't believe that your hardware can manage as many connections. Why is VPN1 as small? By default the server allocates a /30 net for each client. You should clean up this at first.
  • OpenVPN Route

    11
    0 Votes
    11 Posts
    2k Views
    V
    Add an additional rule to the LAN interface underneath the one that directed PC #1 over VPN, that blocks any traffic from this PC to anywhere. If you have additional subnets on other interfaces that should be accessible you have to exclude this. This rule is applied only if VPN is down.
  • Openvpn config client-to-client ?

    5
    0 Votes
    5 Posts
    4k Views
    F
    @jimp: Not that I'm aware of, no. Not unless you manually setup a mesh of tunnels. You might look into Tinc. I see, I will take a look =).
  • VPN traffic going through wrong WAN connection

    3
    0 Votes
    3 Posts
    796 Views
    J
    Thanks for the reply. We have a bunch of servers and for security we limited access to them to a specific group of IP addresses: our WAN IP addresses. They are not located in the same location as our pfSense box so we have to go over the internet to connect to them. So when people need to connect to them from home they have to connect to the VPN first. I didn't know that it went through the default gateway so that is good to know. I went ahead and added a rule to the openvpn tab as you suggested and I got the desired effect. My brain thanks you! You are the man!
  • Unable to browse Netbios shares over Openvpn (solved)

    3
    0 Votes
    3 Posts
    2k Views
    I
    It was the firewall on the remote Windows machine; I totally forgot that Windows blocks shares outside the subnet by default. Thanks a lot!
  • [SOLVED] Roadwarrior routing on openvpn Net to Net

    8
    0 Votes
    8 Posts
    2k Views
    D
    Glad it all worked out. Like many others around here I find the forums to be a wealth of excellent information for pfsense. It may take a little time, but searching and asking polite questions seems to yield great results (at least for me). Good luck  :D
  • help me i have always this problem ovnpn

    Locked
    2
    0 Votes
    2 Posts
    878 Views
    johnpoz
    Dude, how many posts are you going to do with the same thing? UDPv4 link remote: [AF_INET]10.0.2.15:34447 How do you think you're getting to that network..  Read the posts in your other threads - have already gone over this.. https://forum.pfsense.org/index.php?topic=76315.0
  • Private internet access openvpn speed inprovement 35 Meg to 51 Meg.

    1
    0 Votes
    1 Posts
    973 Views
    No one has replied
  • OpenVPN Server Licensing

    8
    0 Votes
    8 Posts
    9k Views
    D
    We use OpenVPN Access Server at work on a dedicated server which replaced our old Microsoft VPN server.  The "engine" is basically the same with the exception that the GUI is provided to manage it.  One thing I do like about OpenVPN Access Server is the Web GUI for users to install the pre-packaged OpenVPN client created specifically for that user, and their certs are generated on the fly.  As long as the users are part of the "OpenVPN" security group in Active Directory they can easily use it. In pfSense I pretty much have to install it for each user manually.  It's not a big deal for a small office using the OpenVPN export add-on but for 200+ users it would take a while.  But once it's installed users don't have to do anything other than launch the client and log on. This is a little more than what you were asking about but I wanted to point out a couple of key differences in terms of deployment. I prefer using pfSense as I don't have to deal with a licensing nightmare and it is very flexible in network configurations.
  • Bug with OpenVPN Export 1.2.6

    16
    0 Votes
    16 Posts
    6k Views
    R
    I was just coming back after taking some time off of work and going to post something.  Thanks for fixing this guys!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.