If you are using the exact same certificate on all of those, make sure you checked "Duplicate Connections" on the server config.

@phil.davis: You still do not know if 192.168.3.33 can correctly route back to 10.0.8.0/24. From 192.168.3.33 do a "traceroute 10.0.8.1" and see how that goes. The path it takes and where it stops will help you find the device/s that do not know how to route to 10.0.8.0/24. OK, will be next week at the location and will be able to perform the test. Thanks a lot for help, stay in touch for replies next week ;-)

@jimp: Yeah I'm doing that right now actually. Going to move it to 2.3.3. I'll bump the export pkg version when I'm done. Export should be OK now – https://forum.pfsense.org/index.php?topic=74948.0

@BradWaite: For others with this issue, be sure to add a pass rule on the OpenVPN interface. The firewall rules for traffic inside the VPN has no relation to the outside of the VPN, that would have been a coincidence or otherwise unrelated.

@phil.davis: The user certificates for all the users that connect to 1 server must all be under the same CA. Thank you Phil, i just created a RADUIS configuration with my domain controllers and it works really great. thank you so much to other who might have the same issue or want to have a RADUIS to AD. please follow the below link. https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory

That's kind of a major thing to not have a dedicated option for.  I'm thinking the GUI should have an option specifically to enable or disable that.  Is there a way I should officially propose that? Feature requests and bug reports are entered at https://redmine.pfsense.org

Um, because some people don't like mass surveillance by governments and large corporations? Your data and DNS requests… are encrypted between you and the VPN provider end point. But the VPN provider knows who you are, and your DNS requests go to their DNS server, and your ordinary data to and from the various public internet sites you use goes between the VPN provider and those sites as ordinary data. One has to assume that these agencies are gathering the data they want from VPN providers and matching it to user VPN accounts. So actually I don't see how any of us can really "hide". But it might be fun to try ;)

I figured it out! So it looks like I do need to have that manual outbound NAT after all, it's just a bummer that I can't use aliases for that either. So I looked in my openvpn logs and saw there were a bunch of encryption/decryption errors. So I changed my cipher from AES-256 to BF and now I am up and running! Now to test for any leaking. Thanks for all the help guys, you were all very helpful and friendly.

edit: solution https://forum.pfsense.org/index.php?topic=74743.0

I am doing basically the reverse of what you are doing. Check this out for an idea on what needs to happen: https://forum.pfsense.org/index.php/topic,29944.0.html You can create rules that are based on Aliases, hosts, network range, etc. That can re-route your traffic however you define. You just have to setup the interface and gateway correctly.

Try changing the monitor ip address in system->routing

using the current 2.1.1, originally setup on 2.1.0. both connect ok. Try following the tutorial I linked above. I am having an issue with speeds and also an odd time out fail to reconnect issue.

Hi Phil, all working now I was expecting it to load balance across both openvpn no matter what I was doing. but it works per session which if fine with me. I do get what I would call true load balancing when I use a download manger. I have now moved VPN providers to PrivateInternetaccess and have 3 openvpns working in the group.  Thanks for your help

Thank you all!!!  I really appreciate the help!

Should be no problem with pfSense behind your ISP router. As long as the PIA VPN link is up you are good. Feels like deja vu - sure I have typed this stuff before. Make sure PIA VPN client has an interface assigned. Make rules on LAN that policy-route traffic to PIA VPN GW. Firewall->NAT, Outbound, switch to Manual. On 2.1 you will get some rules generated for NATing out the PIA VPN. They should help, press save. On 2.1.1 and later, those rules are no longer generated (they were an inconsistent behavior). Add rules yourself to NAT out the PIA VPN GW.

Ok maybe openvpn cant do the whole but this is how i was able to get around and get my solution. Make an OpenVPN Server with SSL/TLS only (thus no username password needed) on pfSense Export a client, with OpenVPN Manager Install openvpn manager on a workstation.Leave it with its default settings. Now I created a bat file and with the following line only : "C:\Program Files\OpenVPN\OpenVPNManager\OpenVPNManager.exe" -connect "xx-xxx-xxxx-xxxxx-config (service)" Named that file Openvpn start Now go to schedule tasks in windows and created a task to run as someone with administrator access, hidden,with highest privilages. Selected to run during startup and thats it. It might not be the best way to do it but it does work and i am able to authenticate with AD no problem. Hope this might help someone else. Thanks to phil.davis for his input but unfortunately that did not work for me even though I would love his way to work as that would have removed the bit of running that file with administrator access. If anyone else has any other way, let me know. I did not test this with wireless connection.  Might not work on wireless. Cheers, Raj

Well, I have ended up just assigning static IPs to the different clients, this will work for me.  Still curious why it wasn't working before.

ok I think I got it working, I had the above settings - as recommended by phil - and it turns out you need some NAT rules (firewall-nat-(manual)outbound) and add an entry: select 'openvpn' as interface and 'from all' 'to all' or in my case I narrowed it down to from 10.0.7.0/24 to 192.168.2.0/24 and another entry 10.0.8.0/24 to 192.168.1.0/24 respectively (openvpn interface) I did a traceroute from sat1 to sat2 and it timed out at 10.0.7.1 so tested with the nat rule, I might have swapped the .7. and .8. but you get the idea… now in a perfect world: how to route all internet traffic out of the main office's connection...

Hello, I have the same situation. I tried to solved it following the instructions but I can not  make it  to work. Can you give more detail instructions please?