It worked, after I restarted the pfsense box. Thank you :-)

Why are you omitting that value when the documentation recommends it be set for increased security? The  optional  direction parameter enables the use of 4 distinct               keys (HMAC-send, cipher-encrypt, HMAC-receive,  cipher-decrypt),               so that each data flow direction has a different set of HMAC and               cipher keys.  This has a number of desirable security properties               including  eliminating  certain  kinds of DoS and message replay               attacks. When the direction parameter is omitted, 2 keys are  used  bidi-               rectionally,  one  for HMAC and the other for encryption/decryp-               tion. You're just hobbling the feature by omitting the direction. Seems it would be much simpler to add the direction on the server side like it wants.

Not that I'm aware of. RADIUS or LDAP would work, if it's AD, LDAP should work out of the box, and RADIUS can be done via NPS if needed.

The fields on that page must not be set to support international characters. Using them in a CN is probably not a good idea anyhow.

So this public computer, does it allow you to install openvpn client?  Or are you talking abut using ipsec or l2tp or pptp?

Also adjust your Windows box's firewall to allow pings from outside their subnets.

I thought it would let me go to the other page to change the DHCP range. Those two options should be on the same page! We were all new once, right?  ::) Fixed it. So now my network is 192.168.100.0/24. And everything works. I think.  :P Thanks everyone for the help so far.

Thanks, this work, thanks for you help

So what about the vps idea?

@itguy001010: If I dont redirect traffic then I can control it with which local networks to access but I want to used traffic redirect so as to get the same public IP address as the VPN server it is as soon as I give this ability that the VPN Client can access all networks. With "local networks" setting in OpenVPN setup you can just specify the routes which should be pushed to the clients. But this wouldn't deny access to your networks. You can add additional routes to the client so you can access other subnet if it is not inhibited by firewall rules on pfSense. So access permissions are controlled by firewall rules. I assume you will have an any to any allow rule at your OpenVPN interface. To prevent DMZ access edit this rule, check "not" at Destination area, change type to "DMZ net" and save it. This rule will permit access to anywhere, but not DMZ subnet.

@thermo: Well you don't really need to run as admin  if you install the service part. You mean the management interface? Well, I have yet to find a box where it works (as opposed to just confusing itself with config file locations and making itself completely no-op).

A "smart card" never lets the private key out.  It performs the crypto operations onboard. The host has no access to the key. With your typical OpenVPN installation, your private key is just a file.  Perhaps password protected, but in-the-clear for the host to snag when connecting. The problem with the tokens/smart cards is operating system support.  You can get it working but it usually requires drivers, client support, etc.  It's really a downer the industry couldn't cooperate and come up with something universal and open.

https://community.openvpn.net/openvpn/ticket/301 so if openvpn 2.4 ever gets released …. maybe

And is that computers firewall setup to allow you too? A machine being static or dhcp has nothing to do with it - unless you messed up the mask/gateway or something when you set it as static.  Or it is out of the range you setup for local networks in your openvpn connection.  Did you setup using your /27 vs the actual whole /24 ?

While you're making the change, get a domain, free DNS hosting on HE.net, and change your clients to connect to a hostname instead of an IP address. Then to change your clients in the future you make one change to DNS and you're done.