I was looking for instructions for TorGuard OpenVPN and ended up here. Here's a link to TorGuard's own setup guide that I found after further searching. Hope people find this helpful  :) http://torguard.net/blog/how-to-setup-pfsense-with-torguard-openvpn/ This has worked for me after brief testing. Guide is relatively easy to follow. They don't specify IPv4 or IPv6, so I just did the configuration for IPv4 and ignored IPv6 completely.

Yeah this is what I was saying earlier its hit and miss with VPN support + pfsense…. seems one has to figure out the settings. Strangely its not that much settings its the other pfsense configuration which I found tricky... The easy option is of course to join black vpn or a provider that supports pfsense support in general.

Thanks, Phil.  I had a working config and then added a DMZ and was surprised that my VPN users couldn't get to it.  Your reply clued me in that I forgot to update the IP4 Local Networks to add the DMZ subnet.

if "some" pc's are not working and others in the same subnet are working, then the ones that don't work, probably have a wrong gateway set in their config or have a local firewall

Oh.  Sorry.  Client-Specific overrides only work for SSL/TLS connections, not shared key, at least as far as I can tell.  I've never worked much with shared key on openvpn since I went to openvpn to get away from shared key. No, putting them on the same private network won't help unless you bridge, which is even more complicated.. Forget everything I said and add the routes to the remotes as specified above. If you're in learning mode, you might consider ditching shared key and generating some certificates.

Give more information on what you want to achieve and what you have done so far, e.g. a) Are you happy to be in "tun" mode where the remote client gets a tunnel IP address, and thus you access network shared folders by typing in the server name and folder name (you don't see general advertisements of shares on the LAN because you are not actually on the LAN)? b) What IPs do you have for LAN and tunnel subnets? c) What is in the Local Network/s field on the OpenVPN server? d) What rule/s are on the OpenVPN tab? e) Can you reach LAN devices by IP address? …

I thought you could do this in the webGUI with Client Specific Overrides - for each client certificate, specify the various settings you want to give that client, like the tunnel network you want it to use (inside the overall tunnel). Give a /30 to each client and the resulting client IP address is fixed.

One more update.  We figured a workaround, for now.  Basically, we have defined the openvpn tunnel with all of our local subnets in the config.  Then, we tunnel those same subnets using ipsec.  This adds up to 50 or so phase 2 entries, but those are pretty static; we don't have to change them often. Apparently, the ipsec tunnels take priority in the routing table over the OpenVPN ones.  This means that when we have to add a new route to the OpenVPN tunnel, and thus restart OpenVPN, traffic over the ipsec tunnels still flows and only the traffic to the customer sites (which is minimal, at least from the site that we're dealing with) is interrupted by the OpenVPN restart.

In your case, is this a client and not a server? For servers, we do check for and display the routing table but that code doesn't exist for client display. It may not be too difficult for someone to adapt that same code to work for the client side.

I'm not sure how IPcop stores the certificates and such, but you should be able to export everything from IPcop, then import the CA cert/key to pfSense, then the server cert/key and all the user cert/keys as well if you have them available. When importing the CA, take care to set the serial number high enough that you don't get a collision between the serial for an old and a new certificate. For the VPN server, you'll have to compare the GUI settings for each and set them up as close as you can.

Shared key is 1:1 – one server, one client only. The two clients will fight over which one is actually online/up. If you want one server and multiple remotes then you'll need to use a site-to-site PKI/SSL setup which is a bit more complex. Otherwise, setup one server process for each remote node.

Thanks for the reply.  We ended up resolving the issue on Monday and it was indeed an issue with the phase2.  It was a problem with the route coming from the Cisco router and the Netgear.  Everything was good in pfSense, just had to get the configs right on the other ends.  We just had 1 thing on each crossed up.  Thanks guys!

I have same problem Please some body help

We have links to Viscosity in a few places and we mention it in the book and other documentation. It's supported by our OpenVPN Client Export package so it's alright.

I think you made a typo in your /24 New PFSense Firewall  LANIP 10.0.2.254 LAN IP Range  10.0.0.1/24  - same range 10.0.2 is not the same network as 10.0.0 with a /24 – do you have say a /8 or a say a /22 which would put 10.0.0 on the same network as 10.0.2 ?

@phil.davis: the issue i am having is that the client/profile i exported displays my IP address and i never saw a spot to use/enter my dynamic DNS name. The dynamic DNS names should be in the "Host Name Resolution" field drop-down list on the Client Export page. ohhh, i see them there, i just left it at the default option of 'interface IP address' i switched it to the dynamic dns host name but it still says waiting for server on the phone app.  there must be something in the config it doesnt like or i missed a setting (i did put the new config on my phone).