• Question of the week? How efficient is openVPN?

    5
    0 Votes
    5 Posts
    1k Views
    I
    Johnpoz, Forgot to mention: The firewall has a Pentium 4 HT with 1Gb of ram. I have an ADSL connection with a speed of 12Mbs max and 0,625Mbs upload. Thank you
  • 0 Votes
    5 Posts
    1k Views
    T
    I guess what I really wanted to do was be able to add a pfsense vm without nat, dns, or dhcp to an existing network and use it just as an openvpn appliance with the old router (or in this case fortigate and cheap router ) just port forward to pfsense on the lan side with static ip. Thanks for the help.
  • Two OpenVPN Servers issue

    1
    0 Votes
    1 Posts
    730 Views
    No one has replied
  • OpenVPN server not starting

    4
    0 Votes
    4 Posts
    2k Views
    D
    I've run into the situation a few times with OpenVPN, mainly when I'm "fiddling" with my configurations. I think the scenario occurs when a client is in the middle of establishing a link and I try to pull the server side down. The server instance tries to stay alive and complete the link so the restart ends up failing (sometimes "silently"). Normally a manual command line kill of the session solves the issue.  Worst case you're stuck with a reboot (very rare). Once you stop playing with the config files on both ends (especially mid-connect), I've found OpenVPN to be very stable.
  • 0 Votes
    8 Posts
    5k Views
    B
    PsySkeletor, did you get this to work?  If so, can you post a description on your configs, I can't get the pfsense client to connect to my softether server - my configs are off.
  • OpenVPN certain devices

    1
    0 Votes
    1 Posts
    710 Views
    No one has replied
  • OpenVPN + Radius (Assign Static IP to client)

    2
    0 Votes
    2 Posts
    2k Views
    jimp
    Yes, using Framed-IP-Address. If you're using a normal style setup then you set that to the IP address to assign the client and it sets one IP address lower as the "server" end. If you have topology subnet enabled you have to send back the address as above but also supply a Framed-Mask parameter that has the subnet mask in dotted quad notation (e.g. 255.255.255.0)
  • Update to 2.1, Issue with PKI

    10
    0 Votes
    10 Posts
    3k Views
    W
    This issue still exists. Can't seem to run the PKI server as user/group nobody with advanced option: user nobody;group nobody
  • Setting up multiple VPN with OpenVPN

    4
    0 Votes
    4 Posts
    768 Views
    I
    Thank you friends, I will follow the guidance of Lords.
  • Options error: --auth-user-pass requires --pull

    4
    0 Votes
    4 Posts
    6k Views
    J
    Thanks for the quick reaction, the problem was as you described and I found the way to solve this. Since it defaults to "Peer to Peer (SSL/TLS)", Safari auto completed the authentication section. I used Chrome to delete the client and create a new one, and it is working now. Thanks! Joost.
  • OpenVPN - Not Working across Windows Profiles

    2
    0 Votes
    2 Posts
    653 Views
    H
    filesystem permissions?
  • Went physical to virtual, AES is having no effect on OpenVPN performance

    1
    0 Votes
    1 Posts
    722 Views
    No one has replied
  • 0 Votes
    3 Posts
    2k Views
    BeerBelli
    You can do this in System > Routing > Routes. Add a rule for the site you want to go to over the WAN by getting the correct IP Address using the below method:
    Get a Websites IP Addresses to exclude from VPN using the Terminal:
    host domain name      [to obtain IP Address]
    whois ip address
    use the CIDR ip address range (69.53.224.0/19)        [This is the IP I have set for Netflix]
    On the rule you create, set the Gateway to WAN.
  • Routing problem[SOLVED]

    5
    0 Votes
    5 Posts
    1k Views
    P
    Thanks, heper! Your post helped me a lot. I had the same suspicion, but got scared from the new 2.2 advanced routing screen :-) For anyone in the future who might have the same problem. On pfSense 2.2, go to NAT -> Outbound NAT. Switch to Hybrid NAT. Add entry on WAN (most likely) for NAT. Source should be your OpenVPN LAN of the remote site. Please have in mind that in my case there was NO NAT (on purpose) between openvpn remote LAN and tunnel net. In case you have such NAT, you might need to change advanced NAT rule, source to be the tunnel net.
  • Pfsense 2.3b openvpn vyprvpn tunnel will not start

    1
    0 Votes
    1 Posts
    654 Views
    No one has replied
  • Problem with PING from e to ServerVPN

    2
    0 Votes
    2 Posts
    699 Views
    D
    If I understand your description, your setup is something like:
    Started with:
    LAN_B---------[SiteB Client1]-WAN->(OVPN 10.76.0.8/30)<-WAN-[SiteA Server1]---------LAN_A
    (192.168.42.0/24)                                                                   (192.168.40.0/24)
    Then you added a new OVPN server on SiteA to give you:
    LAN_B---------[SiteB Client2]-WAN->(OVPN 10.76.0.8/30)<-WAN-[SiteA Server1]---------LAN_A
    (192.168.42.0/24)                                            /      |               (192.168.40.0/24)
                                                                /      |
    LAN_C--------[Other Client2]---------(OVPN 10.76.0.44/30)--/      [SiteA Server2]
    (192.168.0.0/24)
    So (B) <-> (A) can communicate fine, but (C) <-> (A) sees only the tunnel address 10.76.0.45&46? This is usually a routing problem in the OpenVPN config. What type of server did you create for Server2 (SSL/TLS, Shared Key, Remote)?
  • Transparent VPN Setup

    3
    0 Votes
    3 Posts
    969 Views
    M
    To accomplish what you're asking would involve configuring a bridged solution.  But the question is what are you trying to overcome by implementing a bridged VPN solution?  Routed is "better" in almost every case, so I'm curious as to why you're thinking about implementing a bridged solution. The only reason to go bridged is if your clients need to communicate with an application that relies on broadcasts.
  • Windows DNS resolution + OpenVPN ?

    6
    0 Votes
    6 Posts
    1k Views
    M
    Yes, the DNS server originates from another subnet than the configured local network. What do you mean with /32? Since your DNS server is in a different subnet, you will have to enter their IPs in the DNS section and push a route to that network, which is what viragomann described. The /32 is CIDR notation and has to do with routing. In this case, if your DNS server was on 192.168.100.10/24, instead of pushing a route to the entire network (i.e. 192.168.100.0/24), you could just push a route to the host by entering 192.168.100.10/32, which would isolate access to the DNS server only instead of the entire network it sits on. Is the ip only not sufficient? For the DNS servers, yes, but not for the "IPv4 Local Network/s" section or any other network portion of the config.
  • [solved] Site B ping site A but site A does not ping site B

    2
    0 Votes
    2 Posts
    662 Views
    V
    I missed iroute in client overrides :) From the official documentation: For a site-to-site SSL/TLS server using IPv4, the IPv4 Tunnel Network size can alter how the server behaves. If x.x.x.x/30 is entered for the IPv4 Tunnel Network then the server will use a peer-to-peer mode much like Shared Key operates: It can only have one client, does not require client-specific overrides or iroutes, but also cannot push routes or settings to clients. If an IPv4 Tunnel Network larger than that is used, such as x.x.x.x/24, the server will accept multiple clients and can push settings, but does require iroutes.
  • Wonder someone is nice enough to show me how to install openvpn ?!

    6
    0 Votes
    6 Posts
    1k Views
    N
    Yup.  That's why I just took it at face value and didn't try to interpret.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.