  • Site-To-Multisites with One Instance, is it possible or not?

    5
    0 Votes
    5 Posts
    2k Views
    DerelictD
    You have to put "Remote Networks" in the server settings. That is what creates the FreeBSD route into the OpenVPN instance. This is the OpenVPN route directive.

    Then, in the CSOs, you put the actual remote site networks. These must be contained within the server route above. This creates the OpenVPN iroute directives which tell OpenVPN what to do with the traffic when it gets it - as in what client to send it to.

    So in the example given, server local networks would be 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, server remote networks could be 192.168.1.0/24, and the CSOs would contain the /26 for each client in the IPv4 Remote Networks there.

    I would probably opt for something more like:

    Server remote network: 172.29.160.0/19
    CSOs: 172.29.160.0/24, 172.29.161.0/24, 172.29.162.0/24, etc.

    Or even: 172.29.160.0/22, 172.29.164.0/22, 172.29.168.0/22, 172.29.172.0/22 so each site has 4 /24 subnets to do with as they see fit without changes to the VPN.

    The /19 would allow growth to 8 branches of 4 /24s each, while the address "collision" possibility with other sites would be limited to 172.29.160.0/19.

    You should probably use Peer to Peer (SSL/TLS) mode for the server for this.
  • Incoming torrent connections

    4
    0 Votes
    4 Posts
    1k Views
    T
    They are under Firewall > NAT > Port Forward and Firewall > Rules > WAN. Thanks very much.
  • VPS as public IP provider

    5
    0 Votes
    5 Posts
    4k Views
    D
    Any updates on this? I have a similar setup working fine but I'd like to do this with multiple VPS IPs and multiple hosts behind the pfSense router. If possible, I'd also like to rewrite the source IP to the actual client IP and not the VPN gateway.
  • Solved: Routing some traffic over the OpenVPN Gateway

    2
    0 Votes
    2 Posts
    794 Views
    B
    I figured it out. It was the Manual Outbound NAT rule generation rules that had to be configured. I used this guide: https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1 But instead of using the WAN interface I had to use the VPN interface which I created from the OpenVPN Client connection. Good Luck!
  • 0 Votes
    1 Posts
    968 Views
    No one has replied
  • OpenVPN Client Export fault in export for TAP and IOS/Android

    2
    0 Votes
    2 Posts
    691 Views
    jimpJ
    dev tap isn't included in that on purpose because, as you stated, those devices don't support tap. If you load that config into the app it would fail to import or function because of the dev tap line. The way the export package is coded it isn't feasible to disable those export buttons for some VPNs and not others, so we err on the side of not creating invalid configuration files for the platform.
  • AES-256-GCM with HMAC-SHA384 for authentication

    5
    0 Votes
    5 Posts
    1k Views
    jimpJ
    @Mithrondil: I was referring to that AES-256-GCM is not selectable in the Encryption algo rolldown window in pfsense. It isn't supported until OpenVPN 2.4, which is only on pfSense 2.4. And it is in the list there.
  • OpenVPN client (outbound) problem on Multi-WAN setup

    2
    0 Votes
    2 Posts
    679 Views
    S
    Never mind. Turns out OpenVPN Interface options must have "any" selected. It was WAN only before. Is this still safe to choose any? Cheers
  • OpenVPN and CPU AES-NI

    5
    0 Votes
    5 Posts
    2k Views
    P
    Thanks, will do. I am not using VPN > IPsec but instead my client is in VPN > OpenVPN.
  • Openvpn issues some guidance please!

    1
    0 Votes
    1 Posts
    426 Views
    No one has replied
  • OpenVPN Multiple Site to Site routing

    6
    0 Votes
    6 Posts
    3k Views
    V
    The setting for the site-to-site I've suggested above is necessary anyway for correct routing. Look, if you try to access a LAN device on site B from a VPN client on site A, the packet is sent to the site A pfSense, because of the route which is pushed to the client. Site A directs the packet to site B, because it also has a route for site B's LAN. The packet reaches the device on site B, which sends its response addressed to an IP in 10.10.210.0/24 back to its default gateway, which is the site B pfSense. If there is no special route for 10.10.210.0/24, the gateway will send the packet to its upstream gateway, thus to the internet, where the packet will be dropped, because the destination subnet is not routed there. Therefore you need a route on site B which directs packets destined to 10.10.210.0/24 back over the site-to-site tunnel to site A.
  • Selective routing with proxy

    1
    0 Votes
    1 Posts
    669 Views
    No one has replied
  • No Remote Network Access, VPN Network works fine. Routing issue?

    1
    0 Votes
    1 Posts
    627 Views
    No one has replied
  • Routing traffic through OpenVPN client doesn't work in 2.3 anymore

    2
    0 Votes
    2 Posts
    1k Views
    B
    Hey John, did you ever get this working? I am experiencing a similar issue trying to connect a 2.3 pfSense to an OpenVPN server. Thanks, Martin
  • HELP: openvpn not working properly

    2
    0 Votes
    2 Posts
    669 Views
    jimpJ
    Are you trying to access them by name or IP address? If you are trying to access them by name, try by IP address instead. If that doesn't work, check the local system to be sure it allows connections from outside its subnet. The local system hosting the share may not allow connections from the VPN subnet and may need some adjustments, such as having an exception added to the Windows Firewall or having the Windows Firewall disabled.
  • OpenVPN Stopped Working with 2.3.3

    7
    0 Votes
    7 Posts
    3k Views
    E
    I'm an idiot. Problem was me accidentally deleting the port forwarding rule on my router when deleting rules for my camera server/recorder. (I use a separate router instead of the pfSense box serving as router).
  • 0 Votes
    5 Posts
    2k Views
    jimpJ
    Great news! I'll look into adding a GUI knob for that, I have a couple others that need to go in as well and it may be good to have set by default for upgrades to preserve the existing behavior.
  • How safe to change default SHA1 to other encryption algorithm?

    9
    0 Votes
    9 Posts
    10k Views
    PippinP
    @emammadov: But I see that there are two types of SHA256 here: RSA-SHA256 and SHA256. They are the same. http://security.stackexchange.com/questions/91908/using-rsa-sha-as-instead-hmac-in-openvpn
  • 0 Votes
    2 Posts
    2k Views
    jimpJ
    That is not a client connecting/disconnecting. It's the GUI polling information for the widget or openvpn status. Your OpenVPN instance must be set for a verboseness level that logs that info.
  • VPN for 2 load balanced connections?

    1
    0 Votes
    1 Posts
    410 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.