• Silent Install of client export package

    3
    0 Votes
    3 Posts
    1k Views
    jimp
    Not currently, no. It may be possible with changes to some of the nsis scripts used to do the install but it's not something that gets requested often and I'm not sure how complicated it might be. Windows installers are not something I like hacking on ;-)
  • Route one IP through vpn

    2
    0 Votes
    2 Posts
    685 Views
    O
    It's working! I didn't do anything more, just slept a long night and it's working! Amazing! … Yesterday, my test didn't work because I must drop existing TCP/UDP flows before testing
  • Issues configuring pfsense 2.3.2 with NordVPN

    2
    0 Votes
    2 Posts
    1k Views
    Z
    @TheIPdude: I experienced the same problem! How did you solve it?
  • Server certificate expired - no connectivity

    2
    0 Votes
    2 Posts
    622 Views
    jimp
    When you make a new CA, you have to remake all of the server and client certificates to go with it.
  • Access EasyN ip camera only works on web interface

    2
    0 Votes
    2 Posts
    969 Views
    Y
    Is it possible to map a VIP (10.0.8.1) to a local IP (192.168.x.x), so that the camera app can search for the local IP cam?
  • Site to site without routing all traffic

    6
    0 Votes
    6 Posts
    984 Views
    M
    Can we assume no news is good news?
  • 0 Votes
    3 Posts
    694 Views
    R
    Yes, I've set up two OpenVPN roadwarrior servers, one per WAN interface, both with the same configuration but a different TCP port, because we have two DSL lines. Is there a better way to set up X OpenVPN roadwarrior servers listening on different DSL lines without creating X different networks? I want to simplify the client override settings, because we are assigning a static IP to some users, and if we create X networks we also need to create X client overrides. Thanks
  • Additional user doesn't have the same access

    2
    0 Votes
    2 Posts
    537 Views
    V
    10.0.50.3 is in the same subnet as 10.0.50.2/30, it's the broadcast address for the first user's subnet.
    10.0.50.2/30:
    10.0.50.0 ... network
    10.0.50.1 ... server
    10.0.50.2 ... client
    10.0.50.3 ... broadcast
    You may give the second user the next /30 subnet, that's 10.0.50.4/30, so the client will get 10.0.50.6 and the server 10.0.50.5.
  • Restrict OpenVPN users to specific FQDN's / IP addresses

    1
    0 Votes
    1 Posts
    532 Views
    No one has replied
  • Mac OS clients can connect, but no LAN access

    10
    0 Votes
    10 Posts
    3k Views
    J
    @Derelict: That'll do it. Indeed. For my own understanding, why would OpenVPN allow one connection though? I get that 10.8.15.0/24 couldn't get outside of VLAN 15 because there were no routes outside of it, but why would the first connection be able to get to all other VLANs? Is OpenVPN somehow above the law so to speak in the network stack?
  • 0 Votes
    3 Posts
    697 Views
    D
    Another possibility is "helpful"(?!) browsers auto-filling/auto-correcting on screen forms. Might be worth trying a different browser just to be sure.
  • Site-To-site : static IP address for Tunnel interface

    3
    0 Votes
    3 Posts
    706 Views
    B
    Thanks a lot. Well, I thought there would be one instance on the server talking with many remote sites, so now I must have as many instances on the server as the number of remote sites. So the topology in the client settings is just for client-to-site. It makes sense, but it's a hell of a lot of work. Thanks again
  • OpenVPN multicast?

    5
    0 Votes
    5 Posts
    3k Views
    U
    Has anyone been able to get this working? I'm trying to configure a 3 cluster configuration for my 3 Proxmox nodes. 2 Proxmox nodes are in the same physical network and I have no issues clustering them up. My issue is when I try to add the 3rd node, which sits in a remote location, I get the "waiting for Quorum" timeout error. I'm assuming this is due to the multicast traffic not being passed through the S2S tunnel. I've configured the OpenVPN server via TUN / UDP. I have access to the remote side, and vice versa. Any suggestions?
  • 0 Votes
    7 Posts
    1k Views
    Bear
    One would be led to believe, but since it's a filtered bridge, I don't assign an IP to the LAN side of it.  I'm just saying it's showing up as 10, even though it's not set.  My locals (which are working) are 104.49... Regardless, I'm still where I was - All of my rules are working, folks can get in and out of my statics/servers, but OpenVPN client can connect but go nowhere.
  • 0 Votes
    4 Posts
    841 Views
    H
    @Pippin: Fix time on client side, cmos bat.? Push NTP to the client(s) … Client is a VM. The host had its time set improperly (ESXi). I set the time manually on the host because the NTP service wasn't starting properly. Not sure the deal there, will troubleshoot that eventually. What concerns me is the VM rebooted and even though it had NTP enabled it pulled time from the host and never updated itself. In order to fix it I logged in, went to system-> settings, saw the NTP was enabled, clicked "save" and the time updated. Trying to figure out why the pfsense VM didn't automatically update until I logged in and clicked "save", seems like it should've noticed that NTP and local time were off and auto-corrected without me intervening.
  • Can't access IPsec Site-to-Site Subnet from OpenVPN Subnet

    4
    0 Votes
    4 Posts
    1k Views
    M
    So if your routing table doesn't mention 20.0, then it really truly doesn't know how to get to it, and will send that traffic to the default gateway. The OpenVPN server may very well push the route to 20.0 to the remote clients. The clients will contact the specified gateway. However, that doesn't mean the gateway (i.e. probably your pf box with the missing route) knows how to get to 20.0. Add a System / routing / static route if needed.
  • WoL half broken after setting pfSense up as an OpenVPN client

    1
    0 Votes
    1 Posts
    604 Views
    No one has replied
  • Unable to get Selective routing to OpenVPN(PIA) to work for single IP

    3
    0 Votes
    3 Posts
    560 Views
    C
    amazing..such a simple fix! thank you so much!
  • OpenVPN Status indicator -> service not running?

    7
    0 Votes
    7 Posts
    11k Views
    P
    Awesome! I'm glad it worked for you. I don't know why the system gets out of sync but it's happened to me a few times and you can find threads back in 2013 with people having the same problem. I don't know if anyone's ever looked in to fixing it?
  • 0 Votes
    2 Posts
    1k Views
    P
    There's a few possibilities. You might try switching to a different PIA server, they are not all created equal. Here's their list. https://www.privateinternetaccess.com/pages/network/ Another potential issue, is your Nighthawk router running as an AP only (all services DHCP, DNS, QoS, NTP, etc. turned off at the Nighthawk's WebGUI)? If it's trying to do a bunch of stuff it may be working against pfSense and causing issues. My guess is that you've already done this but I thought I'd ask. Last option, if neither of the above two work is that your CPU is probably the limiting factor at 1.6GHz, if this is the case then you have two options. One, obviously buy a new CPU. The ASrock Apollo Lake SoC's are cheap, have the latest AES-NI, have higher clock speeds while remaining low power and fanless. Unless you need 4 cores for something else CPU intensive you are doing, I would recommend the J3355 for its high clock speeds and low cost. The other option is keep your existing hardware and create two OpenVPN client processes. All you do is create a new OpenVPN client, just mirror the one you already have, then go to System > Routing > Gateway Groups and create a new group, select both of your VPN clients and set them both to tier 1. Finally, go to your firewall rules and for everything you want to use the VPN, select your gateway group as their gateway in advanced settings. What you are doing here is splitting your VPN into two streams, since OpenVPN is purely single-threaded, this lets your CPU use two of its cores to process your traffic. By setting both of the clients to tier 1 your computer will balance the load between the two processes. This isn't a magic bullet, your per instance VPN total speed will not double, if your CPU maxes at 50Mbps and you do this then if only one computer is using the VPN, it will still only get 50Mbps. But, if you have two computers each trying to use 50Mbps at the same time they will now each get the full 50Mbps.
So even though it isn't a perfect solution, I still recommend you do it for another reason(s). PIA servers sometimes (rarely) go down completely and more often suffer from decreased performance during peak hours. If you configure two or more clients in this method and select a different PIA server for each, you can mitigate this shortcoming by spreading your traffic over multiple servers. Here's the thread where I learned of this, which links to another thread with more instructions if you're interested. https://forum.pfsense.org/index.php?topic=123927.msg690987#msg690987
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.