No not PFM.. simple networking..  Again without you posting what you did, its impossible to know what you had missed..  Maybe the guide font was too small and you were missing half of the steps? Glad you got it sorted, but how are you retired tech and don't know how to ask a support question and post what you did?  What pages to post - how about the pages you edited via the guide? Good luck with your router and vpn that you believe if PFM… that is not a good sign of success when you don't understand how the tech your using and managing works.. Its ok if the users think its PFM, but the person with the hand on the controls needs to have a little more understanding than I clicked on some shit and now its working..

Yup, that did it. I went ahead and added a static route to both PFSense boxes, forcing their destination network through the appropriate GW. At least right now, My office can ping and hit endpoints on the clients side. I cannot yet ping my office from the clients side. That may be due to a pending reboot though. For whatever reason, that seems redundant to me. But I guess you're saying that if the PFSense box is behind another router, then that sort of thing needs to happen? Otherwise if both boxes were up against the public IP/modem, that static routing would not need to occur? Thanks again for a nudge in the right direction. Now to clean up my mess, and work on DNS passing through. -Chrisso

Dropping connections every minute usually means you are connecting from two different clients and have not configured the server to accept connections from multiple clients with the same credentials.

Bingo. That's what I needed. I had configured it from a tablet in trying to troubleshoot and must have set it to SSL/TLS + UserAuth, switching it back brought back the client export list. Thanks,

One more thing to mention - if you assign your VPN clients IPs from subnet which is different from your LAN - you will need a separate NAT rule to allow this traffic to leave your pfSense box.

In the future there is no need to hide or try and obfuscate your local address space (rfc1918) ie 192.168/16, 10/8, 172.16/12 We all use the same addresses, it does not route on the internet.  If I tell you I use 192.168.9.0/24 and my machines address is 192.168.9.100 and my vpn clients use 10.0.8/24 as their tunnel.  It doesn't give away anything at all that could be used to find you or know who you are, etc. etc. To me hiding it does 2 things, it make it harder to understand so can help, and 2nd thing is it makes me think the person posting is not the bright bulp in the pack when it comes to networking.. Should prob talk to them like they are 3 going on 4 years old and had a hard time in preschool with learning their colors ;) heheheeh  You know the kid sitting in the corner drooling eating glue..

Yes its called policy based routing.. Your going to want to make sure you don't pull routes from vpn client connection on pfsense.  And then just create firewall rules to send what traffic or devices you want to send down the pfsense client vpn connection.

I've solved. In common name i use the username from active directory and advanced config with ifconfig-push. It work with or without user certificate.

I manual start  freeradius  but  openvpn+motp not login so i use this method agin click services->freeradius->users and find not login user click "edit this item" do not change any thing and click "save" then login again , motp is login OK so  the freeradius motp  has bug

Thank you for your reply, and for providing me with a recommendation. Sorry if my post was a little confusing at first. Originally I thought of this but wasn't completely sure as I have felt that even on a network of the same private ip of my local home network; tunneling thru the vpn still worked for me. I wanted to see if there was something else to try as changing my local home network would require me to edit all my static IP I've created  :'(

Yeah its funny how some of these auditors don't actually understand what they are auditing ;)  Ok MFA is a requirement, we are using MFA already.. How many factors you want ;) Should we have the uses submit a DNA sample everytime they auth? ROFL  They you would have 3, cert they have, password they know and their dna something they are.. Glad you got it sorted.. Your users would of prob had a fit with many a help desk call having t add the OTP auth along with their password, etc.

Thanks Viragomann I appreciate it this concludes my 2 week search for the masquarade or outbound NAT as u call it in pfsense. When I did that and logged to mikrotik from my iphone the ip was that of pfsense therefore I can see all 10.0 networks on the miktrotik. Thanks again I hope I can help others who experience issues in this transition from PPTP to Openvpn.I had no idea that the interface address meant the pfsense IP so I was putting my ip as a /32 subnet and didnt work.Also I used source nat openvpn interface instead of LAN so it was 2 mistakes I did. Now all that remains is to fix the 2 broken packages that remain on the menus after the upgrade and make me nuts!!!!nut and BandwidthD that return 404 error. Yes I know I should have uninstalled them before the upgrade but who reads the fine print right?Especially in Greece! [image: openvpnNAT.PNG] [image: openvpnNAT.PNG_thumb]

I would gently suggest you try this setup using PKI. My experience has been SSL/TLS gives you a more robust and flexible setup, especially if you need to expand later on. You can probably keep your existing server-client setups, just create a new CA on the server and use that to create individual certificates for: OpenVPN server - type Server Each client - type User You can enable auto-TLS on the server and use that key for an extra layer of security. The clients will need a copy of the CA cert (not the private key part) and their respective certificates (created in 2)  ). It sounds a little daunting, but once you have one done the rest will fall in line pretty simply. If you post back, we can hep along the way.

Perfect - you fixed the PBX issue for me!  Zoiper works well! Only two other issues for me seem to be related to external web traffic. If I am browsing facebook or reddit it works fine on:  Wifi or cell service.  If I log into the VPN, the web isnt loading anymore. It seems like I am good for internal things on my network (for the most part) Root Explorer on Android is having a hard time browsing SMB folders on my freenas box over VPN but works fine on wifi.

I just checked this morning at the cpu usage and as written about above, the two OpenVPN instances are using loads of cpu time. See screesnhot. Any ideas on this? [image: cpu_usage.png] [image: cpu_usage.png_thumb]

Any idea? Should I change to gre over ipsec?

@divsys: Yah, the full screen shot has a few other sections (like Topology for one) that might affect things. The other things to try are a full reboot of the server box or (if that's too onerous) search for the running server process and explicitly kill it. Worth it just to make sure you're on a level playing field as far as previous attempts go. You can up the server's verbosity so you should be able to see if the CSO is getting applied when the client connects. Similarly the client logs may show what's trying to apply if you up the logging level. Are the clients just typical Win, android, iPhone, or something else? Attached SS's of the Server and CSO's.  When I get home later I can troubleshoot further.  And yes the client I'm testing with is android phone. [image: Server.jpg] [image: Server.jpg_thumb] [image: CSO.jpg] [image: CSO.jpg_thumb]