• OpenVPN initial connection works. Trying to reconnect not - Reboot fixes

    2
    0 Votes
    2 Posts
    2k Views
    K
    @kaas: Hi. So I followed this video: https://www.youtube.com/watch?v=xiy52Hn5bTc I had this running on my old network. It's used for me to get access to my work network from home. So, I recently switched ISP both at home and work to the same new one. I set up pfSense and OpenVPN. When I boot my PC, I can connect. However, after disconnecting and then trying to reconnect nothing happens. These are the logs:

    Tue Dec 12 21:31:17 2017 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
    Tue Dec 12 21:34:47 2017 Warning: route gateway is not reachable on any active network adapters: 172.16.0.1
    Tue Dec 12 21:34:47 2017 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Tue Dec 12 21:34:47 2017 Warning: route gateway is not reachable on any active network adapters: 172.16.0.1
    Tue Dec 12 21:34:47 2017 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Tue Dec 12 21:34:47 2017 NOTE: Release of DHCP-assigned IP address lease on TAP-Windows adapter failed: An address has not yet been associated with the network endpoint. (code=1228)
    Tue Dec 12 21:34:47 2017 SIGHUP[hard,] received, process restarting
    Tue Dec 12 21:34:47 2017 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
    Tue Dec 12 21:34:47 2017 Windows version 6.2 (Windows 8 or greater) 64bit
    Tue Dec 12 21:34:47 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
    Tue Dec 12 21:34:52 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xxx.xxx.xx:1194
    Tue Dec 12 21:34:52 2017 UDP link local (bound): [AF_INET][undef]:1194
    Tue Dec 12 21:34:52 2017 UDP link remote: [AF_INET]xx.xxx.xxx.xx:1194
    Tue Dec 12 21:34:52 2017 [www.safesurf.dk] Peer Connection Initiated with [AF_INET]xx.xxx.xxx.xx:1194
    Tue Dec 12 21:34:53 2017 open_tun
    Tue Dec 12 21:34:53 2017 TAP-WIN32 device [Ethernet 3] opened: \.\Global{734D00E0-401D-46F7-B1E7-420E4AB1DF67}.tap
    Tue Dec 12 21:34:53 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 172.16.0.0/172.16.0.2/255.255.255.0 [SUCCEEDED]
    Tue Dec 12 21:34:53 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.16.0.2/255.255.255.0 on interface {734D00E0-401D-46F7-B1E7-420E4AB1DF67} [DHCP-serv: 172.16.0.254, lease-time: 31536000]
    Tue Dec 12 21:34:53 2017 Successful ARP Flush on interface [12] {734D00E0-401D-46F7-B1E7-420E4AB1DF67}
    Tue Dec 12 21:34:53 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Tue Dec 12 21:35:28 2017 Warning: route gateway is not reachable on any active network adapters: 172.16.0.1
    Tue Dec 12 21:35:28 2017 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Tue Dec 12 21:35:28 2017 Warning: route gateway is not reachable on any active network adapters: 172.16.0.1
    Tue Dec 12 21:35:28 2017 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem

    SYSTEM ROUTING TABLE
    0.0.0.0 0.0.0.0 10.0.0.1 p=0 i=37 t=4 pr=3 a=4252 h=0 m=25/0/0/0/0
    0.0.0.0 0.0.0.0 25.0.0.1 p=0 i=6 t=4 pr=3 a=2213 h=0 m=9256/0/0/0/0
    0.0.0.0 128.0.0.0 172.16.0.1 p=0 i=37 t=4 pr=3 a=0 h=0 m=26/0/0/0/0
    10.0.0.0 255.255.255.0 10.0.0.17 p=0 i=37 t=3 pr=2 a=4252 h=0 m=281/0/0/0/0
    10.0.0.17 255.255.255.255 10.0.0.17 p=0 i=37 t=3 pr=2 a=4252 h=0 m=281/0/0/0/0
    10.0.0.255 255.255.255.255 10.0.0.17 p=0 i=37 t=3 pr=2 a=4252 h=0 m=281/0/0/0/0
    25.0.0.0 255.0.0.0 25.68.1.73 p=0 i=6 t=3 pr=2 a=2212 h=0 m=9256/0/0/0/0
    25.68.1.73 255.255.255.255 25.68.1.73 p=0 i=6 t=3 pr=2 a=2212 h=0 m=9256/0/0/0/0
    25.255.255.255 255.255.255.255 25.68.1.73 p=0 i=6 t=3 pr=2 a=2212 h=0 m=9256/0/0/0/0
    xx.xxx.xxx.xx 255.255.255.255 10.0.0.1 p=0 i=37 t=4 pr=3 a=0 h=0 m=25/0/0/0/0
    127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=4271 h=0 m=331/0/0/0/0
    127.0.0.1 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=4271 h=0 m=331/0/0/0/0
    127.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=4271 h=0 m=331/0/0/0/0
    128.0.0.0 128.0.0.0 172.16.0.1 p=0 i=37 t=4 pr=3 a=0 h=0 m=26/0/0/0/0
    169.254.0.0 255.255.0.0 169.254.225.200 p=0 i=12 t=3 pr=2 a=281 h=0 m=291/0/0/0/0
    169.254.225.200 255.255.255.255 169.254.225.200 p=0 i=12 t=3 pr=2 a=281 h=0 m=291/0/0/0/0
    169.254.255.255 255.255.255.255 169.254.225.200 p=0 i=12 t=3 pr=2 a=281 h=0 m=291/0/0/0/0
    224.0.0.0 240.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=4271 h=0 m=331/0/0/0/0
    224.0.0.0 240.0.0.0 10.0.0.17 p=0 i=37 t=3 pr=2 a=4259 h=0 m=281/0/0/0/0
    224.0.0.0 240.0.0.0 25.68.1.73 p=0 i=6 t=3 pr=2 a=2213 h=0 m=9256/0/0/0/0
    224.0.0.0 240.0.0.0 169.254.225.200 p=0 i=12 t=3 pr=2 a=378 h=0 m=291/0/0/0/0
    255.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=4271 h=0 m=331/0/0/0/0
    255.255.255.255 255.255.255.255 10.0.0.17 p=0 i=37 t=3 pr=2 a=4259 h=0 m=281/0/0/0/0
    255.255.255.255 255.255.255.255 25.68.1.73 p=0 i=6 t=3 pr=2 a=2213 h=0 m=9256/0/0/0/0
    255.255.255.255 255.255.255.255 169.254.225.200 p=0 i=12 t=3 pr=2 a=378 h=0 m=291/0/0/0/0

    SYSTEM ADAPTER LIST
    Intel(R) 82579V Gigabit Network Connection
      Index = 37
      GUID = {EEFB3D55-B31A-4562-8806-BC209AC7BA0B}
      IP = 10.0.0.17/255.255.255.0
      MAC = 30:85:a9:b2:0f:c9
      GATEWAY = 10.0.0.1/255.255.255.255
      DHCP SERV = 10.0.0.1/255.255.255.255
      DHCP LEASE OBTAINED = Tue Dec 12 17:26:49 2017
      DHCP LEASE EXPIRES  = Wed Dec 13 17:26:49 2017
      DNS SERV = 10.0.0.1/255.255.255.255
    LogMeIn Hamachi Virtual Ethernet Adapter
      Index = 6
      GUID = {35D2D616-5D13-422C-B8CC-0FC2AF19B0B2}
      IP = 25.68.1.73/255.0.0.0
      MAC = 7a:79:19:44:01:49
      GATEWAY = 25.0.0.1/255.255.255.255
      DHCP SERV = 25.0.0.1/255.255.255.255
      DHCP LEASE OBTAINED = Tue Dec 12 18:00:49 2017
      DHCP LEASE EXPIRES  = Wed Dec 12 18:00:49 2018
      DNS SERV =
    TAP-Windows Adapter V9
      Index = 12
      GUID = {734D00E0-401D-46F7-B1E7-420E4AB1DF67}
      IP = 169.254.225.200/255.255.0.0
      MAC = 00:ff:73:4d:00:e0
      GATEWAY = 0.0.0.0/255.255.255.255
      DHCP SERV = 0.0.0.0/255.255.255.255
      DHCP LEASE OBTAINED = Tue Dec 12 21:35:28 2017
      DHCP LEASE EXPIRES  = Tue Dec 12 21:35:28 2017
      DNS SERV =
    The Broadcom 802.11 Network Adapter provides wireless local area networking.
      Index = 7
      GUID = {3DA5EF78-91FA-4975-80D1-6A36270A3755}
      IP = 0.0.0.0/0.0.0.0
      MAC = dc:85:de:57:16:90
      GATEWAY = 0.0.0.0/255.255.255.255
      DHCP SERV =
      DHCP LEASE OBTAINED = Tue Dec 12 21:35:28 2017
      DHCP LEASE EXPIRES  = Tue Dec 12 21:35:28 2017
      DNS SERV =
    Microsoft Hosted Network Virtual Adapter
      Index = 14
      GUID = {5CF15D9A-01CB-491A-8ACB-1DBE80F45FAB}
      IP = 0.0.0.0/0.0.0.0
      MAC = dc:85:de:57:16:90
      GATEWAY = 0.0.0.0/255.255.255.255
      DHCP SERV =
      DHCP LEASE OBTAINED = Tue Dec 12 21:35:28 2017
      DHCP LEASE EXPIRES  = Tue Dec 12 21:35:28 2017
      DNS SERV =
    Microsoft Wi-Fi Direct Virtual Adapter
      Index = 26
      GUID = {C5DC4ADC-C746-4A0D-98D1-0F604C1DD5F3}
      IP = 0.0.0.0/0.0.0.0
      MAC = de:85:de:57:16:90
      GATEWAY = 0.0.0.0/255.255.255.255
      DHCP SERV =
      DHCP LEASE OBTAINED = Tue Dec 12 21:35:28 2017
      DHCP LEASE EXPIRES  = Tue Dec 12 21:35:28 2017
      DNS SERV =

    Tue Dec 12 21:35:28 2017 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )

    I had this working on my old setup just fine. But now it only works the first time. These are the configs: http://prntscr.com/hmnk7h http://prntscr.com/hmnkdi http://prntscr.com/hmnkmp http://prntscr.com/hmnkqe So when the OpenVPN client is just yellow, I see this in pfSense: http://prntscr.com/hmnmlb So it has established some kind of connection. However, I cannot ping pfSense nor anything else. I would be so happy if someone would lead me a way. I read another post about this saying something about IPs, but I am unsure what should be wrong here… Rules on WAN: http://prntscr.com/hmnn8d The OpenVPN rule is also added. At last, when trying over a 4G connection it fails with:

    Tue Dec 12 21:48:12 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Tue Dec 12 21:48:12 2017 TLS Error: TLS handshake failed
  • OpenVPN Server ping and port close!!

    4
    0 Votes
    4 Posts
    748 Views
    johnpozJ
    great - glad you got it sorted, so you allow for ping then? I normally run a TCP port (443 normally, since it's pretty much a given it will be open anywhere there is internet) along with the UDP port for my OpenVPN. That gives you options where UDP 1194 might not be open from where you're at, or if you're behind a proxy, using TCP on 443 can be bounced off a proxy, etc.
  • OpenVPN site-to-site problem

    3
    0 Votes
    3 Posts
    811 Views
    DerelictD
    The only rule you need on WAN for OpenVPN is the one on the server side passing the tunnel traffic itself (Default: any to WAN address port UDP/1194). After that, each site allows traffic in from the OpenVPN tunnel using rules on the OpenVPN tab. The any rule on WAN should probably be deleted or disabled immediately. A simple test is whether you can ping the pfSense LAN interface address on the other side. If you can ping that, then the tunnel is working. If you can ping that and NOT something on the LAN, you need to check that client for firewalls on it and routing (default route goes back to pfSense).
  • OpenVPN connecting fine, but only http or ping

    8
    0 Votes
    8 Posts
    988 Views
    JKnottJ
    You may have meant to say something else, but this statement as written is not entirely accurate. Pings are used to verify basic IP communication between endpoints; however, pings by themselves can't prove or disprove a DNS issue. I said if you can ping via host name. That implies DNS is working. Otherwise you couldn't ping by host name.
  • Pfsense 2.3.5: OpenVPN Client w/ Certificate & password auth

    10
    0 Votes
    10 Posts
    4k Views
    R
    Well, the server is 2.3.4. I used a dummy endpoint for tests with 2.3.7 with the same result, so this is a non-issue. Yes, SHA1 is an auth scheme, not an encryption scheme. What makes me wonder is that with the dummy endpoint as well as the actual server, when having no auth defined on both sides (hence SHA1 is to be used), the auth works -as expected- but when there's a config error in encryption or compression, the connection breaks -as expected- with an appropriate error message. In the current config/setup however, no matter how erroneous my encryption config or my compression may be, it doesn't even get to the point of complaining about the wrong config. This makes me think that maybe there is something wrong with the auth mechanisms to be used by default by the current pfSense version.
  • OpenVpn access and ping problems…

    2
    0 Votes
    2 Posts
    490 Views
    M
    Ok, I finally figured it out. Boy, what a reminder of why software drives me insane, it's just so imperfect. So after hours of messing with this and checking and rechecking, I got onto a thread where they mentioned the ROUTING TABLE in pfSense. Hmm, I thought. So I went there on my SERVER PF box. Well look at that, there is some weird IP of 192.168.0.1 attached to my OVPNSRV2 OpenVPN. So I compare the entries for the server that works and that just is not right… it should be 192.168.2.0/24! So I DELETE the 2nd server which was from A to C. Go back to the routing table and this entry now refers to "TUN" instead of the deleted OVPNserv2. What the? I restart the OpenVPN services, nope, still there. So I had to reboot the Site A pfSense box. THAT got rid of the rogue routing entry! I re-created my 2nd server at Site A and voilà! It's all working! I can PING away! Ok, thanks self! Have a good day!
  • OpenVPN Multiple Site-to-multiSites routing

    23
    0 Votes
    23 Posts
    28k Views
    M
    Bump! I too have this same question. I am using PEER to PEER with preshared key. A second connection to the server never generates an entry in the server; the two seem to hack each other (when one is up the other is down), so I went to a separate Server for each client connection too. I used different TUNNEL IPs if that matters, 172.16 /24 and 172.17/24 for the tunnel IPs. Anyway, with my multiple Servers at site A, I have established both client connections, to sites B and C. A to B works fine and I can ping in both directions, A->B and B->A, fine. However I CANNOT do the same for A->C or C->A!!! Cannot figure it out. All Client settings are the same except for those specific to the client. What would cause this? I can ping from the pfSense console at site C to IPs at site A, but from any PC at site C I cannot ping anything at site A. Rules look fine, again everything is IDENTICAL in Client/Server settings for B and C. Can't figure it out! Thanks, MP
  • OpenVPN issue: when connected no internet access

    2
    0 Votes
    2 Posts
    564 Views
    A
    Have you added the VPN IP subnet in "Squid Access Control Lists" > "Allowed Subnets"?
  • OpenVPN-AS or OpenVPN Remote Access Server which should I install?

    4
    0 Votes
    4 Posts
    965 Views
    jimpJ
    Then the second link for setting up OpenVPN as a Remote Access Server using the wizard is what you're after.
  • PATH to Config file openvpn

    2
    0 Votes
    2 Posts
    3k Views
    V
    /var/etc/openvpn

    It's recommended to make the settings in the GUI. There are drop-downs and input boxes for the most common options; if you need others, you can set them in the "Advanced Options" field.
  • 0 Votes
    10 Posts
    4k Views
    B
    After the change this is still an issue, at least I was home this time. I have been statically connecting to 64.237.37.121 for weeks now. I think I am going to try another server…
  • Multiple OpenVPN tunnels multicore CPU

    11
    0 Votes
    11 Posts
    4k Views
    J
    Gateway load balancing seems to work well. I have two PIA VPN tunnels configured on an SG-3100. I have them both as part of a gateway group in tier 1, and my test machine matches a firewall rule that sends all traffic to that gateway group by default. When running a Speedtest, the download test uses both tunnels - one openvpn process on each CPU. During the upload test, it only uses one of the tunnels. If I have the gateway group prefer one tunnel over the other, the download test only uses that tunnel and not the other, and the upload behavior doesn't change. I was able to confirm that by watching top from a console and looking at the bandwidth monitor. I managed to pull down 60 mbit over OpenVPN doing it this way a few times, but on average it was about 50 mbit. I know there's more throughput available here given the hardware specs, so I need to figure out the best encryption algorithm to use. I want to try a real bench test to take the intertubes variable out of the equation to see how this really works.
  • Issue using OpenVpn with LDAP win2k12 based

    1
    0 Votes
    1 Posts
    374 Views
    No one has replied
  • OpenVPN Logs & Verbosity

    3
    0 Votes
    3 Posts
    1k Views
    GilG
    Thanks Pippin. Doesn't help when you are watching the web page for a reason, huh
  • PfSense OpenVPN server compability with QNAP (QVPN Service)

    12
    0 Votes
    12 Posts
    3k Views
    K
    Just a follow-up to those who think about cert-based OpenVPN from QNAP (client) to pfSense (server). In the foreseeable future - password only. From their tech support: I have received information from PM that there are currently no plans for improving QVPN OpenVPN client security. However, I have created a feature request regarding this, so it will be considered and possibly implemented in future.
  • PROBLEM WITH OPENVPN ROUTES

    1
    0 Votes
    1 Posts
    417 Views
    No one has replied
  • Remote GW Routing

    1
    0 Votes
    1 Posts
    434 Views
    No one has replied
  • VPNGate VPN setup help needed for pfsense

    7
    0 Votes
    7 Posts
    1k Views
    P
    Where can I get a simple guide to set up OpenVPN in pfSense?
  • OpenVPN Issue with server stopping client

    2
    0 Votes
    2 Posts
    443 Views
    A
    bump?
  • Can a user supply a password for vpn connection with pfsense-as-client?

    4
    0 Votes
    4 Posts
    721 Views
    M
    captive portal is not going to work.

    Can you elaborate? Why?

    revoke the certificate if the router is lost/stolen

    This isn't really a good defense against someone with physical access to the router. I'm less concerned about theft and more concerned about possible unauthorized use by others who may have physical access to where the router is stored.

    Use SSL/TLS + User auth

    How can I do this with a VoIP phone I'm attaching via one of the ports on an SG-3100 that needs VPN'd access to a non-public phone switch? I can certainly do OpenVPN connections with password-protected certs - in fact this is what I use for my other remote access clients. I'd like to use the SG-3100 to provide VPN services for other hardware that can't do VPN services for itself, and I'd like it to take a user-supplied password for initial connection to prevent casual access by unauthorized people. At this point, I'm leaning toward password-saved-in-the-router IPsec VPN for JUST the VoIP phone and software (OpenVPN client) on the laptop. I was just hoping to find some way to do both with the hardware. Thanks for your suggestions.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.