Thanks Chris, i'll do some more testing and let you know if i find something else.

A last question. Should the AVPair imported rules be seen in the firewall configuration panel or somewhere else?

Thanks
Pablo

I have posted a thread but no answers as of yet. just saw this and thought maybe this is the issue im having

Post screenshots of all related GUI pages.

Are you sure the tunnel is working?

Awesome!
Is /etc/dh-parameters.* unique per pfsense installation or is it the same for all installations?

Did a clean reinstall and seems to be fixed. I think topic can be closed

I think I found the answer here: https://openvpn.net/index.php/open-source/documentation/security-overview.html

One notable security improvement that OpenVPN provides over vanilla TLS is that it gives the user the opportunity to use a pre-shared passphrase (or static key) in conjunction with the –tls-auth directive to generate an HMAC key to authenticate the packets that are themselves part of the TLS handshake sequence. This protects against buffer overflows in the OpenSSL TLS implementation, because an attacker cannot even initiate a TLS handshake without being able to generate packets with the currect HMAC signature.

Anyone? :(

My car suddenly won't go… help please!!!  ::)

Dude, post some logs and configuration, or try a crystal ball.

I just noticed 2 new lines in SysLog (OpenVPN)

Nov 11 21:26:33 openvpn[22448]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1131750 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 11 22:15:56 openvpn[22448]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #85096 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

above these 2 lines, everything is still the same as in the image above this post.

Anything i should worry about?

Thanks

I would like to thanks everyone for the help I was able to get working exactly what I wanted by having radius push routes and firewall rules all managed from AD. Thanks Again

do you use outbound-NAT ?
do you have more than one openVPN-Server running on that pfsense?

if yes, look here:
https://forum.pfsense.org/index.php?topic=101115.0

how do I do the edited client config

cipher AES-256-CBC
auth SHA256
thing?
Thanks

Why'd you be "upgrading" to completely obsolete release now?

Yup, +1 on that.

From all accounts 2.2.5 is stable, especially as far as OpenVPN.
I've got more than a few iOS devices talking to  various 2.2.5 sites using OPenVPN.

I'd be inclined to make sure your pfSense is up to date, then make sure the iOS client is as well.

How many users do you have??

Dude really it takes all of 15 seconds to create a new ca..  Not sure where the problem is here with redoing your setup.. Delete your openvpn setup and run through the wizard it takes all of really to be honest if it takes you more than 3 minutes your doing something wrong!!!

All true.

But your use case will work.

You would 1:1 NAT the LAN to your 172.16.X.0 network at each remote site.

It will require an OpenVPN assigned interface at each satellite to do the NAT on.

The HQ VPN server could be one instance with 172.16.0.0/16 as the remote network route and iroutes for each /24 to the appropriate site instance.

Very nice solution!

Much more elegant than my brute-force approach  :)

OpenVPN doesn't yet support AES-GCM, so the benefits of AES-NI are more limited with it. The AES CBC modes will take some advantage of it.