• Moderate performance with OpenVPN connection

    3
    0 Votes
    3 Posts
    982 Views
    S
    When using a more powerful machine as VPN client I'm able to saturate the 100 Mbit link. SFTP to pfSense over OpenVPN maxes out at 20 Mbit. Any thoughts? Edit: the link between both sites has a pretty low latency btw (+- 10 ms).
  • OpenVPN - LAN - Router

    4
    0 Votes
    4 Posts
    1k Views
    P
    As a practical matter, I would also change that LAN 192.168.1.0/24 in the middle to some other more obscure private address space. That will help avoid problems for your Road Warriors when they are sitting in their local cafe and the cafe WiFi hotspot is also 192.168.1.0/24.
  • OpenVPN not working with dual WAN

    2
    0 Votes
    2 Posts
    971 Views
    P
    I guess you are using policy-routing rules on your LAN to direct traffic to WAN1 and WAN2 according to your failover and load-balancing needs. In that case, you need to have a rule on LAN that matches source LANnet, destination OpenVPN tunnel subnet (10.0.8.0/24), gateway none. That will allow the traffic returning from LAN to the OpenVPN client to be passed normally to the routing table, which knows how to route it across the OpenVPN tunnel to the client. Without that, the traffic can be forced out WAN1 or WAN2 by a policy-routing rule, and of course never reaches the OpenVPN client.
  • OpenVPN Peer to Peer IPv6 Tunnel Network not working

    7
    0 Votes
    7 Posts
    2k Views
    S
    I am currently having the same issue, with 2.2 and tap. I used a HE tunnelbroker to get IPv6 on a server in the datacenter. The server is connected to another pfSense installation at home. I allocated a /48 and split it into /64s. One of the /64s was to be used for the home network, and the other /64 was to be used for the rest of the clients on the OpenVPN network. Whenever any IPv6 address is added to the TAP interface, the entire interface instantly wipes itself out, removing both IPv4 and IPv6 addresses. As a result, it makes OpenVPN unusable.
  • 0 Votes
    10 Posts
    3k Views
    M
    Anyway, this is resolved. I needed "route 192.168.25.0 255.255.255.0 10.9.0.2" (IP address of the OpenVPN interface where the subnet is located). Yes, the routing issue was fairly evident once you posted the configs.
  • Can't surf

    20
    0 Votes
    20 Posts
    3k Views
    D
    So this does not morph into a VPS thread, please start a new post to discuss VPSs. Thanks.
  • Auth and User Certificates

    4
    0 Votes
    4 Posts
    2k Views
    J
    You need to select this option on the VPN server: "When authenticating users, enforce a match between the common name of the client certificate and the username given at login." Then user A will only be able to log in with his certificate.
  • PSK vs. PKI

    4
    0 Votes
    4 Posts
    2k Views
    J
    @rand4505: Stop using PSK; use 2048-bit+ RSA/DSA keys, with group 14 or higher DH, PFS. See: http://cdn.media.ccc.de/congress/2014/h264-sd/31c3-6258-en-Reconstructing_narratives_sd.mp4 Thank you for the video!
  • OpenVPN client: pfSense states for VPN not killed on reconnect?

    3
    0 Votes
    3 Posts
    1k Views
    J
    Hi, thanks for the quick reply. I tried this setting without effect (in fact, the box WAS checked, so I unchecked it. From the description, state killing takes place when it is unchecked). In my understanding, it only does something if a gateway fails. So it would kill the "normal" states of connections on my WAN gateway. However, the states of connections through my VPN are not affected and still stay in place…
  • Openvpn on hyper-v

    2
    0 Votes
    2 Posts
    1k Views
    C
    Hey, check this thread: https://forum.pfsense.org/index.php/topic,56565.msg364122.html However, IMHO, always get an Alix box or use the OpenVPN AS Hyper-V VM (2 free users), or (don't know your Hyper-V edition) use a Linux VM with an OpenVPN server. Best regards, Kostas
  • PFSense to Witopia

    4
    0 Votes
    4 Posts
    2k Views
    B
    Jingles, I think adding two servers will allow the client to use the second one if the first one isn't working. Dmitriy, I am reviewing their client config file; they don't specify a digest algorithm. They provide the following:

        client
        dev tun
        proto udp
        remote [REPLACE WITH SERVER NAME] 1194
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        ns-cert-type server
        cipher bf-cbc
        comp-lzo
        verb 3
        mute 20
        ca ca.crt
        mssfix 1300
        key CN1.key
        cert CN2.crt
        #tls-auth ta.key 1

    Since I am using pfSense, I don't need to specify the path for the files, since pfSense allows me to put the certs in the certificate authority and load the TLS key in the GUI. Right? I changed the verbosity to 4 and got this:

        Jan 20 18:19:21 openvpn[84390]: real_hash_size = 256
        Jan 20 18:19:21 openvpn[84390]: virtual_hash_size = 256
        Jan 20 18:19:21 openvpn[84390]: client_connect_script = '[UNDEF]'
        Jan 20 18:19:21 openvpn[84390]: learn_address_script = '[UNDEF]'
        Jan 20 18:19:21 openvpn[84390]: client_disconnect_script = '[UNDEF]'
        Jan 20 18:19:21 openvpn[84390]: client_config_dir = '[UNDEF]'
        Jan 20 18:19:21 openvpn[84390]: ccd_exclusive = DISABLED
        Jan 20 18:19:21 openvpn[84390]: tmp_dir = '/tmp'
        Jan 20 18:19:21 openvpn[84390]: push_ifconfig_defined = DISABLED
        Jan 20 18:19:21 openvpn[84390]: push_ifconfig_local = 0.0.0.0
        Jan 20 18:19:21 openvpn[84390]: push_ifconfig_remote_netmask = 0.0.0.0
        Jan 20 18:19:21 openvpn[84390]: push_ifconfig_ipv6_defined = DISABLED
        Jan 20 18:19:21 openvpn[84390]: push_ifconfig_ipv6_local = ::/0
        Jan 20 18:19:21 openvpn[84390]: push_ifconfig_ipv6_remote = ::
        Jan 20 18:19:21 openvpn[84390]: enable_c2c = DISABLED
        Jan 20 18:19:21 openvpn[84390]: duplicate_cn = DISABLED
        Jan 20 18:19:21 openvpn[84390]: cf_max = 0
        Jan 20 18:19:21 openvpn[84390]: cf_per = 0
        Jan 20 18:19:21 openvpn[84390]: max_clients = 1024
        Jan 20 18:19:21 openvpn[84390]: max_routes_per_client = 256
        Jan 20 18:19:21 openvpn[84390]: auth_user_pass_verify_script = '[UNDEF]'
        Jan 20 18:19:21 openvpn[84390]: auth_user_pass_verify_script_via_file = DISABLED
        Jan 20 18:19:21 openvpn[84390]: port_share_host = '[UNDEF]'
        Jan 20 18:19:21 openvpn[84390]: port_share_port = 0
        Jan 20 18:19:21 openvpn[84390]: client = ENABLED
        Jan 20 18:19:21 openvpn[84390]: pull = ENABLED
        Jan 20 18:19:21 openvpn[84390]: auth_user_pass_file = '[UNDEF]'
        Jan 20 18:19:21 openvpn[84390]: OpenVPN 2.3.3 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
        Jan 20 18:19:21 openvpn[84390]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
        Jan 20 18:19:21 openvpn[84390]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
        Jan 20 18:19:21 openvpn[84390]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Jan 20 18:19:21 openvpn[84390]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
        Jan 20 18:19:21 openvpn[84390]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Jan 20 18:19:21 openvpn[84390]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Jan 20 18:19:21 openvpn[84390]: LZO compression initialized
        Jan 20 18:19:21 openvpn[84390]: Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
        Jan 20 18:19:21 openvpn[84390]: Socket Buffers: R=[42080->65536] S=[57344->65536]
        Jan 20 18:19:21 openvpn[84390]: Data Channel MTU parms [ L:1542 D:1300 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
        Jan 20 18:19:21 openvpn[84390]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
        Jan 20 18:19:21 openvpn[84390]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
        Jan 20 18:19:21 openvpn[84390]: Local Options hash (VER=V4): '504e774e'
        Jan 20 18:19:21 openvpn[84390]: Expected Remote Options hash (VER=V4): '14168603'
        Jan 20 18:19:21 openvpn[84425]: UDPv4 link local (bound): [AF_INET]XXX.XXX.1.222
        Jan 20 18:19:21 openvpn[84425]: UDPv4 link remote: [AF_INET]XXX.XXX.111.111:1194
        Jan 20 18:19:21 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
        Jan 20 18:19:21 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194
        Jan 20 18:19:23 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
        Jan 20 18:19:23 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194
        Jan 20 18:19:27 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
        Jan 20 18:19:27 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194

    The only places I think may be wrong are the bolded. Thanks for any help. Also, when posting, what info should I take out or clean? Just the IP addresses?
  • OpenVPN dual LDAP does not work

    3
    0 Votes
    3 Posts
    1k Views
    O
    Thanks, but how?
  • Couple of questions

    3
    0 Votes
    3 Posts
    838 Views
    J
    Thanks mate, sorted it.
  • No port 80, 443 access via OpenVPN

    3
    0 Votes
    3 Posts
    996 Views
    J
    The only rule I have is the auto-generated one, allow all from all. I am not using Squid as a proxy. However, you asking the question made me start thinking in a different direction. I have a content filter in between pfSense and my network. I bet something is happening there. That would explain why it's just HTTP/HTTPS. Thanks. If I figure it out I'll update.
  • How to resolve local and remote hosts

    4
    0 Votes
    4 Posts
    2k Views
    johnpozJ
    So I am at company X, and my company has servers, let's call them serverA.companyX.com for example. How does 10.0.8.1 as your home DNS know about serverA.companyX.com when it is only resolvable by computers on the companyX network? It is not open to the public NET.. For example the Active Directory servers. While you can hand out multiple DNS to your pfSense clients, just because you have multiple DNS, depending on what the DNS returns when asked for serverA.companyX.com it's just going to stop.. And if I ask say the companyX DNS for something at home, pfsense.localdomain.net, it sure and the hell does not know.. The best solution to this sort of problem is, say, run bind on your box.. Point to it for DNS.. And in it have a forwarder for localdomain.net to ask your DNS on your home network, and everything else go to your corp DNS. That way you can resolve both your company stuff and your home stuff when you have a VPN connection. It does not have to be bind; could be dnsmasq, tinydns, unbound, anything that can make the call..
  • pfSense as VPN tunnel concentrator for LAN gaming

    9
    0 Votes
    9 Posts
    3k Views
    M
    @Derelict: I think most of what you need is here: https://forum.pfsense.org/index.php?topic=46984.0 I don't think you need the fix package any more. That post is a couple years old. I don't see it listed in available packages. Thanks!! I will try the guide!
  • Problems with road warrior OpenVPN to an alias IP

    1
    0 Votes
    1 Posts
    597 Views
    No one has replied
  • OpenVPN client for access via IP Alias network

    1
    0 Votes
    1 Posts
    549 Views
    No one has replied
  • OpenVPN with certificates + LDAP

    5
    0 Votes
    5 Posts
    5k Views
    S
    Derp. Thank you. I don't know how I missed that option during the setup wizard, but I did. I edited the server entry under OpenVPN for my LDAP server, changed it to Remote Access (SSL/TLS + User Auth), and the client export wizard now shows a client build for the certificate I cut for my test user. Now I just need to install it someplace and verify it's all working :D Thanks a ton!
  • Routing issue: mobile clients can't reach remote site

    8
    0 Votes
    8 Posts
    1k Views
    M
    "you need to add the network so the traffic can return" Absolutely, you need a return route for the road warrior tunnel network on PFsense02, so the return traffic gets routed down the tunnel… but if you notice, the road warrior tunnel network is 10.0.7.0/24, not 10.123.45.0/24. I'm guessing he was working on multiple documents and posted the wrong subnet by mistake, because 10.123.45.0/24 is nowhere in his diagram. Someone please point it out if it's right in front of my face and I'm missing it, but going strictly off the diagram... I don't see any reason for routing 10.123.45.0/24 down the tunnel.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.