• Default route from the router itself to NOT use the VPN

    3
    0 Votes
    3 Posts
    3k Views
    M
    @jimp: If your VPN client is OpenVPN and it receives its default route dynamically over that channel (e.g. "redirect-gateway def1" on the server) then you'll need to use "route-nopull" in the advanced options so that the client will ignore the default route information.
    Hmm, Jim, if I do that I get:
    Jan 3 15:29:30 openvpn[73188]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Jan 3 15:29:30 openvpn[73188]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Jan 3 15:29:30 openvpn[73188]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Jan 3 15:29:30 openvpn[73188]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    Jan 3 15:29:30 openvpn[73188]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,route 10.124.1.1,topology net30,ifconfig 10.124.1.6 10.124.1.5'
    Jan 3 15:29:30 openvpn[73188]: SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1)
    Jan 3 15:29:28 openvpn[73188]: [Private Internet Access] Peer Connection Initiated with [AF_INET]x.x.x.x.:1194
    Jan 3 15:29:28 openvpn[73188]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Jan 3 15:29:28 openvpn[73188]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 3 15:29:28 openvpn[73188]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 3 15:29:28 openvpn[73188]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 3 15:29:28 openvpn[73188]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Jan 3 15:29:28 openvpn[73188]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
    My settings are:
    auth-user-pass /etc/openvpn-password.txt; ca /etc/ca.crt; verb 3; route-nopull;
    What might this mean? Thank you ;D
  • Routing Public IP over vpn

    8
    0 Votes
    8 Posts
    3k Views
    P
    If there is some computer behind the pfSense at the remote site, then you can install something like TeamViewer on it. That will also find its way out from behind private address space. Then you can TeamViewer to that computer (VM or whatever) and open a browser there to access pfSense webGUI even when the OpenVPN is down/off.
  • Performance? iperf measurements representative of real world data?

    1
    0 Votes
    1 Posts
    797 Views
    No one has replied
  • TUN vs. TAP

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Pass username and password to the batch file for net use cmd

    1
    0 Votes
    1 Posts
    751 Views
    No one has replied
  • Issues with Client mode -> FrootVPN server

    3
    0 Votes
    3 Posts
    2k Views
    D
    I just finished writing up a quick set up guide on a local forum of ours, please feel free to check it out: http://mybroadband.co.za/vb/showthread.php/669041-Mini-Guide-Setup-free-VPN-(Froot-using-OpenVPN)-in-PfSense Seems to be working fine on my side.
  • Username @ User manager too short

    4
    0 Votes
    4 Posts
    1k Views
    jimp
    If you are using authentication against AD for OpenVPN, why do you touch the user manager? They do not need account entries there. Make certificates directly under System > Cert Manager on the Certificates tab. Ignore the user manager.
  • OVPN Restart on Heavy Load?

    2
    0 Votes
    2 Posts
    799 Views
    jimp
    In the advanced options for the gateways, adjust the latency thresholds higher so that they won't trigger so soon, and set the down time higher (30-60sec) https://doc.pfsense.org/index.php/Gateway_Settings#Advanced_Options
  • Feature Request:SoftEther VPN

    1
    0 Votes
    1 Posts
    927 Views
    No one has replied
  • Site2Site between two pfSenses - no response from Server

    11
    0 Votes
    11 Posts
    2k Views
    C
    As written, there is no Log on the server side … not one line (about this instance) OK ... problem found ;) I've set the server to the WAN-Interface ... but it has to listen to a virtual IP on this interface ... so it tried to bind to the main IP instead of the virtual IP address. I've changed the interface and one second later, the client was connected. Anyway ... many thanks for your inputs ... Kind regards
  • Openvpn WAN -> LAN1 and LAN2 -> LAN1

    2
    0 Votes
    2 Posts
    829 Views
    C
    Yes, you can open your openvpn-port (normally 1194) not only on the wan-interface, but on the lan2 interface too. Set the openvpn-server to listen on "any" interface.
  • 0 Votes
    3 Posts
    816 Views
    R
    Hi Heper! Thanks for the response. I looked at this great tutorial: https://forum.pfsense.org/index.php?topic=76015.0 The problem I had was that I was missing the NAT rules, did as suggested there and it all works great!
  • MOVED: pfSense 2.2 OVPN Problems

    Locked
    1
    0 Votes
    1 Posts
    547 Views
    No one has replied
  • Initial set-up of OpenVPN

    6
    0 Votes
    6 Posts
    2k Views
    M
    Problem #1 is your tunnel network is inside your LAN.
  • VPN, Connection/disconnection Notification

    2
    0 Votes
    2 Posts
    791 Views
    M
    I have not seen anything that shows pfSense can be configured to do so, but you can always dump to a syslog and implement filters to show you what you want to see.
  • VPN Pivoting

    2
    0 Votes
    2 Posts
    1k Views
    A
    bump
  • Link-mtu and tun-mtu warning logged every hour

    3
    0 Votes
    3 Posts
    15k Views
    G
    It is a client from pfSense up to an internet-VPN service.
    Advanced box: remote-random auth-user-pass persist-key persist-tun tls-client comp-lzo verb 1
    I have added link-mtu 1574;tun-mtu 1532; and restarted but I see the following in the log:
    openvpn[4644]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1542 10.12.0.22 10.12.0.21 init
    Thank you for your help
  • OpenVPN to management LAN

    7
    0 Votes
    7 Posts
    2k Views
    P
    You should be able to just add an Outbound NAT rule on LAN, source "the VPN tunnel network", destination LAN net, NAT to LAN address. The traffic from your client device should have a source IP in VPN tunnel network, so will match that NAT rule, be translated to LAN address, go to the switch/es and the switches can answer.
  • Mapping a network drive when vpn client connects

    6
    0 Votes
    6 Posts
    1k Views
    P
    It is a shame that Windows does not have a concept of adding a drive letter mapping for a share that is available system-wide ("net use /systemwide" command). It is happy to let an administrator define drive letters for the real partitions on the local disks, and those are seen by all users, so it couldn't be that difficult to allow the same for network shares.
  • Add New IP tunnel

    1
    0 Votes
    1 Posts
    767 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.