• How do I run a script before OpenVPN client connection is started?

    @ssbarnea: I need to generate the OTP user/pass needed for auth-user-pass on the OpenVPN client, and I need to run a script that saves these to a file before the connection attempt is made. How can I do this on pfSense (2.4.1)? PS. This needs to run on reconnects too. I was able to do this on Linux and even on Viscosity macOS clients, but I don't know how to do it on pfSense, preferably in such a way that these changes would not be lost on a system update. Update: as I was unable to find an answer, I ended up raising a bug at https://redmine.pfsense.org/issues/8122

    Have you tried using OpenVPN's auth-user-pass-verify parameter? From the manpage:

    --auth-user-pass-verify script method
    Require the client to provide a username/password (possibly in addition to a client certificate) for authentication. OpenVPN will execute script as a shell command to validate the username/password provided by the client. If method is set to "via-env", OpenVPN will call script with the environmental variables username and password set to the username/password strings provided by the client. Be aware that this method is insecure on some platforms which make the environment of a process publicly visible to other unprivileged processes. If method is set to "via-file", OpenVPN will write the username and password to the first two lines of a temporary file. The filename will be passed as an argument to script, and the file will be automatically deleted by OpenVPN after the script returns. The location of the temporary file is controlled by the --tmp-dir option, and will default to the current directory if unspecified. For security, consider setting --tmp-dir to a volatile storage medium such as /dev/shm (if available) to prevent the username/password file from touching the hard drive. The script should examine the username and password, returning a success exit code (0) if the client's authentication request is to be accepted, or a failure code (1) to reject the client.

    This directive is designed to enable a plugin-style interface for extending OpenVPN's authentication capabilities. To protect against a client passing a maliciously formed username or password string, the username string must consist only of these characters: alphanumeric, underbar ('_'), dash ('-'), dot ('.'), or at ('@'). The password string can consist of any printable characters except for CR or LF. Any illegal characters in either the username or password string will be converted to underbar ('_'). Care must be taken by any user-defined scripts to avoid creating a security vulnerability in the way that these strings are handled. Never use these strings in such a way that they might be escaped or evaluated by a shell interpreter. For a sample script that performs PAM authentication, see sample-scripts/auth-pam.pl in the OpenVPN source distribution.
  • OpenVPN to LAN subnet partially working

  •

    finally, latest test: I switched my pfSense 2.4.1 for a 2.3.3 and everything is working as expected with OpenVPN and UDP. My OpenVPN client acquires its IP from DHCP. So there is something wrong with my 2.4.1. I'll reinstall a 2.3.5 on my pfSense 2.4.1; we'll see.
  • OPENVPN Disconnect idle time

  • VPN to PFSense

    Ran into many other issues, but certainly not your one. :) Just as a note: you should see meaningful log messages at least on the pfSense side (I don't know the other device) by the time the reconnect should happen. Both sides should attempt the reconnect if so configured and give some hint on what is happening, especially if messages are missing.
  • Bridging with VLANS

  • Allow single IP through WAN instead of VPN

    I have a similar config; however, I am using AirVPN instead of PIA and it is working as it should. A single LAN rule should be sufficient. Make sure "Disable reply-to on WAN rules" is UNCHECKED in Advanced -> Firewall/NAT.
  • OpenVPN not masking users public IP (to the public IP of the gateway)

    You don't need to use TAP, TUN will work. When you set the VPN server as default gateway (redirect gateway) your public IP will be the WAN IP of the VPN server. Can you ping all the remote networks you want to be able to reach from your pfSense? Do the remote networks you want to reach use the pfSense as default gateway? Depending on your setup, you may hit your remote networks OK but they do not have a route back to your VPN client range.
  • Unable to import ovpn

    Thanks for the help. I figured out what was happening. I had another application (AntennaPod) on my phone that was registered to open .ovpn files. That was the application that was generating the error messages. I had to download the file, then import it from within OpenVPN Connect, instead of opening the file from my email.
  • Upgraded to Quad Core Atom E3845, PIA VPN Now Very Slow 2.4.1

    I have the same issue and the same device from Amazon that sheen73 has. I have a Gigabit connection; with PIA defaults I only get 40Mbps :( In the UI I changed the Send/Receive Buffer to 512K and UDP Fast I/O to true. My speed increased to 130Mbps… all my NICs support Gigabit.
  • Bridging via OPENVPN

    Solved by self! :( :) Each interface on the VMs must have Promiscuous Mode!
  • FreeNAS (with VPN) Jail not visible from VPN of pfSense

    @viragomann: Maybe not the best solution, but one that will work in your case: Add a source NAT rule to pfSense to translate your VPN IP to the pfSense LAN address. To do so, go to NAT > Outbound. If the NAT mode is set to automatic rule generation, set it to hybrid and save this setting. Then add a new rule: Interface: LAN; Source: <the VPN tunnel network>; Destination: <transmission jail IP>; Translation: Interface address. Enter a description and save it.

    This solution works! Thanks! ;)
  • OpenVPN Redirect To Another IP Address

    @viragomann: The source has to be 172.16.100.0/24 - LAN1 network.

    Ah yes, thank you for that. I can now ping 192.168.12.45 from LAN1 and it responds correctly. Now… how can I configure it so I can ping 172.168.1.45 from LAN1 or LAN2 and it routes to 192.168.12.45 in LAN2? I need this because I have more sites with 192.168.12.0/12 networks. Cheers, Mike.
  • OpenVPN on pfSense in Azure NATing issue

    bump. Any thoughts?
  • OpenVPN remote access server - interfaces and firewall rules

  • OpenVPN Access Server to pfSense

    Yesterday it was not working. But now OpenVPN AS connects to my pfSense. I'm afraid I do not understand how this works? >:( It is working by miracle. I do not remember what I changed in pfSense. Thanks everyone. Now I'll try to access my local PC from outside home. Please see the OpenVPN log in pfSense, and another question: where do I find (link-mtu : 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542')?

    Nov 18 10:07:33 openvpn 38877 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.3.14)
    Nov 18 10:07:33 openvpn 38877 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.3.14)
    Nov 18 10:07:33 openvpn 38877 Options error: option 'route-metric' cannot be used in this context ([PUSH-OPTIONS])
    Nov 18 10:07:33 openvpn 38877 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    Nov 18 10:07:33 openvpn 38877 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    Nov 18 10:07:33 openvpn 38877 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    Nov 18 10:07:33 openvpn 38877 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Nov 18 10:07:33 openvpn 38877 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Nov 18 10:07:33 openvpn 38877 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:18: register-dns (2.3.14)
    Nov 18 10:07:33 openvpn 38877 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:19: block-ipv6 (2.3.14)
    Nov 18 10:07:33 openvpn 38877 TUN/TAP device ovpnc3 exists previously, keep at program end
    Nov 18 10:07:33 openvpn 38877 TUN/TAP device /dev/tun3 opened
    Nov 18 10:07:33 openvpn 38877 ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
    Nov 18 10:07:33 openvpn 38877 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Nov 18 10:07:33 openvpn 38877 /sbin/ifconfig ovpnc3 10.128.0.3 10.128.0.1 mtu 1500 netmask 255.192.0.0 up
    Nov 18 10:07:33 openvpn 38877 /usr/local/sbin/ovpn-linkup ovpnc3 1500 1542 10.128.0.3 255.192.0.0 init
    Nov 18 10:07:38 openvpn 38877 Initialization Sequence Completed
  • 2.4 route to multiple 'local networks' with User Auth

    jimp: The local networks option is still there in 2.4. No need to do it with overrides. The only time the local networks option is hidden with that kind of setup is if you have set the option to redirect all traffic over the tunnel ("Force all client-generated traffic through the tunnel."), and in that case local networks are redundant because all of the user's traffic is already going over the tunnel, so sending a specific route for your other subnets is unnecessary.
  • Help with OpenVPN config for a site to site vpn config..

  • Outbound PIA, Inbound OVPN Server - how to get both working at same time?

    That is what "don't pull routes" does. You then have to set up rules on LAN to push devices and ports you want out the VPN interface.
  • iPhone & Android client recommendations?

    yep - the official OpenVPN Connect clients are solid… ugly, but solid!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.