• OPENVPN error: Address already in use
    0 Votes · 2 Posts · 2k Views
    jimp:
    That error is from the client, not pfSense. Something else is already using the address/port it wants. Also your Windows OpenVPN client is very out of date and vulnerable. Uninstall that and install the latest version. If you installed it from the client export package, update your export package and then export a new installer. Use the 2.4 installer if you can.
• Two VPNs between two branches with pfSense boxes
    0 Votes · 1 Post · 476 Views
    No one has replied
• Can't establish OpenVPN site-to-site tunnel
    0 Votes · 1 Post · 470 Views
    No one has replied
• Creating a Policy Route to Send All Traffic from Host Through OpenVPN
    0 Votes · 6 Posts · 2k Views
    V:
    @shetu: Another question - Does lan pc ip change to vpn subnet or not? My lan ip is 192.168.1.17. it is not changed. You mean the PC's IP?? That should be static and is not changed inside the LAN network. The outbound NAT rule you've added translates the address when packets go out the vpn interface. On the vpn server it is translated once more to the server's public IP. In the LAN rule you have permitted only the TCP protocol. Change this to TCP/UDP and configure the pc to use a public DNS server to avoid DNS leaks. DNS also requires UDP.
• Cleanly separate WiFi and LAN using OpenVPN
    0 Votes · 8 Posts · 2k Views
    johnpoz:
    What interface is that openvpn running on? In your client config what are you pointing them to in your export of the config? If you want your wifi clients to use the vpn, then it should be listening on your wifi interface of pfsense, and NOT your wan.. (attached: vpn.png, address.png)
• Requesting help with ubuntu 16.04 LTS OpenVPN 2.4 dual-stack server
    0 Votes · 6 Posts · 2k Views
    B:
    @johnpoz: "Openvpn supports ipv6 (arguably not very well), but since it does, I want to get it working, for the sake of getting it working." Not sure where you got that idea - I have openvpn on ipv6, even hand out ipv6 addresses to ipv4 clients..

    You said: @johnpoz: Borked config.. You would never use /65 on anything.. /64 would be the correct prefix for any network/transit in ipv6.

    The /65 wasn't my idea. It was from the "IPv6 in OpenVPN" wiki https://community.openvpn.net/openvpn/wiki/IPv6. I tried using the /65 because I couldn't get it to work with a /64, I think because the route created by openvpn for the tun0 conflicted with the default route for eth0. You say Openvpn supports ipv6. I'm not disputing that, but while the software may support ipv6, it's hard to argue that the documentation for using openvpn with ipv6 is not sorely lacking. The "Bridging and Routing" wiki https://community.openvpn.net/openvpn/wiki/BridgingAndRouting mentions that openvpn supports ipv6, but then only provides examples for ipv4. I got the client and server fully working for ipv4 and I was also able to get it to hand out an ipv6 address to the client, and the client and server can ping each other back and forth. However, I can't get the server to pass the ipv6 traffic. That's what I'm asking for help with. I'm asking here because if pfsense needs to be configured for it to work, where better to ask about that than here? Also, for the record, quite a few people on the openvpn forum and the openvpn-users email list have admitted that the documentation for ipv6 is lacking because ipv6 is not widely used, so I don't think I'm alone in holding that opinion.

    @johnpoz: Drawing is pretty much useless from a network perspective.. Where are your networks in use - let's see a logical layer 3 drawing. With networks and prefixes labelled.. You can obfuscate your ipv6 prefixes if you so desire..

    You said: @johnpoz: I asked you for a drawing before, I would highly suggest you draw up your network so you can easily work through this stuff and it makes it much easier to explain to someone trying to help you. Either break out the crayons and napkin or use one of the multitude of FREE options for drawing basic network diagrams.

    Good thing I didn't use my napkin and crayons… I gave you a drawing that depicts the configuration in a manner that anyone familiar with virtualization should understand. I also explained each network (modem / lan, pfsense 2.3.4 / lan and pfsense 2.4 beta / lan have separate /56 prefixes and the lans are /64 subnets). Aside from packets from all three networks being visible on the NIC, the networks are completely independent. I've been using this configuration for several years with no problems. I have used the modem lan exactly once, to enable port bridging. The only devices on this network are the pvr and stb. Both of the pfsense networks are minimally simple. They each have one wan and one lan interface. Both use dhcp, dhcpv6 with assisted RA and unbound. Snort is also running on pfsense 2.3.4. The wan interfaces have pd only, no address, because that is the only configuration the ISP supports. The lans have no subnets. The routing is all default. I haven't made any changes. I'm not going to post the prefixes. What information about the networks that would pertain to getting the openvpn server to work is missing or unclear?

    @johnpoz: Where is the vpn you're trying to put in play - is it site to site between your pfsense, is it road warrior to one of them? Is client from one of them? Site to site to some other location, etc.

    I should have been more clear about this. I want the server to be used to provide a local routed gateway for a single client as if I'm at home, for use when I'm away from home - not a site to site bridge (i.e., it should work the same as any other vpn privacy service).

    As I already explained, it's working for ipv4, but not for ipv6. I'm asking for help to sort out why it's not working for ipv6. I can post the client and server configs or whatever. Just let me know what is needed.
• Multiple PIA clients trouble
    0 Votes · 2 Posts · 856 Views
    H:
    Ok I finally found the solution. Disabling the squid proxy server was the fix. Must be a misconfiguration in squid. EDIT: I can now use squid also. In squid settings under "Transparent Proxy Settings" -> "Bypass Proxy for These Source IPs" I put in my vpn client IP addresses.
• 0 Votes · 3 Posts · 2k Views
    SipriusPT:
    So I have finally discovered the source of this problem. And I would like to share it with you, in case you encounter the same issue. Seems like one ISP was doing traffic shaping, and from what I have seen it seems like they are targeting UDP packets. I have not tested it to be sure because I have changed both UDP to TCP and also the port number to another non-official one. In Portugal I have tested this VPN with MEO, NOS and Vodafone, and the ISP that I am talking about belongs to Vodafone.
• Routing NTP traffic from PFsense through VPN.
    0 Votes · 6 Posts · 1k Views
    K:
    If setfib(1) was usable on pfSense and integrated into the GUI so that the FIBs could be managed easily, you could use them for policy routing, but only based on the destination addresses, which would be fine assuming the NTP peers are known and don't change. This would of course require integration with the OpenVPN start/stop events to properly hook the custom FIBs when appropriate.
• Routing Netflix Traffic Over US-based VPN
    0 Votes · 3 Posts · 2k Views
    M:
    Thanks for your reply - I'm thinking it's probably too much effort, interesting method though. Thanks for this!
• Can connect to VPN but can't access network
    0 Votes · 8 Posts · 5k Views
    T:
    So a bit confused still.. So you're using pfsense as just an openvpn server on what it counts as its WAN that is on rfc1918 space, ie this 192.168.0.175.. And you want to get to devices on 192.168.0/24. So you have this: internet - publicIP wan ispdevice lan 192.168.0.? --- your network 192.168.0/24 devices --- 192.168.0.175 wan pfsense. So here is a problem for sure, maybe not all of them but for sure this is going to be an issue. So you want to go to say 192.168.0.100, some computer on your network.. What is its gateway? I would assume your isp device, 192.168.0.1 let's call it.

    If an ISP modem is in bridge mode but normally has a network of 192.168.0.0/24, and the main network for pfSense is 192.168.0.0/24, will that cause problems? I can connect to VPN and get internet access and access a few machines on the network when connected remotely, but I can't access all machines and services on the LAN. For example there is a web application running on the LAN but I can't even ping it when connected via OpenVPN.
• Open vpn client down dns website and vpn server stop working
    0 Votes · 1 Post · 473 Views
    No one has replied
• Allow only user to export one's own utility
    Locked · 0 Votes · 2 Posts · 639 Views
    jimp:
    No. There have been many discussions about why not (tl;dr: It's not secure). Search around, you'll find them.
• Package Manager is not working properly after OpenVPN Configurations
    0 Votes · 3 Posts · 630 Views
    K:
    First of all thanks for the reply. I am using Server-Client Configurations. Package Manager was working properly before the configuration of OpenVPN. Can this be due to the VPN Certificate? If yes, then how can it be resolved?
• Some Web Sites only working through VPN and not with regular WAN
    0 Votes · 5 Posts · 977 Views
    C:
    So below is a screenshot of my DNS resolver with NordVPN. For the DNS in the general settings I have them exactly as the guide shows: the first DNS is not set to any interface and the second is set to the VPN interface. I did try assigning the DNS resolver to both the WAN and the NordVPN interface but it did not help. Is there anything else I am missing? Patrick (attached: DNS Setting.JPG)
• Remote User - Import public key
    0 Votes · 2 Posts · 697 Views
    jimp:
    Are you talking about a user for an SSL/TLS Remote Access or a site-to-site PSK OpenVPN tunnel? If it's for a remote access SSL/TLS setup then their certificate must be signed by your CA, what you're having them do is not compatible with how OpenVPN needs to work. They can't make their own self-signed certificate that will work with the VPN. Unfortunately, until pfSense 2.4 you can't have them make a CSR that can be signed by the pfSense VPN CA in the GUI, though you could maybe copy the CA cert+key somewhere and manually do it with openssl at the command line and then send them back the signed certificate. If they do a CSR and send you the CSR, you never see their key. That's an area we're working to improve in 2.4.
• Multiple Sites Routing with Site to Site and Road Warrior
    1 Vote · 22 Posts · 5k Views
    Derelict:
    I have already told you exactly what you need where. You do not need to push anything. You do not need iroutes. You just need to look at every site and put the networks you want to reach FROM THAT SITE ON THAT OPENVPN INSTANCE in IPv4 Remote Networks there. UDP is better for OpenVPN transport. You still have TCP on TCP connections inside the tunnel for guaranteed delivery where required. One writeup: http://sites.inka.de/bigred/devel/tcp-tcp.html
• 0 Votes · 4 Posts · 13k Views
    F:
    pfSense 2.3.x uses OpenVPN 2.3.x. pfSense 2.4.x (still in Beta) uses the newest OpenVPN, 2.4.x, and I've found that key renegotiation is much faster and smoother in the 2.4 version of OpenVPN, so I can't wait until pfSense 2.4.0 is ready to ship. At any rate, my thread was mostly about the Client configuration, but some directives apply to Server configuration as well. The most important directive to use is reneg-sec 0 to disable the timeout every 3600 seconds (1 hour). I've since disabled the reneg-bytes 1073741824 directive since it got to be annoying, since it still takes about 1 minute to renegotiate. I'm not sure if remote-cert-tls server applies to a server configuration (in fact, it may not). tl;dr: the most important directive to use is reneg-sec 0 to disable the key renegotiation timer. Re: your question about having to re-issue OpenVPN installers to all employees: I doubt it. It really depends on what you have in the employee configuration files. reneg-sec 0 in the server config should disable it for the connection unless your client configs have some other number set in reneg-sec.
• Can connect on iOS, not on Android or Mac?
    0 Votes · 6 Posts · 1k Views
    Derelict:
    It will be harder to track exporting the CA certificate to all your clients as LE evolves and changes it. Trust me. It's a BAD idea to use that as a VPN server certificate.
• Best "Consumer" routers for Site-to-Site VPN?
    0 Votes · 9 Posts · 2k Views
    J:
    @johnpoz: Why not just get your typical wifi router that supports 3rd party and put dd, openwrt on it and off you go? This is the other option I'm considering but it requires more config on my part. I'm looking for these routers to be as plug and play as possible as I don't live near most of my family members. I have a pfsense box with separate wifi setup at my parents' as you alluded to, but I did all the setup. I'm trying to make these setups as user friendly as possible for non-technical users. This way I can avoid as much troubleshooting of issues in the future.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.