Hi Marvosa, Here's the config: dev ovpns2 verb 1 dev-type tun tun-ipv6 dev-node /dev/tun2 writepid /var/run/openvpn_server2.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto tcp-server cipher AES-256-CBC auth SHA1 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown client-connect /usr/local/sbin/openvpn.attributes.sh client-disconnect /usr/local/sbin/openvpn.attributes.sh local xx.xx.xx.xx tls-server server 192.168.89.0 255.255.255.0 client-config-dir /var/etc/openvpn-csc/server2 username-as-common-name auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server2" via-env tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'router.domain.local' 1" lport 443 management /var/etc/openvpn/server2.sock unix max-clients 1 push "route 192.168.88.0 255.255.255.0" push "dhcp-option DOMAIN domain.local" push "dhcp-option DNS 192.168.88.3" push "dhcp-option DNS 8.8.8.8" ca /var/etc/openvpn/server2.ca cert /var/etc/openvpn/server2.cert key /var/etc/openvpn/server2.key dh /etc/dh-parameters.2048 tls-auth /var/etc/openvpn/server2.tls-auth 0 persist-remote-ip float topology subnet push "route 192.168.88.0 255.255.255.0" mute 10 comp-lzo

Hey, have you found a solution to your problem? Cause i have exactly the same trying to connect to VPN Service provider (nordvpn). thanks. kind regards,

You haven't described what connects to what in this setup. Is a Linux server acting as an OpenVPN server and other boxes connect as clients? Any Windows clients? How many boxes/connections are we talking about? Is it a full mesh setup? Have you designated a single server or other system as the "Keeper of the Certificates"? In general it shouldn't be too tough to migrate over to pfSense fairly seamlessly. Should be a matter of importing the required CA and (possibly a new) Cert for the pfSense OpenVPN server. Then it's a matter of copying in the settings from the existing config into a new OpenVPN server instance under pfSense. Personally, for one server, I would hand enter the settings from the old OpenVPN server's config into the pfSense GUI. Better error checking and less chance of something "odd" happening.

@dotdash: Try deleting the gateway under system, routing. Also check if it is assigned as an interface (interfaces, assign) Aaaand: it's gone. I just hit you with da karma stick, thank you  :-*

i think this boils down to the way OpenVPN is implemented in tomato. if i use a client from behind the tomato, i'm able to connect. if i use the same parameters, it connects but no traffic flows thro. ::) :o :o >:(

Theres one extra line in the vpn config with the problem = lport 0

@mark1210: unable to ping the server. The OpenVPN server? From where? Have you added proper firewall rules to the OpenVPN rule tab?

@PGalati: I was able to solve this scenario and soon hope to create a how-to to help others that specifically use pfsense and Tomato.  This link pushed me in the right direction: https://doc.pfsense.org/index.php/Why_won't_OpenVPN_push_routes Click on this link to get some additional info about the correct way to configure the openvpn server on pfsense: https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29 To the point, once I changed the pfsense openvpn server mode from Remote Access (SSL+User Auth) to Peer to Peer (SSL/TLS), made the appropriate adjustments on the Tomato side, I started getting ping responses from clients from the server side.  Our Cisco voip phones work both ways now too. Finally! Hi , i'm trying to do the same thing. can you please tell me what your tomato side config is? have you enabled TLS Authentication? did you enable Extra HMAC authorization (tls-auth)? i'm getting TLS Error: incoming packet authentication failed from [AF_INET]

If the interface you are pinging on the server isn't its primary interface, ensure the server has a valid route for return traffic on the interface that you are pinging. Examin "route print" on the server to see where traffic from your OpenVPN subnet will end up.

So, configure an implicit deny firewall rule and only allow what you want.

With Derelict on this - I can see zero reasons why your vpn used by your clients would need to use public CA certs..  The only time public certs need to be used is when you would have uses accessing it that need to trust the CA that you do not control their devices used to access and can not add your CA to their trust list.

HINT: Don't forget to reload / restart your OpenVPN server, after chancing CCD / User specific config.

I was able to fix my mOTP issue using pfsense 2.2.6, however I was able to replicate this issue of yours. Is it possible to upgrade freeradius2 version on a pfsense 2.2.6? Current version is freeradius2 1.6.19.

@Derelict: Then your dyndns isn't bring properly updated. Thanks,Derelict, it was something with the freeDns client update, I changed service to DuckDNS and now everything working smoothly.

Nothing obvious jumps out at me unfortunately. Any time I've had an OpenVPN tunnel blocking in one direction but not the other it's been a firewall rule issue on one of the two pfSense boxes or a firewall in one of the endpoint devices (you're not hitting a Windows firewall issue?) The only other thing different I see from my typical setups is the use of PSK, I typically use PKI. Perhaps you could try to rebuild the link with defined certificates for the server and client? Might be worth a shot to try something different instead of banging your head against the same thing expecting different results (been there…...)

Off course you may change the name of the interface. You have  also to add appropriate firewall rule to the new VPN servers interface. Maybe you just want an allow anything to any rule.

thanks bookmarked  :) really clear and useful guides

you mean for every user i must create Server Certificate  . i'm sorry i'm new to this You don't need a "Server Certificate" for every user, you need a ….. "User" certificate for every user. The general use of these SSL certificates needs: a Certificate of Authority (CA) usually created on the OpenVPN Server a Server Certificate created using the CA in 1) a User Certificate (NOT another Server Certificate) created using the CA in 1) Repeat 3 for as many users as you need. If you go into the Certificate Manager in pfSense you should be able to see all these pieces and verify that the OpenVPN Server cerificate is type "Server=YES" and the User certificate is type "Server=NO". As marvosa suggested, if this gets messed up from your various attempts it may be simpler to start clean and work through the steps. It really shouldn't be too tough to setup.