Is your work LAN subnet really 192.168.1.0/24? Also, your tunnel network is fairly narrow (/29) which means it can only handle 6 clients max (depending on your topology)… even less if you switch to net30 .. is that what you wanted?  Although, you're not even getting that far, you're having handshake issues... so first... we'll need to see more of the log and second, were the client certs created upon user creation?  If not, that may be your issue.

I found the answer on a commercial vpn guide page. Basically I had to setup outbound nat rules to route the traffic.

i could go back to tomato but wanted to have a more secure setup on one end. thank you for your help anyway. was looking for a more stepbystep idea. i mentioned iptables just as a reference..

Anyone have any kind of feed back? Did I post this in the correct section of the forums?

@viragomann: That should be possible though. However, you have to care, that each client connects through the WAN gateway. So in the client settings of each check "Don't pull routes" to avoid that the server sets the default route. Now you have to control VPN traffic by firewall rules (policy routing) and each client should connect well. Thanks Viragomann!!! That worked.

I just upgraded to advanced tomato version. everything seems fine settings wise but still i need 3 certificates: CA, Client certificate and a Client key… when i do a export from pfsense i get just one certificate... how can i get the other ones?

if your telling the client go down the tunnel for EVERYTHING, there is little reason to have to send routes for your specific networks since EVERYTHING will be coming down the tunnel ;)

@ThePieMonster: haven't been able to find any guides on how to use Windows AD authentication with pfSense's OpenVPN Server. How much time have you spent searching? 0 secs? https://www.google.com/#q=pfsense+openvpn+radius+active+directory

Yes, the problem was, that I haven't created a certificate for the user itself, but used the VPN's CA… After the modifications everything goes well now. Thank you for your help and I wish you a happy new year!

Solution: we have to stop routing service

Got it to work.. The biggest problem I had was determining the correct external IPV6 address to use as I made it more complicated on myself as I did not have my cable modem in bridge mode. But, figured it out. Thanks again for trialing this so that I at least knew that it did work (or didn't have some sort of bug). Then I knew I just had to play around to get the right addressing and port forwarding. Awesome!

I saw this thread from 2013 and wonder if anyone has found a solution to syncing from iOS over OpenVPN to iTunes on the other side of the tunnel. Thanks…

@johnpoz: That really should have zero to do with it.. Is your remote client a member of your AD?  And you want it to register its vpn IP when it comes in via vpn? Yes this is a AD Member, as i say the same Device and Shrewsoft Client with IKE without any Problems only openvpn.

you guys were spot on! much appreciated !

@sos: I've reset my pfSense setup back to factory default, and just re-set up my openVPN server using the wizard, before setting any other services or firewall rules up. Glad to report that all is working, using my android phone and linux clients, via a 3G connection. As I carefully rebuild the rest of my configs, I'll keep checking functionality and may retrospectively be able to figure out what caused the issue in my case. Perhaps there was some stale firewall rule or state. Will report back if I find anything, but in the meantime, thanks for all the suggestions. Yesterday, I did the same: reset to factory defaults -> start new configuration with openvpn-server first and now it works ??? After setting up the ovpn-server, I reconfigured all (nat-)rules, snort, webproxy, vpn-clients, outgoing vpn-failover and wan-failover and did a connection test after every single step, without any errors. Now the configuration is exactly the same as before and openvpn-server is reachable. So I have no idea what the problem might have been.

you'd need to script a marcro to write the config (examples can be found in the wiki link i posted before) i posted some examples for someone who wished to change settings to captive-portal here: https://forum.pfsense.org/index.php?topic=121762.msg673072#msg673072 its not all that difficult but will need some experimenting.

We've been watching it. It's on pfSense 2.4 snapshots now and we're looking over what it's added that can be brought in. Already have a few good reports of speed improvement with AES-NI and AES-GCM in OpenVPN