• OpenVPN keep alive?

    0 Votes
    6 Posts
    9k Views
    Do you run snort? I've found these instances and it typically happens when I use the TCP and TCP Strong/4096 configs, on an OpenVPN client PC, and the connection to PIA would drop.  On the regular IP config file, connection to PIA can and have lasted for weeks. I ask about snort because I'm noticing these alerts/blocks…which I believe may be related to a "keep alive" from the server or more likely, client side [?]  Please pardon my ignorance as a hobbyist. These are alerts/blocks from snort on the LAN side.
    209.222.18.222  53 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
    209.222.18.218  53 1:28039 INDICATOR-COMPROMISE Suspicious .pw dns query
    209.222.18.51  502 1:2018378 ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)
    Suppressing or even disabling these rules is easy enough, but I'd like to know what I'm disabling first.
  • Routes Between 2 OpenVPN Servers

    0 Votes
    2 Posts
    722 Views
    Add the tunnel subnet of the respectively other vpn server to the "Local Networks" of each server.
  • Bundled CPU performance

    0 Votes
    6 Posts
    2k Views
    @Pippin: with openvpn 2.4 and AES GCM on AES-NI hardware Even without AES-NI capable hardware it will improve I would think. It'll improve, but the difference won't be as dramatic as for the AES-NI hardware (because you're not replacing a software MAC with a hardware-assisted MAC, you're replacing one software MAC with a somewhat more efficient software MAC.) And really I'm using AES-NI as a more familiar shortcut here, the real differentiator is the PCLMULQDQ operations, which are only on CPUs with AES-NI, but there are AES-NI CPUs (like the avotons/rangeleys) which lack PCLMULQDQ and aren't as efficient for AES-GCM on an instructions-per-byte basis.
  • *SOLVED* Connect a Linux VPS to pfsense OpenVPN server *NOOB alert*

    0 Votes
    3 Posts
    1k Views
    It's working now, I can ping the vps, and reach it through 10.0.8.3 from my LAN :) Dunno what I did…just uploaded the config again, restarted, and suddenly it worked.
  • How to forbid Internet access to VPN users

    0 Votes
    4 Posts
    1k Views
    I already thought I could edit the firewall rules, indeed I've done the following:  first, a rule to allow any -> 192.168.0.0/16.  second, a rule to block any -> any. Like this, I can only access private resources but not the company's internet. But there's a problem, which is that, if I don't check "use this connection only for resources in its network" on the openvpn client (I'm using Ubuntu in this example), the connection to internet at my home is no longer working. I wonder if there's a way to enforce this, otherwise I must explain to every vpn user that they need to check this box in order not to receive a new gateway for their internet connection.
  • Plus how to install vpn vs wan bandwidth site to site

    0 Votes
    1 Post
    463 Views
    No one has replied
  • OpenVPN Specific IPs while excluding ports

    0 Votes
    1 Post
    576 Views
    No one has replied
  • Site 2 Site and multiple servers

    0 Votes
    2 Posts
    2k Views
    Set up a second vpn client to connect to the other server and add both client gateways to a gateway group.
  • OpenVPN client should use IPSEC tunnel

    0 Votes
    5 Posts
    951 Views
    Thanks a lot.
  • OpenVPN TLS packet handshake failed PFSense

    0 Votes
    1 Post
    917 Views
    No one has replied
  • OpenVPN LAN Issues (WAN is fine)

    0 Votes
    4 Posts
    1k Views
    Or I kind of see what you mean. (I think) My windows server 2012 is the dhcp server and it is on 255.255.255.0 subnet. I need to somehow change the subnet that my dhcp server is on (thus changing what it hands out to the clients)?
  • 0 Votes
    4 Posts
    2k Views
    Thanks for your suggestions. I'll look into both options (I don't use a Radius server today however).  every client might not be huge problem and worthwhile if it works. I don't think I can fix the authentication server though. AD is case insensitive by definition and design as far as I know, when it comes to user login names. "OpenVPN doesn't have a concept of names being case insensitive": But nevertheless, strict "User-CN Matching" does not bother about case, while common name matching in client overrides does, so in that sense it is not consistently handled it seems. Thanks!
  • Making Openvpn active everywhere but one IP

    0 Votes
    2 Posts
    585 Views
    put .200 & .201 in an alias
    rule1: PASS / proto: any src: myalias dst: any gw: WAN
    rule2: PASS / proto: any src: any dst: any gw: TGINTERFACE
  • PfSense as a Standalone OpenVPN Endpoint?

    0 Votes
    6 Posts
    2k Views
    Or you can just NAT packets from VPN to local subnet, that way you will not have a problem with asymmetrical routing, but, depending on number of VPN users and services they will access in your LAN, you can have from almost zero problems (for web services for ex.) to totally non-working (services which really don't like to be NATed, like SMB or NFS).
  • OpenVPN Failover Site-to-Site MultiWAN (CARP, VIP, Gatewaygroup)

    0 Votes
    6 Posts
    2k Views
    @Avides: That's what I am afraid of. Default Firewall Rule uses the gatewaygroup.
    That rule applies for outbound connections from clients on your LAN, not for the OpenVPN server, which resides on the firewall host itself.
    @Avides: What's the best way to solve that problem? Define a firewall rule with the Remote Subnets and no gateway set?
    I do not understand what you mean here.
    @Avides: Do I need to enable default gateway switching for that case?
    It doesn't failback, AFAIR. You can try to search the forum for some script solutions for your case, it is not unique. Also, you can just make a cron job to automatically reboot outpost firewalls every day.
  • What is difference between 1194/udp & 443/udp?

    0 Votes
    2 Posts
    3k Views
    Answering my own question. I had 2 OVPN servers, each with different port configs running. This didn't work for me.  Disabling one of the server configs allowed 443/udp to work very well on an iPhone over a cell connection. I haven't tried this yet from a wifi connection outside of my home.
  • Disconnects every 30min on the dot

    0 Votes
    15 Posts
    2k Views
    jimp
    Definitely a client error. Completely uninstall OpenVPN and the tap adapter from the client and then download the most recent release from the OpenVPN site and try that.
  • Restricting VPN user to accessing only a single ip

    0 Votes
    2 Posts
    1k Views
    Of course this is possible. pfSense is a firewall, that's its primary job. How to do it depends on whether you want to restrict access to a particular user or to all vpn users. If all users should be restricted, modify the default allow any to any rule on the OpenVPN interface (assuming you have used the wizard for setup) and change the destination to "single host or alias" and enter the host you want to permit access to for the vpn users. If you want to restrict only certain users, you have to configure client specific overrides first to assign static IPs to these users and then use these IPs as source in the firewall rules.
  • DNS Servers on other side of VPN tunnel?

    0 Votes
    2 Posts
    530 Views
    Nevermind. Found it. DHCP Service on that Interface lets you specify all that.
  • How To Route SSH Tunnel Traffic Through OpenVPN Client Gateway

    0 Votes
    4 Posts
    2k Views
    johnpoz
    My point was how you would access your machine would be via your normal wan IP from the public internet. I would not go through some vpn tunnel you have already set up with some vpn provider.. I would go direct to your wan IP.  But would just vpn in via a vpn server you run on pfsense not some client to some vpn service.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.