I ran into the same issue a while back and solved it using the instructions from the user Efonne in this post: https://forum.pfsense.org/index.php?topic=43507.msg225465#msg225465

@iorx: By using NAT on the the routed OpenVPN connection, all client OpenVPN clients will originate from the the same, accepted IP, address. It's a solution, but I would like to see that each client poses with a unique IP (They've got some medical software which backtracks the clients IP and connects back to the client) You can use outbound NAT to translate a whole subnet. So you can get a unique IP for each client as well. E.g. the VPN tunnel network is 10.10.10.224/27, outbound NAT can translate it to 1.1.1.224/27. To wit 10.10.10.228 will be translated to 1.1.1.228 , 10.10.10.229 to 1.1.1.229 and so on. What's the problem with this???

Yeah because those instructions are no longer valid.. Put in your username and password..  The username and password can be put in the gui now. I was just showing them because you have a username and password to auth with, etc. When you were saying you didn't have any.. PM me your username and password for torguard and I will walk through a setup giving you pictures, etc.  I would do this on my own if they had a free trail, but don't really feel like giving them my cc.. To be honest not really a big fan of any of these vpn sites.  I just run my own off vps I have all over the place.    Once I am done you can change your username and password, etc. Been here a long time, don't think I am going to try and do anything or steal your vpn account ;)  Just trying to help.. And sure clear instructions for 2.3.2 will be useful for the other users here as well.

no you can listen on port X on ipv4 and port X on ipv6.. I would assume as soon as openvpn 2.4 comes out of beta they will move to it..

In the OpenVPN server settings "inter-client communication" have to be checked to enable it. The GW-client should have a static IP. Use client specific overrides on server to set this up. On the GW-client you need a firewall rule on OpenVPN interface which allows Internet access. Also there is an outbound NAT rule necessary on WAN interface which translates the addresses from source = VPN tunnel subnet to the WAN address.

There is no reason to push more routes to the client with redirect gateway set. That option pushes a default route. 2.3.2_p1 on Firefox hides local networks when redirect gateway is set on both new and edit. What specific version and browser are you using.

You could renumber your 192.168.1.0/24 network They could renumber their 192.168.1.0/24 network They could exchange traffic with your 192.168.16.0/24 if they implement 1:1 NAT on the VPN but that would have to be done at their end. The best solution is for one of you to renumber off 192.168.1.0/24

What interests me is the OpenVPN connection site-to-site. In fact I attach firewall configurations of both the server (192.168.10.1) that the client (192.168.8.1).    

So this server accessing your friend is an access server? If it is check "Redirect gateway" in the server settings to direct any client traffic over vpn and add an outbound NAT rule for the vpn tunnel subnet. Firwall > NAT > Outbound. The outbound NAT has to be set to automatic or hybrid mode. In the NAT rule select WAN at interface, at source enter the vpn tunnel subnet and at translation "interface address".

Yes, I find it wierd behavior. But the device is otherwise good - and this has to be a one device environment. Asus AC-55U. It's got proper syslogging, good wifi and good 4G with antenna support. Compared to others, this is enterprisey. And comes with a OpenVPN -client built in. The specs with just one device is pretty unbeatable. I hate the NATtin though, and hope to find some obvious misconfiguration being the reason.

That is what happens on pfsense default "Allow all" policy and when the routing is properly done. So congratulations! To block the traffic I did: First I added one "quick" floating rule permiting my IP address to pass everything (like an antilock out rule to access the webgui). Secondly I  added another "quick"  floating rule bellow it to block all ipv4/6 traffic from all the subnets that have routes on the server, with every interface selected on this rule.  I did this using an alias with every subnet that I which to block. Thirdly, above the previous rule I created another  "quick" floating rule allowing only the desired subnets, or even single ips, to pass. All interfaces maintained their "allow all" rule. From the moment you add a floating "quick" rule to block it all, you are bound to use floating "quick" rules above the "block all" to permit access to anything you need communicating. That is how I did it.

my apologies. The latency was due to a faulty internal connection on my side, which coincided to the exact minute of testing the vpn. such is the life on IT Cheers

<= bump => Hopefully it's something obvious. My second attempt was with pfSense 2.3.2 (2 Nics, 1 assigned WAN, 1 assigned 'LAN') I have openvpn listening on the LAN adapter.  I have created a nat rule to allow vpn connections to the lan (WAN,UDP,,,WAN ADDRESS,1194,lan adapter ip, 1194)… however who shows wan adapater. I have setup other servers running OpenVPN (off an Ubuntu box) and the server logs are as I would expect (client IP shows). ==================================================================================================== Well if anyone stumbles upon this, here is what I did to fix this: *Automatic nat to manual nat *Removed WAN nat entries for my tunnel network (left lan... still need to validate traffic is going through my lan interface) *On Azure, create an inbound rule on NSG allowing my tunnel *On Azure, create a route table, tunnel next hop = pfsense (associate to the subnet)