Its a tun client. But I can access ressources through my VPN tunnel from external. I set the pull-noroute option and also disable gateway monitoring of the VPN interface. But it doesn't changed anything.

tcp dump was showing dns requests from the firewall where using the openvpn ip and across the networks their respective network address. Even though I had allowed bind to answer to the openvpn ip it still didn't work. There doesn't seem to be an option to let bind specifically listen on the openvpn interface, but even adding this by hand didn't work. I have now solved it by putting NAT on hybrid and forcing the lan ip to be used when requesting port 53 over the vpn. This works, but is not really elegant….

The best solution is probably OpenVPN assigned interfaces so you can put rules specific to each VPN endpoint on their own firewall rules tabs. You could just block source any dest LAN net and dest This firewall (self). Otherwise you probably want to block traffic from both the tunnel endpoint (in case they assign an interface and outbound NAT) so that would have to be static in a CSO, and the remote network(s), in both cases with destination LAN net and probably This firewall (self).

as there are no GCM cyphers available in the current implementation of openvpn, the performance gain is minimal. its confirmed to be in openvpn-2.4, no clue when that will be released. https://community.openvpn.net/openvpn/ticket/301 openvpn uses the openssl library, that library automagically uses aes-ni if available. https://forum.pfsense.org/index.php?topic=94553.0

I've decided to create a second VPN for users that need to connect from a device not owned by our company, and therefore not controlled by our security apps. This VPN uses udp/1195 There are a couple of places this can be problematic certificate wise. I would suggest that the 2nd OpenVPN server needs it's own certificate. As long as the new Cert. is created using the same CA used for the first server, you should be OK with your current setup. You may need to enable "Allow Duplicate-cn" if you're trying to connect to both servers using the same client (that may or may not sense in your setup). You might want to go so far as to create a new CA as well as a new server Cert for the second instance. If you do, you'll need dedicated client certs for the 2nd server. In many scenarios, that's a good thing (if only for enforcing separation of who's connecting and from where).

I cant be bothered to read a zillion lines of text. assign an interface to ovpn if you havent already. activate route-no-pull checkbox. If the checkbox is not there due to the ancient release you are running: enter it in adv field. If 1&2 dont help then post a screenshot of the routing table. Veel plezier.  ;)

Maybe its just me but so are you vpn into a dod facility here? How is a cert, and user name and password not enough?  Is your goal to discourage use of the vpn?  Then sure add as many hoops you want to actually get in and do some work.. So for someone to get into your vpn with a typical 2 factor setup they need the cert (so device cert installed on) and the username and password.  Now you want to also have 3 method… That do be honest just another link in the chain that can fail.. There is security, and then there is just making something so difficult to use that users don't use it or they find ways to bypass it... Which defeats the purpose of the security in the first place.  Screw vpn into work on my files, I will just take them with me so I don't have to jump through the ring of fire to get to my stuff..

We found the solution. The websockets didn't have a route back to the AWS instance after the initial request was made.  To solve this we added the appropriate CIDR to IPv4 Remote Networks (tunnel Settings under the OpenVPN Client).

what about the widget on the dashboard?  What exactly are you looking to monitor about vpn users? [image: openvpnwidget.png] [image: openvpnwidget.png_thumb]

I forgot to say, that it works now with the config from Tutorial 2. This is the tutorial from pfsense  ;) https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

ok … thanks for the info. I also thought about the fact that pfSense is not my default gateway. Because its currently "only" a test, I do not want to modify anything on the current LIVE environment. At the moment, only a Broadband connection with about 6MBit is dirrectly attached to pfSense. Our main broadband connection at the moment with 50 MBit will stay also in future as our main, but then also directly attached to pfSense. Plan is to have the 6Mbit as Fallback. With this planned environment, pfSense will become the default gateway ... ;-) Regards Torsten

I run udp 1194 and tcp 443..  443 is going to be open if they allow internet access ;)  While it also allows you to bounce the vpn connection off a proxy if they are doing that too. It might not be the place blocks udp 1194 on purpose, they might just be allowing the known ports for typical internet access.  So maybe they only allow dns, http/https, etc.. Try your udp connection, if doesn't work then just fall back to tcp over 443.

My toughts exactly - Clean sheets with backup. Cheers mate.

Just for the records: after rebooting the box the VPN works now. Thanks all for their help!

Sure, ctrl-click the auth servers on the server config and it will try them in the order it shows in the list.

I have the same issue with the VPN. And same config. Can you recommend the VPN provider?

You must have missed the direction on that page that tells you to create the file. From their page: Execute the following: echo "username" > /etc/openvpn-passwd.txt; echo "password" >> /etc/openvpn-passwd.txt Though on pfSense 2.2.x you don't need to do that or use their "auth-user-pass /etc/openvpn-password.txt;" line in advanced options. If you fill in the username/password boxes in the pfSense GUI, omit both of those things: don't make that /etc/openvpn-passwd.txt file and remove that auth-user-pass line from advanced options.

Use the viscosity client if you don't want to run as admin on windows.  https://www.sparklabs.com/viscosity/ Its not free..