For anyone wondering what to copy-paste into this field, its the key mentioned in this section of the pfbook Click Save. Click pencil to edit the new server instance Find the TLS Authentication box Select all of the text inside Copy the text to the clipboard Save this to a file or paste it into a text editor such as Notepad temporarily The book never mentions when to use this key, but this is the one to put on the client TLS Authentication and not those that we exported from the certificates management. cheers

The AES-NI checkbox in the GUI enables AES-NI for AES 128/192/256 CBC via cryptodev. That means that for each block of data to encrypt, the openssl library will issue an ioctl to send that block to the kernel, suffering a context switch penalty. Since the computation being performed is exactly the same as what openssl would do without cryptodev (and in that case, without the context switch) it is necessarily slower; there is no advantage at all in enabling AES-NI via cryptodev. You do not see a penalty for GCM modes because those are not implemented in cryptodev and so openssl continues to use its internal routines. So why does the AES-NI kernel module exist at all? If you are using ipsec, which does all of its encryption in the kernel, then you need the AES-NI kernel module to let the ipsec module to use AES-NI–and in that case it's a performance gain because everything is happening in-kernel. Ideally, pfsense would enable a configuration in which you can load aesni.ko for ipsec without loading cryptodev, so you can get the benefits without the drawbacks. So when would you ever want cryptodev? The /dev/crypto interface is only worth using with external crypto processors, like the old via padlock or the hifn cards (though you're generally much better off just throwing out such hardware and buying something new if you care at all about crypto performance; the crypto accelerator on the old alix boards, for example, was about as fast as a new raspberry pi or an APU1 without hardware crypto, and an order of magnitude slower than an APU2). In theory it might also have a benefit for quick assist, but I think that's implemented in openssl in a way that avoids using /dev/crypto. There's been speculation over the years that cryptodev might help improve cpu utilization, but I haven't seen results on modern hardware where any speculative gain outweighs the performance penalty of the context switching overhead.

Partial work around or fix depend on your use case: If you have another physical NIC, assign it as an interface and make it active then bridge this new interface to your OpenVPN interface, then physically connect it to a switch port in your network that has been correctly set with with the PVID of the VLAN your trying to connect to. Remembering to add a FW rule for this interface to allow traffic. You can test correct set-up by temporary setting your new interface to DHCP (it should be assigned an IP from your range in your VLAN) Now when using  your OpenVPN client you are bridged in and can access the subnet and GW, and in our case upstream IPSEC connections. Where it falls short is the new interface is treated as a WAN, when enabling "Redirect Gateway" packet exiting are not being NAT'ed when they exit the GW I looked at outbound NAT but it appears to be not affecting it.

@jimp: There is not enough information to say. Is pfSense the OpenVPN client? Or server? Is x.x.x.x an IP address on pfSense, or a remote system? How is the OpenVPN instance configured (which interface is it using, etc)? pfSense is the OpenVPN server, x.x.x.x is the WAN address of pfSense. OpenVPN is configured on the WAN interface. Since originally starting this thread, I've made configuration changes, probably correcting errors.  Now OpenVPN seems to be working correctly and I have not been able to duplicate the condition about which I originally posted.

I'm not an expert and am just winging it, but here goes Export your signing, server and user certificates. Export users if you can. Import them on the new router. I don't know if you can export an openvpn config. If not, copy down the settings for each and recreate them on the new router. add firewall entries. Or, recreate new certificates and servers and users on the new router. I just did it for two openvpn servers and 6 users. t took about an hour including the time I needed to remember how to do it. Use the wizards. Pass out new config files.

Pfff that's hard to read, can't you give a screenshot? Also not knowing your topology (what alias or description is representing what?) isn't helping either  ::) Anyway, at first glance I see here 4 rules where you exit all traffic directly to a gateway (that means without using the route table) and the last one has no filter (source). IPv4 *  Bxbox IP  *  *  *  WAN_DHCP  none      Bypass IPvanish Bxbox IPv4 *  WiiU  *  *  *  WAN_DHCP  none      Bypass IPvanish WiiU      IPv4 *  FilesPlayOn  *  *  *  WAN_DHCP  none      Bypass IPvanish FilesPlayOn IPv4 *  *  *  *  *  IPVANISH_VPNV4  none      Route Lan Traffic through IPVANISH As you cannot set an openvpn as a gateway (iirc), this isn't the s2s-vpn we are talking about (?). So my first guess would be that your icmp would also match that last rule, and would be sent to that gateway? If these assumptions are correct, you could simply add an entry (before that line "Route Lan Traffic through IPVANISH") where you allow LAN subnet (or even more filtered) to the remote subnet and don't specifiy a gateway (so you'll be using the route table)….

You need outbound NAT rules that match whatever the tunnel network is on the VPN the clients connect to. No idea from the screen shots if that is the case. The comments there say "LAN" https://doc.pfsense.org/index.php/Outbound_NAT You can determine if you are having a DNS issue by pinging something by IP address. https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

Thanks. I got it to work using the latest OpenVPN installer (in place of the PFsense downloaded client) and using the TAP driver installer. I'm pretty sure I had it connecting correctly running as a user, but when I uninstalled/deleted all software and did a reinstall (to ensure I have a working method for client installations) it will only get routes when running as an admin. Anyway this is an OpenVPN problem so I will use their forums for troubleshooting. Thanks for the help.

Okay I've solved my issue thanks to packet capture. My configurations that I posted were perfectly fine and that was the answer I was looking for but instead of getting that help people wanted to play semantics with my words which was completely irrelevant of the question that I asked. In any case I am good now and for anyone trying to set up an Out of Band Management network please follow the configurations that I've posted because they work.

Thanks for the explanation, Clients don't use ns-cert-type server but they have remote-cert-tls server. As OpenVPN server is working just fine even with this "Server: No" certificate, I'll keep it but in the mean time I'm a bit less ignorant now :)

Fixed or worked around.. They are completely different ;) Source natting would not be a fix to me..  That would be a work around.  To me the proper fix for your issues would be correctly setting the firewall rules on your devices to accept the traffic you want to accept.  Or make the choice that devices on network X behind pfsense do not need a software firewall because they trust all the devices on their same network, and devices that are hostile or not trusted are firewall at pfsense. To a nas.  it should have a gateway set if that was your issue.  Or if firewall - same thing goes.  Tricking something into thinking a connection is from the same local lan as it to get around firewall rules and or lack of gateway is a work around if you ask me. Either way glad I could be of help, but if you went the source nat method.  I would would evaluate if that is the best long term fix vs stop gap workaround until proper setup can be used, etc.

@semprini: I was under the impression that username + password + cert = successful login, and username + password + wrong-cert = failed login. Got to the server settings and check "Strict User-CN Matching". Then it should behave the way you want.

As Jimp suggested Im gonna post logs and related data on the thread I previouosly opened for this: https://forum.pfsense.org/index.php?topic=116670.0 Thx

Good catch on the 172.168 helper!!!  I missed that.

@marvosa: … per your screen shots... you currently do not have any clients to export.  You will see client configs available for export after you've added users to PFsense (System -> User Manager -> Users). [image: 5.png] [image: 5.png_thumb]

Hi viragomann, Thanks for your reply. It works, there are no DNS leaks anymore :) !