• 0 Votes
    4 Posts
    910 Views
    S
    You guys were spot on! Much appreciated!
  • Passing certain devices on lan straight out bypassing openvpn

    1
    0 Votes
    1 Posts
    280 Views
    No one has replied
  • Can't connect to my own OpenVPN server now

    25
    0 Votes
    25 Posts
    10k Views
    H
    @sos: I've reset my pfSense setup back to factory default, and just re-set up my openVPN server using the wizard, before setting any other services or firewall rules up. Glad to report that all is working, using my android phone and linux clients, via a 3G connection. As I carefully rebuild the rest of my configs, I'll keep checking functionality and may retrospectively be able to figure out what caused the issue in my case. Perhaps there was some stale firewall rule or state. Will report back if I find anything, but in the meantime, thanks for all the suggestions.
    Yesterday, I did the same: reset to factory defaults -> start new configuration with openvpn-server first and now it works ??? After setting up the ovpn-server, I reconfigured all (nat-)rules, snort, webproxy, vpn-clients, outgoing vpn-failover and wan-failover and did a connection test after every single step, without any errors. Now the configuration is exactly the same as before and openvpn-server is reachable. So I have no idea what the problem might have been.
  • OpenVPN Commands

    4
    0 Votes
    4 Posts
    1k Views
    H
    You'd need to script a macro to write the config (examples can be found in the wiki link I posted before). I posted some examples for someone who wished to change settings to captive-portal here: https://forum.pfsense.org/index.php?topic=121762.msg673072#msg673072 It's not all that difficult but will need some experimenting.
  • OpenVPN 2.4 released

    2
    0 Votes
    2 Posts
    1k Views
    jimp
    We've been watching it. It's on pfSense 2.4 snapshots now and we're looking over what it's added that can be brought in. Already have a few good reports of speed improvement with AES-NI and AES-GCM in OpenVPN.
  • Prefer running openvpn server as non root user

    7
    0 Votes
    7 Posts
    2k Views
    jimp
    It runs as root because otherwise it can't fully manipulate the routing table or take all of the actions expected by up/down scripts. We do plan on working around this in the future but it is still a way off. If you are worried about OpenVPN running open to the world, use a TLS key to protect OpenVPN (you might already be doing this).
  • OpenVPN Server Remote Access issues

    2
    0 Votes
    2 Posts
    1k Views
    B
    For some reason the wizard created a user cert, not a server cert, on the first pass.  I went through the wizard a second time and it created the server cert the second time.  That was what was missing.
  • Bind OpenVPN to a specific upstream gateway (Multi-WAN)

    2
    0 Votes
    2 Posts
    1k Views
    M
    You need to use policy based routing for that, but first, you need to create new interfaces and bind your tunnels to those interfaces: Interfaces -> (assign). Once that is done, it will create new gateways which can then be used in your LAN firewall rules. For example, if you want a client with an IP of 10.0.0.1 to be routed over a certain interface, you'd create a new LAN rule above your any/any, change the source to 10.0.0.1: [image: 2017-01-01%2011_26_13-pfsense.gilbert.home%20-%20Firewall_%20Rules_%20Edit_zpshbibdsy0.png] then in the "Extra Options" section, click the "Display Advanced" button, scroll down to the bottom and change the Gateway: [image: 2017-01-01%2011_29_43-pfsense.gilbert.home%20-%20Firewall_%20Rules_%20Edit_zpsc1ttifpn.png] Now all internet traffic sourced from 10.0.0.1 will be routed over the tunnel assigned to that particular gateway. *** The one gotcha that I've read is that you need to bounce the tunnels after the interfaces are assigned or traffic will not be routed properly.  So, Status -> Services and restart the service for each tunnel you assigned to your interfaces***
  • VPN "Peer-to-Peer" and "Remote Access"

    4
    0 Votes
    4 Posts
    4k Views
    M
    OP, this is a common question.  The others have already mentioned it, but at a high level, what you have to do is:
    - Push the LAN subnet of site B to your remote access clients on site A
    - Add a return route for site A's remote access tunnel network to site B's side of the site-to-site tunnel… i.e. if site A's tunnel network is 10.0.0.0/24, you would add 10.0.0.0/24 to the IPv4 Remote network(s) field in site B's config.
  • Traffic not flowing through openvpn connection

    3
    0 Votes
    3 Posts
    631 Views
    M
    nvdstruis, the "redirect-gateway def1" directive is the equivalent of the following option in the GUI: [image: 2016-12-31%2005_37_02-pfsense.gilbert.home%20-%20VPN_%20OpenVPN_%20Servers_%20Edit_zpsaxbi9pdk.png] You will find it in your OpenVPN config under the Tunnel Settings section.
  • Site-to-site not working

    3
    0 Votes
    3 Posts
    1k Views
    M
    nvdstruis, it's a site-to-site tunnel, so that setting is moot. mrgenie, post your server1.conf and client1.conf. Also, post a network map, so we can visualize how things are connected and what subnets are where.
  • NordVPN and PfSense forcing all traffic

    5
    0 Votes
    5 Posts
    3k Views
    W
    It's working fine for me still. I've removed all single rules and have LAN subnet working. I also have multiple vpns up and running so I can funnel torrents down a specific one
  • OpenVPN tap can connect to all LAN except the firewall itself

    2
    0 Votes
    2 Posts
    783 Views
    C
    I have both tap and tun servers. I used tap until I found out tun could do most of the same things if configured properly. My tap guide was similar to the one you linked to. If you can get to the lan (for example in file explorer \my_file_server) then you should be able to get to the router. Try 192.168.1.1 from a browser window.
    I have two tun servers. 1 is for private browsing only over public wifi. It uses an auto logon file for convenience. The 2nd uses 2 passwords and a different user id. In both cases, the certs must match the user id.  The user id is not obvious because I renamed files in the config directory. The idea for the 2nd one is that the lan should be harder to get to just in case.
    Tap is more full service but tun does the job and is easier to set up. The lan oriented tun server config is the same except for a couple of settings on the main server page. I used the wizard because it provides all the detail work automatically.
    Edit: the tap guide I used. It worked. https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/
    For tun:
    - Uncheck redirect gateway
    - Enter the local network into the box
    - Recheck redirect gateway (this allows you to access the lan and route through the home network)
    - Check enable netbios over tcp/ip
    - For node type I have p - I'm not quite sure what it does but things worked better with this setting.
    - I also added dns servers and checked force dns cache update
    Accessing lan resources differs a little too. With tap it's \my_file_server in file explorer. With tun it's \192.168.1.156 for example. At least for me.
    One big difference is that tap will not work with android without the google play app which allows it. The cost is about $10. It works great.
    Remote desktop over the local lan works perfectly with both tap and tun.
  • Ping work on both client and server subnet, but i can't ssh any server

    12
    0 Votes
    12 Posts
    2k Views
    johnpoz
    There are plenty of people running pfsense on xen. If I recall there might be some issues with offloading checksums?  Pretty sure there is a sticky on pfsense on xen.
  • Need some help with NordVPN settings

    5
    0 Votes
    5 Posts
    5k Views
    H
    I was having the same difficulties trying to get pfSense working with NordVPN; the NordVPN guide is not that helpful! After a lot of searching I found a video on YouTube by a guy called VMNerd.  This guy has produced an outstanding tutorial (based on the PIA VPN service) that helped me set up my system perfectly; you just need to download the certificates and get the DNS Server IPs from the NordVPN website: https://www.youtube.com/watch?v=ybcc-OBi7kQ
  • Client specific override with external authentication

    2
    0 Votes
    2 Posts
    636 Views
    jimp
    It uses the auth username as the common name for overrides. The usernames are case sensitive, so make sure the user is typing it in all lower case or that you have an override set matching the case of the username.
  • How do I import a .OVPN file

    Locked
    8
    0 Votes
    8 Posts
    12k Views
    jimp
    No.
  • Open VPN Site to Site working, but?

    7
    0 Votes
    7 Posts
    1k Views
    M
    @Derelict: Just set the local and remote networks. Let pfSense do all the route / route push config.
    Thanks, I found those options when I chose SSL/TLS instead of SSL/TLS+Remote Auth.
  • Upgrade from PIA128aes to something more secure

    4
    0 Votes
    4 Posts
    823 Views
    C
    @someuser123: you can just change your setting by using, AES-256-CBC SHA-256 on port 1197 using PIA Strong Certificate https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip
    Got it! Thanks!
  • OPEN VPN CLIENT STATIC IP (SPECIFIC CLIENT OVER RIDES)

    1
    0 Votes
    1 Posts
    522 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.