• Bundled CPU performance

    6
    0 Votes
    6 Posts
    2k Views
    V
    @Pippin: with openvpn 2.4 and AES GCM on AES-NI hardware Even without AES-NI capable hardware it will improve I would think. It'll improve, but the difference won't be as dramatic as for the AES-NI hardware (because you're not replacing a software MAC with a hardware-assisted MAC, you're replacing one software MAC with a somewhat more efficient software MAC.) And really I'm using AES-NI as a more familiar shortcut here, the real differentiator is the PCLMULQDQ operations, which are only on CPUs with AES-NI, but there are AES-NI CPUs (like the avotons/rangeleys) which lack PCLMULQDQ and aren't as efficient for AES-GCM on an instructions-per-byte basis.
  • *SOLVED* Connect a Linux VPS to pfsense OpenVPN server *NOOB alert*

    3
    0 Votes
    3 Posts
    1k Views
    T
    It's working now, I can ping the vps, and reach it through 10.0.8.3 from my LAN :) Dunno what I did…just uploaded the config again, restarted, and suddenly it worked.
  • How to forbid Internet access to VPN users

    4
    0 Votes
    4 Posts
    1k Views
    K
    I already thought I could edit the firewall rules, indeed I've done the following:  first, a rule to allow any -> 192.168.0.0/16.  second, a rule to block any -> any. Like this, I can only access private resources but not the company's internet. But there's a problem, which is that, if I don't check "use this connection only for resources in its network" on the openvpn client (I'm using Ubuntu in this example), the connection to internet at my home is no longer working. I wonder if there's a way to enforce this, otherwise I must explain to every VPN user that they need to check this box in order not to receive a new gateway for their internet connection.
  • Plus how to install vpn vs wan bandwidth site to site

    1
    0 Votes
    1 Posts
    463 Views
    No one has replied
  • OpenVPN Specific IPs while excluding ports

    1
    0 Votes
    1 Posts
    589 Views
    No one has replied
  • Site 2 Site and multiple servers

    2
    0 Votes
    2 Posts
    2k Views
    V
    Set up a second vpn client to connect to the other server and add both client gateways to a gateway group.
  • OpenVPN client should use IPSEC tunnel

    5
    0 Votes
    5 Posts
    991 Views
    S
    Thanks a lot.
  • OpenVPN TLS packet handshake failed PFSense

    1
    0 Votes
    1 Posts
    926 Views
    No one has replied
  • OpenVPN LAN Issues (WAN is fine)

    4
    0 Votes
    4 Posts
    1k Views
    ?
    Or I kind of see what you mean. (I think) My windows server 2012 is the dhcp server and it is on 255.255.255.0 subnet. I need to somehow change the subnet that my dhcp server is on (thus changing what it hands out to the clients)?
  • 0 Votes
    4 Posts
    3k Views
    L
    Thanks for your suggestions. I'll look into both options (I don't use a Radius server today however).  every client might not be huge problem and worthwhile if it works. I don't think I can fix the authentication server though. AD is case insensitive by definition and design as far as I know, when it comes to user login names. "OpenVPN doesn't have a concept of names being case insensitive": But nevertheless, strict "User-CN Matching" does not bother about case, while common name matching in client overrides does, so in that sense it is not consistently handled it seems.. Thanks!
  • Making Openvpn active everywhere but one IP

    2
    0 Votes
    2 Posts
    604 Views
    H
    put .200 & .201 in an alias
    rule1: PASS / proto: any src: myalias dst: any gw: WAN
    rule2: PASS / proto: any src: any dst: any gw: TGINTERFACE
  • PfSense as a Standalone OpenVPN Endpoint?

    6
    0 Votes
    6 Posts
    2k Views
    S
    Or you can just NAT packets from VPN to local subnet, that way you will not have a problem with asymmetrical routing, but, depending on number of VPN users and services they will access in your LAN, you can have from almost zero problems (for web services for ex.) to totally non-working (services which really don't like to be NATed, like SMB or NFS).
  • OpenVPN Failover Site-to-Site MultiWAN (CARP, VIP, Gatewaygroup)

    6
    0 Votes
    6 Posts
    2k Views
    S
    @Avides: That's what I am afraid of. Default Firewall Rule uses the gatewaygroup. That rule applies for outbound connections from clients on your LAN, not for OpenVPN server which resides on firewall host itself. @Avides: What's the best way to solve that problem? Define a firewall rule with the Remote Subnets and no gateway set? I do not understand what you mean here. @Avides: Do I need to enable default gateway switching for that case? It doesn't failback, AFAIR. You can try to search forum for some script solutions for your case, it is not unique. Also, you can just make a cron job to automatically reboot outpost firewalls every day.
  • What is difference between 1194/udp & 443/udp?

    2
    0 Votes
    2 Posts
    3k Views
    J
    Answering my own question. I had 2 OVPN servers, each with different port configs running. This didn't work for me.  Disabling one of the server configs allowed 443/udp to work very well on an iPhone over a cell connection. I haven't tried this yet from a wifi connection outside of my home.
  • Disconnects every 30min on the dot

    15
    0 Votes
    15 Posts
    2k Views
    jimpJ
    Definitely a client error. Completely uninstall OpenVPN and the tap adapter from the client and then download the most recent release from the OpenVPN site and try that.
  • Restricting VPN user to accessing only a single ip

    2
    0 Votes
    2 Posts
    1k Views
    V
    Of course this is possible. pfSense is a firewall, that's its primary job. How to do it depends on whether you want to restrict access to a particular user or to all vpn users. If all users should be restricted modify the default allow any to any rule on OpenVPN interface (assuming you have used the wizard for setup) and change the destination to "single host or alias" and enter the host you want to permit access to the vpn users. If you want to restrict only certain users you have to configure client specific overrides at first to assign static IPs to these users and then use these IPs as source in the firewall rules.
  • DNS Servers on other side of VPN tunnel?

    2
    0 Votes
    2 Posts
    535 Views
    D
    Nevermind. Found it. DHCP Service on that Interface lets you specify all that.
  • How To Route SSH Tunnel Traffic Through OpenVPN Client Gateway

    4
    0 Votes
    4 Posts
    2k Views
    johnpozJ
    My point was how you would access your machine would be via your normal wan IP from the public internet. I would not go through some vpn tunnel you have already set up with some vpn provider.. I would go direct to your wan IP.  But would just vpn in via a vpn server you run on pfsense not some client to some vpn service.
  • OpenVPN conflicting with local network connection

    4
    0 Votes
    4 Posts
    1k Views
    T
    I ran into the same issue a while back and solved it using the instructions from the user Efonne in this post: https://forum.pfsense.org/index.php?topic=43507.msg225465#msg225465
  • Single interface Bridged OpenVPN server

    4
    0 Votes
    4 Posts
    3k Views
    V
    @iorx: By using NAT on the routed OpenVPN connection, all OpenVPN clients will originate from the same, accepted IP address. It's a solution, but I would like to see that each client poses with a unique IP (They've got some medical software which backtracks the client's IP and connects back to the client) You can use outbound NAT to translate a whole subnet. So you can get a unique IP for each client as well. E.g. the VPN tunnel network is 10.10.10.224/27, outbound NAT can translate it to 1.1.1.224/27. To wit 10.10.10.228 will be translated to 1.1.1.228, 10.10.10.229 to 1.1.1.229 and so on. What's the problem with this???
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.