A server certificate has this attribute:

Netscape Cert Type:
                SSL Server

The following extensions are non standard, Netscape specific and largely obsolete. Their use in new applications is discouraged.

idk.

See Also: man x509v3_config

I am not 100% sure exactly what needs that to be present, but it's not pfSense. Maybe strongswan and openvpn.

You will probably find it easier to keep the certificates on pfSense so you can use the client export utility but there is no requirement to do so.

You do have to have the CA certificate installed on the firewall so openvpn can validate client certificates against it but you don't need the private key there unless you are going to generate/sign client certificates there.

You will need to import the certificate and key parts as the server cert but they do not have to be generated on pfSense.

Fixed it, I had an old firewall rule from something I was experimenting with that was messing it all up. Works great as you suggested I configure it, thank you!

If anyone's interested I was able to figure out the DNS leak issue and patch it by reading this thread: https://forum.pfsense.org/index.php?topic=66305.15

Pfsense 2.3.2-p1

@jimp:

It shouldn't matter if you stopped/killed it. When you delete a client it is automatically stopped and removed.

So nothing shows up at all under VPN > OpenVPN on the Clients tab now? There has to be something there or the status page couldn't see an entry to print in that way.

VPN > OpenVPN > Clients is compleltly empyt no clients there. I will take a closer look when I get home.

Thanks for the support!
After your advice routing was ok, but clients that are behind pfsense respond only to the ping…
no http, no ssh, nothing!!!!
I thought it was some sort of firewall rule, but the problem was that pfsense is on a VM (kvm on very old proxmox1.9):
solved with this
https://doc.pfsense.org/index.php/VirtIO_Driver_Support

Tanks

@vtulin:

@jimp:

On 2.3.3 we now have an option "No Preference and Adaptive Compression Disabled" which helps when dealing with picky clients.

Which will remove accurance of this option in config?
Thank you for response.

When this option is selected, "comp-lzo" is not in the config, and it adds "comp-noadapt" to disable adaptive compression.

OpenVPN can be picky in how the client and server interact across versions and when LZO is not compiled in.

If you have no compression options in the configuration at all, it still enables it with adaptive compression because that's the current OpenVPN default (it wasn't always). And if you use "comp-lzo no" the far side won't understand that if it does not have LZO compiled in.

Yes, correct. The outbound NAT translate the packets source IP from origin VPN clients address to the FW2s LAN IP. So when the packets reach your LAN host, it seems the come from FW2 and it will response to FW2 where the destination address of the packets is translated to the VPN clients IP.
We've discussed this yesterday here: https://forum.pfsense.org/index.php?topic=120328.0

To use the same VPN tunnel subnet for both connections is definitively not a good idea. But that doesn't matter if you do NAT.

Access from a VPN1 client to the FW2 management interface can also be enabled by an outbound NAT rule at FW1. Here you just need to enter the FW2s LAN address at destination.

Firewall rules are generally used to block connections coming into the firewall on an interface.

If you want to stop hosts on LAN from making certain connections, then you place those block rules on LAN.

If you want to block connections coming in from remote OpenVPN sites, you put those rules on OpenVPN.

If you want to block connections going to a remote OpenVPN site, then either block them on the incoming interface (like LAN) or block them at the remote side inbound on OpenVPN. They are the ones "locking their door" against incoming connections.

It's possible to block in the outbound direction using floating rules.

If you think about the security aspects of what the firewall is supposed to be doing, this is really the only model that makes any sense.

https://doc.pfsense.org/index.php/Firewall_Rule_Basics

https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

Thanks so much viragomann for the explanation and kpa for the solution. It works as expected now.  :)

You have to set Remote Networks on each side if you use shared key.

The new CSS is more adept at hiding fields when they are not appropriate.

Even if you could set them they would not work.

Yes, thanks.

Completely blew past that setting/working now

NVM I figure it out.

This is a lab VM inside my LAN so bogus IPs but same concept. http://imgur.com/a/nP8jc  Nat and Rules tabs.

Have it setup like this in lab environment:
OpenVPN (server) >> pfSense >> OpenVPN (client)

Server and Client are Ubuntu. Is that what you were looking for?

I don't see that with Viscosity.

That was it. Thank you very much.

Upgrade your OpenVPN client export package again. There was an issue in the posted version temporarily for a few hours.

Are both pfSense boxes the default gateways within their networks?