• OpenVpn Second factor authentication

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ

    Yeah, it's funny how some of these auditors don't actually understand what they are auditing ;) OK, MFA is a requirement, we are using MFA already.. How many factors do you want ;)

    Should we have the users submit a DNA sample every time they auth? ROFL Then you would have 3: cert they have, password they know, and their DNA, something they are..

    Glad you got it sorted.. Your users would have probably had a fit, with many a help desk call, having to add the OTP auth along with their password, etc.

  • 0 Votes
    1 Posts
    516 Views
    No one has replied
  • Open vpn and static routing

    5
    0 Votes
    5 Posts
    2k Views
    C

    Thanks Viragomann, I appreciate it. This concludes my 2 week search for the masquerade, or outbound NAT as you call it in pfSense.
    When I did that and logged in to the mikrotik from my iPhone, the IP was that of pfSense, therefore I can see all 10.0 networks on the mikrotik.
    Thanks again, I hope I can help others who experience issues in this transition from PPTP to OpenVPN. I had no idea that the interface address meant the pfSense IP, so I was putting my IP as a /32 subnet and it didn't work. Also I used source NAT on the OpenVPN interface instead of LAN, so it was 2 mistakes I made.
    Now all that remains is to fix the 2 broken packages that remain on the menus after the upgrade and make me nuts!!!! nut and BandwidthD, which return a 404 error.
    Yes, I know I should have uninstalled them before the upgrade, but who reads the fine print, right? Especially in Greece!

    openvpnNAT.PNG

  • Advise on OpenVPN Setup

    2
    0 Votes
    2 Posts
    632 Views
    D

    I would gently suggest you try this setup using PKI.
    My experience has been that SSL/TLS gives you a more robust and flexible setup, especially if you need to expand later on.

    You can probably keep your existing server-client setups; just create a new CA on the server and use that to create individual certificates for:

    OpenVPN server - type Server
    Each client - type User

    You can enable auto-TLS on the server and use that key for an extra layer of security.

    The clients will need a copy of the CA cert (not the private key part) and their respective certificates (created in 2).

    It sounds a little daunting, but once you have one done the rest will fall in line pretty simply.

    If you post back, we can help along the way.

  • OpenVPN not working on android?

    18
    0 Votes
    18 Posts
    6k Views
    R

    Perfect - you fixed the PBX issue for me! Zoiper works well!

    Only two other issues for me seem to be related to external web traffic.

    If I am browsing Facebook or Reddit it works fine on Wifi or cell service. If I log into the VPN, the web isn't loading anymore.

    It seems like I am good for internal things on my network (for the most part). Root Explorer on Android is having a hard time browsing SMB folders on my FreeNAS box over VPN, but works fine on Wifi.

  • High CPU Usage after Upgrade

    4
    0 Votes
    4 Posts
    944 Views
    K

    I just checked the CPU usage this morning and, as written above, the two OpenVPN instances are using loads of CPU time.
    See screenshot.

    Any ideas on this?

    cpu_usage.png

  • Openvpn interface up/down when, how?

    2
    0 Votes
    2 Posts
    584 Views
    K

    Any idea? Should I change to GRE over IPsec?

  • Client Specific Override Always Assigns Network IP to Client

    12
    0 Votes
    12 Posts
    4k Views
    J

    @divsys:

    Yah, the full screenshot has a few other sections (like Topology, for one) that might affect things.

    The other things to try are a full reboot of the server box or (if that's too onerous) search for the running server process and explicitly kill it.
    Worth it just to make sure you're on a level playing field as far as previous attempts go.

    You can up the server's verbosity, so you should be able to see if the CSO is getting applied when the client connects.
    Similarly, the client logs may show what's trying to apply if you up the logging level.

    Are the clients just typical Win, Android, iPhone, or something else?

    Attached SS's of the Server and CSO's. When I get home later I can troubleshoot further. And yes, the client I'm testing with is an Android phone.

    Server.jpg
    CSO.jpg

  • Need a How-To

    8
    0 Votes
    8 Posts
    2k Views
    imWACCoI

    @Derelict:

    Is something not working?

    No, I just want to understand the settings before I implement them. I've had to Restore-To-Default once because of the major update to Snort and me not understanding the settings.

  • Port Forwarding

    3
    0 Votes
    3 Posts
    1k Views
    johnpozJ

    The OpenVPN wizard does not create a port forward; it does create a rule on your WAN for the port you use for that VPN instance.

    How would a port forward to your pfSense LAN IP allow for scanning of your "machines", even if you did create the forward..

  • Strange openvpn (server) issue since upgrade to v2.3

    2
    0 Votes
    2 Posts
    1k Views
    L

    Heeeeeelp :'(

  • 0 Votes
    4 Posts
    1k Views
    G

    Can I add a question?

    If I want to set up multiple client sites, do I need separate server entries on the server firewall?

    Thanks,

  • OpenVPN cannot connect after the latest upgrade (2.3.11)

    7
    0 Votes
    7 Posts
    2k Views
    johnpozJ

    "SSL3_GET_CLIENT_CERTIFICATE:**no certificate returned**"

    Seems kind of hard to validate if there is no cert presented.

  • OpenVPN - client machine to server-lockdown

    13
    0 Votes
    13 Posts
    3k Views
    F

    I assume NAT is not possible, because I run in transparent mode/bridged?

  • Upgrade to 2.3 and /30 topology

    10
    0 Votes
    10 Posts
    3k Views
    C

    The original issue here is fixed in 2.3.1; the config upgrade will now appropriately set your topology to stay the same as it was previously. 2.3.1 also has the latest OpenVPN 2.3.11, though I don't see anything between 2.3.10 and 2.3.11 that'd be relevant.
    https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23

  • [SOLVED] openVPN auth. + OTP server (strange behaviour)

    3
    0 Votes
    3 Posts
    2k Views
    F

    @divsys:

    The two issues that immediately come to mind:

    The ports you use on pfSense for the two different OpenVPN servers must be different and have the appropriate firewall rules enabled.
    You can use both 1194 and 11394 for the two different servers, but you must have firewall rules for both.

    The certificate you used for the 2nd OpenVPN server should be different from the 1st (you say that it was - good), but the CA used for that certificate must be the same as the CA used for the client's certificate. In addition, the client's certificate should be of Type "User", NOT "Server".

    Your log error message indicated that something was trying to connect (that's good) but failed to handle key negotiation (not so good).

    Hi divsys,
    Thanks for your help :-)

    It isn't the first proposition, because I created 2 rules on the WAN interface (1 for 1194 in UDP and 1 for 11394 in UDP too..) and I added a rule to allow any traffic on the OpenVPN interface.

    The certificate for the 2nd OpenVPN server is another certificate than the 1st.
    I created a CA different from the 1st, and from this new CA I created an internal certificate of type "Server".
    I use this internal certificate in the OpenVPN server at the option "Server certificate".

    But if the certificate isn't good, how is it possible that OpenVPN works when I try from INSIDE the infrastructure? Oo'
    When I look at my OpenVPN client config, I see the WAN IP of my pfSense. And when I try OpenVPN with my internet connection shared from my mobile phone to my laptop, it doesn't work :'(

    My purpose is to use OpenVPN with just login/password+OTP, without any client certificate.

    EDIT: the problem has been solved. a little problem with virtual IP…  ::)

  • OpenVPN Site 2 Site shared key cant ping devices on the server side

    2
    0 Votes
    2 Posts
    799 Views
    C

    It was a switching problem on the server side LAN :o

  • OpenVPN Client page missing proxy port field

    1
    0 Votes
    1 Posts
    575 Views
    No one has replied
  • How to limit authentication attempts

    2
    0 Votes
    2 Posts
    3k Views
    johnpozJ

    That link is to OpenVPN Access Server, not the community edition that is installed on pfSense.

    If they are authing to your AD, why don't you just lock out the AD account? I think that is your typical AD out-of-the-box setup: so many failed, and locked.

  • Client Specific Override

    4
    0 Votes
    4 Posts
    773 Views
    O

    This is still not working.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.