• I can't get *OFF* my VPN anymore…:-)

    24
    0 Votes
    24 Posts
    6k Views
    H

    I can't be bothered to read a zillion lines of text.

    Assign an interface to ovpn if you haven't already. Activate the route-no-pull checkbox. If the checkbox is not there due to the ancient release you are running: enter it in the adv field.

    If 1&2 don't help then post a screenshot of the routing table.

    Have fun.  ;)

  • OpenVPN tun: Debian VPS (server) pfsense (client)

    1
    0 Votes
    1 Posts
    701 Views
    No one has replied
  • Two factor authentication for openVPN in pfsense

    28
    0 Votes
    28 Posts
    55k Views
    johnpozJ

    Maybe it's just me but so are you vpn into a dod facility here? How is a cert, and user name and password not enough?  Is your goal to discourage use of the vpn?  Then sure add as many hoops you want to actually get in and do some work..

    So for someone to get into your vpn with a typical 2 factor setup they need the cert (so device cert installed on) and the username and password.  Now you want to also have a 3rd method… That to be honest is just another link in the chain that can fail..

    There is security, and then there is just making something so difficult to use that users don't use it or they find ways to bypass it... Which defeats the purpose of the security in the first place.  Screw vpn into work on my files, I will just take them with me so I don't have to jump through the ring of fire to get to my stuff..

  • OpenVPN w/Websockets - router not allowing web socket traffic

    2
    0 Votes
    2 Posts
    4k Views
    F

    We found the solution. The websockets didn't have a route back to the AWS instance after the initial request was made.  To solve this we added the appropriate CIDR to IPv4 Remote Networks (tunnel Settings under the OpenVPN Client).

  • Monitor OpenVPN users

    3
    0 Votes
    3 Posts
    1k Views
    johnpozJ

    what about the widget on the dashboard?  What exactly are you looking to monitor about vpn users?


  • Switch from OpenVPN Access Server to pfsense

    11
    0 Votes
    11 Posts
    3k Views
    B

    I forgot to say, that it works now with the config from Tutorial 2.

    This is the tutorial from pfsense  ;)

    https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

  • OpenVPN client accessing tunnel-network but not complete LAN-network …

    4
    0 Votes
    4 Posts
    1k Views
    T

    ok … thanks for the info. I also thought about the fact that pfSense is not my default gateway. Because it's currently "only" a test, I do not want to modify anything on the current LIVE environment. At the moment, only a Broadband connection with about 6MBit is directly attached to pfSense. Our main broadband connection at the moment with 50 MBit will stay also in future as our main, but then also directly attached to pfSense. Plan is to have the 6Mbit as Fallback. With this planned environment, pfSense will become the default gateway ... ;-)

    Regards Torsten

  • Port for almost certain OpenVPN access?

    3
    0 Votes
    3 Posts
    992 Views
    johnpozJ

    I run udp 1194 and tcp 443..  443 is going to be open if they allow internet access ;)  While it also allows you to bounce the vpn connection off a proxy if they are doing that too.

    It might not be that the place blocks udp 1194 on purpose, they might just be allowing the known ports for typical internet access.  So maybe they only allow dns, http/https, etc..

    Try your udp connection, if it doesn't work then just fall back to tcp over 443.

  • Pfsense VPN config need fresh eyes

    7
    0 Votes
    7 Posts
    3k Views
    Z

    My thoughts exactly - Clean sheets with backup. Cheers mate.

  • [Solved] Openvpn TLS Error

    7
    0 Votes
    7 Posts
    11k Views
    P

    Just for the record: after rebooting the box the VPN works now.

    Thanks all for their help!

  • Authentication Server Failback?

    2
    0 Votes
    2 Posts
    684 Views
    jimpJ

    Sure, ctrl-click the auth servers on the server config and it will try them in the order it shows in the list.

  • 0 Votes
    3 Posts
    1k Views
    L

    I have the same issue with the VPN. And same config.
    Can you recommend the VPN provider?

  • 0 Votes
    2 Posts
    4k Views
    jimpJ

    You must have missed the direction on that page that tells you to create the file.

    From their page:

    Execute the following: echo "username" > /etc/openvpn-passwd.txt; echo "password" >> /etc/openvpn-passwd.txt

    Though on pfSense 2.2.x you don't need to do that or use their "auth-user-pass /etc/openvpn-password.txt;" line in advanced options.

    If you fill in the username/password boxes in the pfSense GUI, omit both of those things: don't make that /etc/openvpn-passwd.txt file and remove that auth-user-pass line from advanced options.

  • 0 Votes
    11 Posts
    3k Views
    johnpozJ

    Use the viscosity client if you don't want to run as admin on windows.  https://www.sparklabs.com/viscosity/

    It's not free..

  • PfSense OpenVPN client is up, but cannot route traffic through VPN

    1
    0 Votes
    1 Posts
    715 Views
    No one has replied
  • Help me get a theoretical max on an OpenVPN site to site with CIFS

    5
    0 Votes
    5 Posts
    1k Views
    B

    Haha, no big complaints. Just that their pipe is huge and SMB performance is just so small comparatively.

    In any case, BranchCache is out simply because we're not looking to put in servers out there (not yet anyway) and we're running Win7 Pro (not enterprise or ultimate unfortunately.)

    Looks like Riverbed or the eventual Win10 upgrade will help us. No worries there as they still remote in generally but it would just be nice if they had a bit more available bandwidth in that area for when they're working locally.

    Thanks for all the help mate- glad to see we're about where we can be, all things considered.

  • OpenVPN Server - Sitting on transparent bridged network

    1
    0 Votes
    1 Posts
    813 Views
    No one has replied
  • Openvpn : linux client, TAP0, L2 bridge

    4
    0 Votes
    4 Posts
    1k Views
    S

    Hey everyone,

    just in case it helps someone in the future; I found the solution, which was in a detail I forgot to tell about; it's a vmware installation.

    My set-up was OK, the TAP VPN was up, and it was forwarding L2 traffic, however the vmware host simply discards any packet with a mac "not from the guest", which makes it impossible to have something like an ARP-proxy (or Layer2 vpn) on a vmware guest.
    Solution is to allow "promiscuous" on the vswitch (although I don't need promisc mode at all, I just need less paranoid enforcement of the MAC filtering)

    I tried disabling the other MAC-related option, but it did not work. Only works when allowing "promisc".

    Hopefully this helps someone someday

  • Route external OpenVPN IP(s) to DMZ

    2
    0 Votes
    2 Posts
    2k Views
    S

    Did you ever get this working?  This is incredibly similar to something I'm looking to do and have not had much luck with it.

  • OpenVPN client routing issues at home

    17
    0 Votes
    17 Posts
    4k Views
    D

    I'll bring up the topic again because it really should be done and not just for this reason.

    Thanks again for your time on this.  Much appreciated.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.