Without seeing a diagram of how this is all wired together, my first guess would be that there's an improper setup of an  internal firewall or configuration setting in the devices that don't work. When an external client connects via OpenVPN, it will appear to an internal device that it has an IP address outside the internal LAN. Some devices either fail to recognize or actively block those types of addresses. The other possibility is you've got something(s) wired wrong. Without a diagram, it's pretty hard to say.

so why would you not have put this in the original thread..  And in that thread you were talking about web access and port forwarding not from remove vpn client.. But yes your router to your "source" now removes your asymmetric routing problem. This is the original thread you are talking about is it not? https://forum.pfsense.org/index.php?topic=97861.0

Good news. More forum searching with a few different terms and I came across this post. https://forum.pfsense.org/index.php?topic=76735.15 This lead me to upgrading the older pfsense install I had at the remote location. After upgrading the tunnel came up and I tested more backups with my original way of using rsync. So far so good, I have transferred many gigabytes over this tunnel without any random crashes.

pfSense 2.2.x added the DNS resolver (Unbound) as an alternate DNS service to the original DNS forwarder. The resolver is definitely a more full featured DNS provider for pfSense and is now the default for new installs. Most of my systems are upgrades from older versions of pfSense so they typically use DNS forwarder, which is "simpler" but still adequate for my needs. You setup one or the other to work with your systems. As far as the solution I suggested, you can follow the same steps, just do the "Services->DNS Forwarder" pieces in "Services->DNS Resolver" instead. I would suggest you keep the Resolver as is and simply add the changes I suggested. You could mix and match the Forwarder vs Resolver across different sites, but there's little advantage and much confusion to be had going that route. As I said earlier, pick one or the other and configure as necessary.

I have had the same issues. There are a number of old threads on this.  I find I have to manyually kill the process from the command line and then it'll work.

Yeah.  That checkbox is only for clients connecting to the same OpenVPN server instance so your Mobile and site-to-site will be different.  You need to make sure everyone has the routes to the other VPN server clients and that all the rules are in place.

In general it should be possible to recreate the current Win-based OpenVPN server so that it performs the same way in pfSense. A critical piece of the transfer will be extracting the certificates used in the Windows setup and transferring them to pfSense. The other pieces of the puzzle should be fairly straightforward. Now having said all that, there isn't a simple "import" function that will do this. If you can describe your setup in more detail - a simple network diagram and description of what your trying to accomplish - would really help us help you. Who setup the original Windows installation?

Yes, if the port forwarding works correctly and the traffic is permitted the VPN connection will work well. I've had a similar setup for a time.

Thanks everyone for your help.  I have solved the problem. The reason it wasnt working is becuase i was putting a /30 network in the tunnel network, but using a /24 in the local network.  As soon as i changed this, it came up in openvpn status. Thank you everyone so much for your help.  Its communities that make products extra good, and this is one hell of a product!

Try to change over VPN servers interface to the specific VIP. If that works and you need it listening on more than this one resolve that with NAT port forwarding.

I just went into the cert manager and created a test CA and then a cert off that CA and no issues.  So yeah without some exact details of that your doing no way look into this. Please post a screenshot of your settings used to create your CA, and then the error your seeing [image: testcaandcert.png] [image: testcaandcert.png_thumb]

If you have a gold subscription, there is a Hangout video a did a couple months back walking through a basic HA setup, and there is also info in the book.

And… is the Windows firewall disabled there?

VM is OK. No IPsec problems with a VM. Start a new thread in the IPsec section for that with details for help with that.

Good work.  It really is amazing isnt it :)

I did make 2 open vpn servers on different ports and have each client connect to the separate one. I don't know if that is how it's supposed to be. The pfsense forums were down when I configured this the other day. Client 2 vpn config IPv4 Tunnel Network 192.168.22.0/24 IPv4 Remote Network 192.168.1.0/24,10.10.1.0/24 Client 1 vpn config IPv4 Tunnel Network 192.168.21.0/24 IPv4 Remote Network 192.168.1.0/24,10.10.2.0/24 Server vpn config client 1: IPv4 Tunnel Network 192.168.21.0/24 IPv4 Local Network/s 192.168.1.0/24 IPv4 Remote Network/s 10.10.1.0/24,10.10.2.0/24 client 2: IPv4 Tunnel Network 192.168.21.0/24 IPv4 Local Network/s 192.168.1.0/24 IPv4 Remote Network/s 10.10.2.0/24,10.10.1.0/24

The hub can't see the same subnet twice. To avoid the conflict, the remote sites have to do NAT. No way around it.