If there are pass rules on LAN, then the traffic is going to get out of the source end. But if you really disabled all OpenVPN rules on the remote end, then the traffic must be dropped on arrival at the remote pfSense. That should stop any intranet-based Skype connection from being set-up, and Skype should end up finding its way out to public internet Skype servers to make the connection. If you are just using the site-to-site OpenVPN for traffic to servers at other sites (like you say, using RDP, or file-shares or…) then you can make the rules on LAN to pass to just those remote server IPs and block to the rest of the remote intranet subnet/s. And similar rule/s on the OpenVPN incoming at the end for good measure. That should stop client-to-client stuff across the OpenVPN.

Solved! Thanks everyone for the great hints - especially CMB about the IPSec overlapping addresses. Prior to setting up OpenVPN, I had an IPSec tunnel working but wanted to try OpenVPN for data compression.  While I disabled the IPSec tunnel on my home router, it appears I forgot to disable it on the office router.  Thus, the remote router had a route back to my home network via the IPSec tunnel and not the OpenVPN tunnel. Appreciate all the good replies!

Fantastic, this is exactly what I was looking for. Thank you for the help!

@Tired2: I guess it translates all the IPs on the HQ subnet over to a different range maybe? Yes of course, that is the whole point… you point the remote site to the NATed ones, instead of the conflicting subnet.

Figured it out, went back in to OpenVPN settings and changed my DNS Servers to Goggle's Public DNS Servers 8.8.8.8 and 8.8.4.4 and restarted OpenVPN service just in case - Now working perfectly! So my initial DNS entry was my pfSense IP which had I thought about it, would have realized that won't work.

SOLVED

Sigh. Selecting three absolutely worst IP ranges is quite an unique achievement in itself. Hope you never ever need any roadwarriors stuff working on any of those.

I used this same configuration to set up a pfsense here using my pfsense in the USA as server. I'd bet you can use your certs and MTU settings etc from your current vpn and use the strongvpn set up instructions to get what you want.

@saytar: I know I had Private Internet Access setup on 2.1.5 fine, but after the upgrade my user id and password file was not carried over to 2.2.1. After I made a new file everything else worked. That is normal for changes made outside the GUI. You don't need the file any more after 2.2.  There are now a username/password fields in the client config GUI.  You can populate those and clear the auth-user-pass entry in the Advanced text area.

@doktornotor: The rules go on the OpenVPN tab. Not on LAN/OPT. Succulent comment…........just defined an answer to a question I had been contemplating about my extra interfaces and a build out on my home network....................... 8)

@kejianshi: I assume you are trying to setup some sort of gateway-failover by using 2 separate VPN tunnels? Not really. I want a vpn solution without modify the local network clients (install openvpn, update, configure, …). We life in germany and my girlfriend wants to use Netflix US (with his desktop or/and notebook). She can not configure openvpn and i think she dont need that ;) My idea is: If she want watch Netflix, she must only change her ip address. That is no problem for her. And I need a exit point in the netherlands and switzerland. I can use openvpn directly but than i must protect every pc against dns leaks and so on. That is the reason why i want manage the vpn clients at pfsense and "select the route" on the clients only with the ip address. @kejianshi: I'd advise using 2 separate openvpn services who don't assign same subnet ranges and don't use same gateways IPs. This is possible but then I have to pay two accounts. And this sucks a little bit.

I'm also interested in any write-ups from people who have gotten this to work. Thanks in advance!

Solved , i figure out that my ldap settings where wrong Thanks anyway :)

As said, the interface for incoming VPN connections can also be the LAN interface. So no further interface is necessary for your goal, just one. For openvpn server set up, the wizard will guide you through and there are also some tutorials in this forum and in the pfSense docs: https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server

No one has any clue?

@Pitchoun511: I have found nothing that resolve my problem I just went through the procedure in the thread I linked earlier on two 2.2.1 boxes and it worked fine, or rather well enough for me to get in and fix a problem preventing a remote host from routing out correctly. If you are still having problems, I suggest you look over that and then post some specifics of your config.

I see the same behavior on an Alix box we have.  The upgrade to 2.2.1 did nothing to fix this issue. OpenVPN settings: AES-128-CBC (128-bit) SHA1 (160 bit) I've checked the throughput via the command line (openssl commands), and I can set up ipsec tunnels and verify that the HIFN 7955 card is working - IPSEC I see great throughput, low CPU utilization. OpenVPN - 100% CPU at about 6Mbps of throughput. Something doesn't work correctly.

Perfect.  Thanks for the great explanation.