I just finished writing up a quick set up guide on a local forum of ours, please feel free to check it out:

http://mybroadband.co.za/vb/showthread.php/669041-Mini-Guide-Setup-free-VPN-(Froot-using-OpenVPN)-in-PfSense

Seems to be working fine on my side.

If you are using authentication against AD for OpenVPN, why do you touch the user manager? They do not need account entries there.

Make certificates directly under System > Cert Manager on the Certificates tab. Ignore the user manager.

In the advanced options for the gateways, adjust the latency thresholds higher so that they won't trigger so soon, and set the down time higher (30-60sec)

https://doc.pfsense.org/index.php/Gateway_Settings#Advanced_Options

As written, there is no Log on the server side … not one line (about this instance)

OK ... problem found ;) I've set the server to the WAN-Interface ... but he have to listen to a virtual ip on this interface ... so he tried to bind to the main ip instead of the virtual ip address.
I've changed the interface and one second later, the client was connected.

Anyway ... many thanks for your inputs ...
Kind regards

Yes, you can open your openvpn-port (normaly 1194) not only on the wan-interface, but on the lan2 interface too. Set the openvpn-server to listen on "any" interface.

Hi Heper!

Thanks for the response.
I looked at this great tutorial: https://forum.pfsense.org/index.php?topic=76015.0

The problem I had was that I was missing the NAT rules, did as suggested there and it all works great!

Problem #1 is your tunnel network is inside your LAN.

I have not seen anything that shows PFsense can be configured to do so, but you can always dump to a syslog and implement filters to show you what you want to see.

bump

It is a client from pfSense up to an internet-VPN service.

Advanced box:
remote-random
auth-user-pass
persist-key
persist-tun
tls-client
comp-lzo
verb 1

I have added link-mtu 1574;tun-mtu 1532; and restarted but I see the following in the log:

openvpn[4644]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1542 10.12.0.22 10.12.0.21 init

Thank you for your help

You should be able to just add an Outbound NAT rule on LAN, source "the VPN tunnel network", destination LAN net, NAT to LAN address.

The traffic from your client device should have a source IP in VPN tunnel network, so will match that NAT rule, be translated to LAN address, go to the switch/es and the switches can answer.

It is a shame that Windows does not have a concept of adding a drive letter mapping for a share that is available system-wide ("net use /systemwide" command). It is happy to let an administrator define drive letters for the real partitions on the local disks, and those are seen by all users, so it couldn't be that difficult to allow the same for network shares.

hi, thx all for time.

ok, i want only access internet from one pfsense box but also want two different ways how to connect from internet to LAN (two HW with openvpn server). I thing that i need some NAT rule and portforward rule. But from what you wrote, i thing that it is impossible..

@Derelict:

The wizard is for Remote Access (Road warrior) setups.  Not site-to-site.

Yep!  Figured that out now lol.

Got it going with the standard setup for site to site using just shared key.

Thanks guys - both sides ping!

firewalls on the lan-devices or gateway not correct on lan-devices?

I guess I'd suggest you get a set of working instructions for a bigger vpn provider that has very well tested instructions, like strongvpn, and apply thier instructions to pure VPN.  Substitute in purevpn credentials, IP etc.