• Cert deleted before revocation - how to reimport?

    7
    0 Votes
    7 Posts
    2k Views

    Thanks Jimp, much cleaner :-).

    You could probably do a job on this too.  It's a (very) basic perl script to identify user certs in a config.xml and dump them to separate files to make it easier to reintroduce a particular cert to the config.xml.  I'm putting it here in case it's useful to someone else.  It makes heavy assumptions about the config.xml structure and I don't know what quotemeta will do on a windows box so YMMV.  Written for clarity rather than efficiency.

    #!/usr/bin/perl
    use strict;
    use warnings;

    ## pfSenseUserCertDumper.pl
    ## Script to pull out user certs from a pfsense config backup.
    ## use as follows:
    ##
    ## perl pfSenseUserCertDumper.pl config.xml
    ##
    ## Output will be of the form certref.certdescription.usercert
    ## No provision has been made for multiple arguments

    my $line;
    my $cachecontents;
    my $certrefid;
    my $certdesc;
    my $certdumpfile;
    my $certdumpcontents;
    my $isusercert;
    my $filename = $ARGV[0];

    open FILE, "<$filename" or die "Cannot read the file $filename: $!\n";

    while ($line = <FILE>) {
        if ($certdumpcontents)
        {
            # We are capturing contents, so append
            $certdumpcontents .= $line;
            if ($line =~ m/\<refid\>(.*?)\<\/refid\>\n/)
            {
                # Capture cert ref for dump filename
                $certrefid = $1;
            }
            if ($line =~ m/\[CDATA\[(.*?)\]/)
            {
                # Capture cert desc for dump filename, quotemeta to deal with
                # special characters
                $certdesc = quotemeta $1;
            }
            if ($line =~ m/\<type\>user\<\/type\>\n/)
            {
                # Not interested in non-user certs.  Set flag if user cert.
                $isusercert = 1;
            }
        }
        if ($line =~ m/\<cert\>\n/)
        {
            # Start of a cert.  Start capturing.
            $certdumpcontents .= $line;
        }
        if ($line =~ m/\<\/cert\>\n/ && $certdumpcontents)
        {
            # End of cert data.
            if ($isusercert)
            {
                # One file per user cert: <refid>.<descr>.usercert
                $certdumpfile = $certrefid . '.' . $certdesc . '.usercert';
                open CERTDUMPFILE, ">$certdumpfile"
                    or die "Cannot write the file $certdumpfile: $!\n";
                print CERTDUMPFILE "$certdumpcontents";
                close CERTDUMPFILE;
                # Job done, turn off isusercert flag
                undef $isusercert;
            }
            # Clear assigned variables ahead of next cert.
            undef $certdumpfile;
            undef $certrefid;
            undef $certdesc;
            undef $certdumpcontents;
        }
    }
    close FILE;

    Thanks again,

    Simon

  • TLS Error: TLS key negotiation failed to occur within 60 seconds

    3
    0 Votes
    3 Posts
    1k Views

    Give some details of your setup. It seems strange that the client is trying to connect to 172.16.0.10:2000 - a private IP address. Are you doing some internal testing or?
    Where is the server listening?
    How does the public internet reach that?
    How did you setup the client?

  • Port Forwarding from VPN Provider…

    11
    0 Votes
    11 Posts
    12k Views

    What do you mean by "internal torrent client"?
    I'd be interested in having a look at your scripting.

    Any chance you could post it?

  • OpenVPN Desktop Client with pfsense

    25
    0 Votes
    25 Posts
    5k Views

    The new OpenVPN 2.3.5-I601, with OpenVPN Manager 0.0.3.6, is working fine for me on Windows 8.1

  • SOLVED Routing problems between OpenVPN and LAN servers.

    2
    0 Votes
    2 Posts
    915 Views

    This problem was solved.

    The problem was that my Pfsense was installed in a Proxmox VM; when I disabled hardware checksum offload, everything began to work fine.

  • Openvpn to one inside ip-address

    6
    0 Votes
    6 Posts
    1k Views

    Sorry I am NOOB… Is it any way to help me more... I need "barb wire" to guide me... ::)

  • Multiple VPN Servers

    5
    0 Votes
    5 Posts
    3k Views

    So I followed your advice and some online tutorials and everything works great!

    From a security standpoint, would there be a reason to add an interface to the OpenVPN servers and enable Snort on them? Or would that be an overkill?

  • Limiting OpenVPN access

    2
    0 Votes
    2 Posts
    734 Views

    Put rules on the Firewall->Rules OpenVPN tab to allow only what you want, and the rest is blocked.
    If you want to give general internet access through the OpenVPN, then it might be easiest to make a rule list like:
    a) Allow to destination IP/ports that you want to open on your LAN.
    b) Block to destination LANnet (block the rest of the LAN)
    c) Allow all - let anything else in on the OpenVPN (internet in general)

  • PIA VPN client kills my OpenVPN server

    1
    0 Votes
    1 Posts
    635 Views
    No one has replied

  • How do I VPN only 1 host device?

    29
    0 Votes
    29 Posts
    5k Views

    Could be - I know there is a problem with replies going out over the same interfaces they come in on.
    I'm pretty excited about 2.2 once the bugs are worked out.
    A well threaded pfsense will make a huge difference.

  • Route all openvpn traffic through a specific client's local gateway

    1
    0 Votes
    1 Posts
    611 Views
    No one has replied

  • Allow External FrootVPN (OpenVPN) access through Pfsense Firewall

    1
    0 Votes
    1 Posts
    726 Views
    No one has replied

  • OpenVPN continues to work even after it's terminated due to fatal error

    15
    0 Votes
    15 Posts
    11k Views

    Pretty sure that's this scenario.
    https://redmine.pfsense.org/issues/3894

  • Vyprvpn Port Forwarding

    7
    0 Votes
    7 Posts
    4k Views

    Good to know.

  • SIGTERM[hard,] received, process exiting

    1
    0 Votes
    1 Posts
    6k Views
    No one has replied

  • How do i make vpn clients be on the same subnet?

    13
    0 Votes
    13 Posts
    2k Views

    Good idea.  A bit trickier to configure though.

  • Active directory authentication only works with new AD users

    4
    0 Votes
    4 Posts
    1k Views

    Thanks for the reply.

    I did not change those settings as they did not make sense to me as I am no LDAP guru. I have now changed the settings to

    User naming attribute = samAccountName
    Group naming attribute = cn
    Group member attribute = memberOf

    and it works

    Thanks!!!

  • OpenVPN in PFSense on Amazon EC2

    2
    0 Votes
    2 Posts
    2k Views

    Maybe you only have to allow traffic on the right ports on the EC2 instance… :P

  • Communication Branch Branch

    10
    0 Votes
    10 Posts
    1k Views

    Set up branches of the network by adding another branch in the Remote Network IPv4/s field.

    I.e. it was as follows:

    In branch A, I put the remote network 192.168.1.0/24 (the Matrix) and also the affiliate network 192.168.2.0/24 (B).

    Now when I am in branch A and ping the B affiliate network, the request reaches the address of the VPN tunnel on the Matrix side, and after that it cannot be forwarded.

    What configuration is missing in the matrix or at the branch?

    Or am I doing something wrong?

    Thank you!

  • Restore to new box, OpenVPN certificates not working

    1
    0 Votes
    1 Posts
    458 Views
    No one has replied

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.