• Configure OpenVPN on pfSense 2.1 and access to LAN

    2
    0 Votes
    2 Posts
    838 Views
    P

    Give more information on what you want to achieve and what you have done so far, e.g.
    a) Are you happy to be in "tun" mode where the remote client gets a tunnel IP address, and thus you access network shared folders by typing in the server name and folder name (you don't see general advertisements of shares on the LAN because you are not actually on the LAN)?
    b) What IPs do you have for LAN and tunnel subnets?
    c) What is in the Local Network/s field on the OpenVPN server?
    d) What rule/s are on the OpenVPN tab?
    e) Can you reach LAN devices by IP address?

  • Static IP's

    6
    0 Votes
    6 Posts
    2k Views
    P

    I thought you could do this in the webGUI with Client Specific Overrides - for each client certificate, specify the various settings you want to give that client, like the tunnel network you want it to use (inside the overall tunnel). Give a /30 to each client and the resulting client IP address is fixed.

  • Any way to add a Gateway on an openvpn interface?

    6
    0 Votes
    6 Posts
    2k Views
    W

    One more update.  We figured a workaround, for now.  Basically, we have defined the openvpn tunnel with all of our local subnets in the config.  Then, we tunnel those same subnets using ipsec.  This adds up to 50 or so phase 2 entries, but those are pretty static; we don't have to change them often.

    Apparently, the ipsec tunnels take priority in the routing table over the OpenVPN ones.  This means that when we have to add a new route to the OpenVPN tunnel, and thus restart OpenVPN, traffic over the ipsec tunnels still flows and only the traffic to the customer sites (which is minimal, at least from the site that we're dealing with) is interrupted by the OpenVPN restart.

  • How to display the internet OPENVPN routing table

    2
    0 Votes
    2 Posts
    1k Views
    jimp

    In your case, is this a client and not a server?

    For servers, we do check for and display the routing table but that code doesn't exist for client display.

    It may not be too difficult for someone to adapt that same code to work for the client side.

  • Migration OpenVPN IPCop 2.0.4 to PFSense 2.1 (amd64)

    2
    0 Votes
    2 Posts
    1k Views
    jimp

    I'm not sure how IPcop stores the certificates and such, but you should be able to export everything from IPcop, then import the CA cert/key to pfSense, then the server cert/key and all the user cert/keys as well if you have them available.

    When importing the CA, take care to set the serial number high enough that you don't get a collision between the serial for an old and a new certificate.

    For the VPN server, you'll have to compare the GUI settings for each and set them up as close as you can.

  • Question about OPENVPN Status Display for peer-peer shared key

    2
    0 Votes
    2 Posts
    1k Views
    jimp

    Shared key is 1:1 – one server, one client only. The two clients will fight over which one is actually online/up.

    If you want one server and multiple remotes then you'll need to use a site-to-site PKI/SSL setup which is a bit more complex. Otherwise, set up one server process for each remote node.

  • NAT rules not honoured from DMZ to LAN

    1
    0 Votes
    1 Posts
    631 Views
    No one has replied
  • 3 offices, OpenVPN clients cannot communicate with remote offices

    6
    0 Votes
    6 Posts
    1k Views
    R

    Thanks for the reply.  We ended up resolving the issue on Monday and it was indeed an issue with the phase2.  It was a problem with the route coming from the Cisco router and the Netgear.  Everything was good in pfSense, just had to get the configs right on the other ends.  We just had 1 thing on each crossed up.  Thanks guys!

  • OpenVPN client (VPN Gateway) routing

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Authentication Method Question

    3
    0 Votes
    3 Posts
    1k Views
    H

    I have the same problem.
    Please, somebody help.

  • My favorite OpenVPN Client for MAC & PC

    2
    0 Votes
    2 Posts
    1k Views
    jimp

    We have links to Viscosity in a few places and we mention it in the book and other documentation. It's supported by our OpenVPN Client Export package so it's alright.

  • 0 Votes
    5 Posts
    2k Views
    johnpoz

    I think you made a typo in your /24

    New PFSense Firewall  LANIP 10.0.2.254
    LAN IP Range  10.0.0.1/24  - same range

    10.0.2 is not the same network as 10.0.0 with a /24 – do you have, say, a /8 or, say, a /22, which would put 10.0.0 on the same network as 10.0.2?

  • OpenVPN from WAN (cell phone)

    9
    0 Votes
    9 Posts
    3k Views
    ?

    @phil.davis:

    The issue I am having is that the client/profile I exported displays my IP address and I never saw a spot to use/enter my dynamic DNS name.

    The dynamic DNS names should be in the "Host Name Resolution" field drop-down list on the Client Export page.

    Ohhh, I see them there, I just left it at the default option of 'interface IP address'.

    I switched it to the dynamic DNS host name but it still says waiting for server on the phone app. There must be something in the config it doesn't like or I missed a setting (I did put the new config on my phone).

  • OpenVPN Certificates !

    3
    0 Votes
    3 Posts
    1k Views
    P

    And maybe you have an OpenVPN server on pfSense for clients to connect into your LAN. If you really want to allow the same certificate to be connected multiple times simultaneously then that is possible. See https://forum.pfsense.org/index.php/topic,71790.0.html

  • Pfsense 2.1 AMD64 client export utility installation halted

    2
    0 Votes
    2 Posts
    763 Views
    P

    Post any other messages from the package installer GUI window. You haven't given much to go on  ;)

  • Pfsense Firewall to Pfsense Firewall

    7
    0 Votes
    7 Posts
    1k Views
    P

    I probably meant guarantee uptime between the tunnels

    The guarantee is as good as the WAN link/s you have at each site and the ISP actually routing traffic.
    In my experience, once you have the site-to-site link set up with OpenVPN server and client talking to each other, then it is rock-solid.
    The times I get grief (connection going up-and-down) always turn out to be that a WAN connection is suffering significant packet loss.

  • Multiple clients, one user / certificate

    2
    0 Votes
    2 Posts
    10k Views
    P

    If you really want multiple uses of the same certificate (and username) to be valid, then I think just go to the OpenVPN Server and check the box:
    Duplicate Connections - Allow multiple concurrent connections from clients using the same Common Name.
    NOTE: This is not generally recommended, but may be needed for some scenarios.

    The security issue is that if the certificate is compromised, and you need to revoke it, then you have multiple client devices with that certificate installed - so they all stop working.

  • Replace openvpn package with my custom build package

    1
    0 Votes
    1 Posts
    564 Views
    No one has replied
  • Specify routes based on user groups

    2
    0 Votes
    2 Posts
    764 Views
    jimp

    You can set static IP addresses (well, /30 blocks the way OpenVPN works by default) for users in the Client-Specific Override section and then set up rules based on those static IPs.

  • OpenVPN to Lan

    15
    0 Votes
    15 Posts
    3k Views
    C

    @phil.davis:

    3 - I want the client to get the LAN IP address because it is just one user who is going to use the VPN to access the LAN. I believe tun mode is already selected on my VPN configuration.

    For the client to get real LAN IP, you have to use tap mode.

    But the tun mode should also work - if you want to keep trying to make tun mode work, then post the OpenVPN server settings. Somehow the client is not getting the route - until that is fixed it definitely won't work.

    Dear Phil,
    the below is the config file of the VPN I used on the client laptop to connect to the office.
    P.S. I changed the external IP and login name:

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote XX.XXX.XX.X 1194 udp
    lport 0
    verify-x509-name "HassVPN" name
    auth-user-pass
    pkcs12 pfSense-udp-1194-jjansen.p12
    tls-auth pfSense-udp-1194-jjansen-tls.key 1
    ns-cert-type server
    comp-lzo

    Dear Phil,
    I managed to fix the issue!
    First I had to create a rule to allow the connection between the LAN and OpenVPN; like this it routed the connection from the virtual tunnel to the LAN.

    Thank you so much for your help!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.