http://lmgtfy.com/?q=pfsense+openvpn+active+directory
1st hit, I did it yesterday and works great!

Phil, thanks for your reply.

I tried checking off that box and then I uninstalled then exported and reinstalled the Openvpn install from the gateway page. I am able to connect to the vpn but now I cannot ping or access anything on the office network and cannot access the internet.

It looks like a rule was added for openvpn when I enabled it that says to pass traffic from openvpn with any protocol, any source, and any destination. I am assuming that is what you meant when you said "make sure you have wider rules on the OpenVPN tab to allow traffic from the clients that has destination general internet IPs."

update*** I tried again and was able to ping the pfsense gateway and some pc's in the network but still cant get out to the internet.

Hi johnpoz

I was incorrect on this thread, you see I have issues with my pfsense openvpn client connected to Mullvad VPN provider, it connects successfully and I can see bytes and connection. But no internet access regardless of laptop or desktop etc.

Strange thing is if I wait 3-4 minutes it kicks in… and internet then works, this is why I thought it maybe some DNS issue.

If I disable openvpn client and just want normal internet that works straight away via my pfsense pc build...

I tried different DNS addresses thinking it was VPN dns servers not working right so tried public ones like opendns but no joy same error.

I checked the logs for errors and got some strange error which maybe related I posted a new thread here:

http://forum.pfsense.org/index.php/topic,71434.0.html

Since am very new to pfsense and only know the basics as you know its tricky  ! Any idea on this error ?

Thanks for the reply, gents.

Our network is pretty simple and flat.  Yes, our real LAN is behind the ISA server.  I'm using VMware vSphere to run both the ISA server and the pfSense box.  The VMware hosts all have a direct connection to our public router, and the pfSense box has a dedicated public IP adddress for WAN – it doesn't go through the ISA server.  I wanted to have our VPN users to be able to connect to the network, but I also wanted them to be subject to the rules of our MS ISA server (which is our current gateway) if they use the virtual machines on our network to go out.  I can't have VPN users using our network to surf kiddie porn externally, for instance.  When installing pfSense, I gave the LAN connection our ISA server as a gateway out of habit (I was and am still very new to pfSense) but it all seemed to work anyway, and like I said before, everything has been working great until I removed the LAN gateway.  My firewall rules - OpenVPN tab has a list of rules that direct specific IP addresses (users) to specific virtual machines, and this has worked well to control access to servers on our network by the VPN users.

It turned out that a misinterpretation of the UNIX timestamp expired the certificates prematurely. They had 10 years lifetime, but the date was misinterpreted as a date from the past. I created new certificates with 6 years instead of 10 of lifetime and everything works again.

In conclusion, avoid creating certificates with 10 years of expiry, make them with less.

found it!

http://forum.pfsense.org/index.php/topic,71078.0.html

troubleshooting a problem is never a waste of time, even if we spent time looking to what the problem was not.. Once we ruled those out as not the problem you get to what the goal was - find the source of the problem.

And you get the added bonus which is always good!
"I did learn some additional things while troubleshooting all of this. "

Let us know how it works out - and I run esxi 5.5 and my pfsense is VM..  With multiple segments on my esxi, etc.  So if you need any help in that area even though its not pfsense directly let me know - glad to help.

Fix was to use google or opendns DNS servers instead :)

Okay I solved it. Don't know how exactly! but let me tell if someone like me having issue with this.

What I have done:=>

1. In sever conf file, i have changed TCP into uDP and port into 2500. looks probably it was because port before was blocked or something like that.

But now another problem,, I cant browse anything from that VPN? Is this problem from Server-side or client-side pfsense?

Thank you  jimp … I will test it....

The OpenVPN config files look reasonable.
You do not mention firewall rules - what rules do you have to allow traffic into pfSense end OpenVPN? And same for Windows Server firewalling (however you do that using OpenVPN client on Windows Server).

I never did update this post…. everything is working well.
Thanks, jimp!

I had a full clean install Windows8 on an old HP laptop (from Vista days - worth $US40 to get rid of Vista. At some point it started intermittently refusing to connect to my home WiFi - a reboot would (usually) get it going again. After online upgrade to 8.1 I haven't had the problem again. Maybe some dodgy Windows Update in the Win8 series? that was fixed in 8.1? YMMV - mine certainly has.
But when the underlying connections are up, OpenVPN client has been doing its thing fine.

You have to put the subnet at the other end in IPv4 Remote Network/s field on both server and client - then it will make a route across the OpenVPN tunnel to the subnet at the other end.

Switched to using TCP instead of UDP and the tunnel came up OK.

The usual fix on Windows 8 is to uninstall both the OpenVPN client and the TAP driver and then install them again.

There are other weird things that can happen with OpenVPN on Windows 8 but thankfully I haven't hit any of them so far.
https://community.openvpn.net/openvpn/ticket/316

Step 13 here: http://www.vpntutorials.com/tutorials/openvpn-client-setup-tutorial-for-windows-8/

Until I set the client LAN to use MultiWAN by setting the Pass any any rule to use a gateway group.

That rule now pushes all traffic to the highest tier member interface(s) of the gateway group. The packets are not given to the normal routing table.
Add a rule above that to pass traffic with destination 172.22.81.0/24 and no gateway group. Then those packets will be passed to the ordinary routing, and will find their way through the OpenVPN tunnel.

I can fix this by adding:

Client OpenVPN:
IPv4 Remote Network/s: 172.22.81.0/24

I don't understand why that works for you - the client end OpenVPN routing settings should still end up just in the ordinary routing table and have the same issues as doing it in the server-end settings.

Hi jimp,

thanks for your reply. I went to the Diagnostics > Backup/Restore tab you told me, and made a diff between the current configuration and an older one about the time when I deleted the certificate in question. That helped me to locate the "" fragment with the certificates I need. I managed to import the certificate and private key, and to put them in revocation.

Guess that's it, I'm marking this topic solved. Thank you! :)

UPDATE: It appears that the user is able to connect despite that. Any clues why?

UPDATE2: I rechecked my settings again and found that I overlooked the "Peer Certificate Revocation List" in the "Cryptographic Settings" section of OpenVPN settings (VPN->OpenVPN->edit the network in question). It was set to "none" instead of my revocation list. Changed that and now revocation is working perfectly. Thank you again :)