@gcu_greyarea Ok danke schon mal für die Ausführliche Beschreibung der Möglichkeiten. Das muss ich mal testen mit einer Failover Group (noch nie was mit gemacht) , kann man denn nur eine machen? 2 .Das kann man natürlich machen dann kann man halt einer gewissen Gruppe eine feste IP zuweißen, und wenn sich der Tunnel neu aufbaut gibt's halt ne neue Exit IP für alle innerhalb des Alias. Das ließt sich so das man für eine vorgegebene Zeit einem Gateway zugeornet ist und der dann ein Zwangs Wechsel durchführt. Das werde ich mal testen was der daraus macht bei ein paar IP check Seiten.

You need to push the IPv6 /64 as a route. It needs to be distinct from the tunnel network. I assume you have more than a /64 to use? /48 or /56? Similar to how HE's TunnelBroker provides IPs, Unfortunately TunnelBroker does not work in this case because they Block CloudFlare (YES THEY FREAKING BLOCK CLOUDFLARE!!!). Based on my experiences with HE over the years, if they did in fact block these sources, they have a good reason for doing so.

It is likely that your VPN interface isn't enabled in pfSense. Open Interfaces and select the VPN interface that you added to System > Routing > Gateways and click the Enable box. Click Save. Navigate to Status > OpenVPN and restart the service. It should show a green check mark and show local, virtual, and remote host addresses.

In case this will help any one else, I've figured this out.... Here is a link on how to find the logs for NPS... https://social.technet.microsoft.com/Forums/windows/en-US/45aa3000-c32b-483b-8d6e-565b56b163fc/how-to-check-the-nps-logs-in-the-event-viewer?forum=winserverNAP Basically there are text file logs in c:\Windows\System32\LogFiles\In* , or you can check in Event Viewer under Diagnostics -> Event Viewer -> Custom Views -> Server Roles -> Network Policy. In my case, the problem users were set to "Deny Access" under the "Dial In" tab of the user properties in AD Users & Computers. Setting to Allow Access fixed it up. If you don't see the "Dial In" tab, this may be of help : https://support.microsoft.com/en-ca/help/975448/the-dial-in-tab-is-not-available-in-the-active-directory-users-and-com For me, I had to be on the server to get that tab, not accessing Active Directory Users and Computers on another PC. Hope this will help someone else. Thanks, Derelict for pointing me in the right direction!

СА на сервере - [image: 1533291195274-screenshot_3-resized.png] ВПН сервера (с 1195 портом это тот который сейчас нормально работает на старом пфенсе а с 1190 тот который не могу завести [image: 1533291279358-screenshot_1-resized.png] Клиент на новом пфенсе [image: 1533291418688-screenshot_2-resized.png]

Ok, final update. Eliminated everything that had to do with this VPN, interface, rules, etc. Started all over, following all the steps, and everything is working as it should, without the manual routes. By the way, if you run into the routing problem, you can change the "Gateway creation" to BOTH or to IPv4 ONLY and apply/save ont both server and client side(!) That creates the new route. Thanks all for your time and effort