Sonicwall is using 10.0.0.0/8 for its LAN network. That conflicts with the tunnel network that you have chosen. So the server pfSense will be confused about where 10.0.8.0/30 actually is. Either: I can't believe that your main office needs 10.0.0.0/8 for a LAN. If it just uses address like 10.1.1.* then make it 10.1.1.0/24 or even 10.1.0.0/16 - but that might be rather difficult for you to implement. Choose a tunnel network in different private IP space - for some reason you have already used the whole of 192.168.0.0/16 as the client end LAN? 172.16 is still possible, makeup a tunnel subnet like 172.16.42.0/30 At main office, Sonicwall will need a route to 192.168.0.0/16 through pfSense LAN IP 10.1.1.253 - this will allow systems on main office LAN to send packets to your client end using their default gateway (Sonicwall) which will redirect them to pfSense.

Make sure the "interface" of the OpenVPN client is selected as a CARP VIP on WAN and not "WAN".

From your description, it sounds like pfSense site A and pfSense site B have OpenVPN servers. But then you have the message: The logs on the pfsense at site A only mention " Inactivity timeout (--ping-restart), restarting " That is generated by a client when it tries to connect every minute. Give us a network map and details of what OpenVPN servers and clients are where.

it's a strange setup you have there. normally ALL devices in the network should have pfsense as their gateway. is there a good reason not todo this? i currently don't know why you have your AD as gateway? is your AD doing NAT ? Anyways, there are solution to your current problem. But fixing the gateway on the clients is the best option, hands down. If for whatever reason, you can't/won't change the gateway to pfsense on your LAN devices, let me know and i'll try to explain how you can try to circumvent your network issues. (clue: NAT your lan-subnet over the VPN)

@jimp: Sure that works fine. OpenVPN doesn't check the source IP of the traffic, only that the keys and/or certificates match. You can restrict access to the VPN process with firewall rules if you wish. Most limitations of dynamic IPs can be sidestepped with Dynamic DNS if you want to still be somewhat strict. any place to find some documentation to do this? I cant get the clients behinde the home pfsense to get ip from the DHCP server on office.

Okay, logging is turned on and everything is passed. logs: pass Oct 6 14:47:32 LAN 10.0.11.107 10.0.0.2 ICMP the routes look way better now on the pfsense: IPv4 Destination Gateway Flags Refs Use Mtu Netif Expire default 85.126.29.201 UGS 0 38 1500 em1 10.0.0.0/24 10.0.1.5 UGS 0 36 1500 ovpnc1 10.0.1.0/24 10.0.1.5 UGS 0 0 1500 ovpnc1 10.0.1.5 link#10 UH 0 0 1500 ovpnc1 10.0.1.6 link#10 UHS 0 0 16384 lo0 10.0.10.0/24 link#3 U 0 0 1500 em2 10.0.10.11 link#3 UHS 0 0 16384 lo0 10.0.11.0/24 link#1 U 0 3994 1500 em0 10.0.11.11 link#1 UHS 0 0 16384 lo0 85.126.29.200/29 link#2 U 0 174 1500 em1 85.126.29.203 link#2 UHS 0 0 16384 lo0 127.0.0.1 link#7 UH 0 33 16384 lo0 but I still have no connection to 10.0.0.0/24; though pinging 10.0.1.6 works

Ah…yeah, so I see that one firewall I'm using RADIUS for OpenVPN on doesn't work with client-connect defined. This seems like a bug - is there a workaround? Is it a known issue? Edit - I could just call my script from the attributes script...though I'm looking for something clean. Meaning, I get all the environment variables, etc.

Use a /30 for your tunnel instead of a /24. I had this same problem initially. For some reason, your client and server are not picking the same set of IPs for their tunnel endpoints. Your client thinks the server is at 10.1.2.9 when it's actually at 10.1.2.1. Your server thinks the client is at 10.1.2.2 when it's actually at 10.1.2.10. If you set the mask to /30 they will have no other choice than for the server to be at 10.1.2.1 and client to be 10.1.2.2.

Hey everyone, Here's a little update.  First of all, I have seen this issue on numerous Win7 64-bit clients.  I have seen it on at least 2-3 PC's at my work, and even my PC's at home.  OpenVPN acts very strange when you try to remove it sometimes.  What I ended up doing was downloading the client from another source and just using my own config file.  That seemed to do the trick. Thanks for your suggestions.

Hi jimp, I have tried this VPN connection on both internal and external networks and receive the same error message.  We have multiple WAN lines, each with a different WAN IP address, as well as some hotspots that are completely unrelated to our infrastructure. 1. I changed the clocks on my boxes to reflect accurate times. 2. How do I verify that I have a mismatched key or not?  I'm almost positive I created the keys properly through the cert manager and downloading the corresponding Client Export. 3. See first part of my response. Thanks for your assistance.

I'm beginning to think the OpenVpn rules are auto-created as a "catch all" approach and are not user configurable, at least not through the WebConfigurator.

Yeah I did thanks. I've posted a new thread here with a YouTube video of my question. :) http://forum.pfsense.org/index.php/topic,67352.0.html

The ones under Hosts should be the public key from the other Hosts you are connecting too, not the same as the public key you configured on that box. (for security all hosts should use different public/private keys)

I use OpenVPN Client Export Utility package, and check the box for "Management Interface OpenVPNManager". You have to then install it from a Win7 admin account, but then mere mortals can use OpenVPN Manager to make their connections. So that is also an option that works for me.

Thanks phill Adding the route as per your suggestion worked perfectly Thanks again

You must use a different tunnel network for every OpenVPN instance. Post more details of your shared-key client and road-warrior server and we can try and spot the conflict.

Never mind all, turned out to be some weird problem updating between my server and my DDNS service. All solved now and thanks!

@kejianshi: Guess you didn't like the OpenvpnAS idea? I'm glad its working well for you. kejianshi, Thanks for recommendation. I will try it eventually. I just couldn't see my self changing existing infrastructure. Again thank you!