• Cert already in hash table

    1
    0 Votes
    1 Posts
    707 Views
    No one has replied
  • OpenVPN Authenticate/Decrypt packet error: packet HMAC authentication

    4
    0 Votes
    4 Posts
    8k Views
    W
    I'm having the same problem… "Authenticate/Decrypt packet error: packet HMAC authentication failed" and I've reviewed and re-input the keys a couple of times. I believe this may be related to the recent reset of all of the PIA keys/ports/ciphers due to the Russian activity. Does anyone have a 'how-to' that includes the most recent changes? TIA.
  • OpenVPN and bridging

    3
    0 Votes
    3 Posts
    2k Views
    opticalc
    @johnpoz: So you want to use tap vs tun? Why exactly do you feel you need to be on the same network as your remote location? Are you trying to broadcast for something, use multicast? What? There really are very few things that would justify "bridging" your openvpn connection. My directv box won't let me do lots of things unless it thinks I'm on the same network. It is on my home /24 network, using a /24 bitmask, and my VPN network is a smaller /29 network part of the same /24 network, but outside of what would be the same /29 that the directv box would be on if I left its IP the same but put its netmask to /29. Was thinking that pfSense would proxy arp to the directv box in place of my VPN client but it apparently isn't happening. Hoping that by having a layer2 VPN here it would work.
  • Gateway is down even though the OpenVPN is up. [SOLVED]

    4
    0 Votes
    4 Posts
    1k Views
    brezlord
    Thanks, I worked it out a few days ago. The ping time on the default VPN ping was too long and showing the gateway down. I changed the monitor address to the server public address instead of the VPN address and all is good now. Thanks, Simon
  • VPN from softphone to softphone

    1
    0 Votes
    1 Posts
    412 Views
    No one has replied
  • Double "redirect gateway" entry in ccd

    5
    0 Votes
    5 Posts
    1k Views
    Pippin
    Nice, but indeed, not 100% sure and don't want to clutter :) Server: Remote access SSL/TLS+User Auth In config file of server I see for example: server 192.168.168.0 255.255.255.0 tls-server I think: "server…...." already includes "tls-server" so no need for the latter. When exporting a client config I see similar in the *.ovpn: client tls-client Again I think: "client" already includes "tls-client" so no need for the latter. Thanks.
  • Site-to Site OpenVPN - DNS problem

    11
    0 Votes
    11 Posts
    4k Views
    F
    Thanks a lot viragomann. To get this to work - I ended up providing domain name (factory.local) to my remote office DHCP clients so those client PCs can resolve short (NetBIOS) names as well as FQDN for our local domain. I typed Main-Office DNS server IP (10.0.1.20) on the top of the list in General->Setup for Remote-Office pfSense machine (as you suggested). So now Remote Office client PCs can join the Main Office domain and are listed in AD-DNS with 10.0.5.x addresses :) I did not use DNS-Forwarder… do I really have to use DNS-Forwarder? I think AD-Client PCs are better left with their "natural" AD-DNS server for name resolution... Question: We have an extra subnet in Main Office (10.0.3.0/24) used for IP-Phones… Is it possible to connect that subnet through our VPN connection? We need to install a few IP-Phones in the Remote-Office location. I tried adding extra gateways and static routes at pfSense - nothing works... Please advise :)
  • First address if assign IF to OVPN

    1
    0 Votes
    1 Posts
    510 Views
    No one has replied
  • VPN Connection works but no network resource access

    14
    0 Votes
    14 Posts
    5k Views
    D
    Anyone have any advice on my problem? At this stage even after deleting all VPN related settings, rebooting and then re-configuring I end up with the same error. My next option is to reinstall PFSense on a new USB. Though I feel that if this is an option to address the problem there is something significantly wrong.
  • Two-tier PKI and OpenVPN - Do you use it?

    1
    0 Votes
    1 Posts
    751 Views
    No one has replied
  • How to safely grant access to users for changing their passwords?

    3
    0 Votes
    3 Posts
    833 Views
    S
    +1 You could even create a specific VLAN interface (even without configuring it on switch) just for this sole purpose, just make sure everyone has access to this interface/vlan.
  • Multiple open vpn server routing help

    15
    0 Votes
    15 Posts
    2k Views
    M
    Ok, I have added this: 192.168.50.0/24,192.168.1.0/24,192.168.0.0/24,192.168.60.0/24,192.168.61.0/24 You are a legend. How stupid do I feel. Yes, adding the tunnel networks to the remote networks allows connection. Thanks so much. I suppose learning never hurt anyone :) Mat
  • CSO, route field in server missing?

    5
    0 Votes
    5 Posts
    2k Views
    Pippin
    Yes, that is clear to me now. I got confused by two things: 1. In CSO "NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings." 2. In Server "Inter-client communication" 2 should not be ticked as one cannot control "who can see who" if ticked.
  • Openvpn site to site connection

    1
    0 Votes
    1 Posts
    507 Views
    No one has replied
  • Have traffic go through my pfsense/ISP at home from my phone/tablet etc

    3
    0 Votes
    3 Posts
    618 Views
    Q
    Hello! Thank you for the reply, I have a dynamic public IP, but I have something similar to DynDNS, meaning I have a domain name for my IP (which updates automatically when the IP changes). Best regards Tobias
  • Opening ports for bittorrent over a VPN (PIA)

    4
    0 Votes
    4 Posts
    2k Views
    Derelict
    @firemogle: Really, if I can get port 6881 and 6882 going from VPN to one IP I think I would be set. Thanks again, Are you talking about connections outbound to destination ports 6881 and 6882 or connections from the internet to 6881 and 6882 being forwarded to your host? The latter is trivial. Just make the destination ports on the rules that policy route to the VPN 6881 - 6882 instead of any. I don't know if you need TCP or UDP or both. TCP probably. But I don't think bittorrent works this way. To get ports from the internet forwarded to your host, first PIA has to listen on those ports and know to forward the connections to you. You have to have an OpenVPN assigned interface and port forward those ports to your inside host. Then you have to be sure those ports are allowed into your firewall on OpenVPN assigned interface rules - normal auto-generated by the NAT rule are OK here. If you're talking about making something like the attached show Open, this is what you want. ![Screen Shot 2016-07-18 at 9.08.17 PM.png](/public/imported_attachments/1/Screen Shot 2016-07-18 at 9.08.17 PM.png)
  • OpenVPN server with multiple public IP addresses [Resolved]

    4
    0 Votes
    4 Posts
    4k Views
    S
    Probably so. Especially if that service wants to be < 1024 port. ;)
  • Specific devices with OVPN client as gateway

    8
    0 Votes
    8 Posts
    4k Views
    Pippin
    @Pippin: I know OpenVPN has a built in internal packet filter that would allow firewalling client-to-client connections Here I'm confusing tun and tap. In case of tap above is true. With a pf_plugin_module for OpenVPN one could setup a scheme for who can talk to who. 1. Does allowing "Inter-client communication" in "Servers–>Edit server" set the client-to-client option in server config? 2. If so, then this cannot be firewalled? Yes, I just checked this, it does set client-to-client in server config and to my knowledge it cannot be firewalled. Is that true also for pfSense? If so, then maybe this should be stated under the tick box/help. It would mean, if one wants to firewall client-to-client communication, do not tick this box.
  • OpenVPN & Traffic Graphs

    5
    0 Votes
    5 Posts
    2k Views
    M
    Got it working. Turns out for some reason restarting the box once changes are applied fixes it. What I had done was right but a reboot was needed for some reason. Thanks All Mat
  • 0 Votes
    1 Posts
    443 Views
    No one has replied