Many thanks for your replies.

I just see this recently posted here: https://forum.pfsense.org/index.php?topic=118196.0 Will try that and post back if it does not work. Thanks. Tom. EDIT: That worked perfectly for me. I did just need to also disable the default LAN rule.

When you test from your inside host it is connecting out WAN so that is the IP address it will be testing. You need to create a rule on LAN that policy routes that test traffic out OPT1 so that is the interface the test is done on.

That worked perfectly. Thank you so much.

That makes sense.  I notice, however, that some of the warnings have a source IP that is internal to my network.  How would one explain that?

Ah, shared key.  ok.

Hi iorx, The OpenVPN road warrior can go to all the LAN where it is connected to as well as all the Ipsec tunnels. Where I have a problem is that the OpenVPN road warrior cannot go to other OpenVPN site-to-sites… Regards, Carlos

I found the solution to my problem. I went through a clean install, but there was no change in the issue of the OpenVPN client disconnecting.  I finally tried changing from UDP to TCP for OpenVPN.  This resolved the issue.  I believe it is due to poor line quality from my ISP and TCP dealing with the errors better.

I don't really want to see your asci art.. Post up your setting in your gui.. Where is the one that works… So your trying to use the same port on both of them?? lport 1194

If you guys could share your OpenVPN Client config screens, that would be great.  I've been configuring it and I'm being jerked around by an AUTH_FAILED error, when I know for a fact that the user/pass are correct because I can connect with those creds when using their app on Windows. Edit:  Bizarre.  My creds work just fine when using the VyprVPN app.  When using their .ovpn file with OpenVPN, I can't authenticate with those same creds.  That explains why I couldn't connect via pfSense.  Time to see what's up with the VyprVPN folks.

Why are you bridging if the subnets are different? You have given the two sides no way to reach each other. There is no tunnel network on the VPN for them to use as a gateway, and they have no subnets in common. Routing requires both sides to have an address in a common subnet. It can't push nor use routes because there is nowhere for them to go. Usually in a bridge scenario the LANs are the same subnet. From the look of your network layout, you don't need nor want a bridge. You could use tap but there is no advantage in this scenario. Remove the bridge components and follow this to setup the VPN using SSL/TLS like you have started: https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

There is no way to accomplish what you're after. We get that request fairly often but we have not implemented it because we consider it to be a security problem. OpenVPN gives you multiple factors of authentication: TLS Key, User Certificate, plus Username and Password. Allowing someone who has obtained the username and password to easily obtain the other factors weakens the overall security of the VPN.

Use www.torproject.org

Aug 31 14:11:39  openvpn  50596  FreeBSD ifconfig failed: external program exited with error status: 1 That means the IP address it's trying to use for the tunnel network is already in use – either on another interface or it's in the routing table somehow (e.g. from quagga). Figure out what is conflicting and fix that, and your problem will go away. If it's quagga, disable redistribution and acceptance of 192.168.12.1/32 for example.

Yes, you can do this. But connections are only accepted by the master. After a failover to the other box, the client has to reconnect, but OpenVPN clients do these automatically.