  • How do I bypass mp OpenVPN connection? (0 votes, 1 post, 1k views, no replies)
  • Pfsense x86 x64 Windows 7 error (0 votes, 5 posts, 2k views)

    @Fr0ntSight: It is a 64bit machine
    64bit machine != 64bit OS.
    @tjgertge: I'm having the same issue as well. Have you found any resolution?
    The resolution is to NOT try to install 64-bit applications on a 32-bit OS.
  • OpenVPN, 3 offices, need help with conf (0 votes, 5 posts, 3k views)

    1. Use "tun", that is for routing between different subnets at each site. "tap" is for bridging, when you want the same subnet everywhere and broadcast traffic to go across the OpenVPN and be seen everywhere.
    2. You don't need to change any NAT. NAT is not needed between the subnets on your private intranet - they can route happily to each other across the secure OpenVPN links. The internet traffic at each office goes straight out the office WAN/s and the automatic outbound NAT takes care of it. (If, one day, you want to send internet traffic from a branch office across the OpenVPN to the main office, then out to the internet, then you have to mess with manual NAT.)
    3. Each office has a LAN subnet, and each OpenVPN link is a subnet - this is the "Tunnel Subnet". Technically the tunnel subnet for a single site-to-site connection can be just 4 addresses (a "/30"). But it is much easier on the brain to give it a "/24". e.g.
       Main Office - 10.77.0.0/24
       Branch 1 - 10.77.1.0/24
       Branch 2 - 10.77.2.0/24
       OpenVPN Tunnel Main to Branch 1 - 10.78.1.0/24
       OpenVPN Tunnel Main to Branch 2 - 10.78.2.0/24
       Make up 10.n.n.0/24 numbers to your liking.
    4. The OpenVPN client keeps trying every 60 seconds, forever until it gets a response. In my experience, OpenVPN is very good at reestablishing itself after 1 end has gone away and come back again.
    If you need Branch 1 and Branch 2 to talk to each other, then make another OpenVPN site-to-site between the 2. Then if Main office is down, branch 1 and 2 can still communicate. Note: It is possible to route from branch 1 to branch 2 via main office, but in this 3 office triangle it is simple to add the 3rd OpenVPN link.
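A worked configuration for the three-office layout described in that reply, added here as an example; it is not from the post and not pfSense's generated output. It uses the reply's subnets; the main office WAN address 203.0.113.10, the UDP ports and the key file paths are assumptions. It is the "Peer to Peer (Shared Key)" style that pfSense builds for a site-to-site link, so no iroute is involved; a TLS-mode server would instead need client-config-dir and an iroute for each remote LAN.

```conf
### Main office: server side of the Main <-> Branch 1 link
dev tun                      # routed link; "dev tap" would bridge one L2 segment across sites
proto udp
port 1194
local 203.0.113.10           # ASSUMED main office WAN address (TEST-NET-3)
secret /var/etc/openvpn/server1.secret   # ASSUMED path; one pre-shared key per link
# tunnel subnet 10.78.1.0/24: main takes .1, branch 1 takes .2
ifconfig 10.78.1.1 10.78.1.2
# kernel route for the remote LAN via this tun; no NAT between 10.77.0.0/24 and 10.77.1.0/24
route 10.77.1.0 255.255.255.0
keepalive 10 60              # ping every 10 s, restart the tunnel after 60 s of silence
persist-key
persist-tun
cipher AES-256-CBC           # static-key mode cannot use AEAD ciphers such as AES-256-GCM
auth SHA256

### Main office: second server instance for the Main <-> Branch 2 link
# identical apart from: port 1195, secret server2.secret,
# ifconfig 10.78.2.1 10.78.2.2, route 10.77.2.0 255.255.255.0

### Branch 1: client side of the Main <-> Branch 1 link
dev tun
proto udp
remote 203.0.113.10 1194     # ASSUMED main office WAN address
secret /var/etc/openvpn/client1.secret   # same key material as server1.secret
ifconfig 10.78.1.2 10.78.1.1
route 10.77.0.0 255.255.255.0            # main office LAN
keepalive 10 60
persist-key
persist-tun
cipher AES-256-CBC
auth SHA256
# Internet-bound traffic still leaves via this office's own WAN; nothing above
# changes outbound NAT. To reach Branch 2 either add a direct Branch 1 <-> Branch 2
# instance (tunnel 10.78.3.0/24, route 10.77.2.0 255.255.255.0) or route via main
# with "route 10.77.2.0 255.255.255.0" here plus "route 10.77.1.0 255.255.255.0"
# on Branch 2's client; main already routes both LANs over its two tuns.
```

Only .1 and .2 of the /24 tunnel subnet are ever used, which is why a /30 would also do. On pfSense the GUI writes these files for you; what you still add by hand is a pass rule on the OpenVPN firewall tab for traffic between 10.77.0.0/24 and 10.77.1.0/24 at each end.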
  • Auth against LDAP/AD fails with SSL (locked; 0 votes, 11 posts, 15k views)

    Go ahead, it is here for this ;-) Here is my documentation on my private wiki. It's in French, but Google is your friend. Take whatever you want.
    http://www.ordinoscope.net/index.php/Informatique/Syst%C3%A8mes_d%27exploitation/PfSense/Recettes/Authentification_LDAP
    and also my reference: http://forum.pfsense.org/index.php/topic,44689.0/topicseen.html
  • OpenVPN problem (0 votes, 8 posts, 2k views)

    Ok, site to site, PFsense on both ends, forget the iroute. I don't see a route to the 192.168.10.x/24 network on your server… that's why you can't get to the client-side. Although, I do see a route to the 192.168.194.0/24 network... which looks like the LAN on the client-side... are you sure the client is on the 192.168.10.0/24 network? Might want to double check... cause it doesn't look like it. Post your server1.conf and client1.conf. On the client-side, it looks like you're double NATing, so you'll have to either remove it or keep your static route in place (someone correct me if I'm wrong).
  • Problems connecting remotely via Android (0 votes, 5 posts, 7k views)

    jimp: "TLS key negotiation failed to occur within 60 seconds" just means that it can't reach the server, or the server rejected it. Check the server log for OpenVPN and you may find the answer, or at least more info we can use to help. If that log shows nothing, then it is either a connectivity issue or a firewall rule issue.
  • (topic title missing; 0 votes, 3 posts, 1k views)

    @phil.davis: On his end, assign an interface to the OpenVPN site-to-site link. Leave the IPv4 type as "none" (the system will organise the existing IP of the OpenVPN link…). Then a gateway should appear that goes to the other end of the site-to-site link. Add a firewall rule on his LAN selecting the relevant source IP, destination all, and in the advanced section select the gateway for the site-to-site link.
    At your end you probably need to:
    a) make sure the OpenVPN link has a pass rule allowing the special source IP, destination any.
    b) NAT the traffic from him heading to the internet (automatic outbound NAT is only going to do it for traffic from your LAN to WAN).
    Others, what have I forgotten?
    This did the trick! Makes sense now. I think I was making it out to be a little more complex than it turned out to be. Thanks for the info!
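The same steps expressed as pf rules, added here as an illustration; pfSense generates its pf ruleset from the GUI, and this is not that output. The interface names em0/em1/ovpnc1/ovpns1, the host 10.77.1.50, the LANs 10.77.1.0/24 (his end) and 10.77.0.0/24 (your end), and the tunnel gateway 10.78.1.1 are assumptions.

```conf
# ---- his end: the site whose one host should leave through your WAN ----
lan       = "em1"
ovpn_link = "ovpnc1"          # OpenVPN client instance, assigned as an interface
far_end   = "10.78.1.1"       # ASSUMED: the gateway that appears after assigning it

# policy route: only this source is pushed into the tunnel; the route-to rule must
# sit above the general LAN rule, otherwise the default route out his WAN wins
pass in quick on $lan route-to ($ovpn_link $far_end) inet from 10.77.1.50 to any keep state
pass in quick on $lan inet from 10.77.1.0/24 to any keep state

# ---- your end: the site whose WAN will carry that traffic ----
wan      = "em0"
ovpn_srv = "ovpns1"

# b) automatic outbound NAT only covers your own subnets, so translate the remote host
#    explicitly (translation rules precede filter rules in a FreeBSD pf.conf)
nat on $wan inet from 10.77.1.50 to any -> ($wan)

# a) pass rule on the OpenVPN interface: the special source, destination any
pass in quick on $ovpn_srv inet from 10.77.1.50 to any keep state
# the ordinary LAN-to-LAN traffic of the site-to-site link
pass in quick on $ovpn_srv inet from 10.77.1.0/24 to 10.77.0.0/24 keep state
```

Without the nat line, packets from 10.77.1.50 would leave your WAN with a private source address and never get answers; without rule a) they would be dropped on arrival, since pfSense treats the OpenVPN interface like any other and passes nothing by default.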
  • OpenVPN Version? (0 votes, 3 posts, 1k views)

    galgier, v1.5.5 is a version of OpenVPN Access Server, which PFsense does not use.
  • OpenVPN Packet Corruption (0 votes, 5 posts, 2k views)

    Glad it's working. It looks like you're using split tunnel, so my thought was it had to be on the client end, but you're also double NATing and using port 443 instead of 1194… that probably has something to do with it. Also, I'm curious to know why you're pushing out Google DNS with a split tunnel deployment.
  • OpenVPN Client Export Issue (0 votes, 3 posts, 1k views)

    Thanks for the reply. I ended up figuring out that a UAC permission was blocking the installation. FYI for anyone else running into this problem that has all UACs turned on, disable only these two:
    User Account Control: Detect application installations and prompt for elevation
    User Account Control: Only elevate executables that are signed and validated
    I'm not sure exactly which one did the trick because even after forcing policy updates it still took a while for some replication, but I know for a fact that with these two disabled I am now able to install any application.
    Justin
  • Routing OpenVPN to VLAN and vice versa (0 votes, 1 post, 1k views, no replies)
  • Port-share (0 votes, 2 posts, 1k views)

    Started over from scratch and got it to work by making sure all of my port forwarding worked before I configured OpenVPN access.
  • TAP interface doesn't receive IP address (0 votes, 2 posts, 1k views)

    OK, update on this. Applied all Windows updates (there were about 80) and now it seems to work. Would be good/interesting to know which KB did solve this (if any? magical things have happened before). Will try on another client when possible.
  • (topic title missing; 0 votes, 4 posts, 2k views)

    I don't know what you have now as your office router, but if it is not pfSense already, then I would replace it with pfSense. Then you have 1 router that can do it all easily. If you put a separate pfSense router in your office LAN somewhere, then you will have to add static route/s to your office router telling it about the pfSense and what subnets are reached through that. Also, I would change 192.168.0.0/24 at home to some other less popular private subnet - e.g. use something in 10.0.0.0/8. That will avoid pain when you take your laptop to a cafe that uses 192.168.0.0/24 and try to VPN back home.
  • OpenVPN: Log and port forward question (0 votes, 16 posts, 6k views)

    Thank you for your feedback :)
  • Different VPNs for different groups and use RADIUS? (0 votes, 1 post, 1k views, no replies)
  • OpenVPN MultiWan Port Forwarding Becoming Connectable (0 votes, 2 posts, 1k views)

    Hi, just to make sure what you have: You have one WAN connection and one (or more) LAN connections? Some traffic from LAN to the internet should go through the VPN and other should go through your original WAN, right? It could be useful to see your firewall LAN rules and, if you really have port forwarding enabled, then the firewall rules on your WAN interface - at least for the port forwarding rule.
  • TLS key negotiation failed to occur within 60 seconds (0 votes, 1 post, 3k views, no replies)
  • Problem with Windows 7 (0 votes, 7 posts, 2k views)

    I deactivated the Windows firewall and the Avast firewall.
    Best regards
    Thierry
  • Prevent Web Configurator Login (0 votes, 5 posts, 2k views)

    @NOYB: Does not prevent account from WebConfigurator login. Just restricts access to WebConfigurator pages.
    Check cmb's post… that was exactly my point.... don't put them in a group that has access.
    Only works for OpenVPN connection access.
    You can put those rules on any interface.
    Not difficult to find the changed and non disclosed WebConfigurator port.
    So, change it and install firewall rules to harden access. Not difficult to keep people out with firewall rules.
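What "change it and install firewall rules" looks like in pf terms, added here as an example rather than taken from the thread (pfSense builds its ruleset from the GUI; these lines are the equivalent, not its output). Assumed: the webConfigurator moved to TCP 4443, LAN on em1 with subnet 10.77.0.0/24, one admin workstation 10.77.0.10, and a remote-access OpenVPN server on ovpns2 handing out 10.79.0.0/24.

```conf
lan      = "em1"
ovpn     = "ovpns2"            # remote-access OpenVPN server, assigned as an interface
admin    = "10.77.0.10"        # ASSUMED: the one workstation allowed to manage the box
gui_port = "4443"              # ASSUMED: System > Advanced > Admin Access, TCP port 4443
vpn_net  = "10.79.0.0/24"      # ASSUMED: remote-access tunnel network
lan_net  = "10.77.0.0/24"

# LAN: only the admin workstation reaches the GUI on the LAN address; the rest of
# the LAN is dropped before the usual "LAN to any" rule can match
pass  in quick on $lan  proto tcp from $admin   to ($lan) port $gui_port keep state
block in quick on $lan  proto tcp from $lan_net to ($lan) port $gui_port

# OpenVPN clients: the GUI is unreachable on every firewall address ("self"), whatever
# port it was moved to, while ordinary access to the LAN still works
block in quick on $ovpn proto tcp from $vpn_net to self port $gui_port
pass  in quick on $ovpn inet from $vpn_net to $lan_net keep state
```

The LAN restriction only takes effect if the built-in anti-lockout rule (System > Advanced > Admin Access) is disabled, since that rule sits above user rules and permits the GUI port from any LAN host. Moving the port by itself is obscurity; the block rules are what actually keeps VPN users off the login page.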
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.