The only thing I can think of is those password fields were somehow populated. Try setting the VPN to Peer to Peer (SSL/TLS) That should expose the username and password fields. Clear them out and set it back to Peer to Peer (Shared Key) and save. Might work.

Routing table is empty. I’ll try and grab some screenshot. Config and firewall is just from the wizard.

@derelict said in Windows OpenVPN Clients: One thing I would try - sort of a shot in the dark - would be changing the CN for Gil_Mobile to Mobile_Gil. I thought I'd give it a try, but has pobably added to the confusion a bit. CN: "Gil" fails always (as per previous) CN: "Gil_Mobile" works; but it fails on the first attempt if "Mobile_Gil" has just previously connected CN: Mobile_Gil works; but it fails on the first attempt if "Gil_Mobile" has just previously connected The error message from the first attempt on the OpenVPN Server: Feb 5 21:29:23 openvpn 43450 Gil_Mobile/101.191.59.43:31448 SIGTERM[soft,delayed-exit] received, client-instance exiting Feb 5 21:29:17 openvpn 43450 Gil_Mobile/101.191.59.43:31448 SENT CONTROL [Mobile_Gil]: 'AUTH_FAILED' (status=1) Feb 5 21:29:17 openvpn 43450 Gil_Mobile/101.191.59.43:31448 Delayed exit in 5 seconds Feb 5 21:29:17 openvpn 43450 Gil_Mobile/101.191.59.43:31448 PUSH: Received control message: 'PUSH_REQUEST' Feb 5 21:29:16 openvpn user 'Mobile_Gil' authenticated Feb 5 21:29:16 openvpn 43450 Gil_Mobile/101.191.59.43:31448 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA Feb 5 21:29:16 openvpn 43450 Gil_Mobile/101.191.59.43:31448 TLS: tls_multi_process: untrusted session promoted to semi-trusted Feb 5 21:29:16 openvpn 43450 Gil_Mobile/101.191.59.43:31448 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1 Feb 5 21:29:16 openvpn 43450 Gil_Mobile/101.191.59.43:31448 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo' Feb 5 21:29:16 openvpn 43450 Gil_Mobile/101.191.59.43:31448 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1569' Feb 5 21:29:16 openvpn 43450 Gil_Mobile/101.191.59.43:31448 TLS Auth Error: Auth Username/Password verification failed for peer Feb 5 21:29:16 openvpn 43450 Gil_Mobile/101.191.59.43:31448 TLS Auth Error: username attempted to change from 'Gil_Mobile' to 'Mobile_Gil' -- tunnel disabled I think I'm chasing my tail without some better tools and more understanding of the Microsoft Certificate Storage. I am using the openVPN GUI v11.10.0.0 from OpenVPN Technologies Inc. Not sure if there is an alternate app to test with. @derelict said in Windows OpenVPN Clients: Also there might be some logging that can be turned up on the client that will display what it is doing in that cryptoapicert cal I don't see any additional logging options available.

@f8dhb Hey Show the client settings (file client.ovpn) Certificates only need to be deleted For example, it might look like this dev tun persist-tun persist-key cipher AES-128-CBC ncp-ciphers AES-128-GCM:AES-256-GCM auth SHA256 tls-client client resolv-retry infinite remote XXX.XXX.XXX.XXX 1194 udp verify-x509-name "aaaa.bbbb.local" name remote-cert-tls server compress mssfix 1360 <ca> -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- -----END PRIVATE KEY----- </key> <tls-crypt> -----BEGIN OpenVPN Static key V1----- -----END OpenVPN Static key V1----- </tls-crypt>

Probably not.

Maybe I have found a solution for me. OpenVPN error messages are still there: Jan 27 13:09:38 php-fpm 47087 /rc.newwanip: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1548594578] unbound[17890:0] error: can't bind socket: Address already in use for 127.0.0.1 port 953 [1548594578] unbound[17890:0] error: cannot open control interface 127.0.0.1 953 [1548594578] unbound[17890:0] fatal error: could not open ports' Jan 27 12:41:03 openvpn 97238 ERROR: FreeBSD route add command failed: external program exited with error status: 1 Feb 2 18:56:11 openvpn 47315 PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,sndbuf 131072,rcvbuf 131072,comp-lzo adaptive,route-gateway 10.3.2.3,redirect-gateway ipv6,route-ipv6 2000::/3,ping 10,ping-restart 60,dhcp-option DNS 95.211.146.77,dhcp-option DNS 37.48.94.55,ifconfig-ipv6 fdbf:1d37:bbe0:0:48:18:0:f1/112 fdbf:1d37:bbe0:0:48:18:0:1,ifconfig 10.3.2.241 255.255.255.0,peer-id 0' Feb 2 18:56:11 openvpn 47315 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS]) Feb 2 18:56:11 openvpn 47315 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS]) Feb 2 18:56:11 openvpn 47315 Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS]) Feb 2 18:56:11 openvpn 47315 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS]) Feb 2 18:56:11 openvpn 47315 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS]) I do not have the full speed, but it works with these NAT rules: [image: 1549135810481-nat-resized.png] Why do i need this localhost rules for OpenVPN? Do I need more rules like these? browse "System: General Setup" specify desired third-party DNS servers on WAN_DHCP [x] Do not use the DNS Forwarder as a DNS server for the firewall browse "Services: DNS Forwarder" [ ] Enable DNS forwarder browse "System: Advanced: Networking" [ ] Allow IPv6 [x] Prefer to use IPv4 even if IPv6 is available browse "System: Advanced: Miscellaneous" [x] Skip rules when gateway is down [x] Enable gateway monitoring debug logging

If you can exchange traffic with other hosts on that remote network and not THAT particular host, check for a firewall on THAT host. Check the gateway settings on THAT host. Packet capture on the interface THAT host is connected to for icmp traffic to THAT host IP address and try to ping it. Look at the capture. Are echo requests sent to THAT host captured? Are there replies? No? Check THAT host for the reason.

Hi @pfsmooth , If these addresses are all internal, why redact them? It only prevents observers from being able to accurately assess your configuration. What do your firewall rules look like on the OpenVPN interface? If you are trying to reach multiple LANs from VPN client, are all of the networks you are trying to access listed in the Local Networks field under the OpenVPN server instance? Or do you have the setting "Redirect IPv4 Gateway" enabled? The more information you can provide, including the unredacted internal addresses of the devices involved, the better it will help others be able to understand and provide suggestions to resolve your problem. Thank you, -James

Found Ubuntu manual setup and found this Line: Remember that you will use append @usenetserver at the end of your username (ex. username@usenetserver). so no ".com" and it worked. thank you for the Info

Yeah! I was missing those. Had an idea that CSO should be enough. Gave it a try. server pfsense: Config: Remote Access added route statement for the remote subnet in custom options local networks: local subnet, remote subnet (peer to peer server should have this, still trying to figure out why the remote subnet should be here, but according the pf-guide-doc it should, and it works as intended) CSO: remote networks: remote subnet Question here: In the CSO i got a Local Network field. Does this have effect on this kind of config? remote pfsense: Config: Peer to peer tunnel network: empty remote network: empty (in peer to peer config these are configured at time of connect, true for this scenario too?) But, no, can't pass traffic LAN to LAN.

It could be turned into a GUI option, but thus far nobody has taken the time to do it. We'd also have to locate and warn against the possible negative side effects of doing that.

Depending on your OpenVPN RAS setup the route is pushed to the Client, no need for manual steps. -Rico

Some months ago because of VORACLE I disabled compression completely, for testing only for my RAS Servers first...with a HUGE negative impact for my Users. e.g. working with MS Office files from SMB shares and saving them, took 5 to 10 times longer with compression off. Back to lz4-v2 now... -Rico

So the "maximum temperature allowed at the processor die" for that processor is 105C. (https://ark.intel.com/products/85212/Intel-Core-i5-5200U-Processor-3M-Cache-up-to-2-70-GHz-). Of course, you don't want to get too near that, but 54C is perfectly fine. I'd keep an eye on it in the summer for sure; I think as a rule of thumb it'd good to keep it at or below around 65C. I only say that because I think a lot of BIOSes use that as their default "thermal warning" value.

Glad you have it working now. -Rico

This is the alias list: [image: ub8T6ai.png]