• [solved] Running OSPF on tun OpenVPN

    2
    0 Votes
    2 Posts
    2k Views
    junicastJ
    I switched to Shared Secret mode and now it's working just fine.
  • Can't browse to computer on client-end of openvpn

    5
    0 Votes
    5 Posts
    892 Views
    M
    @jeffwcollins: No worries at all, remember there are a TON of actual network engineers that couldn't get this far either. Ha! Thanks, I'm trying :) In my opinion, for what it's worth, there are ways to get around it but they get pretty complicated in the long term with sustainment in mind, meaning that there is no easy way to get this working with the configurations that are currently in place. So, we'll be having a bunch of client appliances out in the field (~20-40) so I'd really like to keep this as simple as possible. I'm keeping my fingers crossed that we don't run into more locations that happen to use the same network addressing. Out of curiosity, what's keeping you from changing the IP scope of your site, instead of asking the remote office to change theirs? The problematic network is our server VLAN :( So, we've got DCs, VMs, etc. that are all hosted on that network, so changing that isn't really an option. We're actually blocking the client from accessing our server network as we want to limit outside access, but we want to be able to run scheduled tasks and do performance monitoring from that network to the clients in the field. *To offer some transparency, one thing that could be considered is running a one-to-one NAT across the VPN, but it could make sustainment a bit tedious in the long run. Just providing that as a possible fix for your problem. Yeah, like I mentioned above, simplicity is ideal, especially when we're having to maintain a lot of these appliances. It looks like the easiest approach might be to see if the hosting site is willing to put us on a different network. We could care less what it is as long as it gives us access to the Internet. Thanks!
  • 0 Votes
    2 Posts
    702 Views
    johnpozJ
    You should set your vpn client to not pull routes and then route the devices you want to go to your vpn via policy routing. [image: dontpullroutes.png]
  • Can't Connect

    2
    0 Votes
    2 Posts
    556 Views
    J
    It's probably your TLS session being denied. What logs are you getting on the OpenVPN Server side?
  • OpenVPN Vulnerability!!!

    2
    0 Votes
    2 Posts
    710 Views
    dotdashD
    Please search before posting: https://forum.pfsense.org/index.php?topic=132534.msg728642#msg728642 And take it easy with the exclamation points.
  • Openvpn 2.4 pfsense update to it?

    12
    0 Votes
    12 Posts
    8k Views
    johnpozJ
    That fixed it… But looks like there are some IPv6 issues along with dnssec for netgate.com. Might want to look into that ;) Looks like you have IPv6 glue - but no AAAA records to match up. ns1.netgate.com (2610:160:11:3:0:0:0:6) ns2.netgate.com (2610:1c1:3:0:0:0:0:108) I am showing these IPv6 glue entries.
  • MOVED: D

    Locked
    1
    0 Votes
    1 Posts
    375 Views
    No one has replied
  • OpenVPN as a Client on OPT1?

    1
    0 Votes
    1 Posts
    420 Views
    No one has replied
  • Site to Site shared key some devices cannot be reached

    5
    0 Votes
    5 Posts
    1k Views
    G
    It definitely was something on pfSense. Since I ran out of time I had to replace both of them with something else. Changed nothing else and it instantly worked. Pretty unsatisfying though. Really would have wanted to know what exactly was causing the problem. Also very unfortunate that paid support by incident is no longer available. Definitely would have been willing to pay for support for that but with the new contracts only system it would have cost me almost $2000 /:
  • No Pings beyond pfS Gateway

    4
    0 Votes
    4 Posts
    797 Views
    V
    Ensure that:
    - pfSense is the default gateway on the hosts behind.
    - you have a firewall rule set on the OpenVPN interface which allows the access.
    - the destination hosts' system firewalls do not block the access.
  • 2 problems with routing on site2site + failover (carp)

    1
    0 Votes
    1 Posts
    484 Views
    No one has replied
  • Site to Multisite VPN Configuration

    2
    0 Votes
    2 Posts
    469 Views
    K
    Dear All, Can you please guide how to configure Site to Multi site VPN Connection. I have Site A (Head Office) +Site B (Water Factory) +Site C ( Steel Factory) + Site D ( Crusher Factory). I have Static ip and dyndns accounts with me Regards kiruba
  • OpenVPN and Socks support

    2
    0 Votes
    2 Posts
    886 Views
    S
    Hello everyone, any thoughts on this issue? I've spent hours already but nothing works unfortunately.
  • Pfsense openvpn client, manual control and logon info

    1
    0 Votes
    1 Posts
    462 Views
    No one has replied
  • Problems setting up Mullvad

    19
    0 Votes
    19 Posts
    7k Views
    G
    @bimmerdriver: I'm trying to set up Mullvad using pfsense 2.4 beta. Their guide (https://www.mullvad.net/guides/using-pfsense-mullvad/) is somewhat vague and is for an earlier version of pfsense. It's working for ipv4 but not for ipv6. Can I ask, did you deviate from the guide at all? I have tried to setup mullvad on my pfsense box following that guide and it doesn't seem to be working at all. I am relatively new to this so any help would be greatly appreciated as you seem to have it working for IPV4, which is all I need at the moment.
  • 0 Votes
    5 Posts
    1k Views
    M
    Hi, I solved it! I had made it more complicated than it should have been! :D I followed the documentation and set up another server on another port. A peer-to-peer server, then you could specify the "client" network and then the routing got solved by itself. It works flawlessly now :-) I just love pfsense more every day :P Thanks for your concern and fast answers! :-)
  • How to add a CentOS to an existent pfSense openvpn configuration

    6
    0 Votes
    6 Posts
    2k Views
    A
    Hi whosmatt, Thank you very much for the help! Actually the CentOS server is one of my openvpn clients since it is behind a firewall I have no control over. I have used sudo systemctl enable openvpn@pfSense-TCP… and it is working perfectly. I am using TCP since it is through an ssh tunnel. I rebooted it several times and it is starting automatically after the start of my kvm. I am actually thinking of replacing the kvm with oVirt. Do you have any experience with it? Best Regards, agrozdanov
  • OpenVPN + Resilio Sync… iOS clients can't direct connect to LAN peers

    1
    0 Votes
    1 Posts
    660 Views
    No one has replied
  • Open VPN on separate subnet

    2
    0 Votes
    2 Posts
    702 Views
    C
    I'm no expert either but I do have a similar setup, a single PC routed over my VPN with all other traffic going over the WAN. I don't see why you couldn't do the same but just specify a /24 instead of single host.
    Firewall / Rules / LAN
    Create new Rule
    Action: Pass
    Source: Set your 10.0.20.0/24 network
    Advanced Options - Gateway: Select your VPN
    Save.
    Move the new rule above the "Default allow LAN to any" rule. Click "Save" then "Apply" and restart your VPN service.
    If this is off track please give some more details.
    -Chris
  • Load Balance OpenVPN Client

    4
    0 Votes
    4 Posts
    1k Views
    M
    I was testing on the pfSense console, that's why it was not working. I tested on a computer connected to the LAN of the pfSense and the traffic is being routed, however the load balancing is not working as expected; most of the traffic is leaving from the first OpenVPN client. EDIT: I tested with a download accelerator downloading a file on a web server hosted on the "House 1" and it uses all the bandwidth from both WANs. I guess my problem is solved then. If someone knows some ways to improve or tweak, feel free to post.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.