• Welcome Dialog on logins

    1
    0 Votes
    1 Posts
    491 Views
    No one has replied
  • PFsense 2.2.4 Drops openvpn connections, does not allow reconnect

    2
    0 Votes
    2 Posts
    625 Views
    C
    If you're not getting anything in the OpenVPN logs, nothing is reaching that system. Given CARP failover or a reboot fixes temporarily, either an IP or MAC conflict is almost certainly the cause. MAC conflict where some other system has the same VHID as that CARP IP (or VRRP VRID, same virtual MAC scheme).
  • 0 Votes
    5 Posts
    1k Views
    ?
    @LAR I also have recently set up pfSense with PIA and been wanting to use stronger encryption. I found a note about changing the port to 1196 to get AES-128-CBC to work (SHA only, not SHA256). Which is the most I've been able to get beyond the weak defaults. I tried other ports to try to get AES-256-CBC, but no luck. Unfortunately after much digging I found a few obscure forum posts that indicated that to get SHA256, or a cert higher than 2048, you need to use PIA's patched client. (Anyone that has more or different info, would be appreciated.) This should just be a matter of changing standard client settings, and should not need a special patched client. So I'm a bit disappointed with PIA and their default to weak encryption and the need for a patched client to get what should be common high encryption standards to work with common OpenVPN clients.
  • OpenVPN OSX nightmare

    7
    0 Votes
    7 Posts
    2k Views
    J
    Are you accessing them from the same location? I.e., are the Mac and the PC on the same network attempting to reach the VPN server? Is the Mac being pushed the proper route to get to your remote IP range? I use Viscosity every day connecting to multiple installs of pfSense without issue; it does work well once it is set up properly.
  • Want a hostname to resolve to an IP over a openvpn, please help.

    17
    0 Votes
    17 Posts
    6k Views
    E
    I figured it out. Missed one small thing the whole time. You MUST use DNS Forwarder (I tried dns resolver but had no luck, and in the domain overrides section there is no source ip), so what I did was on kenansville.local pfsense, I added host override of realestate.kenansville.local to 192.168.2.2 and under domain override I added kenansville.local with ip 192.168.2.1@192.168.1.1 and that works perfectly :) I hope it doesn't mess up any resolving of pc's on the kenansville network though. I have no way to test that at this moment. Not sure why there was a DNS request time out in this nslookup but here is the report below:
    Here is a current nslookup and ping:
        C:\Windows\system32>nslookup realestate
        Server:  router.kenansville.local
        Address:  192.168.1.1
        DNS request timed out.
            timeout was 2 seconds.
        Name:    realestate.kenansville.local
        Address:  192.168.2.2
        C:\Windows\system32>ping realestate
        Pinging realestate.kenansville.local [192.168.2.2] with 32 bytes of data:
        Reply from 192.168.2.2: bytes=32 time=103ms TTL=126
        Reply from 192.168.2.2: bytes=32 time=106ms TTL=126
        Reply from 192.168.2.2: bytes=32 time=113ms TTL=126
        Reply from 192.168.2.2: bytes=32 time=109ms TTL=126
        Ping statistics for 192.168.2.2:
            Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
        Approximate round trip times in milli-seconds:
            Minimum = 103ms, Maximum = 113ms, Average = 107ms
  • Pinging across the VPN, how to?

    3
    0 Votes
    3 Posts
    894 Views
    H
    fill in a gateway in the AP's settings. if you are using a home-router as AP, then you most likely cannot fill in a gateway for its lan-interface :(
  • Openvpn "handshake failed"

    2
    0 Votes
    2 Posts
    833 Views
    D
    Welcome to pfSense. The fact that you get "handshake failed" means the client is at least trying to connect which is a good sign. In order to help you with your setup, we'll need more information about your setup: What type of OpenVPN connection are you using - site to site or remote access ? What type of authentication are you using - PKI, PKI + Auth, Shared Key? What device is trying to connect as a client?
  • OpenVPN needs restarting

    2
    0 Votes
    2 Posts
    719 Views
    S
    I found that my log needed a reset, so now when this happens the next time I will hopefully get some useful info and see what the problem is. Perhaps I need you guys again…
  • OpenVPN on dual WAN - cannot reach clients

    15
    0 Votes
    15 Posts
    2k Views
    E
    Hi, anybody have any further ideas? This is still not working, but I cannot find the issue. All settings look fine.
  • LAN to access OpenVPN clients

    3
    0 Votes
    3 Posts
    2k Views
    J
    @Viragomann: Thanks for your reply. Forgot about Winblows firewall. I just punched a hole in it and it works. I was only using this machine to test the connection before setting it up on my remote machine. Thanks again.
  • PfSense and MikroTik site-to-site OpenVPN

    9
    0 Votes
    9 Posts
    8k Views
    J
    Hi everyone. acriollo can you help me setting up an OpenVPN Server in pfsense and a Mikrotik OpenVPN Client? I can't get mine working… Thanks in advance.
  • OpenVPN PAM/Yubico

    4
    0 Votes
    4 Posts
    3k Views
    D
    Hi, The way I got this working was via another FreeBSD instance and creating a separate curl-package with cares-support (https://github.com/Yubico/yubico-pam/issues/55 - is in fact my post). However, this is not at all good, since every update of pfSense breaks the package, and you need to reinstall the precompiled port. This is why I tweeted pfsense a while back urging them to ship pfSense with cURL-cares (https://twitter.com/ict_sec/status/648418038807724032). I just jotted down a few notes to help me remember what I did on a separate FreeBSD instance to get it working, with the guidance from http://mjslabs.com/yubihow.html.
        mv /usr/ports /usr/ports.bak
        pkg install subversion
        svn checkout https://svn0.eu.FreeBSD.org/ports/head /usr/ports
        make config
        make install
        pkg create /usr/ports/ftp/curl
    Transfer the newly created .txz file to the pfsense machine and install with
        pkg add curl-XXXX.txz
  • OpenVPN site to site (client/server) + server/server

    10
    0 Votes
    10 Posts
    2k Views
    D
    Honestly I've never run into the key length issue on "modern" clients. I have used no less than 2048 bit for certificates and DH parameters for at least the last five years without issue. I would make sure your certificates are correct, that has always been the biggest "hassle" for me in setting up OpenVPN links. After doing a little hunting on the OpenVPN site, I do see reference to a similar problem with a DD-WRT router and an iOS client, but that was on a much older version of the OpenVPN client. Might be worth a check to make sure the iOS client app is fully up to date or perhaps even an uninstall/reinstall.
  • [Solved] Unable to access LAN network using OpenVPN

    6
    0 Votes
    6 Posts
    2k Views
    A
    Hi There, I've resolved this by changing the gateway from existing to pfsense IP, which will then allow clients to communicate with pfsense as the gateway. Now, I'm able to access the said network. Thanks!
  • Site to Site bridging server to client from local access server's client

    1
    0 Votes
    1 Posts
    597 Views
    No one has replied
  • PfSense OpenVPN Client

    1
    0 Votes
    1 Posts
    961 Views
    No one has replied
  • Centos 7 as client to pfsense server

    2
    0 Votes
    2 Posts
    1k Views
    V
    Let me replicate to ensure I've got your intention well. You have a pfSense box running an OpenVPN server and Windows and CentOS should connect to it and be able to communicate together? And now your challenge is to setup VPN client in CentOS? Do you use NetworkManager for your connections?
  • DNS not working properly

    4
    0 Votes
    4 Posts
    2k Views
    johnpozJ
    Yup the resolver has access list.. and remote networks would have to be allowed..
  • Remote Access to pfsense behind corporate firewall

    3
    0 Votes
    3 Posts
    1k Views
    G
    @johnpoz: So what is this corp firewall? I ask because to be honest end pointing a vpn connection behind the edge is normally a bad idea, and just complicates the setup. I would suggest if you want to use openvpn to provide road warrior access that you swap out your corp firewall (it doesn't support vpn?) with pfsense and setup the vpn as it should be setup on the edge device. Hi there! the firewall is a dell sonicwall which does not support more than one ssl-vpn client at a time… which brings us to same question on how to achieve that. forumers had written that they have had or have same setup but none writes on how to actually achieve that. please advise!
  • OpenVPN bug(?) if there is more than one VPN-Server

    5
    0 Votes
    5 Posts
    1k Views
    B
    Probably you're right with "That's widely documented", as you are in that theme and an admin here. I didn't find anything about that anyway. Maybe you can point me to a good place to start reading about? Even if pfSense is not for beginners, there are lots of things where I feel the documentation is not comprehensive enough. To have that "InterfaceAdress" at that dropdown at least is misleading. As I can't imagine where someone can use that intentional than. If I have one VPN it will do, but adding a second VPN will break the outbound-NAT for the first one. So it should be recommended that you better not use "InterfaceAdress" there, because this can cause problems later, when you already forgot the Outbound-NAT-Rules depending to the first VPN are affected than.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.