Use a /30 for your tunnel instead of a /24. I had this same problem initially. For some reason, your client and server are not picking the same set of IPs for their tunnel endpoints. Your client thinks the server is at 10.1.2.9 when it's actually at 10.1.2.1. Your server thinks the client is at 10.1.2.2 when it's actually at 10.1.2.10. If you set the mask to /30 they will have no other choice than for the server to be at 10.1.2.1 and client to be 10.1.2.2.

Hey everyone, Here's a little update.  First of all, I have seen this issue on numerous Win7 64-bit clients.  I have seen it on at least 2-3 PC's at my work, and even my PC's at home.  OpenVPN acts very strange when you try to remove it sometimes.  What I ended up doing was downloading the client from another source and just using my own config file.  That seemed to do the trick. Thanks for your suggestions.

Hi jimp, I have tried this VPN connection on both internal and external networks and receive the same error message.  We have multiple WAN lines, each with a different WAN IP address, as well as some hotspots that are completely unrelated to our infrastructure. 1. I changed the clocks on my boxes to reflect accurate times. 2. How do I verify that I have a mismatched key or not?  I'm almost positive I created the keys properly through the cert manager and downloading the corresponding Client Export. 3. See first part of my response. Thanks for your assistance.

I'm beginning to think the OpenVpn rules are auto-created as a "catch all" approach and are not user configurable, at least not through the WebConfigurator.

Yeah I did thanks. I've posted a new thread here with a YouTube video of my question. :) http://forum.pfsense.org/index.php/topic,67352.0.html

The ones under Hosts should be the public key from the other Hosts you are connecting too, not the same as the public key you configured on that box. (for security all hosts should use different public/private keys)

I use OpenVPN Client Export Utility package, and check the box for "Management Interface OpenVPNManager". You have to then install it from a Win7 admin account, but then mere mortals can use OpenVPN Manager to make their connections. So that is also an option that works for me.

Thanks phill Adding the route as per your suggestion worked perfectly Thanks again

You must use a different tunnel network for every OpenVPN instance. Post more details of your shared-key client and road-warrior server and we can try and spot the conflict.

Never mind all, turned out to be some weird problem updating between my server and my DDNS service. All solved now and thanks!

@kejianshi: Guess you didn't like the OpenvpnAS idea? I'm glad its working well for you. kejianshi, Thanks for recommendation. I will try it eventually. I just couldn't see my self changing existing infrastructure. Again thank you!

Yo, I did a test with 2.1-RELEASE  (amd64) and Windows Server 2012(Not R2) set up as AD,DNS and NAP. I followed the instructions on this site: https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory I followed all the topics in the guide up to "Change the cryptoapicert SUBJ " I did not do this step or any step following it(if you dont cound connecting the client to the server). I used my own names and IP adresses etc and I ignored any setting that was new for version 2.1. I shared a folder on my Windows Server 2012 and was able to access it with my testaccount from a Windows 7 Enterprise 64-bit using the exported OpenVPN client. Do you know if radius still only support unencrypted(PAP) communication with the NAP server? Using Captive Portal and NAP you can select at least MS-CHAPv2. I know this isnt entierly secure ether but hey, better than nothing I think. Im new to using OpenVPN and I tried this in a virtual test environment. Im gonna play around with the settings to see what happens and see if Im able to do this without having to manually create certs for each user in pfsense. Anyway, hope this  helps and let me know of your progress!  :) /erik

I stopped using netbios over TCP - I realized its just not needed for me, but my VPNs support it and WINs supports it for the one subnet I wanted to use it for.  For it to work on one subnet and not multiple subnet, you don't need to do all that much.  Just Set up SAMBA on a system somethere in the LAN on a static IP, set it to be master, set WINs option to yes, set OS level high, like 35 or higher.  It should sync up with everything on the network without any fuss.  I also set mine to not require passwords because passwords on shares can be a pain.

Probably the biggest obstacle I see to really simple VPN is that not all OSs honour "push" from openvpn.  When they don't, you need to enter the command on the client side rather than "pushing" to client from the server.  PITA.

So apparently for what I needed I was able to install the avahi package and set it up using both the remote site search domain and the local search domain and now everything shows up with bonjour! Anyone know how to pass on the NetBIOS stuff through the tunnel to the other end?  For example I don't see windows boxes on my mac from the client network… I only the bonjour devices like the macs and printers... Thanks anyone in advance! Matt

Need to change all those 192.168.1.0 / 24 LAN subnets to something not on 192.168.1.x  and make them all different from each other. like site A  192.168.52.0 site B  192.168.53.0 site C 192.168.54.0 Thats to start. Then do the same thing with the VPN tunnels - Make each different: 10.0.6.0  10.0.7.0  10.0.8.0 would be OK Then do whatever else phil.davis says.

In the client configurat that is located on your MAC (its just a file that probably ends with .ovpn) there is a bunch of commands. Try adding: route 192.168.1.0 255.255.255.0 incase for some reason its not getting pushed from pfsense. But you really really need to change your LAN IP ASAP to something off…  like 192.168.39.1/24 and your Openvpn IPs also to something off like 10.x.x.0/24 (the Xs would be a random number between 10 and 200) Right now its way to probable that you will have IP conflicts because 192.168.1.x is way too common.

This is what I get for not reading. https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting Interface Selection Be sure that your rules are on the proper interface. Imagine yourself sitting inside of your pfSense box. Sure, it's a little crowded in there, but this might help. Imagine packets flying at you from the different networks that your pfSense box ties together. You will place the rules on the interface they hit you from. If a packet is going from the LAN to the pfSense box, then out to the Internet, the rules still go on the LAN. If a packet is coming from the Internet, to the pfSense box, the rule goes on the WAN interface. thanks for your help

There was another guy on another thread having same issue, so I posted your thread there.