@shshs said in Unable to work over multiple concurrent connections for the same client account: But to restrict a VPN user access in a firewall you have to explicitly assign the IP address to its connection, so the IP remains the same each time the user connects to VPN. And to do this you have to specify subnet per user in CSO. Not a single IP, but a subnet, since you have a net30 topology. As mentioned above you may set here at least a /29 subnet to realize two client connections from the same user, a /28 for four and so on. And you have to use exactly the same subnet in your filter rules source networks. It would be more clear if you post some screenshots of your OpenVPN server config and the CSOs and filter rules. Since I have separate VPN servers (not CSO!) for achieving different permissions to multiple user groups, I use the tunnel subnets in my filter rules. And I asked you if multiple OpenVPN servers may be an option for you. I've never run multiple connections with the client for which I've assigned a CSO.

@wrodriguez56 awesome! Might help someone else reading down the road.

In the OpenVPN client settings:- [image: 1565552195958-screenshot-2019-08-11-at-20.35.04.png] I bet if you were to look at Diagnostics -> Routes the default route is pointing to the VPN

I have fixed my site-to-site config. Unfortunately this was done by deleting the client and server config and recreating them. It now connects but Site B keeps its internet. Backup taken (just in case) and adding desireable tweaks, like adding an interface so the traffic graph is drawn on the homepage. If it breaks again I will restore the backup. If I figure out a change that stops internet access for Site-B again, I will post here. Thanks to both who tried to help. Much appreciated.

As I understand it if you enable auth-nocache you will always be prompted for the password when you renegotiate. Else it will enter it for you. Most people only hit this problem when they use multi-factor authentication because OpenVPN cannot renegotiate because it doesn't have access to the multi-factor. I would leave it as the default (no auth-nocache) and leave the renegotiation at the default as well.

What details you need? maybe i can provide it for. please thanks

Thanks. I did not specify it because when I installed my first AP, I didn't have to. Networking is not my area and I learned a lot from you guys here. Installing PfSense forced me to have more hand-on experience on networking.

Thanks John, I didn't realize that. I wonder if he will have to reissue configs for his other users though, or if switching TLS modes is transparent.

@Udbytossen said in Cannot Connect to VPN: TLS Error: tls-crypt unwrapping failed from [AF_INET]109.57.149.202:1194 Something hitting your box from that 109 address where the TLS didn't auth.. Your IP having a /29 mask doesn't have anything to do with listening on the correct address. Also not sure why your having your clients source port be 1194?

@baumkuchen With TAP you have the equivalent of an Ethernet switch or bridge. There's nothing to configure. I have never set up a TAP adapter on anything, so I can't help with that.

if i remember correctly windows server need tcp and udp 464 to change the password, do you hve it open?

same issue

Most sites cannot be policy routed with a simple DNS Alias because they resolve to many addresses and they load content from many different domain names. No way adding, say, netflix.com is going to work for you.

appreciate your help/replies. i need to trace back through all that i setup and find where i mis-configured these VPNs and then post back further questions then if warranted. until then ...