Yes, I use SSL/TLS (+ user auth) for my OpenVPN instances. Thank you for your advice, that was it. So the lesson learned - you need to have a separate CA for a new OpenVPN instance.  :) I created a new CA, then both server and user certificates, assigned them to the 1195 OpenVPN instance and my user respectively. Then finally in Client Export Utility I could select a new entry in the  Remote Access Server drop-down and my user was under this new server. Yes! Exported files had the correct name (with 1195) and worked as expected on my laptop. I only had to correct a few small bugs in my firewall rules.

PFSense is currently running version 2.3.4 and it says there is the option to upgrade to version 2.4.1 I am a little reluctant to do this as it could potentially lead to other issues (especially after reading through some of the problems others have had after doing the same) and it is only affecting one person. There is an option on the 'Certificate Export' page to use the 'Old Windows Installer' ver 2.3.14, as this is also a 2.3 release (as the server), could trying this potentially 'fix' the issue? I will give this a go. It should be noted that several users have been using the 2.4.1 client, as issued by the Client Export page, with no problems.

error=unsupported certificate purpose Generate a new server certificate and re-export the client configuration.

It restarts the openvpn daemon and adds all the routes again. It is possible that route existed due to something else adding it and when you started the client with that route there it could not add it for itself. Then it was subsequently removed. Or something. Impossible to know without seeing that event actually occur.

Thank you for your answer, we have found the error was on the IP dresses of the WAN thank you

Yes, I bounced the tunnel. Didn’t help at all. Then I manually restarted the vpn client. The changed IP was reflected on the web interface. But the result still the same, no traffic is flowing. For now, no clue at all

Awesome.  Enable SMB on your Linux file server.  You will have it all.  I've never needed something as dedicated as a large NAS.  They seem to be resource hungry. I do all my sharing out of a linux box with only SMB and SSH enabled and a script to mount the drives on boot.  Nothing amazing.  Yours will no doubt be much more feature-rich and many people likely require such beasts.

I wasn't sure if you were saying I needed to modify the Firewall->Rules->WAN rule for that VPN connection or modify the default OpenVPN rule to change the default gateway, I changed the OpenVPN rule and success.  Thanks! I didn't actually want Site 3 to be able to access anything on the Site 2 LAN

Yes, I have created VLAN interfaces for the corresponding subnets and I have created an interface for my VPN. DNS resolver is setup to do all DNS queries through NordVPN's DNS. Everything works correctly except the 10.0.1.0/24 subnet which I've designated to route through the VPN via NAT. It cannot leave my LAN. These are my NAT settings: https://imgur.com/a/LwdD1

Looks like that was it. The box with 10.0.0.118 was provided by out external supplier and when first connecting it to our network, they chose "public network" (for whatever reason). I changed it to "home network" and I can ping it now as well as connect to RDP. I can sure tune the Win 7 firewall in advanced settings but it is good for now. Gateway is okay, the PC got its IP from our DHCP server. Thank you, guys!  :)

If you don't want to use "Duplicate Connection" and you've different CNs you can also set up "client specific overrides" for each cert to get different IPs, but that's more of work. Ok, I will just keep duplicate connections enabled. Have you installed the openvpn-client-export package? Yes I have. It does show one configuration per user, but the other certificate i made does not show up there. Also I am now unable to access the servers from my phone (android, Openvpn for android) through the VPN, not sure what happened there as the only thing i have changed is enabling duplicate connections. I tried disabling duplicate connections but no change. I can still connect to them from my laptop though, I'm guessing for some reason the routes are not being added to my phone. Update: Well my phone is working fine on my home wifi, I guess it has something to do with the cell network…

That was it. I create another P2 for site 30 and now VPN clients have access to both sites. Thanks for the help.

@visi0n: hi john have you tried obfsproxy? i temporarily enabled the FBSD repo and installed obfsproxy & deps however i still get an error about argparse. configargparse did get installed along with py27. latest obfsproxy commit shows py-argparse should no longer be a dep in 0.2.13 (https://www.freshports.org/security/obfsproxy/) I'm versed on many things but py isnt in my skillbook, i'm stuck as I cant use my openvpn without wrapping through obfsproxy :( Do you have any tips? google didnt get me any further Traceback (most recent call last):   File "/usr/local/bin/obfsproxy", line 6, in <module>from pkg_resources import load_entry_point   File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3019, in <module>@_call_aside   File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3003, in _call_aside     f(*args, **kwargs)   File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3032, in _initialize_master_working_set     working_set = WorkingSet._build_master()   File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 655, in _build_master     ws.require(__requires__)   File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 963, in require     needed = self.resolve(parse_requirements(requirements))   File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 849, in resolve     raise DistributionNotFound(req, requirers) pkg_resources.DistributionNotFound: The 'argparse' distribution was not found and is required by obfsproxy</module></module> do I have the same problem? did you solve it?

I tried that biased on my understanding of the options presented by pfsense GUI. I was unable to make it work….. Now that I think about it i may have entered it in Site A's Config. I will try again tomorrow.

You may also do both with an access server. Look here: https://doc.pfsense.org/index.php/OpenVPN_multi_purpose_single_server The routing for the site-to-site can be set by client specific override.

Looks like the client doesn't reach the server. Ensure that the server listens on WAN address or you've forwarded port 1194 to the address it is listening. Also ensure the incoming packets are allowed by firewall rules.

Same exact issue I am having, fails to delete old dynamic routes.  Update version 2.4.1 may of fixed this issue, can anyone confirm? https://forum.pfsense.org/index.php?topic=138608.0