• VPN breaking web pages

    1
    0 Votes
    1 Posts
    591 Views
    No one has replied
  • What is the OpenVPN shared key

    2
    0 Votes
    2 Posts
    1k Views
    DerelictD
    If you have a TLS authentication key configured on the server, you need the same key on the client. If not, you don't. pfSense stores the TLS authentication key as clientX.tls-auth and serverX.tls-auth. This is used in the server using
        tls-auth /var/etc/openvpn/server2.tls-auth 0
    I guess if your CentOS config is doing something similar, you'll find the key in there. If you don't need a tls-auth key to connect via CLI, I guess your walkthrough didn't configure TLS Authentication and you need to turn it off in the client's GUI. Why not just use pfSense as your OpenVPN server?
  • Unique user shared keys

    6
    0 Votes
    6 Posts
    1k Views
    DerelictD
    If your VPN is set to user auth, that's what it's going to use. I've never done this but on 2.1.5 I'd use Remote Access ( SSL/TLS ).
  • Adjusting gateway advanced params on openvpn

    1
    0 Votes
    1 Posts
    524 Views
    No one has replied
  • Cannot ping pfsense from OpenVPN client

    2
    0 Votes
    2 Posts
    895 Views
    R
    It's working. I've spent many hours on that and what helped was a pfSense reboot :) I also followed this tutorial: http://www.derman.com/blogs/OpenVPN-Firewall-Setup
  • Cert deleted before revocation - how to reimport?

    7
    0 Votes
    7 Posts
    2k Views
    S
    Thanks Jimp, much cleaner :-). You could probably do a job on this too. It's a (very) basic perl script to identify user certs in a config.xml and dump them to separate files to make it easier to reintroduce a particular cert to the config.xml. I'm putting it here in case it's useful to someone else. It makes heavy assumptions about the config.xml structure and I don't know what quotemeta will do on a windows box so YMMV. Written for clarity rather than efficiency.

        #!/usr/bin/perl
        use strict;
        use warnings;

        ## pfSenseUserCertDumper.pl
        ## Script to pull out user certs from a pfsense config backup.
        ## use as follows:
        ##
        ## perl pfSenseUserCertDumper.pl config.xml
        ##
        ## Output will be of the form certref.certdescription.usercert
        ## No provision has been made for multiple arguments

        my $line;
        my $cachecontents;
        my $certrefid;
        my $certdesc;
        my $certdumpfile;
        my $certdumpcontents;
        my $isusercert;

        my $filename = $ARGV[0];

        # Three-argument open: the file name is never interpreted as a mode
        open(FILE, '<', $filename) or die "Cannot read the file $filename: $!\n";

        while ($line = <FILE>) {
            if ($certdumpcontents)
            {
                # We are capturing contents, so append
                $certdumpcontents.=$line;
                if ($line =~ m/\<refid\>(.*?)\<\/refid\>\n/)
                {
                    # Capture cert ref for dump filename
                    $certrefid = $1;
                }
                if ($line =~ m/\[CDATA\[(.*?)\]/)
                {
                    # Capture cert desc for dump filename, quotemeta to deal with
                    # special characters
                    $certdesc = quotemeta $1;
                }
                if ($line =~ m/\<type\>user\<\/type\>\n/)
                {
                    # Not interested in non-user certs.  Set flag if user cert.
                    $isusercert=1;
                }
            }
            if ($line =~ m/\<cert\>\n/)
            {
                # Start of a cert.  Start capturing.
                $certdumpcontents.=$line;
            }
            if ($line =~ m/\<\/cert\>\n/ && $certdumpcontents)
            {
                # End of cert data.
                if ($isusercert)
                {
                    $certdumpfile=$certrefid.'.'.$certdesc.'.usercert';
                    # Stop if the dump file cannot be created instead of printing to a closed handle
                    open(CERTDUMPFILE, '>', $certdumpfile) or die "Cannot write the file $certdumpfile: $!\n";
                    print CERTDUMPFILE "$certdumpcontents";
                    close CERTDUMPFILE;
                    # Job done, turn off isusercert flag
                    undef $isusercert;
                }
                # Clear assigned variables ahead of next cert.
                undef $certdumpfile;
                undef $certrefid;
                undef $certdesc;
                undef $certdumpcontents;
            }
        }
        close FILE;

    Thanks again, Simon
  • TLS Error: TLS key negotiation failed to occur within 60 seconds

    3
    0 Votes
    3 Posts
    1k Views
    P
    Give some details of your setup. It seems strange that the client is trying to connect to 172.16.0.10:2000 - a private IP address. Are you doing some internal testing or? Where is the server listening? How does the public internet reach that? How did you set up the client? …
  • Port Forwarding from VPN Provider…

    11
    0 Votes
    11 Posts
    12k Views
    K
    What do you mean by "internal torrent client"? I'd be interested in having a look at your scripting. Any chance you could post it?
  • OpenVPN Desktop Client with pfsense

    25
    0 Votes
    25 Posts
    5k Views
    P
    The new OpenVPN 2.3.5-I601, with OpenVPN Manager 0.0.3.6, is working fine for me on Windows 8.1
  • SOLVED Routing problems between OpenVPN and LAN servers.

    2
    0 Votes
    2 Posts
    916 Views
    A
    This problem was solved. The problem was that my pfSense was installed in a Proxmox VM; when I disabled hardware checksum offload, everything began to work fine.
  • Openvpn to one inside ip-address

    6
    0 Votes
    6 Posts
    1k Views
    P
    Sorry I am NOOB… Is there any way to help me more... I need "barb wire" to guide me... ::)
  • Multiple VPN Servers

    5
    0 Votes
    5 Posts
    3k Views
    H
    So I followed your advice and some online tutorials and everything works great! From a security standpoint, would there be a reason to add an interface to the OpenVPN servers and enable Snort on them? Or would that be an overkill?
  • Limiting OpenVPN access

    2
    0 Votes
    2 Posts
    737 Views
    P
    Put rules on the Firewall->Rules OpenVPN tab to allow only what you want, and the rest is blocked. If you want to give general internet access through the OpenVPN, then it might be easiest to make a rule list like:
    a) Allow to destination IP/ports that you want to open on your LAN.
    b) Block to destination LANnet (block the rest of the LAN)
    c) Allow all - let anything else in on the OpenVPN (internet in general)
  • PIA VPN client kills my OpenVPN server

    1
    0 Votes
    1 Posts
    637 Views
    No one has replied
  • How do I VPN only 1 host device?

    29
    0 Votes
    29 Posts
    5k Views
    K
    Could be - I know there is a problem with replies going out over the same interfaces they come in on. I'm pretty excited about 2.2 once the bugs are worked out. A well threaded pfSense will make a huge difference.
  • Route all openvpn traffic through a specific client's local gateway

    1
    0 Votes
    1 Posts
    611 Views
    No one has replied
  • Allow External FrootVPN (OpenVPN) access through Pfsense Firewall

    1
    0 Votes
    1 Posts
    727 Views
    No one has replied
  • OpenVPN continues to work even after it's terminated due to fatal error

    15
    0 Votes
    15 Posts
    11k Views
    C
    Pretty sure that's this scenario. https://redmine.pfsense.org/issues/3894
  • Vyprvpn Port Forwarding

    7
    0 Votes
    7 Posts
    4k Views
    K
    Good to know.
  • SIGTERM[hard,] received, process exiting

    1
    0 Votes
    1 Posts
    6k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.