• OpenVPN will not start with /16 subnet

    2
    0 Votes
    2 Posts
    296 Views
    johnpoz

    Well since you're using ALL the 192.168 space.. your tunnel would have to be using something out of the 172.16/12 space or the 10/8 space..

    Why would you be using such a large network? Do you have some 65K clients on this network?

    Set your local network to be something realistic.. How many clients do you have? And then use a tunnel network that is not inside that space.

    Say for example 192.168.0/24 or 192.168.0/23 if you had say some 500 devices on your network. Then use something other for your tunnel, say 192.168.2/24

  • Setting up OpenVPN to access work

    13
    0 Votes
    13 Posts
    1k Views
    Pippin

    From memory,
    With regards to SHA1 being broken, this is not the case in OpenVPN.
    This is because of the way it is used (HMAC-SHA1).
    Add to that the key that changes hourly by default (--reneg-sec).
    If one would be able to break through OpenVPN's layered security (if set up that way) one could get one hour of data.

  • OpenVPN and PIA Issues?

    10
    0 Votes
    10 Posts
    945 Views
    A

    Yeah, I honestly have tried all that. I think it's an issue with PIA and OpenVPN certs. I've seen many people just do a complete reinstall and get OpenVPN working first, then add PIA/pfBlocker to see where the problem starts. I'm going to do that.

    Thanks for your help!

  • [Solved] Help routing all traffic through PFSense OpenVPN

    6
    0 Votes
    6 Posts
    16k Views
    C

    Got it! Thanks so much for your help.

    I've changed a dozen settings in the last couple of days so it's hard for me to say exactly what did it. The last thing I did before it started working was actually to uncheck the box that says "Force all client-generated IPv4 traffic through the tunnel." And now when I go back in, it shows checked again... hmmm.

    In any case, it's working now and I hopefully won't ever have to do any troubleshooting ;) Thank you again for taking the time to help me.

  • pfsense boxes unable to reach each other over openvpn tunnel

    25
    0 Votes
    25 Posts
    2k Views
    KOM

    Ah I didn't see that.

    I prefer the docs. The videos are nice but too much blah blah blah. I can watch an hour-long video and try to hunt down the meat by skipping around, or blast through a text guide in 10 minutes. That's not to say that I don't like or appreciate the videos. On topics that I have little knowledge in, they're extremely helpful and I watch the whole thing. But when I just need the quick & dirty particular steps, the guide is best for me.

  • Bulk Export of Certificates

    2
    0 Votes
    2 Posts
    879 Views
    johnpoz

    They would be in the xml when you backup "all"

    If all you want to do on the restore is the certs and info, you would have to manipulate the xml and then restore it..

  • OpenVPN Routing issues with Sierra Wireless RV50

    1
    0 Votes
    1 Posts
    561 Views
    No one has replied
  • Client Specific Override users duplicate cert

    5
    0 Votes
    5 Posts
    708 Views
    J

    That's exactly what I have done. I was looking for an easier way to administer for CSO users with multiple devices (iPhone and iPad). When sharing the cert didn't work, I assigned a new username/cert for each device. It's workable but cumbersome when users have a PC, iPhone, iPad, and possibly an Android device.

  • Questions about OpenVPN

    2
    0 Votes
    2 Posts
    309 Views
    KOM

    I connect remotely to a 100/100 link and it's very smooth.

    How did you configure your OpenVPN server? Did you follow the wizard or use a guide or change any non-default settings, for example?

  • OPENVPN on DUAL WAN

    1
    0 Votes
    1 Posts
    233 Views
    No one has replied
  • 0 Votes
    7 Posts
    696 Views
    V

    @shshs said in Unable to work over multiple concurrent connections for the same client account:

    But to restrict a VPN user access in a firewall you have to explicitly assign the IP address to its connection, so the IP remains the same each time the user connects to VPN. And to do this you have to specify subnet per user in CSO.

    Not a single IP, but a subnet, since you have a net30 topology. As mentioned above you may set here at least a /29 subnet to realize two client connections from the same user, a /28 for four and so on.
    And you have to use exactly the same subnet in your filter rules source networks.
    It would be more clear if you post some screenshots of your OpenVPN server config and the CSOs and filter rules.

    Since I have separate VPN servers (not CSO!) for achieving different permissions to multiple user groups, I use the tunnel subnets in my filter rules.
    And I asked you if multiple OpenVPN servers may be an option for you.
    I've never run multiple connections with the client for which I've assigned a CSO.

  • VPN up - Gateway Down - VPN not routing out to internet

    11
    0 Votes
    11 Posts
    1k Views
    BogusException

    @wrodriguez56 awesome!

    Might help someone else reading down the road. 🙂

  • Help with my PIA OpenVPN setup

    4
    0 Votes
    4 Posts
    381 Views
    NogBadTheBad

    In the OpenVPN client settings:-

    Screenshot 2019-08-11 at 20.35.04.png

    I bet if you were to look at Diagnostics -> Routes the default route is pointing to the VPN

  • Site-to-Site OpenVPN, connects but client site loses Internet

    8
    0 Votes
    8 Posts
    701 Views
    G

    I have fixed my site-to-site config. Unfortunately this was done by deleting the client and server config and recreating them. It now connects but Site B keeps its internet. Backup taken (just in case) and adding desirable tweaks, like adding an interface so the traffic graph is drawn on the homepage. If it breaks again I will restore the backup.

    If I figure out a change that stops internet access for Site-B again, I will post here.

    Thanks to both who tried to help. Much appreciated.

  • 0 Votes
    7 Posts
    722 Views
    Derelict

    As I understand it if you enable auth-nocache you will always be prompted for the password when you renegotiate. Else it will enter it for you.

    Most people only hit this problem when they use multi-factor authentication because OpenVPN cannot renegotiate because it doesn't have access to the multi-factor.

    I would leave it as the default (no auth-nocache) and leave the renegotiation at the default as well.

  • OpenVPN issue

    6
    0 Votes
    6 Posts
    573 Views
    B

    What details do you need? Maybe I can provide them. Please, thanks.

  • Openvpn to access more than one subnets

    12
    0 Votes
    12 Posts
    1k Views
    bthoven

    Thanks. I did not specify it because when I installed my first AP, I didn't have to.

    Networking is not my area and I learned a lot from you guys here. Installing pfSense forced me to have more hands-on experience with networking.

  • Can 2.3 ASUS RT-AC68p connect to latest 2.4 pfSense FW?

    5
    0 Votes
    5 Posts
    547 Views
    KOM

    Thanks John, I didn't realize that. I wonder if he will have to reissue configs for his other users though, or if switching TLS modes is transparent.

  • Cannot Connect to VPN

    5
    0 Votes
    5 Posts
    3k Views
    johnpoz

    @Udbytossen said in Cannot Connect to VPN:

    TLS Error: tls-crypt unwrapping failed from [AF_INET]109.57.149.202:1194

    Something hitting your box from that 109 address where the TLS didn't auth..

    Your IP having a /29 mask doesn't have anything to do with listening on the correct address.

    Also not sure why you're having your clients' source port be 1194?

  • force entire LAN traffic through OpenVPN client

    5
    0 Votes
    5 Posts
    921 Views
    JKnott

    @baumkuchen

    With TAP you have the equivalent of an Ethernet switch or bridge. There's nothing to configure.

    I have never set up a TAP adapter on anything, so I can't help with that.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.