  • How to route site-to-site vpn through pfSense to peer-to-peer?

    6
    0 Votes
    6 Posts
    1k Views
    DerelictD

    Yes.

    Fairly advanced OpenVPN concept though.

    You have to assign an interface to the OpenVPN client instance at Site A and be sure that the port-forwarded traffic does not match the firewall rules on the Site A side's OpenVPN tab and only matches a firewall rule on the assigned interface tab at Site A. This gets reply-to working there preventing the reply traffic from the port-forward target host from being routed out the default gateway at Site A and routing back through the tunnel instead.

    I am not certain this specific use case was covered but you might do well to watch this:

    https://www.youtube.com/watch?v=ku-fNfJJV7w

  • Unable to Ping webpages. DNS doesn't work

    1
    0 Votes
    1 Posts
    240 Views
    No one has replied
  • Connection issues with OpenVPN client - IPVanish

    5
    0 Votes
    5 Posts
    1k Views
    S

    @philw Thanks. I also currently have a fully working OpenWRT (LEDE) setup. This does the job very well. But, there are certain little things that can be annoying (for me at least). So I am wanting to replicate all my existing LEDE settings with pfsense and will be comparing which I like better.

  • [SOLVED] All traffic (including internet) over site to site OpenVPN

    12
    0 Votes
    12 Posts
    4k Views
    SipriusPTS

    After setting this up and installing this router on the remote side, after several days of testing I noticed that there was a 50% decrease in internet speed, so I had to route just the traffic for my primary side, leaving the remote side with its own uplink for internet.

    From primary side to secondary, there is a distance of 30kms, and both have uplinks of 100/100 Mbps.

    Here is the issue described:

    https://forum.netgate.com/topic/133011/solved-loss-of-internet-speed-while-on-vpn-from-site-to-site

  • [SOLVED] Loss of internet speed while on VPN from site to site

    2
    0 Votes
    2 Posts
    571 Views
    SipriusPTS

    So I had changed IPv4 remote network at remote side, just to route my primary side network, to avoid this situation.

    I have also tested crypto accelerators on both sides but didn't have any change.

  • Site to site OpenVPN no ping? solved

    3
    0 Votes
    3 Posts
    528 Views
    K

    Thanks for the reply. After a few hours someone else mentioned that /24 sometimes won't work, so adding /30 did the trick

    Thanks again

  • Openvpn No Traffic on PFsense

    4
    0 Votes
    4 Posts
    578 Views
    johnpozJ

    So you link to some openvpn installer script?? That has zero to do with pfsense.. Then you come back 5 days later and say fixed.

    Completely pointless!!

  • Reach to a lan jumping from several openvpn connections

    2
    0 Votes
    2 Posts
    339 Views
    V

    Yes. You have to configure the vpn routes, and firewall rules on all firewalls must allow the access.

    Assuming there is a pfSense3 in front of office3 and the vpn connections are site-to-site and the routes between 1-2 and 3-4 are already working, on pfsense1 add the office3 lan to the "remote networks" in the openvpn config and on pfsense3 add the office1 lan to the "remote networks".

    Both endpoints, pfsense1 and 3 have to be the default gateways in the lans.

  • having issues setting up Remote VPN to my network

    29
    0 Votes
    29 Posts
    5k Views
    C

    oooh ok and here I've been using the windows vista and later as it said windows... I'll give it a try and let you know when I get home
    I really appreciate it

  • OpenVPN connection issues

    4
    0 Votes
    4 Posts
    615 Views
    T

    DNS not working. I can't access webpages. :(

    Tired, going to bed and will resume tomorrow.

  • packet HMAC authentication failed on peer-to-peer (shared key)

    3
    0 Votes
    3 Posts
    3k Views
    C

    @jimp said in packet HMAC authentication failed on peer-to-peer (shared key):

    Are you certain both systems are using the exact same shared key? That's the easiest way to get that error.

    I'm waiting to get the file from the client, but last time I checked (2 weeks ago when we first brought it online) they were the same.

    EDIT: Checked and both are identical.

  • OpenVPN with router behind pfsense.

    13
    0 Votes
    13 Posts
    1k Views
    johnpozJ

    I understand your testing of rfc1918 as "internet" I even stated such..

    I am not complicating anything... You put up a drawing with

    client rfc1918 --- internet --- made up public IP..

    How are they supposed to talk to each other if on the same L2?

    Yes if your test shows you can connect through your router to pfsense, then yes if you put actual public IP on it - you should be able to get to it from the internet.

  • OpenVPN Peer to Peer Connected but 2 sites can not communicate

    8
    0 Votes
    8 Posts
    942 Views
    chpalmerC

    You probably can't afford me.. :)

    This is actually pretty simple after you get the actual tunnel up..

    First-
    IPv4 Remote network(s)
    Box 1 LAN 192.168.10.0/24 use 192.168.20.0/24 for this option

    Box 2 LAN 192.168.20.0/24 use 192.168.10.0/24 for this option

    Go to (yourpfsenseip)/firewall_rules.php?if=openvpn

    What do your firewall rules look like?

  • VPN connection to pfsense

    2
    0 Votes
    2 Posts
    753 Views
    T

    It sounds like your pfSense machine is behind another router, because as you state, 192.168.2.2 is a non-routable RFC1918 address. Assuming you have access to the router in front of it, you'd need to use its public WAN IP instead, and configure appropriate port forwarding to the pfSense machine.

  • OpenVPN Sample Syslog Messages

    6
    0 Votes
    6 Posts
    657 Views
    C

    @biggsy thank you very very much

  • setting up vpn

    9
    0 Votes
    9 Posts
    1k Views
    johnpozJ

    Yes it is always better to have pfsense wan right on the public vs behind a NAT. But in the export util just set what your public is or what some fqdn points to your public is.


  • OpenVPN Client Warior backup and restore

    3
    0 Votes
    3 Posts
    450 Views
    N

    No errors.
    but in system \ certificate no certificates go back

  • administrate pfsense remotely with vpn

    4
    0 Votes
    4 Posts
    565 Views
    GertjanG

    Won't work out very well.

    I made setup choices, and have constraints like "a router in front of a router".
    I'm also using an IPv6 network from he.net, so my OpenVPN exposes also an IPv6 to the connected clients.
    I decided not to use user and password : the certs on both sides, client and server, will do the authentication.

    You have to make up your list with what you want, and then you feed Google with "pfsense setup openvpn" and you choose a recent how-to and you follow the step-by-step.

    Install also the vpn-client-export package.

    For what it's worth :
    [Screenshot: pfSense vpn_openvpn_server.php page]

  • OpenVPN Client --> PIA very slow

    2
    0 Votes
    2 Posts
    471 Views
    L

    Well, looks like I resolved it! It was the logging level of the system. Now it's fast again...sorry for the unnecessary thread.

  • Routing between 2 openvpn foreign networks with different pfsense boxes

    Moved
    2
    0 Votes
    2 Posts
    464 Views
    DerelictD

    You should probably paste screen shots of what you have done and not a textual representation of what you think you have done. Screen shots of Diagnostics > Routes, the OpenVPN client and server, and the OpenVPN Firewall rules would be a good start.

    Please be a little more specific, like instead of I can ping from 10.6.0.0/24 to 10.3.0.0/24 try I can ping from 10.6.0.101 to 10.3.0.62.

    What is an OpenVPN foreign network ??

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.