Not sure why images are not showing but if you right click and open in new page the links seem to be fine.

did you get tgis to work? im doing it slightly different. got A <ipsec>B <openvpn pki="">C and trying to access A from C. Added the P2 on A and B and pushed the routes on C and still can't get this to work. If you do let me know. Thanks</openvpn></ipsec>

The "bridge fix" package has not been necessary in many, many years. The changes added by the patch are included in any current version (or even somewhat older versions).

@Derelict: Something like this? https://www.infotechwerx.com/blog/Creating-pfSense-Connection-VPNBook This looks very interesting. I have some reading to do. Thx.

This is now working. Looks like it needed a reboot after I'd created the interface. Now to try and work out how to rotate the servers..

What I use as a kill switch is a firewall rule that blocks all traffic on the WAN interface.

Will do, thank you. I think I know what I am looking for. Can you give me an idea of what diagnostic to use to see what is happening or where that routing issue might be corrected? I'm not a newbie but I'm no where near a power user yet. Thanks.

Are the users sharing the users certificate? Each user should have a unique cert. If you want them to share the cert check "Duplicate Connection" in the server settings.

I switched to Shard Secret mode and now it's working just fine.

@jeffwcollins: No worries at all, remember there are a TON of actual network engineers that couldn't get this far either. Ha!  Thanks, I'm trying :) In my opinion, for what its worth, there are ways to get around it but they get pretty complicated in the long term with sustainment in mind, meaning that there is no easy way to get this working with the configurations that are currently in place. So, we'll be having a bunch of client appliances out at in the field (~20-40) so I'd really like to keep this as simple as possible.  I'm keeping my fingers crossed that we don't run into more locations that happen to use the same network addressing. Out of curiosity, Whats keeping you from changing the IP Scope of your site, instead of asking the remote office to change theirs? The problematic network is our server VLAN :(  So, we've got DCs, VMs, etc that are all hosted on that network, so changing that isn't really an option.  We're actually blocking the client from accessing our server network as we want to limit outside access, but we want to be able to run scheduled tasks and do performance monitoring from that network to the clients in the field. *To offer some transparency, one thing that could be considered is running a one-to-one nat across the VPN, but it could make sustainment a bit tedious in the long run.  Just providing that as a possible fix for your problem. Yeah, like I mentioned above, simplicity is ideal, especially when we're having to maintain a lot of these appliances.  It looks like the easiest approach might be to see if the hosting site is willing to put us on a different network.  We could care less what it is as long as it gives us access to the Internet. thanks!

You should set your vpn client to not pull routes and then route the devices you want to go to your vpn via policy routing. [image: dontpullroutes.png] [image: dontpullroutes.png_thumb]

Its probably your TLS session being denied.  What logs are you getting on the OpenVPN Server side?

Please search before posting: https://forum.pfsense.org/index.php?topic=132534.msg728642#msg728642 And take it easy with the exclamation points.

That fixed it… But looks like there is some IPv6 issues along with dnssec for netgate.com.. Might want to look into that ;) Looks like you have IPv6 glue - but no AAAA records to match up. ns1.netgate.com (2610:160:11:3:0:0:0:6) ns2.netgate.com (2610:1c1:3:0:0:0:0:108) I am showing these IPv6 glue entries..