• Site2Site VPN debugging

    0 Votes
    3 Posts
    767 Views
    D
    Unfortunately it's not client firewalls either, I checked that. I can only think it's broken for me (or me that's broken!). I'm going to see if IPSEC works any better, or helps me diagnose the problem, but that's not looking good at the moment either. That's saying auth failed, when the pre-shared secret is definitely identical. I'm missing something obvious and daft clearly! Trawl the internet and docs read and re-read I guess. No idea what is going on with OpenVPN and site-to-site, but I got IPSec working fairly quickly. So I'm happier with IPSec for site-to-site anyway - I can only think there is something broken with OpenVPN site-to-site with my setup somehow.
  • Issue with OpenVPN Client expiring? (Client Export Utility) [SOLVED]

    0 Votes
    15 Posts
    3k Views
    DerelictD
    It is in the client exporter. Use the dynamic DNS name which should be available under Host Name Resolution if you are using pfSense to maintain the DynDNS record. If you are maintaining it some other way, use Other and enter the dyndns name there. You will probably also need to create a new OpenVPN server certificate with a CN AND a SAN of the dynamic DNS name, not an IP address.
  • Connects on TCP 443 But No Ping or Access [SOLVED]

    0 Votes
    4 Posts
    1k Views
    M
    Solved my DNS query refused by adding the correct ACL to the DNS Resolver for OpenVPN.  Funny how the UDP VPN connection worked without any ACL.
  • OpenVPN 1 server Many Clients

    0 Votes
    1 Posts
    624 Views
    No one has replied
  • SITE TO SITE VPN HUGE PACKET DROP

    0 Votes
    1 Posts
    480 Views
    No one has replied
  • Dyn vlan assignment openvpn clients?

    0 Votes
    5 Posts
    2k Views
    G
    OK so I have to put rules into the OpenVPN interface to stop guest users from connecting to the other local interfaces. I could then use a different OpenVPN server for myself. But then I need to use a different authentication too, because otherwise guest users can still access all OpenVPN servers. So I could use the local user database for myself and FreeRADIUS for the guests' OpenVPN server. Not exactly what I was hoping I could do, but this way it may work. Thanks for clarifying the end point of the OpenVPN tunnel.
  • No encryption algorithm visible under OpenVPN Server setting.

    0 Votes
    17 Posts
    6k Views
    A
    Thank You @jimp!! I really appreciate all your help and prompt replies.
  • OpenVPN tunnel allways reconnects

    0 Votes
    3 Posts
    2k Views
    M
    Hi Everyone! I'm from Brazil and I have a problem. My CA restarts in 30 minutes. The error sent to my client: "Thu May 18 17:43:19 2017 [server-certificado] Inactivity timeout (--ping-restart), restarting Thu May 18 17:43:19 2017 SIGUSR1[soft,ping-restart] received, process restarting Thu May 18 17:43:19 2017 Restart pause, 2 second(s) Thu May 18 17:43:21 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info. Thu May 18 17:43:21 2017 Socket Buffers: R=[163840->131072] S=[163840->131072] "
  • Can OpenVPN Server and Client use Same Port? [ANSWERED]

    0 Votes
    3 Posts
    982 Views
    jimpJ
    Yes they can work that way so long as the Server Local Port is 443 and only the client's Server Port is 443; then it's talking about different things (source port vs destination port). The only way they would conflict is if you also set the Client's Local Port to 443, but you'd never want to do that.
  • Gateway Group for OpenVPN Must be Failover?

    0 Votes
    4 Posts
    1k Views
    jimpJ
    @beremonavabi: By the "interface setting," you mean under VPN > OpenVPN > Clients? (see attached).  If so, mine's set to WAN, so I should be fine. Yeah that's what it means, and yours is A-OK if that's how it's set. @beremonavabi: Thanks for the reply.  I appreciate it (and assuming those are your videos on the Hangouts site, I find them very useful for trying to get a handle on this stuff). That's me… Thanks!
  • Openvpn does not reconnect on disconnects

    0 Votes
    3 Posts
    3k Views
    P
    Related question for options to get OpenVPN to reconnect after service interruption: The issue that I just ran into is the OpenVPN client did not reconnect after a service outage, and it is at a remote location. The remote location is a residential location connected via cable modem/DHCP, and the current options are to cycle power to pfSense, or use a remote desktop support to control a PC at that location to access pfSense to restart the OpenVPN client.  Both of those options are viable, but I would prefer a self-healing option. For recovering from an OpenVPN service interruption, does it make ANY sense to have TWO OpenVPN connections between two pfSense firewalls, so that if one route does not restart itself after a service interruption, the other route will? (e.g., Site A client –> Site B server, AND Site A server <-- Site B client), or does this type of configuration just create more problems? The alternative I am planning is to use a PC configured as an OpenVPN client to both pfSense servers (it is already connected as an OpenVPN client to one for remote access), but I would need to set up dynamic DNS at the remote site because it gets its IP via DHCP from the cable modem provider.
  • Site-to-Site OpenVPN between 3 LANS

    0 Votes
    1 Posts
    463 Views
    No one has replied
  • Adding Username and Password option

    0 Votes
    10 Posts
    2k Views
    N
    @gjaltemba: You may want to set the Verbosity level to 5 under Advanced Configuration of the Openvpn client if you really want to check the log. Reset it when you are done. At Verbosity level 5 the line auth_user_pass_file = '/var/etc/openvpn/client1.up' is there. But now notice this error May 17 21:30:05 openvpn 79458 ERROR: FreeBSD route add command failed: external program exited with error status: 1
  • Firewall Traffic Needs "redirect-gateway def1" to Route Thru VPN?

    0 Votes
    5 Posts
    7k Views
    beremonavabiB
    A couple of additional notes about my earlier posts.  First, I'm embarrassed about not being able to find the routing table in pfSense.  It's at: Diagnostics > Routes I thought it was Tables and my brain shut down even more when I didn't see what I expected. Second, I finally added the redirect-gateway command into the advanced options of my OpenVPN clients.  Everything seems to be working (hopefully, this "seems" is more accurate than my previous "seems").  My routing table now includes both 0.0.0.0/1 and 128.0.0.0/1 and both point to the x.x.x.1 address of my VPN Gateway Group's Tier 1 entry.  I assume it will switch to the address for the Tier 2 entry if the Group fails over.  Default is still there and still points to my WAN. And, finally, I guess the "Don't Pull Routes" box could be considered that GUI option to enable "redirect-gateway."  The trouble is that we don't know in advance what routes the provider will push if we leave that option un-checked.
  • OpenVPN client (low bandwidth on flashed R8000 router and QNAP NAS)

    0 Votes
    4 Posts
    2k Views
    F
    About the AES-NI: I just checked, I guess I'm good to go if I'm going to use Intel's 7th gen CPU, now the question is… what speeds? i3 3.9GHz dual core? i5 4.2GHz quad-core? The following processors support the AES-NI instruction set: Intel Westmere based processors, specifically: Intel Westmere-EP (Xeon 56xx) (a.k.a. Gulftown Xeon 5600-series DP server model) processors. Intel Clarkdale processors (except Core i3, Pentium and Celeron). Intel Arrandale processors (except Celeron, Pentium, Core i3, Core i5-4XXM). Intel Sandy Bridge processors: Desktop: all except Pentium, Celeron, Core i3. Mobile: all Core i7 and Core i5. Several vendors have shipped BIOS configurations with the extension disabled; a BIOS update is required to enable them. Intel Ivy Bridge processors. All i5, i7, Xeon and i3-2115C only. Intel Haswell processors (all except i3-4000m, Pentium and Celeron). Intel Broadwell processors (all except Pentium and Celeron). Intel Silvermont/Airmont processors (all except Bay Trail-D and Bay Trail-M). Intel Skylake processors. Intel Kaby Lake processors.
  • Pfsense OpenVPN on Vultr VPS - Speed Issue

    0 Votes
    2 Posts
    1k Views
    W
    Might have answered my own question here. Would it happen to be this option in the GUI under Advanced -> Networking? Refer attached image.
  • UDP traceroute doesn't work ICMP does from WAN to LAN to OpenVPN Server

    0 Votes
    4 Posts
    1k Views
    A
    I nuked the install and started fresh.  It works just fine now.  Not sure what happened in the configuration that messed everything up, but it seems fine now.  I appreciate the help.
  • OpenVPN without Admin rights (Win 7 and XP) on Pfsense 2.3.3_p1

    0 Votes
    3 Posts
    1k Views
    jimpJ
    OpenVPN 2.4.x has its own service and the GUI controls the service – it does not need administrator rights. That works fine on Windows Vista and later. Thus, OpenVPNManager was removed because it no longer was necessary. That said, OpenVPN 2.4.x is not supported on XP. If you must still use XP, you're on your own there.  If you still need OpenVPNManager, you can install it yourself manually separate from the actual OpenVPN client.
  • QUESTION VPN

    0 Votes
    3 Posts
    761 Views
    ?
    Hi, this is the schema of the network: [Network diagram: SITE01 with a FORTINET-FW and LAN01 (192.168.1.0/24) behind CISCO01, linked by optical fiber to CISCO02 and LAN02 (172.16.1.0/24) at SITE02.] But when from SITE02 I execute tracert to the mail server (mail.domain.com), this goes out to the internet and down by the Fortinet; it is for this that I need to install pfSense. Thanks for your help
  • Question about CA's, and OpenVPN Server

    0 Votes
    2 Posts
    643 Views
    jimpJ
    A CA/Cert made with the Wizard should work and show up in the Cert Manager afterward. You can make them yourself, too, but using the Wizard is also fine. There is no specific requirement for the information you put in the CA/Cert so long as you respect the limitations for special characters in the current release. It should be unique but it can be generic. Meaning if you have multiple CA entries or multiple certificates, they should not have identical values for all fields as this can confuse many utilities which locate certificates by subject. The CA/Cert for OpenVPN are self-signed so they don't have to be verified beyond the certificate being made from the correct CA.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.