Well with Remote Networks not matching properly I would expect it not working, so put your main office network 10.11.0.0/16 there. Can you ping main office network clients from the remote side pfSense directly? -Rico

Perfect, thank you!!

@johnpoz said in Configure PIA (Private Internet Access) VPN on pfSense 2.4.4 only for specific hosts: kill switch Thanks!

So you just do Multiple Remote Statements? This would be the behavior then. Check out https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html which covers different Multi WAN tactics for OpenVPN (starting at 40:08min). I recommend you to watch the whole video tho. -Rico

noice

Hi, I figured it out my mistake and it's fix for good now. Thanks for the help. Have a nice week-end.

Anyone else has an idea? I'm out of ideas

If your routing and firewall rules allow it, it should just work. There are several variables to account for though, so we need more details. list itemPost your server1.conf and client1.conf. What are you allowing thru the tunnel? Post the firewall rules from the OpenVPN tab on both ends. Is the remote end using PFsense for DNS or something else? (e.g. AD, Infoblox, etc)

We found that trying to use CHAP failed every time without fail. Had to enable PAP to get this working.

There was a need to add route for specific traffic and change the OpenVPN settings to act as site to site VPN. It is now working. Thanks for your help @johnpoz @Rico

The only thing I can think of is those password fields were somehow populated. Try setting the VPN to Peer to Peer (SSL/TLS) That should expose the username and password fields. Clear them out and set it back to Peer to Peer (Shared Key) and save. Might work.

Routing table is empty. I’ll try and grab some screenshot. Config and firewall is just from the wizard.

@derelict said in Windows OpenVPN Clients: One thing I would try - sort of a shot in the dark - would be changing the CN for Gil_Mobile to Mobile_Gil. I thought I'd give it a try, but has pobably added to the confusion a bit. CN: "Gil" fails always (as per previous) CN: "Gil_Mobile" works; but it fails on the first attempt if "Mobile_Gil" has just previously connected CN: Mobile_Gil works; but it fails on the first attempt if "Gil_Mobile" has just previously connected The error message from the first attempt on the OpenVPN Server: Feb 5 21:29:23 openvpn 43450 Gil_Mobile/101.191.59.43:31448 SIGTERM[soft,delayed-exit] received, client-instance exiting Feb 5 21:29:17 openvpn 43450 Gil_Mobile/101.191.59.43:31448 SENT CONTROL [Mobile_Gil]: 'AUTH_FAILED' (status=1) Feb 5 21:29:17 openvpn 43450 Gil_Mobile/101.191.59.43:31448 Delayed exit in 5 seconds Feb 5 21:29:17 openvpn 43450 Gil_Mobile/101.191.59.43:31448 PUSH: Received control message: 'PUSH_REQUEST' Feb 5 21:29:16 openvpn user 'Mobile_Gil' authenticated Feb 5 21:29:16 openvpn 43450 Gil_Mobile/101.191.59.43:31448 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA Feb 5 21:29:16 openvpn 43450 Gil_Mobile/101.191.59.43:31448 TLS: tls_multi_process: untrusted session promoted to semi-trusted Feb 5 21:29:16 openvpn 43450 Gil_Mobile/101.191.59.43:31448 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1 Feb 5 21:29:16 openvpn 43450 Gil_Mobile/101.191.59.43:31448 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo' Feb 5 21:29:16 openvpn 43450 Gil_Mobile/101.191.59.43:31448 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1569' Feb 5 21:29:16 openvpn 43450 Gil_Mobile/101.191.59.43:31448 TLS Auth Error: Auth Username/Password verification failed for peer Feb 5 21:29:16 openvpn 43450 Gil_Mobile/101.191.59.43:31448 TLS Auth Error: username attempted to change from 'Gil_Mobile' to 'Mobile_Gil' -- tunnel disabled I think I'm chasing my tail without some better tools and more understanding of the Microsoft Certificate Storage. I am using the openVPN GUI v11.10.0.0 from OpenVPN Technologies Inc. Not sure if there is an alternate app to test with. @derelict said in Windows OpenVPN Clients: Also there might be some logging that can be turned up on the client that will display what it is doing in that cryptoapicert cal I don't see any additional logging options available.

@f8dhb Hey Show the client settings (file client.ovpn) Certificates only need to be deleted For example, it might look like this dev tun persist-tun persist-key cipher AES-128-CBC ncp-ciphers AES-128-GCM:AES-256-GCM auth SHA256 tls-client client resolv-retry infinite remote XXX.XXX.XXX.XXX 1194 udp verify-x509-name "aaaa.bbbb.local" name remote-cert-tls server compress mssfix 1360 <ca> -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- -----END PRIVATE KEY----- </key> <tls-crypt> -----BEGIN OpenVPN Static key V1----- -----END OpenVPN Static key V1----- </tls-crypt>