Yes. You have to configure the vpn routes and firewall rules on all firewalls must allow the access. Assuming there is a pfSense3 in front of office3 and the vpn connections are stie-to-site and the routes between 1-2 and 3-4 are already working, on pfsense1 add the office3 lan to the "remote networks" in the openvpn config and on pfsense3 add the office1 lan to the "remote networks". Both endpoints, pfsense1 and 3 have to be the default gateways in the lans.

oooh ok and here I been using the windows vista and later as it said windows... ill give it a try and let you know when I get home I really appreciate it

DNS not working. I can't access webpages. :( Tired, going to bed and will resume tomorrow.

@jimp said in packet HMAC authentication failed on peer-to-peer (shared key): Are you certain both systems are using the exact same shared key? That's the easiest way to get that error. I'm waiting to get the file from the client, but last time I checked (2 weeks ago when we first brought it online) they were the same. EDIT: Checked and both are identical.

I understand your testing of rfc1918 as "internet" I even stated such.. I am not complicating anything... You put up a drawing with client rfc1918 --- internet --- made up public IP.. How are they suppose to talk to each other if on the same L2? Yes if your test shows you can connected through your router to pfsense, then yes if you put actual public IP on it - you should be able to get to it from the internet.

You probably can't afford me.. :) This is actually pretty simple after you get the actual tunnel up.. First- IPv4 Remote network(s) Box 1 LAN 192.168.10.0/24 use 192.168.20.0/24 for this option Box 2 LAN 192.168.20.0/24 use 192.168.10.0/24 for this option Go to (yourpfsenseip)/firewall_rules.php?if=openvpn What do your firewall rules look like?

It sounds like your pfSense machine is behind another router, because as you state, 192.168.2.2 is a non-routable RFC1918 address. Assuming you have access to the router in front of it, you'd need to use its public WAN IP instead, and configure appropriate port forwarding to the pfSense machine.

@biggsy thank you very very much

Yes it is always better to have pfsense wan right on the public vs behind a NAT. But in the export util just set what your public is or what some fqdn points to your public is. [image: 1531826139641-vpnexportname-resized.png]

No errors. but in system \ certificate no cetificats go back

Won't work out very well. I made setup choices, and have constraints like "a router in front of a router". I'm also using a IPv6 network from he.net, so my OpenVPN exposes also an IPv6 to the connected clients. I decided not to use user and password : the certs on both sides, client and server, will do the authentication. You have to make up your list with what you want, and then you feed Google with "pfsense setup openvpn" and you choose a recent how-to and you follow the step-by-step. Install also the vpn-client-export package. For what it's worth : [image: 1531817259139-fireshot-capture-005-pfsense.brit-h_-https___pfsense.brit-hotel-fumel.net_vpn_openvpn_server.php-resized.png]

Well, looks like i resolved it! It was the logging level of the system. Now it's fast again...sorry for the unneccesary thread.

You should probably paste screen shots of what you have done and not a textual representation of what you think you have done. Screen shots of Diagnostics > Routes, the OpenVPN client and server, and the OpenVPN Firewall rules would be a good start. Please be a little more specific, like instead of I can ping from 10.6.0.0/24 to 10.3.0.0/24 try I can ping from 10.6.0.101 to 10.3.0.62. What is an OpenVPN foreign network ??

I removed all the VPNs and walked through the process again, seems to be working now as it is an available gateway now.

@unknowneleven said in Difficulties on pfSense 2.4.3-p1 and OpenVPN on WAN TCP 443: Hi. I have been trying to make OpenVPN work on TCP 443 since the day one that I installed pfSense. I've managed to get it working in pretty much any port and protocol I've tried, except on TCP 443. I knew that it could conflict with the webConfigurator port, so from the beginning of the installation I changed it's port to 8443, and I've even checked on Sockets that there is indeed no other service binding or trying to bind on WAN:443, only OpenVPN. I've tried to connect on my phone and my notebook, but none will. Ironically, when I try to connect from inside my LAN, it works immediately. It only doesn't connect from outside my network. I've checked my firewall rule on the WAN interface, but it's as it should be. In fact, when I try to connect to the OpenVPN on TCP 443, appears a strange connection on Sockets, with question mark (?) identification on the WAN IP:443 and the other end IP:port. Basically, that tells me that it's not a problem in the end device, for it reaches the firewall. But it seems that pfSense, or OpenVPN, do not identify that connection as OpenVPN on TCP 443. I've tried everything I could find, even the port-share localhost 443. If someone can give me some light, I'll be forever grateful. Thanks. My setup: OpenVPN on WAN, to TCP 443. Firewall rule on WAN: pass TCP any to WAN address on HTTPS (443). Just remembering: OpenVPN works on any other port I tried. It doesn't work only in TCP 443 (though I never tried UDP 443). Also, I've got Dynamic DNS on the configuration, so the client is set to connect to the DDNS.

@aileron said in Route one subnet through VPN, another one through regular gateway?: These will be connected to the same physical interface. Doesn't work that way if your network is 192.168.0/24 you can not just add devices using 192.168.1/24 I would suggest you do some research on basic networking 101 before you start playing with policy routing. Change your lan network to /23 if you want to use both .0.x and .1.x addresses. Or put this .1/24 on its own vlan, etc. Then its very simple to policy route out any clients you want via your vpn. Just make sure to turn off default route from your vpn connection in pfsense and just policy route who you want to use or not use the vpn connection.

@stephenw10 Well you wont believe what it was, it was the WPAD, as site 1 has wpad i also have the proxy auto detect on site 2 i disable the auto detect and bam showing the real WAN ip for the websites. i guess no i have to see how i can disable that.

Is your Unbound service actually running- /status_services.php

The most-specific rules should generally be at the top to prevent something more general from matching first.

@wormuths np problem! good luck with it