• Only connecting in User Auth, not SSL/TLS + User Auth......

    1 Votes
    2 Posts
    478 Views
    Figured it out. You have to have a separate "user" cert and a separate "server" cert. Doh!
  • OpenVPN settings and outbound NAT ?

    0 Votes
    4 Posts
    636 Views
    Ok, I think I get it now. It confused me when the VPN was added, as it appeared to 'cut off' the normal traffic from LAN to WAN. Dave.
  • PIA port forwarding

    0 Votes
    2 Posts
    633 Views
    Would need more info to offer more targeted troubleshooting help, but a few gotchas that I've seen and learned:
    - Once you assign the tunnel to an interface, make sure you bounce the tunnel afterward.
    - If you're running a remote access server, edit the rules on your OpenVPN tab so the source address is explicit to your tunnel network. Otherwise, incoming traffic will match on the wrong interface. In other words, if there's an any/any rule on your OpenVPN tab, either remove it or modify it so the source address is explicit to the other services you are trying to run (e.g. a remote access server or another tunnel).
    - Verify your Outbound NAT mode is either Hybrid or Manual and that you have NAT mappings NAT'ing egress traffic to the PIA address on the PIA interface.
    - Verify your port forwards are configured on the PIA interface and have a Destination Address of your PIA address.
    - Verify the policy routing rule on your LAN tab is configured with the correct source address, has the PIA gateway and is above your LANnet/any (or any/any) rule that would otherwise send the traffic out the default gateway.
  • [Solved] OpenVPN Documentation Sticky

    0 Votes
    2 Posts
    479 Views
    Derelict
    Fixed. Thanks for pointing it out.
  • Do I need to use Enable NCP - Enable Negotiable Cryptographic Parameters?

    0 Votes
    7 Posts
    3k Views
    Derelict
    Yes, you are correct.
  • Export OpenVPN server?

    0 Votes
    7 Posts
    1k Views
    While I was testing out the exporting from pfSense 2.2.4 to 2.3.5 I got the certs working, but when I connect I keep getting that auth failure. I even copied and pasted the password, thinking I was going mad crazy. Pictures: pfSense 2.2.4 [image: 1528744936318-cfff7347-95d8-4806-84cc-308d34a310c8-image-resized.png] [image: 1528745213313-clipboarder.2018.06.11-resized.png] pfSense 2.3.5 [image: 1528745034722-clipboarder.2018.06.11-005-resized.png] [image: 1528745034637-clipboarder.2018.06.11-004-resized.png] [image: 1528745034553-clipboarder.2018.06.11-003-resized.png] Error: [image: 1528745151952-clipboarder.2018.06.11-006.png] Thank you
  • Site to Site overriding my WAN? (SOLVED)

    0 Votes
    10 Posts
    1k Views
    I guess you're right. I tried it on my test environment, 2 pfSense boxes both running 2.3.5, and Site 2 was using its own WAN rather than using the Site 1 WAN.
  • 0 Votes
    14 Posts
    4k Views
    Derelict
    No. I do not have Rogers. If you packet capture on WAN for port 443, attempt a connection, and it arrives, the ISP isn't filtering it. If it doesn't arrive they are or someone else is.
  • This topic is deleted!

    0 Votes
    3 Posts
    86 Views
    No one has replied
  • 0 Votes
    21 Posts
    6k Views
    @grimm-spector Exactly, it will work just fine :)
  • Password in client export

    0 Votes
    7 Posts
    2k Views
    johnpoz
    Yeah, not a big issue; when you need to install into something that wants to see a password you can just add it via openssl. Was just curious - thanks. When you want your iOS phone to connect to an EAP-TLS wifi network it wants a password. It will not take blank, and space doesn't work, etc. Not a big deal if doing a handful.
  • Replacing Expired OpenVPN Certificates

    0 Votes
    1 Posts
    5k Views
    No one has replied
  • Alerts for Remote VPN Access Use / Attempted Unauthorized Use

    0 Votes
    11 Posts
    3k Views
    @derelict said in Alerts for Remote VPN Access Use / Attempted Unauthorized Use:
    Graylog is free. Awesome, but pfSense is not a log server. It is a firewall.
    Thanks for passing this along - Do you use it? I'm wondering what you do (if your use case is similar - Home/Home Office, a few PCs, a couple of "Smart Devices/Media Players/IoT" or similar) or are you running a large network. I would absolutely agree that it's not ideal as a log server and wouldn't work for a large setup.
    @gertjan said in Alerts for Remote VPN Access Use / Attempted Unauthorized Use:
    When I inspected my "pfSense" logs - I'm using a remote (but local) log server, I do see lines like :
    06-06-2018 12:00:12 Daemon.Notice 192.168.1.1 Jun 6 12:00:14 openvpn[32669]: 80.12.41.173:55353 [GertjaniPhone] Peer Connection Initiated with [AF_INET]80.12.41.173:55353
    when I log in with a VPN client on my VPN server (== pfSense). Scripting against the log file with tools like fail2ban (or whatever hand written shell script) and you have your notification mail. That's what I had in mind! As @Derelict : I'm not keeping the logs (+100 Kbytes every day) on pfSense. You have a FreeNAS system, so I guess you're close to a good solution.
    If you have a similar use case to me, what software are you using? This discussion has caused me to consider creating a log server on my FreeNAS. Certainly I have the capacity to do it, just worried the learning curve for these other tools may be too steep given my time constraints. Unless I have hardware issues, FreeNAS is always running when the other PCs are running, and analysis/monitoring is badly needed. I think for OpenVPN I will stick with a simple script on /var/log/openvpn.log - maybe a bit of python. OpenVPN might be running when FreeNAS is down, so I'd rather have this simple bit of monitoring locally.
  • LDAP Group Authentication

    0 Votes
    2 Posts
    555 Views
    *BUMP
  • Use both TCP and UDP at the same time with OpenVPN Server

    0 Votes
    14 Posts
    12k Views
    @jegr Thank you. I will definitely consider your advice :)
  • TLS Error

    0 Votes
    3 Posts
    1k Views
    gregeeh
    @jimp said in TLS Error: Usually that means that some other client (not OpenVPN) hit the port. It might be a port scan, a monitoring probe, or a client that doesn't have the right TLS key for example. I think you are correct, as I just did a port scan, using one of the online tools, on port 1194 and the error appeared. Seems to confirm your thoughts. Thanks.
  • Site to site OpenVPN stopped working

    0 Votes
    1 Posts
    353 Views
    No one has replied
  • Viscosity Client - pfSense OpenVPN - Web Pages Timing Out

    0 Votes
    3 Posts
    794 Views
    I used the VPN > OpenVPN > Wizards to create the entry in the Servers > OpenVPN Servers. I believe it also created the OpenVPN firewall rule. The OpenVPN firewall rule is an action: Pass, protocol: Any, source: Any, destination: Any. I thought maybe Suricata could be blocking the connection. I read a post that stated to use port 443 to bypass Suricata. I changed the OpenVPN Server to port 443 and the WAN firewall rule to action: Pass, protocol: UDP, source: Any, destination: WAN address, destination port range: 443, and I'm intermittently able to connect. I'm also observing when I am able to connect, and then I disconnect, and then try to reconnect, I'm having trouble reconnecting. Is there something else I may be missing by chance? Thank you.
  • 1 Votes
    9 Posts
    3k Views
    @derelict GDG: problem writing to routing socket maybe here? A stupid question, since it worked before without it: do I have to bridge LAN and "opt1 over opvns1"?
  • Site-to-site tunnel, only endpoints can ping other side. [SOLVED]

    0 Votes
    7 Posts
    1k Views
    @derelict Yup, this was it. The routing even seems to work with my IPSEC tunnel still in place. If this was mentioned in the book, I must have read right over it!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.