• No openvpn connectivity after first disconnect

    1
    0 Votes
    1 Posts
    490 Views
    No one has replied
  • Client with XP cannot connect with OpenVPN

    13
    0 Votes
    13 Posts
    3k Views
    jimp
    If you use the client export package, you can click the option to export one of the old windows installers with the "-xp" suffix, and you can also check the "legacy client" option in the export package when making inline configurations. But the best thing to do is ditch XP.
  • Tuning openvpn / pfsense2.4.3 / vmware 6.5

    2
    0 Votes
    2 Posts
    1k Views
    I would try deactivating AES in System>Advanced>Miscellaneous, as the AES instructions are available to OpenSSL natively and don't need additional wrappers to be used.  This is mentioned in other threads.  You might also try using the AES-GCM encryption modes.  Another thing to try is using LZ4 compression and pushing it to all clients. I  am running with the settings I have mentioned under QEMU/KVM on AMD for remote access with SSL/TLS and User Auth, and for peer to peer tunnels, and it seems to serve me well. Cheers.
  • Inability to access LAN over OpenVPN after minor changes

    6
    0 Votes
    6 Posts
    863 Views
    So, bit later than I wanted. But think I've discovered the problem lies with authentication.

    May 8 23:21:14 openvpn 65105 Authenticate/Decrypt packet error: packet HMAC authentication failed
    May 8 23:21:14 openvpn 65105 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:(remote site wan):7003 (via ::ffff:(pfsense wan address)%em0)
    May 8 23:21:16 openvpn 65105 Authenticate/Decrypt packet error: packet HMAC authentication failed
    May 8 23:21:16 openvpn 65105 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:(remote site wan):7003 (via ::ffff:(pfsense wan address)%em0)
    May 8 23:21:20 openvpn 65105 Authenticate/Decrypt packet error: packet HMAC authentication failed
    May 8 23:21:20 openvpn 65105 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:(remote site wan):7003 (via ::ffff:(pfsense wan address)%em0)
    May 8 23:21:28 openvpn 65105 Authenticate/Decrypt packet error: packet HMAC authentication failed
    May 8 23:21:28 openvpn 65105 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:(remote site wan):7003 (via ::ffff:(pfsense wan address)%em0)
    May 8 23:21:45 openvpn 65105 Authenticate/Decrypt packet error: packet HMAC authentication failed
    May 8 23:21:45 openvpn 65105 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:(remote site wan):7003 (via ::ffff:(pfsense wan address)%em0)

    Starts blasting en masse the moment I try to ping/navigate to anything on the LAN. Not sure how to rectify that, given my setup is identical (short of lan address) to how it was setup when it was working for two years. Google-fu all points to configurations far more advanced than mine on Ubuntu servers or OpenWRT, not sure how to decipher and apply to mine.
  • OpenVPN authentication

    3
    0 Votes
    3 Posts
    677 Views
    Thank you for your advice. I checked the settings and we have no client configuration running on this firewall. It only acts as a server, and the password policy also only affects specific users and not all.
  • Some OpenVPN Options Covered by pfSense 2.4.3 Menu Options?

    2
    0 Votes
    2 Posts
    607 Views
    beremonavabi
    Someone in the AirVPN forums pointed me to /var/etc/openvpn/client2.conf to see the configuration pfSense actually generated. From that, it looks like I can answer at least some of my questions, above:

    cipher AES-256-CBC: It looks like that is generated from the "Encryption Algorithm" menu item and put in the "daemon" area. Oddly, AirVPN's .ovpn file specifies -CBC, but I specified -GCM. It works, but that's probably because AirVPN does handle -GCM. I wonder why their .ovpn specifies CBC instead of anything else?

    comp-lzo no: That's generated by the "Compression" menu item and put in the "client" area. Since Adaptive seems to give me no problems, I'll stick with that.

    dev tun: This is an interesting one. It looks like it's sort of generated by the "Device Mode" menu item and stuck right at the top in several ways. The very first line in the file is:

    dev ovpnc2

    I can't find anything in the OpenVPN manual about a straight "dev" option other than tun and tap. I assume it's defining a label for the device ovpnc2 (for OpenVPN Configuration 2, or something). Then, there's the two lines:

    dev-type tun
    dev-node /dev/tun2

    I believe those are setting the equivalent of "dev tun" for this "ovpnc2" device.

    proto udp: Hmmm. It looks like this is generated by the "Protocol" menu item and put in the "daemon" area. But, the option generated is "proto udp4" instead of "proto udp". I vaguely recall seeing posts around here about udp vs udp4, so I'm going to have to do more research to see if that's correct. EDIT: I found a post on the OpenVPN forums talking about using "proto udp4" to work around the problem of "proto udp" trying to set up UDP on both IPv4 and IPv6. If IPv6 is turned off (which it is on my system), then "proto udp4" is the thing to use. Odd that they don't list it in the manual page.

    remote xxx.xxx.xxx.xxx.yy: It looks like that's generated by the "Server host or address" and "Server port" menu item and put in the "client" area.

    verb 3: It looks like that's generated by the "Verbosity level" menu item and added right at the top under that "dev ovpnc2" area.

    So, unless there's an issue with "proto udp" vs "proto udp4", it looks like I'm OK.
  • AEAD Decrypt Error since 2.4.3

    3
    0 Votes
    3 Posts
    3k Views
    @Gertjan: Hi, As said somewhat earlier, it could be this, or, as proposed elsewhere, according Google, you have experiment a bit with "mssfix 1300".

    Hi, thank you for your reply. I already tried to play with the mssfix, but yet no success. I also read in another thread, that maybe the time on my machine or the VPN-Server might be out of time - so I changed the NTP Servers, but no success.
  • OpenVPN is failing to create the auto rules

    3
    0 Votes
    3 Posts
    594 Views
    Thanks for your reply and sorry for rushing on the issue before properly searching. The rule was not added at all in the first place, however I was able to fix it by adding it manually and correcting the udp4 to udp in the /tmp/rules.debug file and then running pfctl -f /tmp/rules.debug so the firewall won't report the same notice.
  • Both PIA and remote access VPNs - interesting oddity

    2
    0 Votes
    2 Posts
    474 Views
    Colleague advised "create interface for the PIA VPN" without specifying IP Address, just set the name. Did that & then adjusted the NAT rules to use PIA interface, & now it's all good. Nice. ;-)
  • Multiple HTTP proxies with/without squid?

    1
    0 Votes
    1 Posts
    263 Views
    No one has replied
  • Openvpn through ipsec

    7
    0 Votes
    7 Posts
    2k Views
    I managed to resolve the original(!) problem (i.e. openvpn -> pfsense <- ipsec tunnel -> tp-link) by adding a P2 entry declaring the openvpn network as local AND (!) on the TP-Link device added a new IPsec Policy (under IPsecVPN/IPsec) using the same IKE Policy as the Tunnel connecting the two LANs.
  • Route traffic instead of doing an "Outbound NAT"

    7
    0 Votes
    7 Posts
    950 Views
    johnpoz
    https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site
  • Set up a vpn for school

    2
    0 Votes
    2 Posts
    349 Views
    johnpoz
    So to clarify, you're asking how to circumvent your school's policy and sneak a vpn connection through? While there are many ways to do that.. You really should check with your school's policy on such activity - if you have a legit reason to use a vpn from your school's network then they should give details on how to do that. While you might find some people here willing to help you circumvent.. Many here will not be willing to offer such help.. Good luck.
  • OpenVPN and RV50 Sierra Wireless

    4
    0 Votes
    4 Posts
    3k Views
    Gil
    tun-mtu 1500;mssfix 1400;fragment 1300; Thanks axelf911, that worked for me. Now, I also connect into my pfSense Server via OpenVPN; and would like to be able to route back to the RV50. I have an identical config that allows me to route to another 4G OpenVPN device (H685-OpenWRT) - but I can't do it to the RV50. Do I have a mismatch?
  • PFSense and PIA - Slow download speed

    31
    0 Votes
    31 Posts
    14k Views
    @katinatez: Thank you so much!! have been struggling with PIA speeds. Tried just about every configuration but could not pass 45 Mb download with a 400/40 Mb internet plan. I have achieved the best speeds so far with your config!! My question is if I want to use 128 encryption would the special config change to this? Thanks for your reply. This is running pfsense 2.4.3 for reference for other users.

    explicit-exit-notify 2; ifconfig-nowarn; tls-client; persist-key; persist-tun; persist-remote-ip; remote-cert-tls server; auth-nocache; keysize 128; tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA; fast-io; sndbuf 524288; rcvbuf 524288

    I have N3150 with AES-NI extensions and my ISP line is 100/20 Mbps. I need to actually say I didn't notice any appreciable speed difference setting down AES-128-CBC. Your config looks good, just try it.
  • OpenVPN SERVER not working on CARP interface

    2
    0 Votes
    2 Posts
    1k Views
    I found that the solution can also lie in the interface settings. https://forum.pfsense.org/index.php?topic=129871.0 In the OpenVPN Client Protocol dropdown, you probably have selected "UDP IPv4 and Ipv6 on all interfaces (multihome)". That ignores the selected interface. Select "UDP on IPv4 only" Also, make sure the OpenVPN interface is set to be the WAN CARP VIP, not the WAN IP. This fixed the problem on my end.
  • Unable to access the lan from VPN

    1
    0 Votes
    1 Posts
    397 Views
    No one has replied
  • Fresh Install: TLS handshake failed

    37
    0 Votes
    37 Posts
    9k Views
    rodrigoinfocasper.com.br
    Hello, I finished installing openvpn and I did not exactly do it wrong, by chance I managed to solve it.

    May 2 15:13:15 openvpn 85741 Options error: --server directive network/netmask combination is invalid
    May 2 15:13:15 openvpn 85741 Use --help for more information.
    May 2 15:13:24 openvpn 3650 Options error: --server directive network/netmask combination is invalid
    May 2 15:13:24 openvpn 3650 Use --help for more information.

    Thank you, Rodrigo
  • Slow download using OpenVPN

    4
    0 Votes
    4 Posts
    809 Views
    So I managed to get this to work. I need to include some push directives on the server side that resized the send/receive buffers for clients. I now have a separate problem- although I'm getting line speed through the VPN, I'm now having an issue with web browsing from behind the VPN and I'm not sure why. Specifically, http/s traffic in general is anywhere from 2 to 3 times slower at certain instances than when I don't use a VPN. There doesn't appear to be any particular constancy to when it slows down. I have configured unbound to do DNS queries via Cloudflare. I've been using a browser addon called "Page Load Time" which breaks down the webpage stage loads. Accordingly, I'm usually spending most of my time in "Connect", "Request", and "Response."
  • OpenVPN - auto generated rules are using invalid syntax - possible bug???

    3
    0 Votes
    3 Posts
    2k Views
    Thanks for the feedback.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.