thanks viragomann it's all working now!!

where i can put the same parameters in pfsense

"VPN" is your vpn clients gateway?
If so it should work, when the client is connected.

Hi manny,

No, I didn't need to do anything peculiar for the double-nat. No custom routes or NAT settings required. Literally, the issue was the subnet mask, which took quite a while to figure out, but was an easy-fix.

Thanks!

I'm having the same problem… "Authenticate/Decrypt packet error: packet HMAC authentication failed"

and I've reviewed and re-input the keys a couple of times. I  believe this may be related to the recent reset of all of the PIA keys/ports/ciphers due to the Russian activity.

Does anyone have a 'how-to' that includes the most recent changes? TIA.

@johnpoz:

So you want to use tap vs tun?  Why exactly do you feel you need to be on the same network as your remote location?  Are you trying to broadcast for something, use multicast? what?  There really is very few things that would justify "bridging" your openvpn connection.

my directv box wont let me do lots of things unless it thinks im on the same network.  It is on my home /24 network, using a /24 bitmask, and my VPN network is a smaller /29 network part of the same /24 network, but outside of what would be the same /29 that the directv box would be on if i left its IP the same but put its netmask to /29.  Was thinking that pfSense would proxy arp to the directv box in place of my VPN client but it apparently isnt happening.

Hoping that by having a layer2 VPN here it would work.

Thanks I worked it you a few days ago. The pig time on the default VPN ping was to long and showing the gateway down. I changed the monitor address to the server public address instead of the VPN address and all is good now.

Thanks,
SImon

Nice, but indeed, not 100% sure and don`t want to clutter :)

Server:
Remote access SSL/TLS+User Auth
In config file of server I see for example:

I think:
"server…...." already includes "tls-server" so no need for the latter.

When exporting a client config  I see similar in the *.ovpn:

Again I think:
"client" already includes "tls-client" so no need for the latter.

Thanks.

Thank a lot viragomann

To get this to work - I ended up providing domain name (factory.local) to my remote office DHCP clients so those client PCs can resolve short (NetBIOS) names as well as FQDN for our local domain. I typed Main-Office DNS server IP (10.0.1.20) on the top of the list in General->Setup for Remote-Office pfSence machine (as you suggested)

So now Remote Office client PCs can join the Main Office domain and listed in AD-DNS with 10.0.5.x addresses :)

I did not use DNS-Forwarder… do I really have to use DNS-Forwarder ? I think AD-Client PCs are better left with their "natural" AD-DNS server for name resolution...

Question: We have an extra subnet in Main Office (10.0.3.0/24) used for IP-Phones… Is it possible to connect that subnet through our VPN connection ? We need to install a few IP-Phones in the Remote-Office location ?

I tried adding extra gateways and static routes at pfSence - nothing works... Please advise  :)

Anyone have any advice on my problem? At this stage even after deleting all VPN related settings, rebooting and then re-configuring I end up with the same error. My next option is to reinstall PFSense on a new USB. Though I feel that if this is an option to address the problem there is something significantly wrong.

+1
You could even create a specific VLAN interface (even without configuring it on switch) just for this sole purpose, just make sure everyone have access to this interface/vlan.

Ok i have added this

192.168.50.0/24,192.168.1.0/24,192.168.0.0/24,192.168.60.0/24,192.168.61.0/24

You are a legend.  How stupid do i feel.  yes adding the tunnel networks to the remote networks allows connection.

Thanks so much.  i suppose learning never hurt anyone :)

Mat

Yes, that is clear to me now.

I got confused by two things:
1. In CSO "NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings."
2. In Server "Inter-client communication"

2 should not be ticked as one cannot control "who can see who" if ticked.

Hello!

Thank you for the reply, I have a dynamic public IP, but I have something similar to DynDNS meaning I have an domain name to my IP (which updates automatically when the IP changes.

Best regards
Tobias