• Want a hostname to resolve to an IP over a openvpn, please help.

    0 Votes
    17 Posts
    7k Views
    I figured it out. Missed one small thing the whole time. You MUST use DNS Forwarder (I tried DNS Resolver but had no luck, and in the domain overrides section there is no source IP), so what I did was on the kenansville.local pfSense, I added a host override of realestate.kenansville.local to 192.168.2.2 and under domain override I added kenansville.local with IP 192.168.2.1@192.168.1.1 and that works perfectly :) I hope it doesn't mess up any resolving of PCs on the kenansville network though. I have no way to test that at this moment. Not sure why there was a DNS request timeout in this nslookup, but here is the report below. Here is a current nslookup and ping:

    C:\Windows\system32>nslookup realestate
    Server:  router.kenansville.local
    Address:  192.168.1.1

    DNS request timed out.
        timeout was 2 seconds.
    Name:    realestate.kenansville.local
    Address:  192.168.2.2

    C:\Windows\system32>ping realestate

    Pinging realestate.kenansville.local [192.168.2.2] with 32 bytes of data:
    Reply from 192.168.2.2: bytes=32 time=103ms TTL=126
    Reply from 192.168.2.2: bytes=32 time=106ms TTL=126
    Reply from 192.168.2.2: bytes=32 time=113ms TTL=126
    Reply from 192.168.2.2: bytes=32 time=109ms TTL=126

    Ping statistics for 192.168.2.2:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 103ms, Maximum = 113ms, Average = 107ms
  • Pinging across the VPN, how to?

    0 Votes
    3 Posts
    968 Views
    Fill in a gateway in the AP's settings. If you are using a home router as an AP, then you most likely cannot fill in a gateway for its LAN interface :(
  • OpenVPN "handshake failed"

    0 Votes
    2 Posts
    870 Views
    Welcome to pfSense. The fact that you get "handshake failed" means the client is at least trying to connect, which is a good sign. In order to help you with your setup, we'll need more information about your setup: What type of OpenVPN connection are you using - site to site or remote access? What type of authentication are you using - PKI, PKI + Auth, Shared Key? What device is trying to connect as a client?
  • OpenVPN needs restarting

    0 Votes
    2 Posts
    761 Views
    I found that my log needed a reset, so when this happens the next time I will hopefully get some useful info and see what the problem is. Perhaps I need you guys again…
  • OpenVPN on dual WAN - cannot reach clients

    0 Votes
    15 Posts
    2k Views
    Hi, anybody have any further ideas? This is still not working, but I cannot find the issue. All settings look fine.
  • LAN to access OpenVPN clients

    0 Votes
    3 Posts
    2k Views
    @Viragomann: Thanks for your reply. Forgot about the Winblows firewall. I just punched a hole in it and it works. I was only using this machine to test the connection before setting it up on my remote machine. Thanks again.
  • PfSense and MikroTik site-to-site OpenVPN

    0 Votes
    9 Posts
    8k Views
    Hi everyone. acriollo, can you help me set up an OpenVPN server in pfSense and a MikroTik OpenVPN client? I can't get mine working… Thanks in advance.
  • OpenVPN PAM/Yubico

    0 Votes
    4 Posts
    3k Views
    Hi, the way I got this working was via another FreeBSD instance and creating a separate curl package with c-ares support (https://github.com/Yubico/yubico-pam/issues/55 - is in fact my post). However, this is not at all good, since every update of pfSense breaks the package, and you need to reinstall the precompiled port. This is why I tweeted pfSense a while back urging them to ship pfSense with cURL-cares (https://twitter.com/ict_sec/status/648418038807724032). I just jotted down a few notes to help me remember what I did on a separate FreeBSD instance to get it working, with the guidance from http://mjslabs.com/yubihow.html.

    mv /usr/ports /usr/ports.bak
    pkg install subversion
    svn checkout https://svn0.eu.FreeBSD.org/ports/head /usr/ports
    make config
    make install
    pkg create /usr/ports/ftp/curl

    Transfer the newly created .txz file to the pfSense machine and install with pkg add curl-XXXX.txz
  • OpenVPN site to site (client/server) + server/server

    0 Votes
    10 Posts
    2k Views
    Honestly I've never run into the key length issue on "modern" clients. I have used no less than 2048 bit for certificates and DH parameters for at least the last five years without issue. I would make sure your certificates are correct; that has always been the biggest "hassle" for me in setting up OpenVPN links. After doing a little hunting on the OpenVPN site, I do see reference to a similar problem with a DD-WRT router and an iOS client, but that was on a much older version of the OpenVPN client. Might be worth a check to make sure the iOS client app is fully up to date, or perhaps even an uninstall/reinstall.
  • [Solved] Unable to access LAN network using OpenVPN

    0 Votes
    6 Posts
    2k Views
    Hi there, I've resolved this by changing the gateway from the existing one to the pfSense IP, which then allows clients to communicate with pfSense as the gateway. Now I'm able to access the said network. Thanks!
  • Site to Site bridging server to client from local access server's client

    0 Votes
    1 Post
    623 Views
    No one has replied
  • PfSense OpenVPN Client

    0 Votes
    1 Post
    1k Views
    No one has replied
  • Centos 7 as client to pfsense server

    0 Votes
    2 Posts
    1k Views
    Let me replicate to ensure I've got your intention right. You have a pfSense box running an OpenVPN server, and Windows and CentOS should connect to it and be able to communicate together? And now your challenge is to set up the VPN client in CentOS? Do you use NetworkManager for your connections?
  • DNS not working properly

    0 Votes
    4 Posts
    2k Views
    johnpoz
    Yup, the resolver has an access list, and remote networks would have to be allowed.
  • Remote Access to pfsense behind corporate firewall

    0 Votes
    3 Posts
    1k Views
    @johnpoz: So what is this corp firewall? I ask because, to be honest, end-pointing a VPN connection behind the edge is normally a bad idea and just complicates the setup. I would suggest, if you want to use OpenVPN to provide road warrior access, that you swap out your corp firewall (it doesn't support VPN?) with pfSense and set up the VPN as it should be set up, on the edge device. Hi there! The firewall is a Dell SonicWall which does not support more than one SSL-VPN client at a time… which brings us to the same question on how to achieve that. Forumers had written that they have had or have the same setup, but none writes on how to actually achieve that. Please advise!
  • OpenVPN bug(?) if there is more than one VPN-Server

    0 Votes
    5 Posts
    1k Views
    Probably you're right with "That's widely documented", as you are in that theme and an admin here. I didn't find anything about that anyway. Maybe you can point me to a good place to start reading about it? Even if pfSense is not for beginners, there are lots of things where I feel the documentation is not comprehensive enough. To have that "InterfaceAdress" in that dropdown at least is misleading, as I can't imagine where someone can use that intentionally then. If I have one VPN it will do, but adding a second VPN will break the outbound NAT for the first one. So it should be recommended that you better not use "InterfaceAdress" there, because this can cause problems later, when you already forgot that the outbound NAT rules depending on the first VPN are affected then.
  • Multiple VPN Network on single Pfsense! How to access all network ?

    0 Votes
    5 Posts
    2k Views
    Derelict
    No. You add routes and iroutes to OpenVPN and it adds them to the routing table as necessary. I'm asking if you can renumber because it would be easier to do (and reduce your chance of a collision with another network) if you were to number your LANs something like:

    172.26.48.0/24
    172.26.49.0/24
    172.26.50.0/24
    172.26.51.0/24
    172.26.52.0/24

    Then, to every site, you would push a route to 172.26.48.0/28. Then, in your client-specific overrides on the main site, you would iroute the appropriate LAN network to the appropriate client. And on all your OpenVPN rule tabs, if you want everyone to be able to access everything, you would pass all traffic from 172.26.48.0/28.
  • TLS handshake failed intermittently

    0 Votes
    17 Posts
    7k Views
    johnpoz
    My client is set to 3 as well, server is set to 4. Let me set it down to 3 and reconnect. OK, just reconnected with the server set to 3 and still see it verify.

    Server:

    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 [johnpoz] Peer Connection Initiated with [AF_INET]publicIP:63992
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 22 14:28:22 openvpn[12190]: publicIP:63992 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Oct 22 14:28:21 openvpn[12190]: publicIP:63992 VERIFY OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=johnpoz
    Oct 22 14:28:21 openvpn[12190]: publicIP:63992 VERIFY SCRIPT OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=johnpoz
    Oct 22 14:28:21 openvpn[12190]: publicIP:63992 VERIFY OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=openvpn
    Oct 22 14:28:21 openvpn[12190]: publicIP:63992 VERIFY SCRIPT OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=openvpn
    Oct 22 14:28:17 openvpn[12190]: publicIP:63992 TLS: Initial packet from [AF_INET]publicIP:63992, sid=6f5a2a44 6d92e177
    Oct 22 14:28:17 openvpn[12190]: TCP connection established with [AF_INET]publicIP:63992

    Client:

    Thu Oct 22 14:28:17 2015 TLS: Initial packet from [AF_INET]10.56.226.130:8080, sid=ba339956 9c9fc85c
    Thu Oct 22 14:28:19 2015 VERIFY OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=openvpn
    Thu Oct 22 14:28:19 2015 VERIFY OK: nsCertType=SERVER
    Thu Oct 22 14:28:19 2015 VERIFY X509NAME OK: C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=pfsenseopenvpn
    Thu Oct 22 14:28:19 2015 VERIFY OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpozsnipped, CN=pfsenseopenvpn
    Thu Oct 22 14:28:22 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Oct 22 14:28:22 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Oct 22 14:28:22 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Oct 22 14:28:22 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Oct 22 14:28:22 2015 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Thu Oct 22 14:28:22 2015 [pfsenseopenvpn] Peer Connection Initiated with [AF_INET]10.56.226.130:8080
  • OpenVPN stops at 1gb

    0 Votes
    1 Post
    715 Views
    No one has replied
  • Deluge thru PIA VPN

    0 Votes
    2 Posts
    3k Views
    Derelict
    All you have to do is be able to identify the traffic. Post your port config page. If you have an inbound port forward from PIA to you, you don't need to do anything because the traffic is obviously coming in via PIA. For outgoing ports, you will have to uncheck Use Random Ports, then set a port or port range for outgoing connections. Then add those ports to the firewall rule that policy routes traffic to the VPN. If you set outgoing ports from 63001 to 63010 you would set your firewall rule like this:

    TCP/IP Version: IPv4
    Protocol: TCP/UDP (unless you know it's one or the other)
    Source: Local Host IP
    This is one of the few times it's appropriate to do this, but click advanced
    Source port range: from: 63001 to: 63010
    Destination: any
    Destination port range: from: any to: any
    Advanced Features
    Advanced options: mark the packet NO_WAN_EGRESS
    Gateway: YOURPIAVPNGW

    A better way to do it might be to add an IP alias to your torrent host and make Deluge use only that. No idea how to do that on your system, but Deluge appears to be able to select an interface for outgoing connections. It looks like mine (Mac) just prompts for an interface name. Might take some digging.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.