Glad it's working.  It looks like you're using split tunnel, so my thought was it had to be on the client end, but you're also double NATing and using port 443 instead of 1194… that probably has something to do with it.

Also, I'm curious to know why you're pushing out google DNS with a split tunnel deployment.

Thanks for the reply.  I ended up figuring out that a UAC permission was blocking the installation.

FYI for anyone else running into this problem that has all UAC's turned on, disable only these two:

User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated

I'm not sure exactly which one did the trick because even after forcing policy updates it still took a while for some replication, but I know for a fact that with these two disabled I am now able to install any application.

Justin

started over from scratch and got it to work by making sure all of my port forwarding worked before I configured openvpn access.

OK, update on this. Applied all windows updates (there were about 80) and now it seems to work.
Would be good/interessting to know wich KB that did solve this (if any? magical things have happened before).
Will try on another client when possible.

I don't know what you have now as your office router, but if it is not pfSense already, then I would replace it with pfSense. Then you have 1 router that can do it all easily.
If you put a separate pfSense router in your office LAN somewhere, then you will have to add static route/s to your office router telling it about the pfSense and what subnets are reached through that.
Also, I would change 192.168.0.0/24 at home to some other less popular private subnet - e.g. use something in 10.0.0.0/8. That will avoid pain when you take your laptop to a cafe that uses 192.168.0.0/24 and try to VPN back home.

Thank you for your feedback :)

Hi,

just to make sure what you have:

You have one WAN connection and one (or more) LAN connections?
Some traffic from LAN to the internet should go through the VPN and other should go through your origin WAN, right?

It could be usefull to see your firewall LAN rules and if you have really PortForwarding enabled then the firewall rules on your WAN interface - at least for the PortForwarding rule.

I deactivate the windows firewall and the AVAST firewall.

Best regards

Thierry

@NOYB:

Does not prevent account from WebConfigurator login.  Just restricts access to WebConfigurator pages.

Check cmb's post…  that was exactly my point.... don't put them in group that has access.

Only works for OpenVPN connection access.

You can put those rules on any interface.

Not difficult to find the changed and non disclosed WebConfigurator port.

So, change it and install firewall rules to harden access.  Not difficult to keep people out with firewall rules.

I was able to figure out a script to replicate the behavior that occurs when the save button is clicked on the client.  This is a little bash script for those who need to restart a client cleanly (i lose 1 ping during the restart).  Save this as a .sh file, chmod +x that file and add it to cron or trigger it however you would like.  I'd like to somehow trigger this by an Apinger Down event, but I don't know how to do that.  Can anyone help with that?

#Determine the PID of the running client (assumes there is only one) clientpid=$(pgrep -lf /openvpn/client | awk '{print $1}') #Collect path of openvpn and client openvpnpath=$(pgrep -lf /openvpn/client | awk '{print $2}') clientpath=$(pgrep -lf /openvpn/client | awk '{print $4}') #Kill client process kill $clientpid sleep 2 #Restart the Client $openvpnpath --config $clientpath

If both sites run PFsense, why are you doing Road Warrior and not Site to Site?

That looks like a certificate verification error, so something in the CA/Cert doesn't match or isn't right between the client and server, or it's invalid in some other way.

Never mind. Found it.

Anyone at all? Any opinions?

Thanks for coming back to me.

It's now fixed. The issue was laptop privileges, in the end. Once I ran OpenVPN as the administrator, then it worked fine.