[Solved] OpenVPN Issues with SlickVPN
- 
 Hi All, This is more of a PSA since I've been struggling to get OpenVPN working with SlickVPN (my VPN provider) for the last few days. The general tutorials out there are still valid, although they use an older version of pfSense (<2.4.4). For SlickVPN, the critical part is to make sure compression is set up right. Tunnel Settings > Compression: Omit Preference (Use OpenVPN Default).
 I was using "No LZO Compression" before, which was wrong.

 Other settings I have that differ from the PIA config settings:
- Custom Options
 keepalive 10 120;
 remote-cert-tls server;
 redirect-gateway;
 link-mtu 1557;
- Cryptographic Settings
 Encryption Algorithm: AES-256-CBC
 NCP Algorithms: AES-256-CBC
- CA Cert
 https://www.slickvpn.com/tutorials/using-openvpn-with-ubuntu-mint-network-manager/

 Once the connection is established, you shouldn't see anything after

 Sep 17 02:02:03 pfSense openvpn[63732]: Initialization Sequence Completed

 in the OpenVPN logs.

 During my troubleshooting, I was getting various errors like these after "Initialization Sequence Completed":
- Bad LZO decompression header byte: 42
- event_wait : Interrupted system call (code=4)
- MANAGEMENT: Client disconnected
- TCP/UDP: Closing socket
- TLS Error: TLS handshake failed
- Authenticate/Decrypt packet error: packet HMAC authentication failed
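
Added example (not part of the original posts): a small Python triage of pfSense OpenVPN log lines against the error messages listed above, reporting known errors and anything logged after "Initialization Sequence Completed". Only the compression hint comes from the post; the other hint texts are general OpenVPN troubleshooting assumptions, and the sample log lines are constructed.

```python
import re

# Syslog shape taken from the line quoted in the post:
#   Sep 17 02:02:03 pfSense openvpn[63732]: <message>
LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\sopenvpn\[(\d+)\]:\s(.*)$")
READY = "Initialization Sequence Completed"

# (substring, hint). Only the compression hint comes from the post; the rest
# are general OpenVPN troubleshooting assumptions added for this example.
HINTS = [
    ("Bad LZO decompression header byte",
     "compression setting differs from the server (post: use Omit Preference)"),
    ("packet HMAC authentication failed",
     "TLS key, key direction or auth digest likely differs from the server"),
    ("TLS handshake failed",
     "handshake never completed: check host/port/protocol, CA and client cert"),
    ("Interrupted system call",
     "process received a signal, usually a restart after an earlier error"),
    ("Closing socket", "tunnel torn down; read the error logged just before"),
]

def triage(lines):
    """Return (phase, message, hint) for known errors and for anything
    an openvpn process logs after it reported READY."""
    ready, findings = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an openvpn syslog line
        pid, msg = m.groups()
        if READY in msg:
            ready.add(pid)
            continue
        hint = next((h for needle, h in HINTS if needle in msg), None)
        phase = "after-ready" if pid in ready else "before-ready"
        if hint or phase == "after-ready":
            findings.append((phase, msg, hint or "unclassified"))
    return findings

# Constructed sample: openvpn messages are the ones listed in the post;
# the timestamps and the kernel line are invented.
SAMPLE = """\
Sep 17 02:01:50 pfSense openvpn[63732]: TLS Error: TLS handshake failed
Sep 17 02:02:03 pfSense openvpn[63732]: Initialization Sequence Completed
Sep 17 02:02:05 pfSense kernel: ovpnc1: link state changed to UP
Sep 17 02:02:13 pfSense openvpn[63732]: Bad LZO decompression header byte: 42
Sep 17 02:02:14 pfSense openvpn[63732]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 17 02:02:20 pfSense openvpn[63732]: MANAGEMENT: Client disconnected
""".splitlines()

if __name__ == "__main__":
    for phase, msg, hint in triage(SAMPLE):
        print(f"[{phase}] {msg}\n    -> {hint}")
```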
 
- 
- 
 Sorry to resurrect this thread, but can you share the actual config page for this? I keep getting TLS handshake failed, no matter what I do. Any help is greatly appreciated! 
- 
 I'm on 2.5 (upgraded from working 2.4.5p1). I imported both their CA and the client certificate and set Data Encryption Algorithms to:
 Encryption Algorithm: AES-256-CBC
 NCP Algorithms: AES-256-CBC

 The Fallback Data Encryption Algorithm to: AES-256-CBC
 Auth digest algorithm to: SHA1 (160-bit)
 Allow compression: Decompress incoming, do not compress outgoing (Asymmetric)
 Compression: Disable Compression [Omit Preference]
 Topology: net30 - Isolated /30 network per client
 Ping settings set to:
 Inactive: 0
 Ping method: keepalive
 Interval: 15
 Timeout: 120
 Custom options:
 remote-cert-tls server;

 I do have my default gateway set to my ISP, and I set rules for the packets I want routed via the tunnel. I also tag the packets and added a floating rule looking for those tagged packets in case the tunnel is down, and drop them, since VPN traffic I want out the tunnel only and never routed via default gateway.