vulcanridr

Beating my head on OpenVPN

I recently had to fly out to Las Vegas when my mother passed. While I was out there, I tried to connect my personal laptop with my firewall using OpenVPN. It failed.

My configuration is unchanged since the last time I was able to get it to work; however, that was circa 2019. I have found that I don't need to connect remotely nearly as often now that I am working from home full-time, and this is a good thing. The last time I used OpenVPN, it worked, but that was before COVID; we have been working from home ever since, so I have not needed to use a tunnel. Unfortunately (fortunately, actually), that has been almost 6 1/2 years.

So when I got home, I started testing using the Wi-Fi connection in the house, which is on a DMZ on my pfSense firewall. By default, the DMZ only routes to the internet, so to get to the internal network I still need a VPN connection.

So in messing with it on the Wi-Fi link, what I found is that when I have tls-auth turned on (0 on the server/firewall, 1 on the client/laptop), it gives me a constant P_CONTROL_HARD_RESET_CLIENT_V2 error, times out, resets... Lather, rinse, repeat. If I run tcpdump on the firewall side, I see packets coming in from the laptop, but no responses going back out. However, if I turn off tls-auth on both sides, it connects just fine.

I tried generating new tls-auth keys and copying the new key to both client and server, but neither the old key nor the new one works.
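One check worth running before regenerating keys yet again (an added example, not the post's own code and not anything shipped by pfSense or OpenVPN): with tls-auth on, a control packet whose HMAC does not verify is dropped without any reply, which matches the "packets in, nothing out" picture in tcpdump above, and the two ordinary causes are a static key that differs between the two ends and key-direction values that are not complementary. The script below reads both configs (file-based `tls-auth ta.key DIR`, a separate `key-direction` line, or the inline `<tls-auth>` block that pfSense exports use), compares the keys, and derives which HMAC key each side sends and receives with. The key layout it assumes (two 128-byte slots, each 64 bytes cipher key plus 64 bytes HMAC key; direction 0 sends with slot 0, direction 1 with slot 1, and no direction uses slot 0 both ways) is OpenVPN's static-key layout as I understand it; the key material and configs embedded in it are constructed for the demo, not real keys.

```python
"""Cross-check the tls-auth setup of an OpenVPN server/client pair (added example)."""
import hashlib

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def parse_static_key(text):
    """Decode a 'Static key V1' file into its 256 raw bytes."""
    body = text.split(BEGIN, 1)[1].split(END, 1)[0]
    hexdata = "".join(ln.strip() for ln in body.splitlines()
                      if ln.strip() and not ln.lstrip().startswith("#"))
    key = bytes.fromhex(hexdata)
    if len(key) != 256:
        raise ValueError(f"expected a 256-byte static key, got {len(key)} bytes")
    return key


def load_tls_auth(config_text, read_file=lambda path: open(path).read()):
    """Return (key_bytes, direction), or (None, None) if tls-auth is not configured.

    Understands 'tls-auth FILE [DIR]', a separate 'key-direction DIR' line and an
    inline <tls-auth>...</tls-auth> block. direction is 0, 1 or None (bidirectional).
    """
    key_text, direction, inline = None, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline is not None:                 # collecting an inline key block
            if line == "</tls-auth>":
                key_text, inline = "\n".join(inline), None
            else:
                inline.append(line)
            continue
        if not line or line[0] in "#;":        # OpenVPN comment lines
            continue
        parts = line.split()
        if line == "<tls-auth>":
            inline = []
        elif parts[0] == "tls-auth":
            key_text = read_file(parts[1])
            if len(parts) > 2:
                direction = int(parts[2])
        elif parts[0] == "key-direction":
            direction = int(parts[1])
    if key_text is None:
        return None, None
    return parse_static_key(key_text), direction


def hmac_keys(key, direction):
    """(send_hmac_key, recv_hmac_key) for one side, 64 bytes each.

    Assumed layout: slot 0 = bytes 0..127, slot 1 = bytes 128..255, the HMAC key
    being the second 64 bytes of each slot. Direction 0 sends with slot 0 and
    receives with slot 1; direction 1 is the reverse; None uses slot 0 both ways.
    """
    slot = [key[0:128][64:], key[128:256][64:]]
    if direction is None:
        return slot[0], slot[0]
    return (slot[0], slot[1]) if direction == 0 else (slot[1], slot[0])


def fingerprint(key):
    """Short SHA-256 fingerprint, safe to paste into a ticket instead of the key."""
    return hashlib.sha256(key).hexdigest()[:16]


def check_pair(server_cfg, client_cfg, read_file=lambda path: open(path).read()):
    """Return a list of findings; an empty list means the pair is consistent."""
    s_key, s_dir = load_tls_auth(server_cfg, read_file)
    c_key, c_dir = load_tls_auth(client_cfg, read_file)
    findings = []
    if (s_key is None) != (c_key is None):
        return ["tls-auth enabled on one side only"]
    if s_key is None:
        return findings                        # neither side uses tls-auth
    if s_key != c_key:
        findings.append(f"static keys differ: server {fingerprint(s_key)} "
                        f"vs client {fingerprint(c_key)}")
    # Direction check uses the server key for both ends so it is independent of
    # the key-mismatch finding above and isolates a wrong key-direction value.
    s_send, s_recv = hmac_keys(s_key, s_dir)
    c_send, c_recv = hmac_keys(s_key, c_dir)
    if s_send != c_recv or c_send != s_recv:
        findings.append(f"key-direction mismatch: server {s_dir} / client {c_dir} "
                        "(use 0 and 1, or omit it on both sides)")
    return findings


def make_key_file(seed):
    """Constructed 2048-bit key in OpenVPN's file format; demo material, not a real key."""
    hexdata = "".join(hashlib.sha256(f"{seed}-{i}".encode()).hexdigest() for i in range(8))
    lines = [hexdata[i:i + 32] for i in range(0, 512, 32)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


# Constructed inputs: FILES stands in for the client's filesystem.
KEY_A, KEY_B = make_key_file("current-ta-key"), make_key_file("stale-ta-key")
FILES = {"ta.key": KEY_A, "old-ta.key": KEY_B}
SERVER_CFG = "# server side, inline key as pfSense exports it\ndev tun\nkey-direction 0\n<tls-auth>\n" + KEY_A + "</tls-auth>\n"
CLIENT_OK = "client\ntls-auth ta.key 1\n"
CLIENT_WRONG_DIR = "client\ntls-auth ta.key 0\n"
CLIENT_OLD_KEY = "client\ntls-auth old-ta.key 1\n"

if __name__ == "__main__":
    for name, cfg in [("ok", CLIENT_OK), ("wrong-dir", CLIENT_WRONG_DIR), ("old-key", CLIENT_OLD_KEY)]:
        print(name, check_pair(SERVER_CFG, cfg, FILES.__getitem__) or "consistent")
```

In real use, pass the two config files' text and let `read_file` default to reading from disk; the point of the slot derivation is that a wrong direction value produces exactly the same silent drop as a wrong key, so a plain `sha256sum ta.key` on both ends is not a sufficient check on its own.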

The server end is running on pfSense 2.8.1-RELEASE, and the client is running on FreeBSD 15.0-RELEASE-p6 (though the behavior was also present on -p5). I know I could whack everything, install OPNsense with WireGuard and set up that infrastructure, but that is a future-me problem and is on the to-do list.

For the time being, I am continuing to troubleshoot...

Thoughts?