@KOM said in NordVPN Curiosity with 2.8.1: Also, I'm surprised that folks are still using OpenVPN when wireguard [ . . . ] Because they're not mutually exclusive. [ . . .] is easier to configure and faster. You know what they say about opinions...

@the-other Ok, I made a specific rule in the OpenVPN interface to allow any to both NAS servers. [image: 1761707110778-2cd0716f-d4f0-4e63-94e8-4fc93788fd6d-image.png] Here you can see me connecting to the VPN server with my iPhone and attempting to ping both the NAS servers. The traffic passes through the firewall but the ping fails to the Synology (200.4). [image: 1761707746508-eb97e248-fbd4-43cf-977c-31d87df234ce-image.png] [image: 1761707789724-efcea745-54b9-4460-a44a-e2fffc8c5644-image.png] I can, however, successfully ping the backup NAS (200.5) but I cannot connect to that one either with the File Explorer app. BTW, the backup NAS is an old Asus AC-RT86 router in AP mode with WiFi disabled and a SAMBA SSD in the USB port.

Posting here because I found this thread when troubleshooting the same error message, so maybe this helps someone else: In my case it was due to an asymmetric routing situation that had developed because of static routes defined within the OpenVPN "remote network" settings. I have a multiple WAN situation with failover gateway and failover VPNs defined through policy routing groups. The behavior I experienced was very similar to what you describe, which in my case was caused by return packets flowing across a different interface than the origin packets. The firewall couldn't see the return packets, and closed the state. I couldn't figure out why traffic was coming in on one interface but going out on another, despite setting up policy routing in the firewall. In my case the "aha" moment came from reading https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html -- I removed the non-obvious static route in the OpenVPN settings and instantly resolved multiple issues.

So, poking around in docs, seems like maybe the weapon of choice here is the framed-pool RADIUS attribute. Look like you can assign distinct IP pools to clients using this attribute. Anyone know if this attribute is compatible with the FreeRADIUS package that is available for PFSense? Can OpenVPN use this attribute for assigning IP addresses to clients? Anyone done this successfully?

@SteveITS I agree 100%, I'm not complaining its working again and I have notes on it, when they do "maintenance" in the area again... Glad the onsite tech new something more than the support back at ISP office... Brian

@Gertjan I have allowed pfSense's DHCP to dole out the IP for the AP. I tried assigning an IP as you recommend but it didn't help. I've also ordered another AP to see if there is something about the software there that's causing the issue.

Well, if this is correct as far, you should be close to get it working. @Udbytossen said in Portforword through a VPN client: And under the firewall rule advanced setting I'm changing the gateway to Torguard instead of default But already mentioned, that this makes no sense at all. So edit the rule and set the gateway to default. Then go to the OpenVPN rule tab and remove or disable each pass rule. Done.

Is your pfSense configured to work over both IPv4 and IPv6? I assume you have IPv6 on your WAN. 4G & 5G phones are IPv6 and Android phones use 464XLAT to access IPv4 sites. This is effectively double NAT, which can mess things up. I don't know what iPhones use, but they'd have something similar. By sticking with IPv4, you are already breaking things. IPv6 is the future, so you'd better get used to it.

Certificates for authentication are fine being self-signed with whatever validity you assess is good for you. The VPN-endpoint (the public address) should have a real public certificate. The CA-chain for this ertificate is part of the profile, so there is a caveat that you must check the CA-chain for changes when you renew the public endpoint cert. This however can be considered a rare event in a sense, and usually you get heads up when roots (very rare) and/or intermediates (more likely but still rare) change. If the chain changes, you must provide new profiles to all users, which can be a PITA of not prepared.

Hello, I have the same problem on a pfsense box. I performed a fresh install on a VM on the same site with exactly the same configuration, and... no errors at all For your information, the log line refers to a return from a "write" call. write is the name of a function; it's a system call. https://man.freebsd.org/cgi/man.cgi?write(2) " The write() system call attempts to write nbytes of data to the object referenced by the descriptor fd from the buffer pointed to by buf. " https://man.freebsd.org/cgi/man.cgi?write(2) So, for the following, fd=6 is the file descriptor where we're trying to write, and code=13 is the error code retrieved just after the write call, which returned -1. " Upon successful completion, the number of bytes which were written is returned. Otherwise, a -1 is returned, and the global variable errno is Set to indicate the error. We learn that code 13 matches the description EACCES 13 Permission denied Either the process is not authorized to write to the file not helfull but : It's a permission issue; we're not supposed to be able to touch that from the web interface, I presume. Either it's a bug, or a third-party package is putting the problem in, etc. Contrary to what Google says, this has nothing to do with firewall rules.

@McMurphy Do you have an external BSD compatible cryptodev accelerator card or device outside of your AES-NI CPU? (These devices are extremely hard to find) If not why are you telling pfSense that you do? If you don't you should only use AES-NI CPU-based Acceleration only.

@ThaBozz No. OpenVPN just adds a route for the first client IP in the tunnel network to the system routing table. This just routes the traffic to the OpenVPN insctance. But the correct routing to the respective client IP is done inside OpenVPN. pfSense doesn't know at all, what happens there.

@chitchat Assuming the two VPN servers use all the same certs then it should be ok. In my case the single VPN server listens on Localhost. Then there's two port-forwards (one for each WAN) to the same VPN server. [image: 1759479867156-eed1a7f9-d88e-4da3-bb46-e723e73ed01e-image.png] [image: 1759479896297-6d8d4837-2ea9-43eb-95c0-08358cd644b3-image.png]