• OpenVPN TCP 443 low connexion

    3
    0 Votes
    3 Posts
    550 Views
    W

    Update :
    Looks like it's the latency which impacts the TCP VPN.
    Well, I cannot do too much about it, so I will keep 2 VPNs and when UDP is blocked, I will use the TCP.

  • How to make OpenVPN Client use DNS Resolver?

    3
    0 Votes
    3 Posts
    612 Views
    T

    @bob-dig Thanks for your reply.

    Currently my OpenVPN settings are here
    [image]
    In the above photo, 192.168.160.0/24 is the IPv4 Local network which the OpenVPN Client can access.
    With this setting, I can connect to Nextcloud using nextcloud.mydomain now.

  • Cannot get OpenVPN server up and running; "Unable to contact daemon"

    8
    0 Votes
    8 Posts
    5k Views
    T

    @jimp I spent about 5 hours today trying to figure this one out. It's a shame the default setting is incorrect - no tutorial has mentioned this. Thanks.

  • Data transfer over VPN slows down after 500 MB

    1
    0 Votes
    1 Posts
    265 Views
    No one has replied
  • which crypto is in use with Data Encryption Negotiation

    3
    0 Votes
    3 Posts
    493 Views
    GertjanG

    I've set :

    [image]

    So, no surprise, I see in the logs the same thing :

    2021-07-15 12:44:55.799700+02:00 openvpn 48505 GertjanHome/92.184.123.121:55566 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

    I also saw the same thing on the client side - in the logs of my Phone..

  • New created certificates are revoked ?

    2
    0 Votes
    2 Posts
    561 Views
    R

    Found. There were old certificates generated using easy-rsa before the pfsense installation. And they were added to the crl. A new certificate was created with the same serial and became revoked. I created a new one and all works.

    There is a bug in pfsense - it should check crl and show "revoked" for certs with revoked serial.

  • DNS Redirect over OpenVPN

    14
    0 Votes
    14 Posts
    1k Views
    johnpozJ

    @ryu945 said in DNS Redirect over OpenVPN:

    Why did I have to use subnet IPs instead?

    I have no idea what you actually did.. You can for sure use specific IPs in the rules for source and destination..

    Maybe you had the wrong IPs in source or destination, maybe there was a state already if you were trying to block something..

    Order of rules matters! Top down, first rule to trigger wins, no other rules are evaluated, etc.

  • Local printer, OpenVPN, remote server

    4
    0 Votes
    4 Posts
    625 Views
    johnpozJ

    @milliput said in Local printer, OpenVPN, remote server:

    the server tech told me i need a bidirectional tunnel

    What?? Sorry but that has zero to do with printing through rdp..

    For the "server" to print to some printer on the client's network - yes you would need a site to site vpn setup where the server network knows how to get to the client network.. Never in 30 years in biz heard anyone call such a thing a bidirectional tunnel ;) hehehe

    But that is not what you're doing.. You're printing to a local resource from your rdp client... There could be some issues with drivers on the server you're rdping to.. But thought they fixed that in like windows server 2008, maybe r2 with easy print driver or something.. Been years and years since had to deal with such stuff.

    But it's not your "vpn" setup that is causing the problem that is for damn sure ;)

    Is this printer a usb printer on the rdp client or a network printer on the client's network? It's possible the vpn setup sends all traffic down the tunnel and does not allow split tunnel. But didn't think openvpn did that out of the box even when using default gateway through the tunnel..

    What exactly is the client using for the rdp client? Are they set to use the local printer resource like my pic?

    site-to-site

    So you have a site to site setup with pfsense to this remote site where the server you rdp to is?

  • 0 Votes
    10 Posts
    992 Views
    T

    @viragomann

    The cisco router has a fixed "vpn" connection to the corporate "intranet" (194.82.54.70), that's why I can only access it within the LAN through the gw 10.132.37.1.

    I missed that about the outbound rule.
    I have added it as an extra outbound rule with dest. 194.82.54.70/32.
    I can now ping it from my vpn user.

    Awesome.
    Thank you for your great help, I really appreciate it.

  • OpenVPN S2S client daemon gets killed

    1
    0 Votes
    1 Posts
    343 Views
    No one has replied
  • Cannot access Windows share via OpenVPN

    5
    0 Votes
    5 Posts
    1k Views
    3

    @3lmar It turned out it was a totally different problem.
    The solution is somehow related to pfsense, because I would not have found it without pfsense's package capture.
    My windows 10 notebook on the OpenVPN was trying to connect via port 80, which seemed strange. I learned it did that, because the share wasn't on the same subnet.
    The solution was to disable NetBIOS over TCP/IP: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/direct-hosting-of-smb-over-tcpip

    Sorry for having disturbed you.
    Maybe this helps anybody else, who like me wouldn't expect a problem with windows pcs connecting to windows pcs.
    I should have stayed with linux.

  • Strange VPN Kill Switch Problem

    6
    0 Votes
    6 Posts
    728 Views
    Bob.DigB

    @johnpoz said in Strange VPN Kill Switch Problem:

    https://forum.netgate.com/topic/67692/openvpn-kill-switch/6

    That would be the other solution but is more prone to user error and I had too many open states with it if I recall correctly.

    You can also combine both to be really secure. 😉

  • PIA server changes

    7
    0 Votes
    7 Posts
    838 Views
    C

    @bcruze said in PIA server changes:

    @cobrahead said in PIA server changes:

    @bcruze said in PIA server changes:

    There is also that super helpful ping command

    How can I find PIA servers using the ping command? I am not trying to figure out which server I am using, I was looking for the entire list of servers, which used to be posted on their website.

    I misread. I thought you meant by IP address.
    I apologize.

    It's all good. 😁

  • VPN Speed

    8
    0 Votes
    8 Posts
    969 Views
    R

    @dmallia said in VPN Speed:

    @ryu945 said in VPN Speed:

    What is your RAM usage?

    I have 3GB assigned to pfsense and it stays at 2.45GB used (approx 82%). no changes when I test vpn speed.

    The fact that such a slow speed has you use so much RAM makes me wonder if it is a RAM capacity issue. I know higher speeds need more RAM. That said, that does seem like a lot of RAM being used for that much speed. You can try giving it more RAM. I wonder if this is the issue because I have literally seen old wireless routers completely cut out when they try to pull bandwidth too fast. I assumed it was a lack of RAM to run the connection.

    Also, what is your RAM speed?

  • Open vpn with OTP password on system with multiple wan

    2
    0 Votes
    2 Posts
    328 Views
    S

    For some reason, it is working now.

  • Need help routing OpenVPN to another gateway on the LAN

    2
    0 Votes
    2 Posts
    384 Views
    V

    @jared_ said in Need help routing OpenVPN to another gateway on the LAN:

    I have pfSense sitting on a network, the WAN interface is disabled and the LAN (192.168.1.0/24) has OpenVPN (172.16.100.0/24) server listening.

    That's not the proper way to connect a VPN server. Your LAN devices will send response packets to requests from VPN clients to the default gateway instead of back to pfSense, since they don't have a proper route for these IPs.

    If you want to run the VPN server behind a NAT router either

    - remove it from LAN and put it into a transit network, connected to the router, and add a static route for the VPN tunnel network to the router pointing to the VPN server and add a static route for the LAN to the VPN server pointing to the router
    - add a static route for the VPN tunnel network pointing to pfSense to each LAN device you want to have access
    - do masquerading on the pfSense LAN interface.
  • Few clients can't ping but they're connected

    1
    0 Votes
    1 Posts
    239 Views
    No one has replied
  • Add a direct route to OpenVPN Server on client

    3
    0 Votes
    3 Posts
    513 Views
    T

    @marvosa
    I'm sorry, but I don't know exactly what you mean.
    If I want to make the WAN Network accessible through VPN, where the OpenVPN Service is listening, this is currently not possible.
    Other OpenVPN Implementations (e.g. untangle) add a direct route to the OpenVPN Server to solve the Problem. I think this should also be possible on PfSense, but I don't know how.. :(
    If you need more information, I can provide it to you.

  • Create OpenVPN client but encounter error

    3
    0 Votes
    3 Posts
    511 Views
    GertjanG

    @peter_apiit said in Create OpenVPN client but encounter error:

    https://protonvpn.com/support/pfsense-vpn-setup/

    Did you ask proton for an update on their https://protonvpn.com/support/pfsense-vpn-setup/ ?
    It's based on an old version of OpenVPN, probably the 2.4.x series.
    The latest pfSense 2.5.2 uses the last (nearly) version of OpenVPN : 2.5.2 (version numbers are identical, this is purely a coincidence).
    The 2.5.2 and 2.4.x (OpenVPN !) are nearly identical. But there are differences. The question is : what does Proton use ?

    Btw : I'm not using proton myself.

    edit : This is what I would do : if their 'client app' uses OpenVPN, and that client logs, use the client log and its ovpn file - and compare these with the pfSense OpenVPN ovpn file and OpenVPN client logs.

  • Open VPN Site to Site and Remote Clients Combination

    4
    0 Votes
    4 Posts
    466 Views
    M

    @bingo600 said in Open VPN Site to Site and Remote Clients Combination:

    Dialin Client ip ranges
    @viragomann

    Thanks a lot for your advice guys; The dial in tunnel was not added to the Site 2 Site remote networks list, therefore could not be routed.

    Thanks again

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.