So after a bit of playing around I ended up figuring out how to get it working. I'm not the best with certs, but here is a video for how to configure:
https://www.youtube.com/watch?v=kHXRvdLpXmk
steps:
Before anything, follow the instructions on JumpCloud for setting up LDAP and binding a user to LDAP: https://support.jumpcloud.com/support/s/article/using-jumpclouds-ldap-as-a-service1
The following command outputs the certificate authority to the /tmp/ directory as jumpcloud.chain.pem.
echo -n | openssl s_client -connect ldap.jumpcloud.com:636 -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/jumpcloud.chain.pem
Skip the first certificate of the chain.
Add the next 3 certificates in the chain individually as Certificate Authorities in pfSense using the following settings:
System > Cert. Manager > CAs tab > Add
Descriptive name: JumpCloud CA (append 1, 2, and 3 for the three certificates)
Method: Import an Existing Certificate Authority
Trust Store: check this box
Randomize Serial: check this box
Certificate Data: paste the single certificate here
Save
The following command outputs only the JumpCloud LDAP Server certificate to the /tmp/ directory as jumpcloud.ldap.pem (without -showcerts, s_client prints just the server's own certificate):
echo -n | openssl s_client -connect ldap.jumpcloud.com:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/jumpcloud.ldap.pem
Add the Server Certificate to pfSense.
System > Cert. Manager > Certificates tab > Add/Sign
Method: Import an Existing Certificate
Descriptive name: JumpCloud Server Certificate
Certificate data: paste the certificate here
Save
If you don't have a JumpCloud account set up and bound to LDAP, you'll need to do that first.
You can use your account or create a new user. There only needs to be one bound account but there can be multiple.
In JumpCloud:
Users > Select the user you'd like bound to LDAP > User Security Settings and Permissions > check the Enable as LDAP Bind DN box and Save user
LDAP > Add a new LDAP server > Add the user groups or users
Create the LDAP Server in pfSense
NOTE: you can get YOUR_ORG_ID from JumpCloud's Settings page
System > User Manager > Authentication Servers tab > Add
LDAP Server Settings:
Type: LDAP
Hostname or IP Address: ldap.jumpcloud.com
Port Value: 636 (SSL)
Transport: SSL - Encrypted
Peer Certificate Authority: JumpCloud LDAPS SSL Client Certificate
Protocol Version: 3
Search Scope - Level: Entire Subtree
Search Scope - Base DN: ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
Authentication Containers: ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
Extended Query: &(objectClass=inetOrgPerson)(uid=*)
Bind Credentials - User DN: uid=ldap-binding-user,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com
Bind Credentials - Password: ldap-binding-user's-password
User Naming Attribute: uid
Group Naming Attribute: cn
Group Member Attribute: memberOf
Group Object Class: groupOfNames
Save
Test the authentication in pfSense
Diagnostics > Authentication > LDAP
Enter your username and password and click Test.
You should see a green box indicating success
Setting up OpenVPN:
Type of Server: LDAP
LDAP servers: Choose the JumpCloud LDAP server you created in the previous steps
Certificate Authority: choose the OpenVPN authority you created earlier
Certificate: Choose the OpenVPN certificate you created earlier
Change any other settings to your liking and you're all set.
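The chain step above asks you to skip the first certificate in /tmp/jumpcloud.chain.pem and paste the next three into pfSense one at a time. Doing that by hand from a single file is error-prone, so here is an added helper (my example, not part of the original post or anything JumpCloud or pfSense ship) that splits a PEM bundle into numbered files and, when openssl is installed, labels each one with its subject, issuer and expiry so you can tell the leaf certificate from the CAs. The sample bundle inside the script is constructed placeholder text, not real certificates; the function names and the /tmp/jumpcloud-certs output directory are my own choices.

```shell
#!/bin/sh
# Added example: split a PEM bundle (e.g. /tmp/jumpcloud.chain.pem from the
# openssl s_client step) into one file per certificate. POSIX sh + awk only;
# openssl is optional and used just to describe each piece.

# split_pem_chain BUNDLE OUTDIR
# Writes OUTDIR/cert-01.pem, cert-02.pem, ... and prints how many were written.
split_pem_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-BEGIN CERTIFICATE-/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        n > 0 && out != ""     { print > out }          # copy lines of the current block
        /-END CERTIFICATE-/   { close(out); out = "" }  # stop until the next BEGIN
        END                   { print n + 0 }
    ' "$bundle"
}

# describe_pem_file FILE
# One line with subject, issuer and expiry; falls back to a notice without openssl.
describe_pem_file() {
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$1" -noout -subject -issuer -enddate | tr '\n' ' '
        echo
    else
        echo "(openssl not installed; cannot describe $1)"
    fi
}

# make_sample_bundle FILE
# Constructed three-block bundle for offline testing. The bodies are placeholder
# text, NOT real certificates, so describe_pem_file will not parse them.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERT-1-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERT-2-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERT-3-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
EOF
}

# Usage: sh split-chain.sh /tmp/jumpcloud.chain.pem [/tmp/jumpcloud-certs]
# With no arguments the functions are only defined (so the file can be sourced).
if [ "$#" -ge 1 ]; then
    outdir="${2:-/tmp/jumpcloud-certs}"
    count=$(split_pem_chain "$1" "$outdir")
    echo "wrote $count certificate(s) to $outdir"
    for f in "$outdir"/cert-*.pem; do
        printf '%s: ' "$f"
        describe_pem_file "$f"
    done
fi
```

Run it against the chain file from the s_client step: cert-01.pem is the server's own certificate (the one the post says to skip, and which the later step imports separately under Certificates), and the remaining files are the CA certificates to import one by one under CAs. Checking the subject/issuer lines lets you confirm that before pasting anything into pfSense.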