post your firewall rules. you might have a PBR rule thats routing incorrectly.

i know how. PM me for contact info.

Updated package and checked, yup now using remote-cert-tls server

After many hours of trail and error finally figured it out changed port 25745 UDP and it worked, like they say "where there's a will there's a way"

^^^^ I get the same situation with Linux.  IPv4 works fine, with IPv6 I can ping only the local end of the tunnel. Has anyone managed to get OpenVPN to work with IPv6, on either Linux or Windows?

It's not there any more because it's no longer necessary. :-) OpenVPN 2.4 has a new Windows service/GUI setup that no longer requires administrator privileges to run.

Thank you.

This may or may not be the problem … Long ago I ran into the same problem with openvpn and DD-WRT. I had three client users created. If one were in use another PC could not use it at the same time. A different client user id had to be used. Try a different user profile for each actual user or each unique device. Then the same user profile will never try to sign on at the same time using another device. (I have a unique id for each device since the same physical person might try to sign on from multiple devices.)

Commercial VPNs provide pipes for lots of simultaneous users. Their gigabit connection might give you 5Mb if a boatload of users are on the same connection at the same time. Later on, you might get many multiples of that faster. StackSocial offers a lot of lifetime VPNs for relative pocket change. Through them, the cost is very low. Take a look. I purchased two since they were so low priced.

The verbosity was originally set to 3, then I set it to 5 for the attached log dump, then back down to 3. It didn't really give me much more insight into the issue. I've tried the two in Canada and then 2 in the US. Same issues. Even when the VPN is connected, I am unable to even do a ping test on that interface. Absolutely nothing will travel over it.

Thanks for your answers.  I got my VPN running with PureVPN, so I am learning as I go as well.

There is a small icon in the action center and it turns green when openvpn is connected. Got it and I can now connect. I see that while I get a different subnet for IPv4, I just get an IPv6 address in the same prefix in my home network.  This will cause problems as it will likely not be able to connect to anything on my local network.  I'll try changing it to a different prefix.

I've started having this issue with PIA. The service has been rock solid on my pfsense box for 5 months, and just in the past week or so, I noticed that the VPN connection does not stay up. It drops with this error after about 5 minutes consistently.

If your upload on pfsense is 10mbps, and a client connects to pfsense even if its internet is gig/gig - any traffic that pfsense would need to send to this client would be limited to 10mbps. So if your routing internet through this vpn for example, or trying to download a file from something on the other end of the vpn - your speedlimit would be the 10mbps of pfsense upload.

The network you are connecting from isn't also using 192.168.1.0/24 as its LAN is it? What you are trying to do "just works" for thousands if not hundreds of thousands if not millions of people. All day, every day, no days off. There is no trick to making it work except for figuring out what you did wrong. Step 1: Stop looking at 2.3.3_1 vs 2.3.3 as source of the problem. It is not there. Step 2: Stop looking at pfSense as the problem. When those two truths are accepted you will be on your way to finding whatever it is that you have configured incorrectly. UPDATE 1:  Upgrading a working configuration from 2.3.3 to 2.3.3_1 does not break the OpenVPN LAN access. UPDATE 2:  Changing an OpenVPN setting (i.e. SHA1 to SHA256) after upgrading breaks OpenVPN LAN access. You can't just change server settings without making the corresponding changes to the client configurations. And UPDATE 2 is more of a connect or can't connect scenario. Not a can or cannot access some resources scenario. Slow down, work a hop at a time, check DNS resolution and pings. Take packet captures if you have to and figure out where you sent your traffic the wrong way.

@Mr.: More questions: Local NAS = 192.168.3.A Remote NAS = 192.168.3.B Both have a different WAN-IP of course. Both NAS-ses first and aforemost function in the local LAN, of course. Only for off site backup does the NAS need to go outside on the internet. What kind of firewall rules do you need? The wiki is not very clear for me. It only says 'add rules', but there are no examples. So: 1. Add firewall rules on both WAN's to allow port 1194 -> don't you need a port forward too to send the incoming, remote, NAS (A) to the local NAS (B)? Or is this done by the "Firewall Rules : Don't forget to add rules to Firewall > Rules on the OpenVPN tab to allow traffic inside the tunnel" from the wiki (Client part)? 2. Or do you need a port forward AND that "Firewall Rules : Don't forget to add rules to Firewall > Rules on the OpenVPN tab to allow traffic inside the tunnel"? And what rule would that than be? 3. In the local Synology, I have to enter an IP of the remote machine to backup to. Is that the external IP of the remote site, or the internal IP of the remote NAS? (The latter will go wrong, since both Synologies have the same IP on their local LAN). 4. If .3. is the external IP of the remote site, how then will the local NAS find the remote NAS in it's own local LAN? Is that a port forward on the remote site too, or??? Many questions :-[ [/quote] I just found this tutorial, it seems clear: https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1 However, still: 1. How do I send the local NAS (A) to the remote NAS (B), especially if they both have the same IP? Example: local NAS 192.168.3.12, remote NAS on external LAN also 192.168.3.12. 2. In the above link, there are no rules on the client part to send the client out to external server(?) 3. I'm still lost as into the Synology: A. if I tell it there to connect to 192.168.3.12 (meaning: the remote one), it will of course go to the local one - and complain, because it is 192.168.3.12 itself on this LAN. B. If I give it the external IP, then, when arriving at the remote WAN, where there is WAN-firewall rule to allow it in, how, from there on, does it travel to the 192.168.3.12 in the remote LAN: I need a rule for that, don't I? Portfward rule? OpenVPN-rule? (client or server?). C. And how do I deal with dynamic DNS in this matter? The IP's are SOHO, so semi-static. Can I enter dynDNS-names in the VPN-config fields, or doesn't that work? Thank you,

Hi, Each client have a distinct CN and Cert. The lan subnet behind each client is in Client Specific Overrides "IPv4 Remote Network/s" section. I also tried to enter in the "Advanced Section" of CSO the command: "route x.x.x.x 255.255.255.0", where x.x.x.x is the client lan subnet without success. Tia, Jorge Mota

alright, here is what you do. Firewall -> Alias Under IP -> ADD give it a name, and description if you want. Type -> URL (IPs) add as many urls as you like. either host.domain.ext or just domain.ext (www.google.com, google.com) save and go to firewall->Rules add a rule on your LAN interface, action pass, whichever sources you want, destination 'single host or alias' and use the alias you created above. go to advanced options, choose gateway ->Wan or whatever you have it called. save. then drag the rule ABOVE your VPN routing rule. save again and apply changes. you are now routing traffic to specific url/domains out your WAN instead of VPN. :)

Hi ahhh Squid! Fair enough, its unusual it would ignore you predefined rules, considering it would have to use a DNS Server of Sorts to deal with the traffic to begin with. I set Satic DNS on both the PFSense Box & my DNS Server running on Windows Server 2008 just incase. And no worries at all! Stan464 /Closed