• 0 Votes
    2 Posts
    489 Views
    A
    I have confirmed that the issue is definitely linked to the multiple remote networks in the OpenVPN config, as if I remove the additional remote networks and only have one subnet per VPN server it starts working again. The problem with this is the remote client networks then can't communicate with each other, only the server network. While this isn't critical, as I can remote desktop into the server LAN and access the other subnets from there, it isn't very elegant.
  • OpenVPN Remote Access to local storage-Help Please

    11
    0 Votes
    11 Posts
    1k Views
    W
    Thanks again for pointing me in a useful direction.  I clearly had not done all of my homework.  I am using TUN.  However, after further reading the TAP configuration might better fit my use case. Currently the connection to the VPN is rather fast.  I have no issue navigating documents, pictures things of this nature.  However, when I open my accounting software it takes 3-5 minutes to load the file.  Once it has loaded lag is barely noticeable in most cases.  I do have adaptive compression enabled. You're Awesome!
  • No client Gateway/Internet routing

    7
    0 Votes
    7 Posts
    3k Views
    M
    Yes, that's what I'm trying to do. It always me using different devices..
  • OpenVPN - Radius Proxy - Radius Server

    2
    0 Votes
    2 Posts
    581 Views
    C
    Hate to bump!!!
  • OpenVPN server over PPPOE internet source

    1
    0 Votes
    1 Posts
    785 Views
    No one has replied
  • Giga Router OS question

    6
    0 Votes
    6 Posts
    1k Views
    R
    @jahonix: @Ryu945: Though I think I will be going with this case instead. Oh boy, if the case is one of your major concerns, then take a consumer router and start painting it or so. That could lead to more satisfying results for you personally. It has a shelf it needs to be able to fit onto.
  • Use PIA along with pfSense OpenVPN server?

    18
    0 Votes
    18 Posts
    5k Views
    V
    Kb8wfh, A couple of things that helped me (and continue to help me) are:
    - making sure to look in your firewall logs to see what is being blocked
    - attached are my rules I have on my wifi interface, they are fairly hardened, I sense you are trying to do the same. It might not work for you… FYI - your LAN rules basically allow everything, rule 1 isn't doing anything that rule 2 would do. Try to understand my rules vs just copying them.
    - when writing a rule, go into "Advanced settings" and you can pick a "gateway" i.e. either WAN or PIA. I use this vs changing my default gateway
    - get to know "easy rules" that can be turned on in your firewall log, it will add what was being blocked, you can modify these easy rules but it helped me understand the flow of data. Make sure to possibly change the order of the rule in your interface if necessary.
    - make an alias for your Apple TV and WAN only devices (notice in my rules I have SEVLAN as a source, these are aliases I set up after setting up fixed DHCP leases), make rules allowing access using the alias as the "source", in advanced setting for those rules use the WAN.
    Dig into your log (NAT or Firewall), I suspect you'll see what's going on.... (As mentioned by someone else, your dashboard is showing your PIA as offline, dig into your gateway settings for PIA and look for the field for "monitoring IP", use Google's 8.8.8.8 as the monitoring IP... I had that issue as well and was fixed with adding a Google monitoring IP) [image: IMG_0042.PNG]
  • OPENVPN on RADIUS

    9
    0 Votes
    9 Posts
    2k Views
    J
    Thank you for your answer, I managed to get it fixed by using the IP address of the VLAN on the authenticator in the active directory.
  • Change OpenVPN Outgoing IP

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    S
    All sorted, Thank you very much for your time and support, Much appreciated!
  • Struggling with OpenVPN Site-to-Site Routes

    4
    0 Votes
    4 Posts
    5k Views
    DerelictD
    On the client at Remote I assigned the new ovpnc1 port to an interface and enabled it. This created a gateway for the connection. Then on the client at Firewall > Rules > LAN I created a new rule at the top to catch all IPv4 traffic (any protocol, any source, any destination, any port) and route it through the gateway created by the VPN interface.

    This is completely unnecessary and only serves to introduce policy routing into your environment, causing other effects and complexity that are fine if you understand them, but you do not (yet). I would delete any assigned interfaces to OpenVPN servers/clients, put the pass any any any rules on the OpenVPN tabs, and stop/start OpenVPN on both sides.

    Another thing that I see is networks are not 10.0.0.1/24 or 10.0.3.1/24. They are 10.0.0.0/24 or 10.0.3.0/24. It looks like the proper routes are being added by OpenVPN but when I look at it I tweak a little.

    Work one hop at a time. For instance, from host 10.0.0.X can you ping the pfsense interface address on the other side? Presuming 10.0.3.1. If you can, all the routing is in place. After that, can 10.0.0.X ping something on the 10.0.3.0/24 LAN? Be sure the target of the pings:
        Has pfSense set as its default gateway
        Will actually respond to pings
        Does not have some local firewall (think windows firewall) preventing it from accepting traffic from foreign subnets

    Then do the reverse: Work one hop at a time. For instance, from host 10.0.3.X can you ping the pfsense interface address on the other side? Presuming 10.0.0.1. If you can, all the routing is in place. After that, can 10.0.3.X ping something on the 10.0.0.0/24 LAN? Be sure the target of the pings:
        Has pfSense set as its default gateway
        Will actually respond to pings
        Does not have some local firewall (think windows firewall) preventing it from accepting traffic from foreign subnets

    ETA: Since it is shared-key the tunnel network will be treated as a /30 anyway….
  • Chromebook OpenVPN client connection?

    11
    0 Votes
    11 Posts
    7k Views
    I
    I had some issues getting this to work, don't forget to add lines for auth, cipher, etc. for your OpenVPN configuration. Perhaps those are obvious, but it wasn't to me. "Auth": "SHA256", "CompLZO": "adaptive", "Cipher": "AES-256-CBC", Lastly, the template is great, but I used the HTML ONC generator (https://github.com/CharlesErickT/oncgenerator/blob/master/index.html) to help me.
  • OpenVPN routing issues using pFSense client

    10
    0 Votes
    10 Posts
    3k Views
    V
    Okay, so presumably the office router is missing the route to 192.168.2.0/24. You may also do well with NAT. That only results in translating the source address to the client's VPN address, so you're not able to determine the real origin device at the office site. If you don't like this behavior you have to set the routes at the server. Have you already set the CSO on the office pfSense with 192.168.2.0/24 in the remote networks field? If that is done, establish a VPN connection from home and check the routes on the office router.
  • How to - PIA through OpenVPN with some LAN traffic bypassing VPN

    1
    0 Votes
    1 Posts
    492 Views
    No one has replied
  • No routing when VPN over a Guest Wifi

    1
    0 Votes
    1 Posts
    405 Views
    No one has replied
  • OpenVPN extremely slow even without Encryption on 2 1GB/s connections

    3
    0 Votes
    3 Posts
    754 Views
    G
    Hi. First of all, thanks for your post and your information. I made some more tests with your hint "FastIO" and buffer settings; then I get over 82Mbit on a 100Mbit connection and over 280Mbit on a 1Gbs connection, so that's not bad. I also figured out that IPsec is a little bit faster (site 2 site with pfSense - same hardware, same WAN, same net) - I did some tests and on the 1GBps WAN connection I get with IPsec around 380Mbps. But I can live with the speed of OpenVPN and it's easier to configure and forward…

    I have an additional question: Can I do "routing" between different subnets on different OpenVPN Site2Site connections? So for example:
        Client Network1: 192.168.10.1/24
        Client Network2: 192.168.11.1/24
        Client Network3: 192.168.12.1/24
    All these networks have their own pfSense and all are connected to a server pfSense - Network: 192.168.100.0/24. All is done with Site2Site, so: every device in every client network (1-3) can ping each device on the server network. Also each device on the server network can ping each device on each client network. But I also want each device of Client Network1 to be able to reach each device of Client Network3. Is there a way to configure pfSense (ovpnclient and ovpnserver) so that the server routes the request from Client Network1 to Client Network3 and in the other direction? Or do I have to make an extra VPN connection between these 2 networks?
  • Solved: site-to-site pings ok only when not carrying useful traffic

    1
    0 Votes
    1 Posts
    334 Views
    No one has replied
  • Bug in Client Export Utility

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ
    Ah - so like the info a bleach that says do not drink this ;) that wording is already on the wiki doc btw https://doc.pfsense.org/index.php/OpenVPN_Client_Export_Package "If the list is empty, there are likely no users and/or certificates that exist which use the same Certificate Authority as this VPN server. " If you click the little ? mark top right corner of the export package page it takes you there.
  • OpenVPN Server Notification on Connect

    3
    2 Votes
    3 Posts
    3k Views
    X
    You can use up/down scripts:
    Add to custom server options:
        script-security 3 system;
        client-connect /usr/local/sbin/up.sh;
        client-disconnect /usr/local/sbin/down.sh;
    up.sh:
        #!/bin/sh
        /full/path/to/your/console/email/app
    down.sh:
        #!/bin/sh
        /full/path/to/your/console/email/app
    mailx example:
        echo "Client $common_name connected to $HOSTNAME" | mailx -r "your@mail.com" -s "Client $common_name connected to $HOSTNAME from $trusted_ip" -S smtp="your.smtp.com:25" -S smtp-auth=login -S smtp-auth-user="usr@smtp.com" -S smtp-auth-password="password" touser@mail.com > /dev/null
    OpenVPN vars that you can use:
        $common_name $HOSTNAME $ifconfig_local $ifconfig_pool_remote_ip $untrusted_ip $trusted_ip $dev
  • Change mac-adress on the box! Need help today!

    2
    0 Votes
    2 Posts
    443 Views
    P
    Easy, go to Interfaces Tab, select the Interface you need to spoof, and type in the desired MAC in the "MAC Address" field. Also see this article, you may need to use shellcmd (it's a package you install) to run the interface in promiscuous mode (you should not need to do this with an intel NIC, but it may be necessary with a Realtek or other cheapo NIC): https://doc.pfsense.org/index.php/Interface_Settings#MAC_Spoofing Here's a thread on the topic: https://forum.pfsense.org/index.php?topic=106819.0
  • Site-to-site

    40
    0 Votes
    40 Posts
    6k Views
    DerelictD
    In the packet capture you can see the echo request leaving the Client LAN interface addressed to 192.168.0.201 and nothing coming back. The problem is somewhere outside of pfSense. Yes, pfSense has to be the gateway for the target device or you need to add a route on that host for the far side of the VPN tunnel with a gateway that is pfSense or the replies will be sent to the wrong place. Alternately you can place an outbound NAT rule on the client LAN interface so traffic sourced from the remote VPN network is NATted to the interface address there. Then replies will be same-subnet so the route will not be necessary.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.