• PfSense OpenVPN and Netflix

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    3 Posts
    4k Views
    T
    I've started having this issue with PIA. The service has been rock solid on my pfsense box for 5 months, and just in the past week or so, I noticed that the VPN connection does not stay up. It drops with this error after about 5 minutes consistently.
  • Openvpn too slow, what can I do to improve it?

    4
    0 Votes
    4 Posts
    2k Views
    johnpozJ
    If your upload on pfsense is 10mbps, and a client connects to pfsense even if its internet is gig/gig - any traffic that pfsense would need to send to this client would be limited to 10mbps. So if you're routing internet through this vpn for example, or trying to download a file from something on the other end of the vpn - your speed limit would be the 10mbps of pfsense upload.
  • Accessing LAN resources with remote OpenVPN iOS clients

    8
    0 Votes
    8 Posts
    4k Views
    Derelict
    The network you are connecting from isn't also using 192.168.1.0/24 as its LAN is it? What you are trying to do "just works" for thousands if not hundreds of thousands if not millions of people. All day, every day, no days off. There is no trick to making it work except for figuring out what you did wrong. Step 1: Stop looking at 2.3.3_1 vs 2.3.3 as source of the problem. It is not there. Step 2: Stop looking at pfSense as the problem. When those two truths are accepted you will be on your way to finding whatever it is that you have configured incorrectly. UPDATE 1:  Upgrading a working configuration from 2.3.3 to 2.3.3_1 does not break the OpenVPN LAN access. UPDATE 2:  Changing an OpenVPN setting (i.e. SHA1 to SHA256) after upgrading breaks OpenVPN LAN access. You can't just change server settings without making the corresponding changes to the client configurations. And UPDATE 2 is more of a connect or can't connect scenario. Not a can or cannot access some resources scenario. Slow down, work a hop at a time, check DNS resolution and pings. Take packet captures if you have to and figure out where you sent your traffic the wrong way.
  • Beginner question: where VPN?

    8
    0 Votes
    8 Posts
    2k Views
    M
    @Mr.: More questions: Local NAS = 192.168.3.A Remote NAS = 192.168.3.B Both have a different WAN-IP of course. Both NASes first and foremost function in the local LAN, of course. Only for off site backup does the NAS need to go outside on the internet. What kind of firewall rules do you need? The wiki is not very clear for me. It only says 'add rules', but there are no examples. So: 1. Add firewall rules on both WANs to allow port 1194 -> don't you need a port forward too to send the incoming, remote, NAS (A) to the local NAS (B)? Or is this done by the "Firewall Rules : Don't forget to add rules to Firewall > Rules on the OpenVPN tab to allow traffic inside the tunnel" from the wiki (Client part)? 2. Or do you need a port forward AND that "Firewall Rules : Don't forget to add rules to Firewall > Rules on the OpenVPN tab to allow traffic inside the tunnel"? And what rule would that then be? 3. In the local Synology, I have to enter an IP of the remote machine to backup to. Is that the external IP of the remote site, or the internal IP of the remote NAS? (The latter will go wrong, since both Synologies have the same IP on their local LAN). 4. If .3. is the external IP of the remote site, how then will the local NAS find the remote NAS in its own local LAN? Is that a port forward on the remote site too, or??? Many questions :-[ [/quote] I just found this tutorial, it seems clear: https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1 However, still: 1. How do I send the local NAS (A) to the remote NAS (B), especially if they both have the same IP? Example: local NAS 192.168.3.12, remote NAS on external LAN also 192.168.3.12. 2. In the above link, there are no rules on the client part to send the client out to external server(?) 3. I'm still lost as to the Synology: A. If I tell it there to connect to 192.168.3.12 (meaning: the remote one), it will of course go to the local one - and complain, because it is 192.168.3.12 itself on this LAN. B. If I give it the external IP, then, when arriving at the remote WAN, where there is a WAN firewall rule to allow it in, how, from there on, does it travel to the 192.168.3.12 in the remote LAN: I need a rule for that, don't I? Port forward rule? OpenVPN rule? (client or server?). C. And how do I deal with dynamic DNS in this matter? The IPs are SOHO, so semi-static. Can I enter dynDNS names in the VPN config fields, or doesn't that work? Thank you,
  • Kernel Routing Table

    3
    0 Votes
    3 Posts
    1k Views
    J
    Hi, Each client has a distinct CN and Cert. The LAN subnet behind each client is in the Client Specific Overrides "IPv4 Remote Network/s" section. I also tried to enter in the "Advanced Section" of CSO the command: "route x.x.x.x 255.255.255.0", where x.x.x.x is the client LAN subnet, without success. Tia, Jorge Mota
  • Filtering for some domain names and going directly passing-by OpenVPN

    7
    0 Votes
    7 Posts
    3k Views
    I
    alright, here is what you do. Firewall -> Alias Under IP -> ADD give it a name, and description if you want. Type -> URL (IPs) add as many urls as you like. either host.domain.ext or just domain.ext (www.google.com, google.com) save and go to firewall->Rules add a rule on your LAN interface, action pass, whichever sources you want, destination 'single host or alias' and use the alias you created above. go to advanced options, choose gateway ->Wan or whatever you have it called. save. then drag the rule ABOVE your VPN routing rule. save again and apply changes. you are now routing traffic to specific url/domains out your WAN instead of VPN. :)
  • VPN PPPOE IP Leak

    4
    0 Votes
    4 Posts
    1k Views
    S
    Hi ahhh Squid! Fair enough, it's unusual it would ignore your predefined rules, considering it would have to use a DNS Server of Sorts to deal with the traffic to begin with. I set Static DNS on both the PFSense Box & my DNS Server running on Windows Server 2008 just in case. And no worries at all! Stan464 /Closed
  • Change Firewallrules with OpenVPN

    1
    0 Votes
    1 Posts
    514 Views
    No one has replied
  • Routing Internet traffic between a remote OpenVPN server and pfSense

    3
    0 Votes
    3 Posts
    2k Views
    B
    Derelict, your instructions resolved our routing troubles perfectly! Thank you so much for responding to my problem! Bonte
  • DNS and Domain Control over OpenVPN Site to Site

    2
    0 Votes
    2 Posts
    882 Views
    C
    Why do you have a second pfSense in your VPC? This is not necessary and as far as I know, AWS just supports IPsec with IKEv1. I basically covered what you want to do in a post a few days ago: https://www.ceos3c.com/2017/04/24/site-to-site-vpn-between-pfsense-and-aws-vpc/ Maybe this can help you? You overcomplicate things with the second virtual pfSense inside of AWS in my opinion. AWS has more than enough security measures in place that this is not needed. Ceo
  • OS X with Viscosity connection work when second time make connection

    1
    0 Votes
    1 Posts
    401 Views
    No one has replied
  • 0 Votes
    1 Posts
    467 Views
    No one has replied
  • OpenVPN - multiple tutorials, cannot connect

    10
    0 Votes
    10 Posts
    3k Views
    M
    I'm a dunce, plain and simple…. deleted everything again, no crazy port number etc.  what I was doing wrong was the wrong android client during the export... was choosing openvpn connect and using a similarly named app in the google play store... realized this when I went back to square 0 and deleted everything off every device I had tried... realized the interface was different and noticed i was using two different apps. needless to say, it works now.  icon in the play store is even the same..... OpenVPN Connect vs OpenVPN Connect for Android (two diff companies) TLDR; read, re-read instructions, follow names explicitly.
  • Remote access with only user cert and ca

    6
    0 Votes
    6 Posts
    1k Views
    johnpozJ
    Would think your old sysadmin was an idiot ;)
  • VPN with 2 internet links on Cisco RV320

    1
    0 Votes
    1 Posts
    602 Views
    No one has replied
  • Auto restart vpn

    11
    0 Votes
    11 Posts
    3k Views
    M
    thanx, i needed this
  • OpenVPN dial on demand

    1
    0 Votes
    1 Posts
    850 Views
    No one has replied
  • OpenVPN on RaspBerry Pi (OSMC) with ExpressVPN

    1
    0 Votes
    1 Posts
    7k Views
    No one has replied
  • Win error moving large files across tunnel

    5
    0 Votes
    5 Posts
    1k Views
    P
    No, it's always been around 75ms. We have a roadwarrior in Site4 that ALWAYS had this issue with pulling files from Site1, so months ago I configured a separate openVPN server at Site1 for them using TCP and a different port. I just switched Site2 to use the TCP openVPN server and now I can pull large files without issue, albeit much slower than UDP. Just can't figure out why this Site2 UDP problem started now, but it seems to be latency induced.?.?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.