• Converting VPN from PSK to SSL breaks policy routing

    4
    0 Votes
    4 Posts
    702 Views
    V
    @dlogan Basically OpenVPN is designed to connect multiple clients to a server. But this is only possible if the mask is larger than /30. Consequently that gateway is not unique and you need another method to tell pfSense the correct gateway to route traffic to. You can enable routing in such a setup by adding client-specific overrides for each client on the server, where you define the remote networks. However, if you don't want to create CSO (which makes no sense in your case as you have a separate server for each client), you can set the tunnel to /30, so the gateway is unique. But I can't tell you why this is not an issue with a pre-shared key setup.
  • Temporarily disable VPN

    5
    0 Votes
    5 Posts
    1k Views
    R
    @tjrjcj You can do what I (and others) do and have your VPN connection be dedicated to a single network and then change which network you use... on my iMac I can do that one of two ways: Service Order in the Mac or switch port at my desk. But it depends on your employer's VPN on if this is possible.
  • Connecting after 2.6 upgrade

    9
    0 Votes
    9 Posts
    1k Views
    S
    @rcoleman-netgate That makes sense if I were hitting the 10 year mark but it'll be awhile until that happens. My concern is from upgrading pfSense. My first 2.6.0 upgrade that had OpenVPN fell apart so I've been holding back until now when I can devote a large amount of time to both the upgrades and supporting the influx of calls. Now that I've upgraded a second unit and it didn't have the issues I'm trying to determine what to expect on the next 30 or so upgrades. Until now I thought that the upgrade necessitated a change in OpenVPN that would cause issues with remote users until a new cert was put in place but it appears not.
  • Peer to Peer (SSL/TLS) connection going into limbo

    9
    0 Votes
    9 Posts
    2k Views
    morgenstern
    @michmoor Cool, thanks for clarifying that
  • openvpn not working from local network

    13
    0 Votes
    13 Posts
    2k Views
    S
    @gertjan I agree, I have the same rules. I'll try to return the default settings and configure a different vpn server for each interface. thank you for your help.
  • pfSense IPv4+IPv6 & OpenVPN

    12
    0 Votes
    12 Posts
    1k Views
    stephenw10
    If you changed nothing then perhaps the ISP changed something to allow IPv6 to work. The 'correct' settings here are very much dependent on what your ISP provides. Steve
  • Authentication failed after cert renewal

    5
    0 Votes
    5 Posts
    961 Views
    S
    Finally had a chance to look at this again after many days... I noticed my webConfigurator certificate was about to expire, even though I was pretty certain I had renewed everything. After renewing, I couldn't reach the server at all from my phone/client. Restarted the OpenVPN service on my Netgate, then phone/client connected but went back to "Authentication Error". In a fit of desperation, I tried resetting my user password once more and everything started working again. Even after I changed it back to something secure, it has continued working. Therefore, I guess I screwed up resetting my password before... Very embarrassing lol
  • OpenVPN not starting after update!

    netgate-sg-3100 openvpn upgrade issue
    10
    0 Votes
    10 Posts
    3k Views
    TXDS
    @steveits /facepalm - Again, I am new to this and I see what I needed to do! I installed the patches package and applied all, did the reboot, and bingo! Back in business! Thank you so much!
  • No local DNS

    9
    0 Votes
    9 Posts
    956 Views
    M
    I just upgraded to pfSense + (free version, this is for home use) and the local DNS started working.
  • Multicast video traffic over OpenVPN

    4
    0 Votes
    4 Posts
    768 Views
    M
    @chiefsfan The remote side needs to have PIM enabled as well. You could have it point to your switch or maybe firewall as the RP (up to you). The main thing is that if the firewall is the RP, then all network points need to know who the RP is. That means your switch, firewalls, remote switches.
  • TCP traffic not working over OpenVPN on same subnet as LAN

    5
    0 Votes
    5 Posts
    673 Views
    T
    @viragomann Thank you, that is the response we were looking for. We will put the OpenVPN segment on a new vlan, it's a /24 subnet with lots of devices, so impractical to do a static route for them all. What you are saying makes complete sense. Thank you!
  • pfSense running only as OpenVPN server NATing traffic out LAN interface

    5
    0 Votes
    5 Posts
    1k Views
    V
    @travis-fleming No, pfSense also NATs outbound traffic on WAN if there is a gateway stated in the interface settings. So go to Interface > LAN and check if there is a gateway stated in the IP configuration. If so and there is no reason to have it, remove it and pfSense will not NAT outgoing traffic.
  • P2P VPN Breaks WAN Gateway

    3
    0 Votes
    3 Posts
    613 Views
    Z
    @viragomann Thank you, I will swap those around and give that a shot... Going to feel dumb if that works. lol
  • OPENVPN Certificate expiration and SNOM Phones

    1
    0 Votes
    1 Posts
    286 Views
    No one has replied
  • Is it possible to setup multiple OVPN servers at the same WAN interfaces?

    4
    0 Votes
    4 Posts
    702 Views
    V
    @gabriel_rocha A reason for the error you get could be that the client gets no response from the server, could be that he cannot reach it at all. After you have rechecked the server settings, best to start is to check the log. If there isn't any line of the attempt to connect, sniff the traffic on the WAN (Diagnostic > packet capture) to see if the client's requests arrive there. Enter the port you've set for the server into the port filter, start the capture and try to connect from outside. Do you see any packets from the client?
  • openvpn connect mac monterey

    4
    0 Votes
    4 Posts
    1k Views
    V
    @troubleshooting74 said in openvpn connect mac monterey: WAN UDP4 / 1194 (TAP) x.x.x.x.x Is it running in tap mode?
  • OpenVPN Client Custom options loses formatting

    6
    0 Votes
    6 Posts
    703 Views
    Gertjan
    @michaellacroix Exact
  • ExpressVPN setup by beginner for beginners

    16
    1 Votes
    16 Posts
    8k Views
    Gertjan
    @123123 said in ExpressVPN setup by beginner for beginners: (like if ExpressVPN updates the .ovpn files or something like that) Or the OpenVPN version used by pfSense changes! Or the OpenVPN version used by Express changes. For the normal Express clients, this is a non-issue as they 'just' have to upgrade their Express VPN client and done. When you use a VPN ISP with pfSense, you don't use their client. You and I and many others do things 'the hard way', also known as 'manually'. When the version changes, parameters can get declared 'not wanted' - and new parameters can get added. For some, there will be a pfSense GUI equivalent so you handle their usage with some ease. For some, the custom option box is needed. Right now, pfSense and Express seem to be in sync, as my custom options box contains the bare minimum: [image] I'm pretty sure these parameters, fragment and mssfix, the decimal values, are not optimal.
  • low speed (2MBps) on openvpn server (pfsense community edition)

    10
    0 Votes
    10 Posts
    2k Views
    jimp
    VPN performance on pfSense is great if you configure and tune it properly. It's even better on Plus. It helps if you have hardware that supports acceleration and use algorithms which are accelerated by that hardware. A lot also depends on your ISP. The upload and download speed (claimed and actual tested speed), WAN type (PPPoE, DHCP/Static, etc), MTU, and so on. Also if your client is on another ISP their WAN speeds matter, too. As well as along the whole path between the two sites. All that said, SMB is notoriously crappy over non-local networks so it's a poor way to judge speed. Definitely run tests with something like iperf (between the client and the target server, NOT to the firewall itself!).
  • OpenVPN with IPV6 ULA - Not creating route automatically

    3
    0 Votes
    3 Posts
    722 Views
    fabricioguzzy
    @jknott Hello JK, I have edited the text for better understanding. Anyway... I would have to enable the openvpn interface to create manual routes. But I am more interested in "why" it creates a route for a 2001:: address and not for fc00:: or fd00:: addresses.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.