@dyener thank you for the pointer! Adding lport 0 to the client config fixed my issues.

@vettalex If it's an SSL/TLS setup check "Dynamic IP" in the server settings.

@ghummantech Hi, I was able to resole the issue selecting different EC2 instance size, t3 or larger (without bust limit) seems to be resolving the problem. Give it a try and let me know.

I ran a few ookla speedtests, again, graph looks fine but numbers are nonsense. I have a 50mbit/s speed limiter on both pfsense boxes. [image: 1615081446614-pfsense_speedtest_dip.png]

A little more information. I can change the monitoring IP address in the routing>gateways>monitoring to the WAN IP address and the gateway reports good (because it is ping status from the WAN interface). However, the firewall LAN still report Blue Gateway status and no traffic is routing via the LAN rule. ...

@divsys Haha! And you are right again. I am not touching it. It works now and I need a break from it. ^_^ Thank you for your advice. It is a valid concern. I left the part not saying why the flag was there at the first place since the entire thing is all my fault. I added it upon suggestions from others and then I forgot. I am pretty sure that this is the only thing I messed up under the hood. Really appreciate your consideration!

@mbrossar I've seen that before.

I was able to further trace this to Unbound DNS Resolver. Unbound is frequently stopped, and restarting OpenVPN restarts Unbound. So this is not an OpenVPN issue but is an Unbound issue.

the fix for this is in thread https://forum.netgate.com/topic/161324/openvpn-is-not-working-if-client-is-reconnected-immediately/11 i needed to check the box for "Use a random local source port (lport) for traffic from the client. Without this set, two clients may not run concurrently." on the client export plug-in. this option adds lport 0 to the client config.

@r0okey said in upgraded to pfsense 2.5 and now OpenVPN is broken.: I have upgraded 2.5 I'm not able to connect from my client Hi, Have you ever thought about that? (NCP)... https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html [image: 1614886738633-d6125d70-7486-481c-a2bc-8380227950ab-image.png]

@high_voltage If you don't have access to the edge router, then you'd have to get your public IP by going to a website like https://whatismyipaddress.com or https://ipchicken.com. You can also do a google search for "what is my IP" and it will tell you. Once you have the public IP, you would go to the "Client Export" utility, change the Host Name Resolution to "other", enter the public IP and then export your client packages. Another option is to subscribe to a free DDNS service and enter a hostname instead of an IP.

@jacobisreal said in OpenVPN clients can't ping LAN: Any suggestions about how to filter internet sites / URLs for users connected via the OpenVPN? If you haven't "Redirect gateway" checked in the OpenVPN server setting internet traffic is not routed to pfSense normally. You have to consider that the users can add routes by themselves, however. So you should add rules to the VPN interface to restrict access for your needs. If you also want to pass internet traffic from the clients over the VPN rules are more complicated. But this depends on your needs. @jacobisreal said in OpenVPN clients can't ping LAN: Also, the automatic .ovpn client config file download? Already talked about that above. There is nothing intended on pfSense. But search the forum, maybe someone has posted a script to aid distributing VPNs.

@behemyth said in What FW Rule do I need to allow users internet access?: How do I allow a client access to the internet when they are connected to the VPN? I have a rule allowing them to hit the DNS servers, but any rule I make allowing the traffic to WAN NET or WAN address all fail. I dont want to put in a default allow rule to allow any traffic anywhere on my network. What am I missing? There are a few different ways to do it: One option: Pass - Tunnel Network/DNS server Alias Block - Tunnel Network/LAN net (or alias for multiple networks) Pass - Tunnel Network/any Another option: Pass - Tunnel Network/DNS server Alias Pass - Tunnel Network/Invert Match LAN net (or alias for multiple networks) Also, considering there's no local access... unless there's a reason you want your clients using your DNS server(s), I would actually remove access to DNS altogether and push them Google DNS.