correct, you put the ip of your preferred dns resolver, aka ip of the pfsense in your case don't forget to press thumb up if it was useful

It appears that was the issue having only one NIC, a box with 2 NICs on different submets connects and pings fine but now I've ran into the problem that it doesn't have a great throughput tried both OpenVPN and IPSec but packets over 50kb fail on pings.

@jakes said in BUG: OpenVPN client configs being overwritten: loading with the correct information initially, but then flash quickly gets repopulated/overwritten from values from the 1st That has to be the browser doing it then. Maybe an add-on/extension which is active in both regular and incognito mode.

Been stable for 24 hrs now. All working as it should with VPN bypass Aliases in place. Should it stop again, I will definitely look at the IP's for the CDN and refresh them to see if that's it. Had not thought of that. Happy to post tables etc for others if it would be of help.

That was exactly it, thanks for the help.

@viragomann I have no idea if I have messed something up or if its a pfsense thing or a openvpn on centos thing. It's been a while since I worked on a bare openVPN server without pfsense but there isn't much to set really vs using the web gui in pfsense. I have recreated the VPN twice and keep getting the same thing. I have resolved it to some degree by telling pfsense which is the default gateway vs using the automatic option in the systems >routing >gateways page. [image: 1566318010547-this.png] I've never had to do that before on a pfsense setup. But as I say I don't understand why the behaviour difference between this VPN and every other VPN I've ever created. Maybe I just need to sleep on it tonight. :) Regards Dave

UPDATE: Got this fixed. Turned out I had a space after a comma in the remote networks line, so it ignored everything after it. Works as expected now!

Well since your using ALL the 192.168 space.. your tunnel would have to be using something out of the 172.16/12 space or the 10/8 space.. Why would you be using such a large network? Do you have some 65K clients on this network? Set your local network to be something realistic.. How many clients do you have? And then use a tunnel network that is not inside that space. Say for example 192.168.0/24 or 192.168.0/23 if you had say some 500 devices on your network. Then use something other for your tunnel, say 192.168.2/24

From memory, With regards to SHA1 being broken, this is not the case in OpenVPN. This is because of the way it is used (HMAC-SHA1). Add to that the key that changes hourly by default (--reneg-sec). If one would be able to break through OpenVPN's layered security (if setup that way) one could get one hour of data.

yea I honestly have tried all that, I think its an issue with pia and openvpn certs. I've seen many people just do a complete reinstall and get openvpn working first then adding pia/pfblocker to see where the problem starts, I'm going to do that. Thanks for your help!

Got it! Thanks so much for your help. I've changed a dozen settings in the last couple of days so it's hard for me to say exactly what did it. The last thing I did before it started working was actually to uncheck the box that says "Force all client-generated IPv4 traffic through the tunnel." And now when I go back in, it shows checked again... hmmm. In any case, it's working now and I hopefully won't ever have to do any troubleshooting ;) Thank you again for taking the time to help me.

Ah I didn't see that. I prefer the docs. The videos are nice but too much blah blah blah. I can watch an hour-long video and try to hunt down the meat by skipping around, or blast through a text guide in 10 minutes. That's not to say that I don't like or appreciate the videos. On topics that I have little knowledge in, they're extremely helpful and I watch the whole thing. But when I just need the quick & dirty particular steps, the guide is best for me.

They would be in the xml when you backup "all" If all you want to do on the restore is the certs and info, you would have to manipulate the xml and then restore it..

That's exactly what I have done. I was looking for an easier way to administer for CSO users with multiple devices (iPhone and iPad). When sharing the cert didn't work, I assigned a new username/cert for each device. It's workable but cumbersome when users have a PC, iPhone, iPad, and possibly an Android device.

I connect remotely to a 100/100 link and it's very smooth. How did you configure your OpenVPN server? Did you follow the wizard or use a guide or change any non-default settings, for example?