• OpenVPN Peer-to-peer w. PSK broken after upgrade to 2.6.0

    6
    0 Votes
    6 Posts
    581 Views
    @rico Hi Yes, seemed like the "key validation" in the form was disturbed by something. Now I can save (changed and unchanged key) but the client still does not connect.
    Aug 19 13:36:42 openvpn 43990 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
    Aug 19 13:36:42 openvpn 43990 OpenVPN 2.5.4 amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 12 2022
    Aug 19 13:36:42 openvpn 43990 library versions: OpenSSL 1.1.1l-freebsd 24 Aug 2021, LZO 2.10
    Aug 19 13:36:42 openvpn 44249 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 19 13:36:42 openvpn 44249 Initializing OpenSSL support for engine 'rdrand'
    Aug 19 13:36:42 openvpn 44249 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
    Aug 19 13:36:42 openvpn 44249 TUN/TAP device ovpnc1 exists previously, keep at program end
    Aug 19 13:36:42 openvpn 44249 TUN/TAP device /dev/tun1 opened
    Aug 19 13:36:42 openvpn 44249 /sbin/ifconfig ovpnc1 10.0.8.2 10.0.8.1 mtu 1400 netmask 255.255.255.255 up
    Aug 19 13:36:42 openvpn 44249 /usr/local/sbin/ovpn-linkup ovpnc1 1400 1472 10.0.8.2 10.0.8.1 init
    Aug 19 13:36:42 openvpn 44249 TCP/UDP: Preserving recently used remote address: [AF_INET]yy.yy.yy.yy:1194
    Aug 19 13:36:42 openvpn 44249 UDPv4 link local (bound): [AF_INET]xx.xx.xx.xx:0
    Aug 19 13:36:42 openvpn 44249 UDPv4 link remote: [AF_INET]yy.yy.yy.yy:1194
    Aug 19 13:36:59 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
    Aug 19 13:36:59 openvpn 35928 MANAGEMENT: CMD 'status 2'
    Aug 19 13:36:59 openvpn 35928 MANAGEMENT: Client disconnected
    Aug 19 13:36:59 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
    Aug 19 13:36:59 openvpn 35928 MANAGEMENT: CMD 'status 2'
    Aug 19 13:36:59 openvpn 35928 MANAGEMENT: Client disconnected
    Aug 19 13:37:05 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
    Aug 19 13:37:05 openvpn 35928 MANAGEMENT: CMD 'status 2'
    Aug 19 13:37:05 openvpn 35928 MANAGEMENT: Client disconnected
    Aug 19 13:37:14 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
    Aug 19 13:37:14 openvpn 35928 MANAGEMENT: CMD 'status 2'
    Aug 19 13:37:14 openvpn 35928 MANAGEMENT: Client disconnected
    Aug 19 13:37:25 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
    Aug 19 13:37:25 openvpn 35928 MANAGEMENT: CMD 'status 2'
    Aug 19 13:37:25 openvpn 35928 MANAGEMENT: Client disconnected
    Aug 19 13:37:25 openvpn 35928 MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
    Aug 19 13:37:25 openvpn 35928 MANAGEMENT: CMD 'status 2'
    Aug 19 13:37:26 openvpn 35928 MANAGEMENT: CMD 'quit'
    Aug 19 13:37:26 openvpn 35928 MANAGEMENT: Client disconnected
  • 0 Votes
    1 Posts
    501 Views
    No one has replied
  • Lan client computers do not ping

    10
    0 Votes
    10 Posts
    817 Views
    @johnpoz It would be because of a software configuration. Thank you very much for your attention. Now everything is ok.
  • no internet connection ruing server and client need help!

    1
    0 Votes
    1 Posts
    165 Views
    No one has replied
  • OpenVPN connection count is always wrong on many connections

    1
    0 Votes
    1 Posts
    266 Views
    No one has replied
  • OPEN VPN IP Tunnel Networks

    1
    0 Votes
    1 Posts
    266 Views
    No one has replied
  • Route OpenVPN traffic through IPSec Tunnel

    ipsec openvpn routing
    2
    0 Votes
    2 Posts
    745 Views
    @joshopkins Seems all the settings you did are correct, apart from the push-route commands in the default options. These do the same as the "local networks" setting does, which is the preferred way. You shouldn't have both settings. Ensure that the access is allowed by rules on all incoming interfaces. Means on the OpenVPN interface at B and on the IPSec of A and C. To see what's going on, sniff the traffic on the involved interfaces, while you try to access a remote IP from an OpenVPN client.
  • 0 Votes
    2 Posts
    423 Views
    johnpoz
    @alfaro I just connected with my iPhone, without any issues.. iOS 15.6 running 3.3.0 (5047) of the OpenVPN Connect app.. pfSense running 22.05. I do believe they have gotten rid of the CBC cipher, so if you are attempting to use that? Here is my current server setup.. [image: 1660576522101-vpnsrv.jpg]
  • Need help with setting up Stunnel with OpenVpn

    1
    0 Votes
    1 Posts
    310 Views
    No one has replied
  • OpenVPN IP in the same local network segment

    1
    0 Votes
    1 Posts
    279 Views
    No one has replied
  • I can ping from my VPN to my LAN but no vice versa

    2
    0 Votes
    2 Posts
    281 Views
    @jrfernandez The VPN clients might probably block access from outside of their subnet.
  • 1 Votes
    7 Posts
    3k Views
    @jimp said in OpenVPN Data Channel Offload (DCO) failure, service does not start after upgrade to version 22.05-RELEASE (amd64): If you see this, your system did not fully complete the upgrade to 22.05. You should run pfSense-upgrade -dy from an SSH or serial console shell prompt. I had a fresh install from 2.6.0 > 22.01 > 22.05 and this issue appeared. This was the solution to the issue.
  • OpenVPN on PFSense

    34
    0 Votes
    34 Posts
    3k Views
    @viragomann and @Jarhead well I was able to test from my phone tonight and realized it's not going to work on my phone so it'll have to be on a PC when I do this. Thank you guys for your help today! I am stoked this is working for the VPN.
  • pfSense on Cloud VPS for internet access with OpenVPN + Captive Portal

    5
    0 Votes
    5 Posts
    1k Views
    Haven't found a way to use Captive Portal on the WAN interface. So, creating the LAN interface now everything works fine except when I activate the CP. Any petition is redirected to the CP page even after the session is initiated.
  • OpenVPN service won't start "Error 1" / Mobile Clients can't connect

    2
    1 Votes
    2 Posts
    5k Views
    @gbitglenn Just wanted to say I came across this while trying to troubleshoot an OpenVPN issue. It is helpful. Thank you for sharing this information and being detailed.
  • Disconnections to pfsense from OpenVPN

    8
    0 Votes
    8 Posts
    801 Views
    @damianhl said in Disconnections to pfsense from OpenVPN: This is an old version of pfsense (2.4.3-RELEASE), I know I need to update this but I could not do this yet. Yes, you should seriously consider upgrading. The client log indicates a broken TLS session. A reason for this could be that the system time on pfSense doesn't match the client's time. Probably you can check this in case the issue occurs again.
  • 0 Votes
    3 Posts
    814 Views
    @viragomann Thanks for the reply! I have checked this box, however when I do reload the tunnel (momentarily dropping it) traffic does route to the other network card, so it must not be blocking it
  • 0 Votes
    2 Posts
    522 Views
    Bob.Dig
    @ghost-0 said in NordVPN doesn't reconnect after routine periodic VPN server maintenance or other issues...: Am I doing something wrong? Calling the Comcast technician when your VPN service isn't working is wrong. Other than that, no. It is not that comfortable running vpn services on pfSense. Worst thing, often different clients get the same address and gateway and don't work anymore but pfSense doesn't care.
  • Initiating a WOL when router is behind a VPN?

    wol ddns vpn
    19
    0 Votes
    19 Posts
    3k Views
    @viragomann I see. This is all still ridiculously new to me. I will make adjustments. Yeah still not working. I'm about to give up on this.
  • Authenticate/Decrypt packet error: packet HMAC authentication failed

    17
    0 Votes
    17 Posts
    9k Views
    @hispeed Great! Another triumph!