• Unable to contact daemon

    0 Votes
    3 Posts
    842 Views
    @viragomann said in Unable to contact daemon: check the system log for hints to the reason, why the server did not start.

    Thanks for the suggestion. It looks like I had a few separate (unrelated) issues. The first was my logs were not actually working at all... since none of the logs had updated since 19 March 2023 (the most recent entries for the System, Firewall, DHCP, etc. logs are 19 March). Going to System Logs > Settings showed a PHP error:

    Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/status_logs_settings.php:72
    Stack trace:
    #0 {main}
    thrown in /usr/local/www/status_logs_settings.php on line 72
    PHP ERROR: Type: 1, File: /usr/local/www/status_logs_settings.php, Line: 72, Message: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/status_logs_settings.php:72
    Stack trace:
    #0 {main}
    thrown

    This seemed related to a bug in pfSense 23.01 where if the <syslog> portion of the config.xml file is empty then this error will happen and no logging occurs. This is in the bug report here: https://redmine.pfsense.org/issues/13942

    So, once I got that fixed and the logs worked again I saw that OpenVPN had the following error when starting:

    cannot open tun/tap dev /dev/tun1 no such file or directory pfsense

    ...which was related to another bug detailed here: https://redmine.pfsense.org/issues/13963

    The ultimate fix for the OpenVPN issue was running the following command:

    kldxref /boot/kernel

    ...and then the OpenVPN service started immediately. Hope this might help anyone else in the same situation as me!
  • Multiple OVPN Clients, what is the limitation?

    0 Votes
    7 Posts
    760 Views
    NogBadTheBad
    @scottlindner re "Is there a solution to that that can be automated?" not as far as I know. I've set up a gateway group of all 3 and set the tier priorities:- [image: 1684249832200-screenshot-2023-05-16-at-16.09.26.png] I also have a Nord LAN segment that I route all the traffic out to the gateway group:- [image: 1684249937422-screenshot-2023-05-16-at-16.09.54.png]
  • too many I/O wait events

    0 Votes
    8 Posts
    1k Views
    Gertjan
    @mimu I'm using the OpenVPN server just as access for myself for remote administration. So, multiple connections, for me, is a rare thing. Still, I've set: [image: 1684129116528-be7e33ae-4fa9-4c02-b4c0-ff20980e0612-image.png] because: why not. I guess (OpenVPN doc should explain more), as soon as a 'client' tries to connect, a 'slot' is allocated. If you have many 'clients' that try, and these are just scripted scanners looking for less protected (NON TLS) VPN access, slots can be allocated fast. Again: I guess. I've not (never) seen "I/O wait events" in my OpenVPN logs. I'm using two OpenVPN servers, port 1194 and port 1195. Both are completely separated, and both work fine. Both servers use TLS, and no user+password.
  • pfSense HA with OpenVPN behind NAT

    0 Votes
    6 Posts
    914 Views
    @parushev Is CARP working well? Check the system log for related entries. Is the OpenVPN server down on the secondary? Do you have a single router or is it an HA system as well? How are your pfSense boxes connected to it? Is there a switch or another device in between? Are they installed on bare metal or virtualized? Note: When a device is talking to the CARP VIP, it resolves the VIP, gets the CARP MAC address and sends the packet to this. However, pfSense uses its real interface address (WAN in your case) when replying. Some devices don't love this behavior. Maybe you're affected by this.
  • OpenVPN troubleshooting and Firewall / Rule / OpenVPN vs OPT1

    0 Votes
    5 Posts
    791 Views
    CatSpecial202
    @viragomann Unfortunately, I lost access and won't be able to regain access until I revisit the site tomorrow. I didn't implement any rules on my OpenVPN server; I only selected the boxes while installing OpenVPN with the wizard to create the required rules. OpenVPN had been working before I enabled the interface and then changed the interface's name. I never implemented any rules under the interface OPT1 tab. The only rule that is implemented is under the OpenVPN tab and I believe it's just IPv4 with * in all the fields.

    @viragomann said in OpenVPN troubleshooting and Firewall / Rule / OpenVPN vs OPT1: Consider that rules on interface group have priority over ones on member interfaces. So if there is a pass rule allowing any to any, rules on member interfaces would not have any effect.

    So then enabling the OpenVPN interface creates an interface group? The single OpenVPN tab that is created when you set up the wizard is a member interface? (I don't know if this OpenVPN tab is there prior to the wizard's use as I didn't look before I used the OpenVPN wizard.)

    @viragomann said in OpenVPN troubleshooting and Firewall / Rule / OpenVPN vs OPT1: What is the purpose of the other tab then?

    I'm trying to understand the difference between the rules associated with the tab created when you enable the OpenVPN interface in assignments and the rules made under the tab that is purely labeled OpenVPN.
  • Mute replay warnings...

    0 Votes
    10 Posts
    5k Views
    @tank330 Never resolved the issue... the mute-replay warnings are still there. Just clutters up the logs...
  • Access to LAN behind pF OpenVPN CLIENT

    0 Votes
    15 Posts
    2k Views
    @dbadovsky Yeah, it has to be in the client specific file, mentioned above. Nice that you got it sorted.
  • Policy based routing via alias (mostly working)

    0 Votes
    9 Posts
    1k Views
    All sorted now, a couple of badly configured aliases were the issue and have now been rectified. All is working now as desired.
  • LANBridge Not Keeping Settings

    0 Votes
    2 Posts
    259 Views
    No one has replied
  • Viscosity setup help

    0 Votes
    1 Post
    428 Views
    No one has replied
  • OpenVPN Client for VLAN specific routes to Internet

    0 Votes
    32 Posts
    5k Views
    I want to post the critical takeaway I learned from this discussion for others searching in the future. I did find other discussions but they were very detailed and specific to the person's situation, very much like this one is, so it is hard to know what are the specific parts from the ones that apply to everyone. So here, just to call it out, the key takeaway that taught me what I needed is: Check the gateway status (Status -> Gateways) for the VPN Client interface. That will tell you if you have a client configuration problem or not. I ultimately did, but the Status -> OpenVPN page indicated it was fine and it actually wasn't.
  • pfsense 2.6 OpenVPN TLS Handshake error

    0 Votes
    6 Posts
    1k Views
    @johnpoz It doesn't look like my load is that significant. It's been like this since this box has been running. [image: 1683394436062-947788aa-a1a3-4669-ab8b-c0d3ad215875-image.png]
  • Is OpenVPN on PFSense 2.6.0 and 2.7.0 single threaded

    0 Votes
    2 Posts
    637 Views
    Dobby_D
    @n8lbv You are mainly focusing on one point of several available:
    Entire pfSense is multi or single core
    Underlying system FreeBSD
    WAN part is single or multicore depending on the usage of PPPoE or not. (PPPoE = single queue, not PPPoE = multi queues) One queue per each CPU core is able to use
    OpenVPN package is taking advantage of multi CPU cores usage or not.
    It all plays together and not something alone. You may be able to tune some things here in the game according to your hardware and use case, like:
    mbuf amount, mbuf size, queues amount, queues length, queues size
  • openvpn server and client simultaneous no internet

    0 Votes
    11 Posts
    1k Views
    @viragomann Thank you very much for your answers, in particular I did not consider that the error could be in the official tutorial of ProtonVPN, probably I will set up the variant "Client - pfsense - ProtonVPN" with DNS over HTTPS.
  • Bypass traffic with two different P2P tunnels using OpenVPN

    0 Votes
    6 Posts
    1k Views
    @gokulapandi Yes, should work for A and C. But if you restrict access on B to certain subnets as well, you need to add the same rule as you have at A on the interface connected to C, and the one you have at C on the interface connected to A.
  • OpenVPN steals all outbound traffic when activated

    0 Votes
    4 Posts
    495 Views
    @tangooversway Presumably the VPN server pushes the default route to you. This is a pretty common setting of VPN services. To avoid it go to the VPN client settings and add a check at "Don't pull routes". After that you have to create policy routing rules to direct the desired traffic out through the VPN.

    Also, with my own OpenVPN setup, I didn't have to switch interfaces in the NAT rules. With the BrandX, it didn't work at all until I switched them.

    What do you mean by "switch interfaces in the NAT rules"? Basically you need to add outbound NAT rules for your internal subnets on the VPN interface, if you want to pass out upstream traffic. But there is nothing to switch. Existing rules (automatic) should stay in place.
  • OpenVPN TAP - Traffic allowed with no firewall rules.

    0 Votes
    1 Post
    228 Views
    No one has replied
  • OpenVPN with Netgate3100/23.01 OpenVPN frequent service restart

    0 Votes
    6 Posts
    964 Views
    @mhassman In our case, as I seem to recall from a few years ago now, the service was running but people couldn't connect until the service was restarted. I am not finding my notes in a quick search though. The weekly restart was just a sledgehammer approach to fixing it.
  • Error connecting with OpenVPN 2.6.3

    0 Votes
    3 Posts
    786 Views
    periko
    @roberto-bianchi Yes, it is not compatible right now. We need to stick with the 2.5.x line until someone fixes this issue. I have the same situation and I'm testing pfsense 2.7-dev and some case. Hope to soon see the solution here, regards!!!
  • Solved: site-to-site up but not routing, can't use a /30 or /24 tunnel?

    0 Votes
    5 Posts
    1k Views
    @marvosa said in Site-to-site up but not routing, can't use a /30 or /24 tunnel?: No tunnel network defined, need to add 10.152.0.0/24 in the "IPv4 Tunnel Network" box

    I think there's some misunderstandings and misleading info on the tunnel network for a site to site. It shouldn't be needed unless someone is using a /30 topology. It should get the tunnel network from the server. Regardless, before yesterday's patch, the tunnel network setting wouldn't accept anything less than a /30.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.