If a connection is stuck at UNDEF that means that it's stuck before it identifies itself, either it has not or cannot send its certificate or credentials. The logs on both sides may be of more help, but generally when this is seen it's because there is poor connectivity between the client and server. Upgrading is important, though it may not help you with this particular case.

I have a 50Mbps/10Mbps Comcast business account and I use Private Internet Access (CA) and I can hit those speeds without issue.  I use BFC-128 encryption, otherwise I have the same settings posed by someuser123. I had compression enabled but that would cause FPS/MOBA games to lag when there were simultaneous downloads running like steam updates.  I turned compression off and the lag went away.  CPU usage didn't change much.  General internet usage never suffered from the lag. My Firewall has no hardware AES support.  It's a converted HP Thin client running an AMD Turion X2 TM-84 [image: 4605048706.png]

Well if you can not resolve something with using the resolver than you have other issues..  Nobody would work using your resolver on your network, not just vpn users. I take it you really don't understand what the difference between forwarding and resolver is? If you want clients to resolve local stuff then they should have 1 dns - the dns that has your local stuff in it.  This dns then should either resolve for forward.. When you place multiple dns in a client where some are public and some are local you have no real idea when the client would use 1 vs the other, and depending on what is returned either refused, serv fail or nx can determine if the client asks the other dns in its list.  Or if just times out talking to one of them. This is not a good strategy to count on client asking the correct dns for what its looking for by switching back and forth between them.  For one in this scenario you end up asking say google for your local stuff.  Which is just waste of time and could be seen as information leak.

Without seeing a diagram of how this is all wired together, my first guess would be that there's an improper setup of an  internal firewall or configuration setting in the devices that don't work. When an external client connects via OpenVPN, it will appear to an internal device that it has an IP address outside the internal LAN. Some devices either fail to recognize or actively block those types of addresses. The other possibility is you've got something(s) wired wrong. Without a diagram, it's pretty hard to say.

so why would you not have put this in the original thread..  And in that thread you were talking about web access and port forwarding not from remove vpn client.. But yes your router to your "source" now removes your asymmetric routing problem. This is the original thread you are talking about is it not? https://forum.pfsense.org/index.php?topic=97861.0

Good news. More forum searching with a few different terms and I came across this post. https://forum.pfsense.org/index.php?topic=76735.15 This lead me to upgrading the older pfsense install I had at the remote location. After upgrading the tunnel came up and I tested more backups with my original way of using rsync. So far so good, I have transferred many gigabytes over this tunnel without any random crashes.

pfSense 2.2.x added the DNS resolver (Unbound) as an alternate DNS service to the original DNS forwarder. The resolver is definitely a more full featured DNS provider for pfSense and is now the default for new installs. Most of my systems are upgrades from older versions of pfSense so they typically use DNS forwarder, which is "simpler" but still adequate for my needs. You setup one or the other to work with your systems. As far as the solution I suggested, you can follow the same steps, just do the "Services->DNS Forwarder" pieces in "Services->DNS Resolver" instead. I would suggest you keep the Resolver as is and simply add the changes I suggested. You could mix and match the Forwarder vs Resolver across different sites, but there's little advantage and much confusion to be had going that route. As I said earlier, pick one or the other and configure as necessary.

I have had the same issues. There are a number of old threads on this.  I find I have to manyually kill the process from the command line and then it'll work.

Yeah.  That checkbox is only for clients connecting to the same OpenVPN server instance so your Mobile and site-to-site will be different.  You need to make sure everyone has the routes to the other VPN server clients and that all the rules are in place.

In general it should be possible to recreate the current Win-based OpenVPN server so that it performs the same way in pfSense. A critical piece of the transfer will be extracting the certificates used in the Windows setup and transferring them to pfSense. The other pieces of the puzzle should be fairly straightforward. Now having said all that, there isn't a simple "import" function that will do this. If you can describe your setup in more detail - a simple network diagram and description of what your trying to accomplish - would really help us help you. Who setup the original Windows installation?

Yes, if the port forwarding works correctly and the traffic is permitted the VPN connection will work well. I've had a similar setup for a time.

Thanks everyone for your help.  I have solved the problem. The reason it wasnt working is becuase i was putting a /30 network in the tunnel network, but using a /24 in the local network.  As soon as i changed this, it came up in openvpn status. Thank you everyone so much for your help.  Its communities that make products extra good, and this is one hell of a product!

Try to change over VPN servers interface to the specific VIP. If that works and you need it listening on more than this one resolve that with NAT port forwarding.

I just went into the cert manager and created a test CA and then a cert off that CA and no issues.  So yeah without some exact details of that your doing no way look into this. Please post a screenshot of your settings used to create your CA, and then the error your seeing [image: testcaandcert.png] [image: testcaandcert.png_thumb]

If you have a gold subscription, there is a Hangout video a did a couple months back walking through a basic HA setup, and there is also info in the book.

And… is the Windows firewall disabled there?