I'd also investigate a MTU mismatch etc... Here's my (potentially flawed) logic: Server on Side A has larger MTU than Server on Side B. (I assume you copy server to server) Initializing the transfer from Site (B) I can copy FROM a file server on Server (A) with roughly 20MB/sec which is great. I assume the server on Side B requests a small packet size... (Maybe Path MTU Discovery) Initializing the transfer from Site (B) I can copy TO a file server on Server (A) with roughly 20MB/sec which is great. The server on Side B sends data packets that are smaller than Server A maximum accept size. Initializing the transfer from Server (A) I can copy FROM a file server on Site (B) with roughly 20MB/sec which is great. The server on Side B will only send small packets (or packets that are smaller than what Server A can receive) ...but Initializing the transfer from Server (A) I can copy TO a file server on Site (B) with only roughly 8MB/sec Server A doesn't know that Server B can only receive small packets. The Firewall (VPN endpoint) on Side B now has do extra work breaking up large packets into smaller ones - which Server B can accept. So my guess would be fragmentation etc... MTU can be set on Host interfaces, too ... You could try reducing the MTU Size on Server A network interface. Also have a look at the pfsense option (Remove DF bit) https://www.reddit.com/r/sysadmin/comments/2mt3jc/reducing_mtu_value_to_fix_slow_cifssmb_over_vpn/

Ah, got it. I knew I was missing something simple. Thanks!

@ddbnj said in Cannot access beyond router via OpenVPN: 10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0 Yeah that would dick it up ;) Glad you got it sorted! Told you it wasn't pfsense ;) hehehehe The trick is getting the person to clearly see that themselves... Which is why the sniff proves to the user, hey pfsense is doing what its suppose to be doing... Have to look elsewhere..

If you do run your vpn server downstream, you can host route on devices on your local network that you want to create traffic from to your remote vpn clients.. Its not all that hard to do, depending on the such restrictions you might have on the actual local client.

@handleric I think that fixed the issue. Thank you!! This has been driving me nuts!

Hello, Over the past few days i've been doing a lot of research trying to remediate this issue and it seems there are a dozen or more threads for this same issue, is anybody from the development team investigating this?

@akkiz Not got express vpn, but sounds like phill simply re-created or selected his openvpn certificates and downloaded a fresh copy and used them instead. pfsense can be tricky one wrong setting or one wrong copy and paste of a set of certifcation and it won't work, always best to take your time and re-read the guides and double check your settings, am still making mistakes time to time.

Hi this probably won't be as much help but I did try Astrill VPN a few months ago, did ask tech support but they told me pfsense was not supported and they had no future plans to do so. Instead they support merlin firmwares on Asus routers like the Asus 86u (just make sure you access it via 192.168.1.1 router address and not their asus logging website!) Astrill have a applet which works on Asus router (merlin supported) which support port forwarding. It does work stable and well imo. If you are good enough with networking and pfsense you could download the openvpn files and open the files via notepad and see the server addresses and ports and details and perhaps use this in pfsense. I do not have astrill anymore and did not try this when I had it though but was going to use mullvad or nordvpns pfsense guide and just input astrills server address and port number and use astrill certs and files instead. Its a shame Astrill does not support pfsense properly, but I guess they wished to go via commerical routers like Asus and netgear instead.

10MB is a lot? How much memory does your system have?

@JeGr said in Question on OpenVPN restricting IPs: Actually that's one point why I'm propagating the use of FreeRadius together with pfSense' OpenVPN in RAS scenarios, as it's much easier to handle than creating CSOs based on the CN of certificates. Also it minimizes the probability to make configuration errors that would allow VPN users to access pfSense WebUI with their only-for-VPN user when using internal authorization. Yeah it's just a bit of a pain adding the users by hand, I did pop a redmine in for a copy function in the Freeradius package a couple of years ago. https://redmine.pfsense.org/issues/8031

Forget everything- even though the remote networks field was entered and displayed properly I re-typed the values there on both sides. And -whooops- network connected proerply. Just for reference. /KNEBB

@careymichael I am having this same issue. When you said you had a static route pointed to the LAN interface, are you meaning in the firewall rules?

@viragomann Hi, Let me clarify again. Like I said, if I initiate a session directly to HTTPS from VPN client, there's no issue at all, working as I expected perfectly. The problem here is, when I initiate a session from my VPN client to HTTP, the redirection is not happening. I can see packets are going but no return packets. This can be confirmed on pfSense packet capture. I've tested from another host in the LAN and redirection works. That's why I am wondering if I missed something on pfSense. Hope I explained the situation clearly. Thanks a lot. Eoin

@Gertjan [image: 1580310491087-2.jpg] so i activated one more network (my pf sense has 4 nic) and added another router running ddrt and it worked but when i run open vpn on pf sense it shows connection up but disconnects in 20 secs... i will look

@viragomann said in Unable to connect to mutiplied pfsense based openvpn server: lport is the local port, the OpenVPN client instance binds to. It should default any if it's not stated, but maybe that doesn't work in your set up. lport 0 sets the port to any, which means OpenVPN should select the next free port. So you may give it a try. I haven't seen this as default in any config for openvpn that I work with but it connects and I can ping so far it's working thank you @viragomann

Hello. I want to specify the IPv6 rule for OpenVPN. Which source IP do I have to enter for IPv6 as shown in the picture? [image: 1580301704172-ipv6.png] Best regards Axel

Are your WAN interfaces configured automatically by DHCP or PPPoE on both, office and home? If yes, the issue may be in the ISPs network and you should consult him again.

Don't forget also you dest box your trying to rdp too, more than likely his firewall not going to allow traffic from vpn tunnel IP your remote client would be using. So the host firewall need to be adjusted to allow the traffic.