• [SOLVED] OpenVPN Server not reachable

    7
    0 Votes
    7 Posts
    741 Views
    manjotscM
    @viragomann UDP is about 10/8 ishhh....
  • Change openvpn client configs through command line

    1
    0 Votes
    1 Posts
    381 Views
    No one has replied
  • Broke pfSense and OpenVPN again.

    2
    0 Votes
    2 Posts
    863 Views
    B
    Forgot to post an update when I fixed this, for people who might have this issue later. Check the client output settings, make sure it is set on the version 2.4+ and it points to either your domain/wan IP address. I will admit that me being a newbie I never looked at that and just went for the client output. I still get a keys out of sync error but that is because the internet drops a packet or 2 on connection, what do you expect from free wifi though.
  • redirect-gateway def1; Routing Traffic from Subnet through OpenVPN

    3
    0 Votes
    3 Posts
    4k Views
    S
    Hey guys, I have to admit, I thought this issue was solved. However, it is not! At Local Site: When a connection is initiated from inside (e.g. I am trying to access google.de using Chrome) then my complete traffic gets routed via VPN tunnel. Back and Forth! Everything! Good! However, when a connection is initiated from outside (e.g. someone is trying to access a service) then the traffic from the outside gets routed from Remote Site to Local Site. There, the service "answers" the requests from outside, however the local pfsense just does not send these packets again through the tunnel. All packets want to leave WAN at local site - not at remote site! However, they should leave at remote site! and not at local site! I can see this clearly when looking at packet capture. Following example: I visit https://www.yougetsignal.com/tools/open-ports/ I enter the host address of remote site and the port, which gets forwarded through the tunnel. I click "check" Then I go to pfsense -> Packet Capture at Local Site and monitor. I can clearly see that all answer-packets leave at WAN interface! However, they should get routed through the VPN tunnel and leave the WAN interface of the remote site! I have clearly defined a firewall rule at local site: [image: 1579889963907-unbenannt.jpg] At remote site I have configured Outbound NAT. But I think the problem right now is local site, because there the packets want to leave via WAN interface. However, they should get sent into the tunnel. Does anyone have an idea what's the problem?
  • 0 Votes
    2 Posts
    468 Views
    No one has replied
  • NGINX Available from OpenVPN remote server

    6
    0 Votes
    6 Posts
    709 Views
    jimpJ
    Check your floating rules, and check Status > Filter Reload to make sure your ruleset is loading properly. And are you certain you are hitting your own nginx? Is it logged by nginx on the firewall? Does it show in a packet capture?
  • OpenVPN Clients Can't access LAN Resources.

    5
    0 Votes
    5 Posts
    760 Views
    N
    @heper Dear heper, I have followed the steps as your guidance, but nothing is showing in packet capture while constantly pinging the host (192.168.1.19) from vpn client. [image: 1579766024566-capture7.jpg]
  • Can ping my internal computer1.mydomain.net but not just computer1?

    5
    0 Votes
    5 Posts
    329 Views
    J
    Thank you! That's what it was, Windows firewall was blocking it. I was able to ping 2 Windows Server 2019 machines but not 2 Windows 10 machines. In case someone is looking for the same info here's how to allow it on Windows https://superuser.com/questions/1106907/windows-firewall-doesnot-allow-to-connect-from-vpn I just set range from 10.0.0.0 - 10.0.0.254
  • SOLVED Help | OpenVPN Server to Access LAN Ressources | Not Working

    10
    0 Votes
    10 Posts
    1k Views
    S
    @viragomann Hello, thanks for the answer. I do get the public IP. @kiokoman It WORKS!!! I am so happy. Many thanks. I deactivated the DMZ settings and I changed the NAT rules to 192.168.3.1 in place of 192.168.1.1 and it just works... Stupid mistakes are sometimes the most difficult ones to find. Many thanks to you, Viragomann & Kiokoman. I really appreciate!
  • Automatically Restarting OpenVPN Client

    6
    0 Votes
    6 Posts
    6k Views
    G
    @jwsi said in Automatically Restarting OpenVPN Client: @guardian This is interesting. If you're using the directive redirect-gateway def1 (route all IPv4 traffic via VPN). This is likely not reconnecting because if the server IP address is changing and you're routing all traffic via the VPN, it could struggle to reconnect because the default route to establish a new VPN connection (via a changed server IP) will be via the now broken VPN tunnel. In any case, if this is the issue, it should be fairly easy to solve after looking at the routing table. Do you notice a loss of Internet connectivity when the VPN dies? I have never noticed a significant loss of Internet connectivity on the main WAN, just on the guest WiFi network. I use the VPN to route all my guest WiFi network traffic though -- most traffic goes straight out. I have a website pinger that checks the status of my shared host every 5 minutes and as part of the code it does a quick UDP socket connection to about a half dozen different public DNS servers. If for some reason none of them connect, then this is logged and the test is skipped. I get between 1 and 10 of these / day. I suspect it might be a temporary loss of cable modem connectivity, (could also be an intermittent NIC interface) and it might also be some sort of bug in my program. I also experience some slow DNS resolution and occasional failed attempts that need to be retried (web page not found -- hit the enter key again, and it comes up - and occasional messages in terminal about temporary address resolution failure).
Here is the config file with appropriate redactions:

    dev ovpnc1
    verb 3
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-GCM
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.xxx.xxx.xxx
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote vvvvvvvvvvvvvvvvvvvvvvvvvvvv 1197
    auth-user-pass /var/etc/openvpn/client1.up
    auth-retry nointeract
    ca /var/etc/openvpn/client1.ca
    ncp-disable
    comp-lzo adaptive
    resolv-retry infinite
    route-nopull
    route-noexec
    persist-key
    persist-tun
    remote-cert-tls server
    reneg-sec 0
  • Access the GUI from OpenVPN not possible anymore

    1
    0 Votes
    1 Posts
    159 Views
    No one has replied
  • Firewall blocking OpenVPN port

    9
    0 Votes
    9 Posts
    2k Views
    A
    @Gertjan said in Firewall blocking OpenVPN port: Hummmmm. Try this : change the "Destination" in your rule(s) from "WAN address" to "any". Ok so today without doing anything for the past 4 days, I didn't check the configs, didn't restart the router or anything. Today when I tried to connect to the VPN it just worked.
  • Packets don't get answered correctly via OpenVPN

    3
    0 Votes
    3 Posts
    465 Views
    S
    Hey viragomann, thanks for your answer. I also tried "route 10.2.66.30 255.255.255.255" but when doing so, Windows PC 10.2.66.30 has no internet access anymore. Is it possible to route single IPs or is it only possible to route whole subnets? Thank you! EDIT: Problem solved, see: https://forum.netgate.com/topic/149934/redirect-gateway-def1-routing-traffic-from-subnet-through-openvpn
  • [SOLVED]Client Specific Override not working on windows 10

    2
    0 Votes
    2 Posts
    286 Views
    C
    so the solution was to take ips from this list https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/ [ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18] [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38] [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58] [ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78] [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98] [101,102] [105,106] [109,110] [113,114] [117,118] [121,122] [125,126] [129,130] [133,134] [137,138] [141,142] [145,146] [149,150] [153,154] [157,158] [161,162] [165,166] [169,170] [173,174] [177,178] [181,182] [185,186] [189,190] [193,194] [197,198] [201,202] [205,206] [209,210] [213,214] [217,218] [221,222] [225,226] [229,230] [233,234] [237,238] [241,242] [245,246] [249,250] [253,254]
  • OpenVPN client connected, no internet or LAN access

    14
    0 Votes
    14 Posts
    9k Views
    D
    @viragomann I understand, but this was set since the beginning as I wrote in my first post about the config: DNS Server 1: 192.168.1.14 (pfSense, I use pfSense as DNS server with pfBlockerNg) but I tried to add it also manually before to the config by this line, but actually did not change anything: push "dhcp-option DNS 192.168.1.14" What was interesting, I also saw connections earlier from the phone to the pfSense IP on port 53 based on states (Firewall > Rules > OpenVPN, then clicked traffic data in the States column) but something was not good as the DNS server actually not responded to the queries from the phone. At the moment I have that only idea the DNS server service was not in a good condition. Anyway, thanks a lot for your help, I really appreciate your prompt feedbacks!
  • [SOLVED] OpenVPN logs

    3
    0 Votes
    3 Posts
    498 Views
    martinpedrosM
    @Pippin said in OpenVPN logs: Set verbosity to 4 on the server and while viewing log close the dashboard. Thank you very much for your response, now I see more detail. Regards! Martin
  • 0 Votes
    6 Posts
    445 Views
    M
    @marvosa Thanks man, it wasn't easy, almost gave up. That was kind of my last attempt... opened a beer to celebrate lol
  • pfsense vpn

    5
    0 Votes
    5 Posts
    606 Views
    M
    Given the diagram provided, I see 8 home users connected to modems that need to connect to servers behind Router 1. For this, you would configure a remote access solution (client to site).
  • Client Specific Overrides : Remote network

    1
    0 Votes
    1 Posts
    212 Views
    No one has replied
  • Access remote site over VPN

    2
    0 Votes
    2 Posts
    306 Views
    L
    @ltxda Got it figured out and working. Thanks to anyone that saw this and was going to jump in to help.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.