Ok so i think i have found the issue but need some help fixing it I think it maybe a MTU size issue when copying over smb. I have tried some options fragment 1400 mssfix 1400 The server seems to accept it but when i add to client and click connect it errors saying failed to connect to management service. Anyone got any ideas?

Thanks!

Check Don't Pull Routes in the VPN client.

Doh! Missed that step. Been a while since I setup a new user. Thanks for the answer.

...this is what I already told you 2 days ago. -Rico

In some scenarios that's necessary for handle the routing with multiple VPNs. Just assign an interface to the VPN instance and enable it. Otherwise check the routes on site B and C and use traceroute to find out where the packets go to.

Normally, when I use my iPhone and the VPN to connect to my work (have a pfSense over there) the App I use to connect to my DVR on the LAN, it uses the low resolution video stream when it shows all the videos. When I focus one stream, I could switch to high res. Every stream has a 1 Mbit/sec stream at least when my cameras are in colour mode. My VDSL upstream from works is hardly a 2 Megabit/sec connection, so yes, I could overload that one very easily..

Yes Pippin, I think that is best practice - and I do that. You should also ensure that you Enforce CN / User Matching when using CSO's Otherwise; a user with a valid cert can circumvent the intended CSO routing / firewalling if he knows another user's name & pwd. (Or a mindless Sys Admin can get himself confused )

@viragomann Hey thanks. Its working now thank you so much for your help! Been trying to resolve this for ages!! Kawa

@bcruze @bcruze said in Issues with VPN connection not staying up: do you have IP6 enabled on your pfsense router? I will have to check on this when I get home. I am currently "working" lol

packet HMAC authentication failed is very often just down to wrong TLS Configuration or wrong key / key direction. Going just back to some old Version like 2.3.5 is a very bad idea. -Rico

@rico said in VPN Setup: You can go with Static Key if you don't want to use Certificates. Using Certificates in pfSense with OpenVPN is no big deal tho, there are tons of tutorials around. https://www.netgate.com/docs/pfsense/vpn/openvpn/openvpn-remote-access-server.html https://www.netgate.com/docs/pfsense/vpn/openvpn/configuring-a-site-to-site-pki-ssl-openvpn-instance.html https://www.netgate.com/docs/pfsense/vpn/openvpn/configuring-a-site-to-site-static-key-openvpn-instance.html -Rico Followed the first link/guide you posted and it worked first time! Thanks Chris

I kind of gave up on the openvpn and went with IPsec... seemed to work as expected on the first try.

After this, I'm going to move this to a different thread. The topic has moved to remote/client performance. I did a google search. There are some other users that have had some success with various config settings. tun-mtu 9000 #ifndef WIN32 o->rcvbuf = 65536; o->sndbuf = 65536; #endif -or- sndbuf 0 rcvbuf 0 Along with some other settings that I didn't find helpful. I need a true remote setup where I'm on an alien WAN, at a distance. Best I can do at the moment is test on my AT&T WiFi Hotspot, which is horrible in itself. (Though most hotel WiFi is just as horrible, so...). Anyway, unless anyone has anything to add, I'll close this thread down. If I find out anything new/interesting, I'll start a new thread. Thanks for listening.

Glad you figured it out, and thanks for posting detailed information about how.

@rico Thanks !

@viragomann Thanks for the further response. The 4G Router used at the Client site is either a TL-MR6400 or an Archer MR400. Those routers only have only one LAN port which is connected to an internal 4-port Ethernet Switch. Unfortunately, given that scenario, I can't see a way to connect the VPN Client machine on to a separate subnet at the router. Given the number of potential Client sites the cost is significant so changing the router is not really an option.

OpenVPN has no user licenses. If it doesn't work, it's almost certainly in your configuration. Typically issues with multiple clients end up being a problem with the certificates/credentials being used (everyone needs unique certs and usernames), or the tunnel network (it should be x.x.x.0/24), or possibly incorrect firewall rules. Post more detail about your configuration and we might be able to help narrow it down. Also check the OpenVPN log for errors, and check the clients to see what addresses they claim to be using at the time.