@gertjan client vpn is behind the firewall and it is blocking the traffic ..now it is working fine ...thanks for your support

@p9wgnzxcsd said in OpenVPN Service not running: remore-cert-tls Did you add any extra options in the advanced config? Maybe mistyped remote as remore?

@johnpoz said in To VPN or not to VPN?: "I think I read that you can bind specific applications to a specific NIC." Good luck with that ;) If you want to bypass using your vpn, easy way to do it is based upon policy routing.  So where you want to go bbc iplayer - what is the url you connect to?  I could be as simple as creating an alias putting in the sites you want to go to and using that alias as your dest in rule that send that traffic out your normal wan. Depending on the site you may need to do some investigation on what exact networks they use via some CDN in the backgroun that is not really clear in just the url you use to get started, etc. Other option to this is to do it the other way around, use your normal wan for most of your access and just send the traffic you want out the vpn - sometimes it is easier this way since sites you want to vpn might be smaller, etc. Not sure where you got the idea that applications allow you tie them to specific nic or IP - this is pretty rare in the windows world for sure, and in client applications.  Server applications are more likely allow you to tie them to a specific nic or IP.. There may be some addons for the browser your using that add this sort of feature..  But to be honest policy routing better solution if you ask me, since then doesn't matter if the application supports it or not. Thank you to both of you, I just went online to see if someone is also experiencing the same thing with VPN and I'm happy I found a solution.

No, that is correct. AES-NI is not available here in the droptown, but it is used anyway. In pfSense 2.3 it was still available there, however the recommended selection for AES-NI capable CPUs was to select "No hardware crypto". But it has to be enabled in the System > Advanced options.

FreeBSD 11 isn't technically supported until ESX 6.5 so it's possible you have a compatibility issue causing stability there as well.

@protar Nope, nothing to do with Android. the pfSense is a OpenVPN client to a few servers. It was indeed a DNS issue then getting stuck in a routing or nat loop. I'm still looking into ways to delay the other vpn connections to start so that I can use my internal DNS server that utilizes the first VPN connection outbound.

Thanks.

@maverick_slo said in How to block access from roadwarriors: @unaibg You can totally do it with rules and client overides. Assign static IP to that client, and make rules that fit your situation. Its just as secure as separate tunnel.. IF rules are smart designed of course I assign clients specific IP addresses via Freeradius. "ipsec-test" Cleartext-Password := "PASSWORD-WAS-HERE", Simultaneous-Use := "1", Expiration := "Jan 01 2020", NAS-Identifier == strongSwan Framed-IP-Address = 172.16.8.254, Framed-IP-Netmask = 255.255.255.0, Framed-Route = "0.0.0.0/0 172.16.8.1 1"

Yes. Fairly advanced OpenVPN concept though. You have to assign an interface to the OpenVPN client instance at Site A and be sure that the port-forwarded traffic does not match the firewall rules on the Site A side's OpenVPN tab and only matches a firewall rule on the assigned interface tab at Site A. This gets reply-to working there preventing the reply traffic from the port-forward target host from being routed out the default gateway at Site A and routing back through the tunnel instead. I am not certain this specific use case was covered but you might do well to watch this: https://www.youtube.com/watch?v=ku-fNfJJV7w

@philw Thanks. I also currently have a fully working OpenWRT (LEDE) setup. This does the job very well. But, there are certain little things that can be annoying (for me at least). So I am wanting to replicate all my existing LEDE setttings with pfsense and will be comparing which I like better.

After setting this up, and installed this router in the remote side, after several days of testing I notice that there was a 50% decrease on internet speed, so I had to route just the traffic for my primary side, and leaving the remote side with his own uplink for internet. From primary side to secundary, there is a distance of 30kms, and both have uplinks of 100/100 Mbps. Here is the issue described: https://forum.netgate.com/topic/133011/solved-loss-of-internet-speed-while-on-vpn-from-site-to-site

So I had changed IPv4 remote network at remote side, just to route my primary side network, to avoid this situation. I have also tested crypto accelerators in both sides but didnt had any change.

Thanks for the reply, after few hours someone else mentioned that /24 sometimes wont work so adding /30 did the trick Thanks again

So you link to some openvpn installer script?? That has zero to do with pfsense.. Then you come back 5 days later and say fixed. Completely pointless!!