  • Is PC/Firewall fast enough for AES-128 VPN?

    0 Votes
    3 Posts
    1k Views
    Thanks for the tip. Very interesting results on the speed test. With my setup, using AES-128-CBC (as per PIA) I get a theoretical throughput of 87Mb/s. What I find interesting though is a while back, when I first got PIA, I could get 250Mb/s throughput. I assumed this was due to compression and obviously fake as I only had a 200Mb/s connection. I'm still baffled as to how this has changed… I'll have to rethink my firewall then if I want to move up ;)
  • OpenVPN (PIA) and DNS performance

    0 Votes
    3 Posts
    4k Views
    @mhertzfeld: Curious why you are not pointing unbound to the PIA DNS servers. If privacy is your concern those are the servers you should be using. I have nearly all my traffic going through a single PIA tunnel and have never had DNS performance issues. They don't appear to support DNSSEC.  I've got a pair of bind9 servers up and running with full recursion + DNSSEC authentication now, and everything is good.  Average query times are sub 200ms now for uncached entries. They're talking to the root servers via PIA, so I'm ok with that. Never could get unbound to behave right, even leaving the tunnels out of the equation.  There were multiple addresses it would not resolve for me, forwarding or recursion didn't matter.  Not sure what's up with that.
  • Trouble Setting up VPN on Double-NAT Network (TLS Key Negotiation Failed)

    0 Votes
    3 Posts
    5k Views
    @viragomann: Have you also other services available yet? If not, check if "Block private networks and loopback addresses" is checked in the WAN interface settings and uncheck it if it is. If the issue still persists use the "packet capture" tool from the Diagnostic menu to check if the VPN packets reach the WAN interface. Select WAN interface and enter 1194 at port. It works! It was as simple as unchecking the option you mentioned and forwarding the port from the router to the pfSense WAN interface. Thank you so much, I've been pulling my hair out over this one. Now, I just have to figure out how to pass over DNS settings so that my colleague can resolve local hostnames and access the internet while connected to the VPN. Edit - that was easy, I have now passed DNS settings over to the VPN client, too.
  • OpenVPN Multi-Factor

    0 Votes
    3 Posts
    1k Views
    Currently they only VPN in with their AD credentials.  I want them to have to enter their AD credentials and a token code.  Requiring a token code from a separate device is much more secure than a certificate alone especially if a user has their workstation/password compromised.  It also takes away from having to manage individual user/machine certificates.  The last 3 places I've worked required RSA hardware tokens, but the team here wants to try out an application based token such as Google Auth/Duo/Authy.  I'm well aware the ease of using a certificate/credential alone, but that's not the direction we chose to go.  Thank you for your input though :)
  • OpenVPN client with DDNS is going down

    0 Votes
    2 Posts
    2k Views
    I run a number (30+) of DDNS based OpenVPN links continuously with none of the described issues. At least two of the links use free No-IP names without any difficulties. For me, I've never needed to set up a "watchdog" service to ensure the link is up. OpenVPN does a good job all on its own. I'd look at removing the watchdog and then trying to analyze the real reasons for any OpenVPN failures. If you're looking to try a different free DDNS provider, FreeDNS has worked well for me over the years.
  • How to access a FreePBX server behind a PfSense over OpenVPN on the Cloud

    0 Votes
    2 Posts
    3k Views
    It's the firewall in FreePBX that's blocking non-local IP addresses.
  • Access Web Server (port 80, port 443) in LAN over VPN

    0 Votes
    1 Posts
    739 Views
    No one has replied
  • OpenVPN (tap) and Static IPs

    0 Votes
    6 Posts
    6k Views
    I am using the subnet feature (pfSense) trying to migrate from the net30 architecture.  Some of my clients are 2.1.5, the rest are 2.3.2. I have ifconfig-push configured properly in the server's client spec override. I believe I have configured this correctly because routing seems to work.  However, I cannot find the client tunnel-end address I assigned to any of my clients in their routing tables, ovpn or freebsd.  Ifconfig yields only 172.16.64.0 --> 172.16.64.1 (the server) on the relevant interface.  Ovpn status routes shows only 172.16.64.0 for the virtual interface. Is this correct?
  • VPN newb havin' Trouble with openvpn

    0 Votes
    4 Posts
    1k Views
    Awesome, thanks that answers a lot of questions, I was farting around with settings for the firewall rules and borked something up, once I get it straightened out, I'll try that. Thank you for your reply. Yes, I am limiting the size of the subnet, but I will try increasing the number of IP's available, initially the scope has strictly been to get one tunnel working, but I fully expect there will be multiple clients in the near future. Part of it is that I have to consider if the single server will be sufficient for all our needs or if a 2nd vpn server instance will be needed.
  • Strange vpn issue & very slow connection

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • OpenVPN (Routing?) Issue (SOLVED)

    0 Votes
    17 Posts
    6k Views
    Digging this thread from its grave to post my solution: I enabled "Client Specific Overrides" and literally copy-and-pasted my configuration from the "Servers" tab. I have no idea whatsoever why this would be needed but everything works now. If someone could explain why I needed doing so this could maybe help another poor soul with the same problem.
  • Open VPN with ddns

    0 Votes
    8 Posts
    4k Views
    I changed to 192.168.2.1/24 but after this I lost the WAN IP on pfSense, but I can ping it. http://prntscr.com/cpnhll http://prntscr.com/cpnjdk
  • Openvpn Site to Site + Roadwarrior

    0 Votes
    6 Posts
    3k Views
    At a high level: You need to push the Site 2 LAN subnet (192.168.4.0/24) to your clients in the roadwarrior's OpenVPN config. You need to add a route for the roadwarrior's tunnel network (192.168.2.0/24) in the Site 2 OpenVPN config.
  • OPENVPN PureVPN Exchange

    0 Votes
    2 Posts
    1k Views
    How have you set up your 'Outgoing Email Server' in the Untangle Email Settings. Are you using Direct or Relaying via another mail server? Both Hotmail and Gmail are very picky about who they receive mail from. If you are sending using the direct option and your Untangle box hostname is not resolvable via public DNS then the mail will be rejected/blocked. If your public IP is dynamic then chances are good that the mail will also be rejected. If in doubt set up the Outgoing Email Server using the relay option via your ISP's SMTP server.
  • IPV6 routing for stand-alone openvpn server

    0 Votes
    3 Posts
    3k Views
    If anyone has any suggestions about this, I'd really appreciate it. Aside from it being a routing issue, I'm out of ideas as to why the server works for ipv4, but not for ipv6. I can post the existing routing on the client and/or server pcs and pfsense if that would help.
  • OpenVPN Client-to-Site is very slow

    0 Votes
    5 Posts
    3k Views
    Because I found this topic already open, I will update it with the same issue I have. The OpenVPN connection is very slow. When I try to copy something it gets a max of 50kb/s !!! I have attached the connections for both client (speedtest) and pfsense-openvpn server (console). On the OpenVPN side I use: DH Parameter length (bits) - 2048; Encryption Algorithm - AES-256-CBC; Auth digest algorithm - sha256; Hardware Crypto - Intel RDRAND engine. Should I need to lower those? Thank you
  • DNS on VPN Client

    0 Votes
    4 Posts
    1k Views
    johnpoz
    No, what I mean by ACLs is the ACLs in unbound (resolver).. Unless you have turned that off and turned on the forwarder (dnsmasq)?  There seems to be an issue going around with that dnsmasq seeing a conf file and limiting queries to the local network if you're using the forwarder. https://doc.pfsense.org/index.php/Unbound_DNS_Resolver#Access_Lists_Tab "I was regurgitating something I read somewhere else on the interwebs." Hehe yeah since we all know everything you read on the internet has to be true ;)  Some of the nonsense I see that says it's more secure or better to do something is most of the time complete utter hogwash!! The big thing as of late is dns leakage.. How tight is your tin foil hat??  What dns are you using exactly?  Do you really think your ISP is tracking what IP address 1.2.3.4 (which they know is billy bob their customer) is doing queries for..  Oh that billy likes his fetish porn, serve him up more fetish porn ads?  Or maybe they are selling that to ???  The nsa maybe?? While yes data can be gotten from dns queries.. Who do you think is watching yours?  And where exactly are they doing it from?  Once you know who you're trying to hide from, then you can figure out how and if you need to.  All comes down to how tight that tin foil hat is…
  • OpenVPN on 2.3.2 "Exiting due to fatal error"

    0 Votes
    24 Posts
    17k Views
    Right, so the connection still gets opened up. I removed the additional parameter from System -> Advanced. Still works. Of course deleted all "Clients". Still works. No traffic though. I verified that my ovpn-file for this firewall looks exactly like others that work - so I opted to download and install the latest version of the OpenVPN client for Windows. Tadaa. Now everything seems to work as expected. I suspect that part of debugging should be killing the openvpn.exe process in Windows every time, to make sure you don't have stuff interfering. A learning experience.
  • Foreign_option custom options for DNS

    0 Votes
    1 Posts
    642 Views
    No one has replied
  • Open vpn and 2.3.2

    0 Votes
    2 Posts
    839 Views
    With the recent upgrades of pfSense, the default network topology changed from net30 to subnet. If your main site changed to subnet after an upgrade and all of the other sites, clients, etc. stayed on net30, you would likely have issues. I would see what the topology is set to on the other networks, i.e. net30, subnet, p2p, then adjust the main site to match and see if that corrects the issue. As a side-note, you can check the OpenVPN logs on the main router by going to Status -> System Logs -> OpenVPN.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.