@pfsenserookie Please close this topic off. Issue is resolved; i setup openvpn from scratch and used different port and cleaned up some old firewall rules made by the openvpn wizard.

@rcoleman-netgate Been busy, and Internet seemed stable for the last couple of months. The last couple of days it as been acting up again. The WAN gateway is showing packetloss: WAN_DHCP 38.13.74.19 340.8ms 9.0ms 13% Warning: Packetloss Sometimes the packet loss was occurring on the NordVPN gateway instead, but I couldn't capture it yet. I am using a Netgate 1100. pfSense 22.05 I'll look into the links you posted as well.

@dev-tomas2003 I strongly recommend using real hardware for any firewall, not just pfSense. However, with DHCPv6-PD, the ISP provides a prefix, often a /56, which pfSense then splits into multiple /64s, for the various interfaces. For example, I use prefix ID 0 for my main LAN and 3 for my guest WiFi VLAN. I also use the same values for the 3rd octet of my IPv4 address block to keep things simple. Also, with IPv6, local LANs are supposed to be /64, which means you don't split off part of it for other networks, VPNs, etc..

@kilian77 said in Problem configuration OpenVPN: @johnpoz my ISP router: 192.168.10.1 my pfsense WAN port: 192.168.10.22 my pfsesne LAN port: 192.168.1.1 Ok, that's fine. As that is what I have. [image: 1685541348384-f3730204-1f71-4696-ae1b-779d79caf14a-image.png] My pfSense WAN IP (DHCP) is : [image: 1685541361301-49ee6be1-b9ea-4f36-b569-e78fb7f32638-image.png] What about the other Livebox settings ? You've set a DMZ ? What is the firewall setting ? I use : [image: 1685541503826-6fd31916-4d51-4759-a9a1-38421c83c6c9-image.png] This (uPNP) has been shut down : [image: 1685541566173-68154c35-a684-4479-b02d-e2834c143c22-image.png] as, as it says (translation) : this option can make your live hard ... Nothing here : [image: 1685541618474-7a8a35e6-e01d-413c-8c2a-29ceab16f7d9-image.png] As said earlier : [image: 1685541680681-debb9342-f2dd-4f4f-9110-f424172fcc0f-image.png] Because 'why not'. (pfSense is the only LAN device of my Livebox [except the Orange TV decoder ]) If with these settings you still won't fine a solution. RESET the Livebox (and do not restore faulty settings back in !!). You have to give manually the fti/xxxxxxxx and the connection ISP password Make the connection work. Then change the LAN network from 192.168.1.1/24 to 192.168.10.1/24 And make that work - test with pfSense. Then : make the NAT OpenVPN rule UDP to pfSense, port 1194. And test. It is and should be as easy as that. Remember : These Livoboxes are world's most stupid ISP routers on the planet. It still does't work : throw it out of the windows. Call 3901 (Orange Support). And also : visit the neigbor : test at his place. Or come pay me a visit, I'll show you.

@Gertjan Yes, using iOS Settings/VPN to activate is the workaround noted in the article @tman222 pointed me at. OpenVPN says they are working on a fix...

@viragomann I will try to check and if i found the reason i will post it on here. maybe it help somebody else. anyway thank you for your help and quick response.

@Wastapi said in Update DNS on every VPN connection: @Bob-Dig Where is it defined to be 5 minutes? URL please It is called "Aliases Hostnames Resolve Interval", you find it in System - Advanced - Firewall & NAT.

@Derelict said Probably not going to happen for only one device unless that device is the only device on the bridged segment. Thanks Derelict. If it comes down to it I might try a tap connection. Can two site-to-site OpenVPN instances run at the same time with one in tun mode and the other in tap mode? That would be nice if a small segment of LAN IPs (or perhaps a separate subnet) could be in tap mode, with the bulk running in a 'normal' tun configuration.

Thank you for your response! I meant Advanced filed in the Client specific override. I got it to work!! The problem was with S2 server configuration, where I forgot to check: Username as Common NameUse the authenticated client username instead of the certificate common name (CN). When a user authenticates, if this option is enabled then the username of the client will be used in place of the certificate common name for purposes such as determining Client Specific Overrides.

When renewing the Certificate Authority, navigate to the Certificate section and proceed to renew the server certificates. It is important to note that when creating a new user for the VPN, avoid using an existing user, as it may not function properly. Once you have created the new VPN user, test the functionality to ensure everything is working as expected.

@stephenw10 can you also take a look please. Thank you

@viragomann you said "assigning an interface to the VPN instance gives you a gateway. " probably I'm confusing "assigning an interface to the VPN instance" with "assigning a VPN instance to an interface" or something. I'll get there eventually. cheers

@Dobby_ I believe you. Thank you and @SteveITS for the assistance. I really appreciate you guys taking the time to help. I will check speeds again later tonight to see maximum throughput.

@jknott said in P_CONTROL_HARD_RESET_CLIENT_V2 error: @rico The NAT is at the other end. My pfsense has a public address, so no NAT needed at this end. Here's the rule: [image: 1650482158503-121df6a2-46c0-429d-83b1-be3e7903212f-image.png] As for interfaces, I currently have UDP IPv4 and IPv6 on all interfaces, though I have tried just UDP IPv4 on WAN interface. Either way, it does the same thing. For some reason, in the OpenVPN Server you have to set the interface as any, not WAN

@bob-dig OK got it, thanks again.