• Use OpenVPN but with Internet access on the client

    0 Votes
    5 Posts
    850 Views
    @viragomann I find myself in great difficulty for a random behavior. Yet the configuration is the "basic" one, created with the Wizard and the same as many others described on the Internet.

    For testing I use:
    - Browser with clean cache
    - Browsing in private mode, not to save caches, cookies, etc.
    - Online newspapers because they have a very dynamic content.

    Well: In pfSense there is the Redirect Gateway = ON

    I connect to the VPN, the tray icon turns green; a Win10Pro message appears telling me that an IP has been assigned for the tunnel; I can access the pfSense configuration page. I open the browser for the test; I open the online newspaper; I browse some articles; I ping using the newspaper domain. So, everything is OK.

    After a few minutes, the VPN is still active, but the pages are no longer reachable and the ping from the PC no longer works because it cannot resolve the domain, while if I do it from the GUI of pfSense, ping works correctly on all interfaces.

    OpenVPN log reports:

        Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_VER=2.5.4
        Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_PLAT=win
        Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_PROTO=6
        Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_LZ4=1
        Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_LZ4v2=1
        Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_LZO=1
        Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_COMP_STUB=1
        Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_COMP_STUBv2=1
        Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_TCPNL=1
        Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_GUI_VER=OpenVPN_GUI_11
        Nov 15 07:00:40 openvpn 30979 IP-ROUTER:55664 peer info: IV_SSO=openurl,crtext
        Nov 15 07:00:41 openvpn 27557 user 'USERNAME' authenticated
        Nov 15 07:00:46 openvpn 30979 IP-ROUTER:55664 [USERNAME] Peer Connection Initiated with [AF_INET]IP-ROUTER:55664
        Nov 15 07:00:46 openvpn 30979 USERNAME/IP-ROUTER:55664 MULTI_sva: pool returned IPv4=10.101.101.2, IPv6=(Not enabled)

    Then follow dozens of reports all the same

        Nov 15 07:00:56 openvpn 30979 USERNAME/IP-ROUTER:55664 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #163 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

    Sometimes disconnecting and reconnecting is not useful and I have to close the OpenVPN client to reopen it again.

    Now I am forced to work with three PCs:
    - One to access pfSense.
    - One to test the VPN
    - One connected directly to the router to be able to navigate so that you can always access the online documentation.

    The OpenVPN client GUI is v11.25.0.0
    Installed with OpenVPN-2.5.4-I604-amd64.msi

    This is the config (.ovpn)

        dev tun
        persist-tun
        persist-key
        ncp-disable
        cipher AES-256-CBC
        auth SHA512
        tls-client
        client
        resolv-retry infinite
        remote MYDDNS.duckdns.org 1194 udp4
        setenv opt block-outside-dns
        lport 0
        verify-x509-name "mynamepfsense-ovpn-rwa" name
        auth-user-pass
        remote-cert-tls server
        explicit-exit-notify
        <ca>
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
        </ca>
        <cert>
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
        </cert>
        <key>
        -----BEGIN PRIVATE KEY-----
        -----END PRIVATE KEY-----
        </key>
        key-direction 1
        <tls-auth>
        #
        # 2048 bit OpenVPN static key
        #
        -----BEGIN OpenVPN Static key V1-----
        -----END OpenVPN Static key V1-----
        </tls-auth>
  • Redirect all Torrent traffic to a host

    0 Votes
    10 Posts
    1k Views
    @gertjan said in Redirect all Torrent traffic to a host: @audiobahn You can choose: On the client using the VPN's app. Or use the OpenVPN-client on pfSense, and use firewall rules (policy rules) to select what traffic or which clients get routed over the VPN. @andyrh said in Redirect all Torrent traffic to a host: On pfSense only allow the VPN port. For opening a port for torrents you will need a VPN that allows port forwarding. pfSense cannot help you with port forwarding to a VPN service. Thanks both. I ended up shifting the vpn connection on the server side and it works fine now.
  • Not Routing to VPN client from LAN

    0 Votes
    4 Posts
    711 Views
    @mrwildbob Do the firewall rules on A on the VPN interface allow the access from remote site? Show the IPv4 routing table from A, please. From what you described, I assume both VPN endpoints are the default gateway in their respective LANs, right?
  • OpenVPN Interface IP in Subnet Mode

    0 Votes
    1 Posts
    302 Views
    No one has replied
  • OpenVPN error udpv4 Unknown error (code = 10054)

    0 Votes
    7 Posts
    3k Views
    @rbarbato Nice.
  • A clarification on the Gateway and Clients tab.

    0 Votes
    1 Posts
    277 Views
    No one has replied
  • OpenVPN: with Redirect IPv4 Gateway no access to LAN

    0 Votes
    4 Posts
    540 Views
    With the Wizard there are two fields. Instead, if the server is created, then if the checkbox is ON, the Tunnel Network field disappears.
  • SquidProxy using OpenVPN Tunnel

    0 Votes
    2 Posts
    563 Views
    No one has replied
  • Remote Access Connectivity Issues

    0 Votes
    3 Posts
    623 Views
    I figured it out. It was not a firewall on the devices nor was it the pfSense. It was user error. The device behind the pfSense had manual IPs and no gateway set up. Once I changed them to DHCP things started working.
  • routing bounces between vpn tunnels

    0 Votes
    11 Posts
    642 Views
    digininja99
    @viragomann I've removed the static routes and restarted things. I have this setup in the OpenVPN config for both interfaces. The bit I was missing was the IPv4 Tunnel Network IP, I just put that in and everything seems to be working! I'm now going to back all this up and then grab a copy of this session as notes for if I ever need to add a third VPN. Thanks very much for the help debugging this, it was more complex than I thought, but in the end it all makes sense I think. I'll re-read it all in the morning, it will probably have sunk in by then.
  • Missing field "IPv4 Remote Network" in OpenVPN Server config

    0 Votes
    3 Posts
    563 Views
    @viragomann When I check "Redirect IPv4 Gateway" then "IPv4 Local network(s)" is hidden. But I am searching for the field "IPv4 Remote Network" - which never appears. I just found out that "IPv4 Remote Network" is only shown when Server mode is "Peer to Peer (SSL/TLS)" instead of "Remote Access (SSL/TLS)".
  • ExpressVPN - status reconnecting; ping-restart.

    0 Votes
    3 Posts
    658 Views
    was useful to know. I was looking for good vpn service
  • What is OpenVPN 'Clients' tab?

    0 Votes
    4 Posts
    600 Views
    Ah! That makes sense. I was under the impression that everything under 'Services' -> 'OpenVPN' was server-related, but pfSense can be a client too, of course.
  • Using split DNS with OpenVPN: manual configuration required?

    0 Votes
    1 Posts
    316 Views
    No one has replied
  • OpenVPN using TAP cannot ping any devices on the same LAN

    0 Votes
    1 Posts
    219 Views
    No one has replied
  • OpenVPN service crashing

    0 Votes
    2 Posts
    637 Views
    Anyone? This is still an issue, we are getting desperate! The only solution right now seems to be a scheduled restart every night. But to me that is like peeing your pants to stay warm, not solving the problem. So is there really no one out there that has any idea how to solve this issue?
  • Site to site different ping performance depending on source

    0 Votes
    1 Posts
    214 Views
    No one has replied
  • Connects to OpenVPN but can't ping LAN

    0 Votes
    9 Posts
    3k Views
    @viragomann I think I may have solved it. Initial tests are positive, but want to do further diagnostics to be sure. Wanted to post what I found now so I don't forget. I compared the ARP cache tables between the gateway and the TrueNAS box. Both tables showed the correct respective IP addresses for everything. However, in the gateway ARP table the MAC address for the TrueNAS box was incorrect (the IP address was correct). As soon as I deleted the listing in the gateway for the TrueNAS box that had the incorrect MAC address, I was able to ping both directions between the gateway and the TrueNAS box. Thanks for your guidance. I figured it had to be something like this, it was just unfamiliar territory for me. Jeff
  • Periodic TCP retransmission (lagg, openvpn, static routing)

    0 Votes
    4 Posts
    851 Views
    Disabling VPN server and its interface (I have both VPN client and server on PF) solves this issue, is it not supposed to work both of them one time or just something wrong with outbound NAT?
  • Resizing VPN Subnet

    0 Votes
    2 Posts
    555 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.