• Change default port from 1194

    3
    0 Votes
    3 Posts
    546 Views
    A
    @viragomann Thank you. We solved the issue by not using port 1194
  • OpenVPN Rules and Routing Problem

    4
    0 Votes
    4 Posts
    418 Views
    V
    There is no need to hide private IPs. @powerextreme said in OpenVPN Rules and Routing Problem: I don't know why if I specify the gateway the access to local IP's go away. Cause that rule allows only traffic to the specified gateway. You will need an additional rule on the top of the rule set to allow access to internal subnets. What do you get on the client, when you try to access an internet resource? Check if you can access the web by using an IP instead of a host name to rule out a DNS issue.
  • 0 Votes
    2 Posts
    317 Views
    V
    @aimalkay said in OpenVPN Remote Connection unable to complete connection after update. Details/Screenshots attached: Packet Capture Output: 02:13:59.922186 IP 52.202.215.126.49740 > [MYPUBLICIP].1194: tcp 0 02:14:00.919181 IP 52.202.215.126.49740 > [MYPUBLICIP].1194: tcp 0 02:14:02.923256 IP 52.202.215.126.49740 > [MYPUBLICIP].1194: tcp 0 That packet capture shows TCP attempts while your server is on UDP.
  • Duo authproxy for pfSense

    1
    1 Votes
    1 Posts
    197 Views
    No one has replied
  • Cannot create VPN client

    5
    0 Votes
    5 Posts
    611 Views
    T
    I see the: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead. From your logs. Just to confirm, the guide you followed is this one, right? https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/ It specifies, among other steps, providing the following custom options that include remote-cert-tls: fast-io;persist-key;persist-tun;remote-random;pull;comp-lzo;tls-client;verify-x509-name Server name-prefix;remote-cert-tls server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288 Do you have those custom options, and everything else specified in the guide? I'm not an expert on VPN client config, although I have run with Nord clients for a long time without issue. You may also want to post screen shots of your entire client configuration.
  • Super Slow OpenVPN

    2
    0 Votes
    2 Posts
    401 Views
    G
    I wonder if it has something to do with encryption. When I first implemented OPENVPN on our PFSense router [using the software on an old PC] I was having issues with speed. After doing some research I discovered that the CPU of the PC did not have any of the hardware crypto supported in PFSense. I then bought a cheap but 'newer' PC with an Intel I5 CPU and speed was never an issue again. Here is what I have now: CPU Type Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz Current: 3400 MHz, Max: 3401 MHz 4 CPUs: 1 package(s) x 4 core(s) AES-NI CPU Crypto: Yes (active) Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
  • Issue with OpenVPN access back to client

    6
    0 Votes
    6 Posts
    607 Views
    K
    OK, this has happened several times. What does "Type-of-Service" do? I have had this happen where everything is working just fine, and then all communication drops between the two networks. I go in and toggle off the "Type-Of-Service" on both firewalls and communication is restored. I have the TOS on (I'm thinking) so that my VOIP phone on the 2.0 network can utilize traffic shaping on the server on the 0.0 network with higher quality. I have not changed anything over the last few days, but just all of a sudden, this was blocked. I'm on 2.4.5-RELEASE-p1 on both machines.
  • VPN Client cannot access some IP addresses

    14
    0 Votes
    14 Posts
    2k Views
    johnpozJ
    Yeah.. That would do it! Glad you got it sorted.
  • OpenVPN multihop custom configuration guidance request.

    1
    0 Votes
    1 Posts
    205 Views
    No one has replied
  • FSecure Freedome VPN and pfsense?

    2
    0 Votes
    2 Posts
    338 Views
    buggzB
    Do all VPNs bypass the pfsense DNS Resolver? The setup for Nord VPN seems so...
  • VPN can't connect after fresh install

    14
    0 Votes
    14 Posts
    1k Views
    johnpozJ
    @anwoke8204 said in VPN can't connect after fresh install: packet capture came back empty Well then how would you connect! If pfsense does not see the traffic!! Means you have something in front of pfsense that is blocking 1194 UDP if you did not see any traffic on pfsense wan.
  • LAN computers cannot access remote network nodes

    3
    0 Votes
    3 Posts
    277 Views
    P
    Hi, Sorry I forgot indeed. Here's what I have on the server: proto udp6 port 1194 dev tunudp1194 keepalive 10 60 persist-key persist-tun topology subnet verb 3 # CERTS duplicate-cn key /etc/openvpn/easy-rsa/keys/myvpn.key cert /etc/openvpn/easy-rsa/keys/myvpn.crt ca /etc/openvpn/easy-rsa/keys/ca.crt dh /etc/openvpn/easy-rsa/keys/dh2048.pem # hardening remote-cert-tls client tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 crl-verify /etc/openvpn/easy-rsa/keys/crl.pem tls-version-min 1.2 cipher AES-256-CBC auth SHA256 reneg-sec 60 server 10.x.y.z 255.255.255.0 For now I'm using an image generated by scaleway: https://github.com/scaleway-community/scaleway-openvpn. The idea is to run OpenVPN in Remote Access since I don't want the remote site to connect back to the pfSense box.
  • OpenVPN TCP in 2.4.5-p1 not working

    29
    1 Votes
    29 Posts
    5k Views
    D
    I guess finding a bug is sometimes a good thing. I was using TCP for years. After switching to UDP, it does indeed seem faster. I wonder if this isn't as uncommon as you might think. I'm pretty sure that I followed a tutorial years back and the protocol was 'TCP'. I would also like to suggest that if someone tries switching from TCP to UDP, don't forget to also change your firewall rule protocol as well! It's easy to overlook when you are trying to figure things out in a hurry.
  • Openvpn tunnel client shows wrong address

    1
    0 Votes
    1 Posts
    245 Views
    No one has replied
  • OpenVPN relying on WAN1 when it should rely only on WAN2

    31
    0 Votes
    31 Posts
    3k Views
    A
    @Netgate-Steve can you take a look at this and tell me if it warrants a bug report, please.
  • OpenVPN peer-2-peer SSL/TLS not working

    12
    0 Votes
    12 Posts
    941 Views
    B
    @viragomann So I basically need only client override settings for this right? If I'm doing this with unknown clients that only identify by cert (CN) (SSL/TLS) I just need P2P mode and Client Override Setting pointing to each remote network so that server knows where to route (iRoute)? So... I don't need any static routes anywhere right, since only GW I can create is interface of server itself (10.10.250.1)? If I use persistent routes on windows machine, it ignores anything I write there and just goes by default route every time. I know this setting is confusing, but also this FW is setup so WAN is on different public IP (different network subnet) and LAN is also public IP which is routed through FW (it's not NAT). On switch I have route that is pointing to that LAN network through WAN interface. Maybe that's creating issues... I'm very unsure...
  • 0 Votes
    1 Posts
    434 Views
    No one has replied
  • OpenVPN TLS error.

    4
    0 Votes
    4 Posts
    773 Views
    yon 0Y
    maybe should upgrade openssl to 1.1.1+
  • PFSense OpenVPN on Proxmox issue

    2
    0 Votes
    2 Posts
    386 Views
    R
    nobody ever experienced this issue?
  • View source country

    2
    0 Votes
    2 Posts
    304 Views
    NogBadTheBadN
    Syslog and feed it into Splunk or Elastic Search. https://docs.splunk.com/Documentation/Splunk/8.0.5/Viz/IplocationChoropleth https://www.elastic.co/blog/geoip-in-the-elastic-stack Never done it, but if I was I'd use one of the two above.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.