@unsichtbarre A binary search would get you to the happy number fairly fast and is easy to impliment. Ted

@arcusnetworks said in Routing when using pfSense as Openvpn server only: If I add a static route on a device in my cloud that routes back to the LAN ip of the pfSense, all is well. This would not work if the client had route to the remote device. So I presume, the server pushes the route to the client properly. But you need proper routes for both directions. The issue in your setup is that the ASA is the default gateway. So the devices route all traffic, which they have no route for, to the ASA, even packets destined to the VPN client. If you think now, a route on the ASA for the VPN tunnel network to pfSense does the job - forget it. This would lead into asymmetric routing. It would work for pings though, but not for TCP traffic. There are three possible ways to make the routing work in your setup: The bad one you found out already: Add a static route for the VPN tunnel network to each device you want to reach from VPN clients. Better, but depends: NAT the traffic from the VPN clients on pfSense LAN interface to its LAN IP. So the devices send responses back to pfSense and access from the VPN clients will work. The drawback of this is that you are not able to see the real clients IP on the destination device. But maybe that's acceptable for your use case. The best: Disconnect pfSense from the LAN and put it into a separate network segment. Then add a static route for the VPN pool to the ASA and point it to pfSense. With this the whole VPN traffic passes the ASA in both directions. The packets arrive with the client IP on the destination device, responses are sent to the ASA and due to the static route, they are forwarded to pfSense.

@ivica.glavocic Deleting the client certificate from pfSense does nothing at all, if the client is still sending the cert to the server. The OpenVPN server just verifies if the client cert is signed by the assigned CA. If you want to disable a client certificate you have to revoke it and assign the CRL to the server.

@ivica.glavocic said in OpenVPN with Google 2FA: https://redmine.pfsense.org/issues/16558 The redmine ticket shows clearly what your issue is - or was ^^ "freeradius" is .. huge. It has many options, possibilities, extension, and so one. It's one of the most used software package in the world (we all use it several times a a day), and its also the most unknown software. The issue is that the pfSense GUI offers a very small set of the actual capabilities of Freeradius. Go look at the official documentation, you'll be off for days, and when you come back, you won't be the same man anymore. Netgate could create a GUI access for all these options, they also have to 'support' it from then on. That's close to mission impossible. The same thing goes for OpenVPN, or worse : bind, and even worse : postfix. All these 'packages', imho, don't even belong on a firewall, but I'm not complaining as I'm using OpenVPN and Freeradius on pfSense right now. I even modified the Freeadius config files so it used the SQL backed for the 'users' (captive portal users) and not the pfSense User Account Manager as I tend to think that "totally not trusted users" should not have a user account on my pfSense. I'm the only user using the pfSense OpenVPN access for my pfSense, so I don't need 2FA - for now. Thanks for your follow up anyway

@nobanzai +1 amd64 15.0-CURRENT FreeBSD 15.0-CURRENT #21 RELENG_2_8_1-n256095-47c932dcc0e9: Thu Aug 28 16:27:48 UTC 2025 root@pfsense-build-release-amd64-1.eng.atx.netgate.com:/var/jenkins/workspace/pfSense-CE-snapshots-2_8_1-main/obj/amd64/AupY3aTL/var/jenkins/workspace/pfSense-CE- Crash report details: PHP Errors: [16-Nov-2025 21:48:05 Europe/] PHP Fatal error: Uncaught TypeError: Form_Select::__construct(): Argument #4 ($values) must be of type array, null given, called in /usr/local/www/vpn_openvpn_client.php on line 942 and defined in /usr/local/www/classes/Form/Select.class.php:31 Stack trace: #0 /usr/local/www/vpn_openvpn_client.php(942): Form_Select->__construct() #1 {main} thrown in /usr/local/www/classes/Form/Select.class.php on line 31 I'm temporery fix it. Use diag_edit.php edit /usr/local/www/vpn_openvpn_client.php & saved history version 4b9165e "Default to an empty array for functions expecting a countable value Do this for foreach() and count()." https://github.com/pfsense/pfsense/blob/4b9165e5ad3f47c36d1dec3a585a60b629bcdc3a/src/usr/local/www/vpn_openvpn_client.php and edit ciphers in client.

OK... I figured it out... I need a rule set on Firewall->NAT->Outbound. Set Mode to Manual and save. Add a rule set below [image: 1762981320073-nat.png]

I set MTU 1472 and MSS to 1432 on both links. I have tried a range of mtu-tun for wireguard down to 1320. everything causes SSL error An error occurred during a connection to thermalright.com. PR_END_OF_FILE_ERROR Error code: PR_END_OF_FILE_ERROR The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. just started about 2 weeks ago. have tried switching to configs from different countries, routing through different wans. nothing works

@timbopoise said in OpenVPN instructions for ubuntu server behind router firewall and no ufw: Or am I missing something? Setting up a VPN behind the router, instead of on it, causes routing issues. Devices on your LAN have to learn somehow what the route to the other end of the VPN is. DHCP won't do it. If the VPN is on the routing, it sorts things out as usual.

@jucelio_rosa said in Client server with two point-to-point VPNs (SSL/TLS) connection drops.: On the server, we have two links (a "primary" link and a "backup" link). What exactly do you mean with the term "link" here? Where is the OpenVPN server running on? Where is the clinet running on? How does the config look like?

@elvisimprsntr Thanks for that elvisimprsntr. I don’t use “privacy” vpns for privacy, just for casual defense against geo-blocking and it works for me. Thumbs up for that video though.

@TheGushi said in OpenVPN with ipv6 delegated prefix: I do not know what prefix my ISP will delegate to me. Hopefully, it won't change. I've had the same prefix for almost 7 years. However, you have to select System /Advanced / Networking Do not allow PD/Address release to keep from getting different prefixes. But not all ISPs obey that.

Hi Everyone after hours of log investigation i find out the problem is the DNS. what a waste of time. thanks

@the-other Ok, I made a specific rule in the OpenVPN interface to allow any to both NAS servers. [image: 1761707110778-2cd0716f-d4f0-4e63-94e8-4fc93788fd6d-image.png] Here you can see me connecting to the VPN server with my iPhone and attempting to ping both the NAS servers. The traffic passes through the firewall but the ping fails to the Synology (200.4). [image: 1761707746508-eb97e248-fbd4-43cf-977c-31d87df234ce-image.png] [image: 1761707789724-efcea745-54b9-4460-a44a-e2fffc8c5644-image.png] I can, however, successfully ping the backup NAS (200.5) but I cannot connect to that one either with the File Explorer app. BTW, the backup NAS is an old Asus AC-RT86 router in AP mode with WiFi disabled and a SAMBA SSD in the USB port.