@bafcharles what version of pfS ? maybe deprecheated version best guess go and update your box to 2.5.1 brNP

As mentioned already you need correct routing, and you would need correct rules in your openvpn interface on both ends.. Pretty sure it default to any any. Another mistake common, is policy routing being done with would shove traffic out the wrong interface and not allow pfsense to send traffic out the vpn interface. Another common issue is host firewall on where your trying to go, etc.

You can already get lport 0 by setting the option to randomize the local port, though I can't recall off the top of my head if that is the default. I don't think it has a way to set nobind. If it doesn't set that by default, we should probably update the package to work that way and use nobind.

@bcruze said in OpenVPN 2.5 released - Overview of changes: Did you update Pfsense somehow? No, I just used the new Windows-Client with the Server on pfSense.

Thanks to viragomann, the problem is solved. The problem is that the default gateway for devices in the client lan is not pfSense, we need to setup NAT mapping as a work around. Really appreciate the help @viragomann !

@viragomann completely agree.. Lets see what it shows.

@johnpoz said in LAN to local server rule?: NOT the correct way to do it.. but OK. then please propose the better one Prior to change I identified the passing rule: [image: 1624023172533-screenshot-from-2021-06-18-15-35-22.png] 192.168.5.0/24 is LAN, 192.168.101.0/24 is a subnet on the other site. VPN_S2S is the interface added for ovpnsX according to Assigning OpenVPN Interfaces in the doc. I see my current configuration to be inline with this Tip from the docs: "The best practice is to create manual negation rules at the top of internal interfaces such as LAN. These rules should pass to local and VPN destinations without a gateway set on the rule, to honor the system routing table. "

@bob-dig said in VPN (Surfshark) not working after reboot: I do a nightly reboot of my pfSense via cron. So I added another cron job (rc.reload_all) after that one and this does it for me. All in all a little bit to complicated for my taste.

@juancho1981 said in two openvpn: But if I have the network added in the tunnel On both OpenVPN servers? Post the routing table of both clients when they are connected. Ensure that the destination device in 10.6.0.x doesn't block the access by its own firewall.

@viragomann omg facepalm yep, you're totally right. Thanks. I know what I did now. When I initially set up the OpenVPN client I entered the wrong credentials (and didn't realize it) so it didn't appear as an option when I was initially assigning an interface so I arbitrarily selected em2 not knowing it should have said something like ovpnc1. Went back just now and changed it. Gateway shows as up. And was able to select it in my firewall rule. Beautiful. Thank you very much.

you ran out of /24 Ips - ok then how about a /23 or /22 ;) The jump from /24 to /16 is nuts. You use that as your mask on your devices or you just using it as a routing summary? To be honest that is not here or there to be honest - but it one of my trigger points is all ;) Insanely huge networks used for no valid reason. The only thing you need to do is fire up another instance.. The details of which are up to you, the really the only thing needs to change is has to be an actual different instance.. so another port say 1195, and use say 10.0.183.0/24 as the tunnel network. Then create your rules in your openvpn interface for 10.0.182 and 10.0.183 that limit or allow what you want those clients to be able to do.

There is no way to get v3 with the config built in yet. You can export an inline config and then import that into whatever and it should work. But none of us here have tried builds of v3 yet. It's still too early.

Thanks

I had a play with this over the weekend and i tried running some ping tests. I pinged machine b while remote desktop to machine b on site b from site c. I had no ping drops but the remote desktop connection did drop so i have a feeling this isn't a VPN issue, it might be more of an issue with FRR / routing. Any help how i can debug FRR? (and how can i change this post to that forum?)

so sad! thanks!

@s0p4l1n said in Issue with VPN Bandwidth, even with scaling: 100% of the bandwidth because they are loading high quality image We have several radio stations, ergo we had the same problem with transmitting raw uncut *.WAV audio files. We then deployed the Cisco UCS and its performance is satisfactory. Good luck with your work

@pippin Thanks a ton ! It definetly looks like it !

Thank you dotdash and bingo600. I was able to change the login name