• 76b, 1 packet appears in unused Open VPN interface

    3
    0 Votes
    3 Posts
    705 Views
    interface widget on the dashboard
  • OpenVPN or IP whitelist with SSL for secure access?

    2
    0 Votes
    2 Posts
    1k Views
    johnpoz
    smb/cifs over a high latency connection is going to blow no matter how you look at..  You're doing what 1 stream - do the math that is going to suck for performance.  Would never use that as method of moving files over long fat pipe. I have a seedbox in Luxembourg, I use https to grab files from there to my box.  I use a web file manager called kloudspeaker.  Max out my internet pipe here at 80mbps..  Or could just use sftp as another option but it's normally not going to scream over high latency either but going to be way better than smb because it's not as chatty.  Public key auth pretty freaking secure ;)  I don't lock down access but you have to auth to it..  There is nothing of personal nature on this box - if someone guessed username and password or used an exploit that would have access to what you normally put on a seedbox ;) My seedbox ping is 108ms from me here..  So with default window size, 1 stream a TCP window of 64 KByte and RTT of 108.0 ms <= 4.85 Mbit/sec. Bump that window size up to 256 and you're still only talking 20 Mbps.. You need more streams and large window size if you want to move files over a long fat pipe.  SMB is not the protocol to do that since it's chatty as all get out.. Do a simple sniff of your file copy even local, look how many packets..  Now increase the time for each packet from your local 1ms to 100 plus ms and how long does that file copy take ;) So depending what is on there - sure https with some sort of login works, sftp or scp very secure method of moving files going to be faster than smb that is for sure.  Comes down to what is on this vms that you would be worried about to how secure you need to make it.  Any sort of admin I wouldn't open up to just public internet via its gui.. Like the esxi host management or pfsense web gui.  Make sure that is secure.  Locked to your IP would be fine - but make sure you have another secure method to get in that doesn't lock to your source IP.  What if that source IP changes ;)
  • OpenVPN client specific overrides and order of push options

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • DHCP and Subnet

    7
    0 Votes
    7 Posts
    2k Views
    johnpoz
    Networking Stuff in 172.20.1.0/24 Hyper-V Hosts in 172.20.2.0/24 Well that is all in the /20 so you just want large network space to have IPs that look to be in different blocks so you can create rules via /cidr or something and they are not actually in their own network?  If you want those networks why would you not put them in their own actual networks so you could firewall between them?  Vs just using IP ranges all in the same network? To test your dns issue I tried to duplicate.. So from my phone connected to my vpn, you can see it hands out my dns server.. I then told it not to and made sure the openvpn service restarted.  I then connected in again from phone and you can clearly see dns is not handed out. [image: nodns.jpg]
  • Exclude a Subnet From OpenVPN

    6
    0 Votes
    6 Posts
    3k Views
    Think I may have it resolved.  Time will tell for sure but looking good so far. After adding the push route-metric and route, the interface network category was still set as "Public".  But then after setting the network category to "Private", using the "Set-NetConnectionProfile" command it seems to stick with future connections.  So we'll see how well that holds up over time. I consolidated the two push commands into a single command of: push "route 0.0.0.0 0.0.0.0 vpn_gateway 9999" Any gotchas lurking with the single command?  OpenVPN doc does mention the "vpn_gateway" keyword may not be compatible with all OS's.  But didn't mention any specifically. Thanks to everyone for your help and getting me on the right path.
  • Site-to-Site, client problems

    11
    0 Votes
    11 Posts
    2k Views
    OK … this is one of those cases where reboot works. Rebooted the Server pfSense and all is well now. Thanks a bunch for your time and help!
  • OpenVPN multi-hop

    2
    0 Votes
    2 Posts
    1k Views
    jimp
    pfSense can route through as many OpenVPN connections as you want, so long as you have the proper routing configured on each leg.
  • OpenVPN with PureVPN using Interface

    14
    0 Votes
    14 Posts
    4k Views
    Pippin
    I see (now :)) Probably the config is stored in /var/etc somewhere. Try to find it and see if persist-tun is in it.
  • Cradlepoint NAT OpenVPN issues?

    2
    0 Votes
    2 Posts
    1k Views
    If the tunnel is up the devices between the tunnel nodes do not affect the availability of the hosts behind it. Based on your description of your issue, I presume the client is set behind the Cradlepoint and other hosts in the LAN use the router as default gateway and will have no route to the server side's LAN. If so you will either have to add a route to each LAN host at client side for server side's LAN to direct the traffic to pfSense or do NAT to translate the VPN traffic to the client's LAN IP.
  • OpenVPN - Layer 2 Traffic

    4
    0 Votes
    4 Posts
    2k Views
    Speaking of the OpenVPN app, that thing needs to be updated.  Its GUI looks like crap.
  • Do not route internet traffic through OpenVPN

    2
    0 Votes
    2 Posts
    886 Views
    Uncheck "Redirect gateway" in the OpenVPN server setting and enter the subnet(s) you want to route over the vpn in the "Local network/s" box.
  • OpenVPN-Client as a Gateway

    2
    0 Votes
    2 Posts
    862 Views
    I would guess it would work if you create firewall rules in each vlan, source your network; destination theirs, and select advanced options in the rule and manually select the gateway interface. So long as you have it assigned to an interface. Though, admittedly, I am new to OpenVPN.
  • Install google authentication on radius server in pfsense

    1
    0 Votes
    1 Posts
    730 Views
    No one has replied
  • HELP NEEDED: PIA openvpn pfsense 2.3.2 with frequent drop of connection

    1
    0 Votes
    1 Posts
    872 Views
    No one has replied
  • Separating VoIP traffic not to go over OpenVPN

    3
    0 Votes
    3 Posts
    1k Views
    Thanks, I'll try that and see if it works.
  • Client Specific Overrides

    3
    0 Votes
    3 Posts
    5k Views
    @johnpoz: why would you not just give the user specific IP in your tunnel Even better! But how do we specify a specific IP for a user in tunnel? Same configuration (Client Specific Overrides) with a CIDR /32?
  • OpenVPN problems

    5
    0 Votes
    5 Posts
    4k Views
    Thanks again for the help.  I was able to get this working using the following. Download the client including the gui manager. Once installed I was able to go in to services and set the openvpn service to start automatically. I then downloaded the openvpn-mi-gui program and when I run it I don't have the problem with the admin and it runs the batch files in the config directory as the logged in user.
  • 0 Votes
    3 Posts
    1k Views
    Xentrk
    Hi, Sorry, I can't help you at this time. But maybe you can help me! I am new to pfSense and also have Torguard VPN.  I have successfully installed Torguard on DD-WRT and ASUS Merlin Build routers.  I am trying to get it to work on pfSense 2.3.2. I followed the instructions on https://torguard.net/knowledgebase.php?action=displayarticle&id=208. The wan, lan and Torguard VPN interfaces are up and running. My laptop gets an IP address, but I can't access any websites. What instructions did you use to install TorGuard VPN? Thanks in advance for the help. EDIT: I was able to fix the problem. I started creating screen shots to send to support. When I landed on the LAN Interface page, I noticed that IPv6 Configuration Type was set to “Track Interface”. I don’t use IPv6 and recall seeing on the pfsense forum that IPv6 needed to be turned off.  I tried to change it to “None”.  But I received a message that DHCPv6 Server was active and must be disabled first.  So, I went to Services, DHCPv6 Server & RA, and set it to disable.  I then went to Interfaces, LAN, IPv6 Configuration Type = “None”.  I am now able to access websites.  Problem solved!
  • 0 Votes
    7 Posts
    2k Views
    "Skip rules When gateway is down" is now off and will stay off!!! I like tagging the packets destined for the vpn in the lan rules … then the floating rule matches the tag and rejects packets so they can't get to the Internet. In practice this method seems to be much faster at rejecting packets. Any, guys, thanks very much for the information ... much appreciated.
  • How to install OTP security on pfSense for two factor authentication

    2
    0 Votes
    2 Posts
    3k Views
    johnpoz
    so did you look here? https://doc.pfsense.org/index.php/Mobile_One-time_Passwords_with_FreeRADIUS
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.