@marvosa I had already opened the case yesterday, follow the link

https://forum.netgate.com/topic/142192/slow-navigation-after-connecting-openvpn-problem-with-host-to-site-dns-resolution/3

Thank you.

Driving me insane now - needed to reinstall pfsense. - set it all back up and now its not setting the ip i set in the bridge dhcp

code_text ```Wed Apr 3 14:44:57 2019 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options Wed Apr 3 14:44:57 2019 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.9.8.0 Wed Apr 3 14:44:57 2019 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options Wed Apr 3 14:44:57 2019 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.9.8.0 Wed Apr 3 14:44:57 2019 TUN/TAP device tap0 opened Wed Apr 3 14:44:57 2019 Initialization Sequence Completed``` code_text

I tried to manaully add the route but that didnt work either - any ideas?

I see the OpenVPN Interfaces is your PIA stuff.
So I've just read through your problem again, you had your Site-to-Site connection A/B fully working and the problem with A can't access B started with adding PIA as OpenVPN Client, right?
Generally speaking for most scenarios with VPN providers you want to enable the Don't pull routes option in your OpenVPN client.
Also check out https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html - very great hangout! Maybe you can grab some useful tips & tricks for your PIA.
Troublesome could be your any-any Firewall Rule in the OpenVPN Tab. You allow any traffic PIA is sending in your direction there!

-Rico

Common software firewall's behaviour is to block traffic from outside its own subnet, so it will not reply to pings from your VPN network. The Windows firewall behaves this way. Perhaps these other devices do as well.

I am grateful for your reply. What I did eventually after trying everything I could think of was to reload the configuration to an apparently safe previous state but to no avail. Finally I reloaded the 2.4.4.1 distro and rebuilt to where I was when the calamity made its appearance and all was well. Once in the clear I clicked for the 2.4.4.2 and that loaded beautifully.

You will be right I am sure but I just could not find it. As a noob I am a great deal clumsy and inattentive but I now have a working installation with OVPN server and clients, pfBlockerNG and Snort. I await delivery of my SG1100. What I am running on is an old AMD Athlon 2core with hardware crypto acceleration. I don't think that is working yet on the SG1100.

If you know you won't have to revoke the cert again in the future, then it can be removed.

As @Rico said though the details are copied to the CRL so you could re-import them from there if needed.

Though that may go away in the future. Certificates are always revoked by serial, having the extra info is handy but not strictly needed.

https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html
Multi-WAN Tactics starting at around 40:05min.

-Rico

Is your pfSense WAN address RFC1918?
So there is any ISP upstream router? Did you forward your OpenVPN port from this router to pfSense?

-Rico

@jacotec said in OpenVPN server via stunnel @pfsense - routing not working:

What did I miss?

You might have some "fun" getting through the Great Firewall of China. Using an unauthorized VPN is illegal there. A fried of mine worked in China for a while and couldn't get a firewall to work.

@rhoekstra thank you very much for the info. It does makes sense. I follow most of it :)
I currently already have an ovpn setup which requires a unique cert per user. As you said it is more work, but I prefer this since I do have users which travel. If a user cert is compromised, I can revoke that specific cert and it won't affect other users. I have more homework to do on the radius part. I have not configured that yet.

Thanks again.
Raffi

@Tjh said in StrongVPN:

TLS Warning: no data channel

sounds like you have tls enabled. but strongvpn does not support it?

open the opvn files and setup the tunnel with what is displayed... alot of times you have to remove a few things in the opvn file to get it to connect. no idea there since i never tried that provider

resolved. changed browsers . chrome to firefox.

Thank you so much, trying Edge worked and I was ale to save the setting and finish the setup.
P.S. for anyone reading this... this error appeared to be part of of a deeper issue so what I did was backup the configuration and rebuilt the system from scratch (Not a Reset to Factory default) as I tried that first and it didn't resolve anything, but a full re-install the os and applied the backup. This was the greatest fix and resolve other "glitches" as well.
Thank you for your help.
Cheers

THANK YOU

this worked perfectly. I figured it was something involving the gateway, being that I wasn't using the default gateway.

I got it working, after setting up the port forward I had to go to firewall - rules - lan and move up the new rule so that vpn dns grabs before the dns resolver.
Annotation 2019-03-27 033736.jpg
Annotation 2019-03-27 033910.jpg

granted this is with mullvad but I also got it working with expressvpn. Since express doesn't give out their dns and it can't be found in the ovpn config; easiest solution is running their client on your desktop and using cmd commands to find the dns address being used inside the tunnel.