thanks i see i needed to add(enable) the interface even though it was auto created.

Add a CSO: VPN > OpenVPN > Client Specific Overrides

Enter the common name that matches to the users certificate.

Enter an "IPv4 Tunnel Network" by considering the stated hints.

Guys any update???? Your help will be appreciated

How do you know the Server side is working properly?
When your Client side pfSense Internet access is working and you don't see anything else in the Logs, you have used a wrong IP/Port or the Problem is the Server side.
Can you for example make Update checks for your pfSense to make sure the connectivity is working in general?

-Rico

I think this is more of a OpenVPN problem rather than PFSense problem.
Apparently, it isn't possible for OpenVPN server to listen on both IPv4 and IPv6 addresses. It can listen to ALL (meaning all IPv4 and IPv6 interfaces on server) OR a single IP address (IPv4 or IPv6).

https://sourceforge.net/p/openvpn/mailman/message/34193818/
"AFAIK this is currently not possible - openvpn can either bind to ALL
addresses (IPv4 and IPv6) or it can bind to a single address - either
IPv4 or IPv6. "

https://community.openvpn.net/openvpn/ticket/937?cversion=0&cnum_hist=5

create static addresses for the devices you want outside the tunnel.

then create a Rule so those device travel over WAN instead of the PIA tunnel...

this is how i operate my "smart" TV so i can stream

@konstanti
Ok
For example
cisco side
access-list 100 permit ip 172.70.70.0 0.0.0.255 100.100.100.0 0.0.0.255
pfsense side
0_1546541458002_4e868b7e-4cfb-4231-8d39-2bc43d3da4b4-image.png

Forgotten
The network behind openvpn can be different if you use NAT .
About this we must remember
I gave an example , assuming that NAT is not being used

Nordvpn is the worst provider i have tried.

and i have tried about 5-6 of the vpn services

i suggest run away quickly

i feel i can say this with confidence as i use the SAME exact settings with another provider and i get full speeds and no buffering 99% of the time

Please make sure to disable Block private networks and loopback addresses and Block bogon networks under Interfaces > WAN because you do double NAT.

-Rico

You are absolutely right , this is only happening with some specific providers rest all are working fine without any issues.
I know this is stupid, but is there any workaround / fix in order to overcome bandwidth throttling from ISP.
I will change the default port & try - will let you know the status
Traffic shaping is not activated on PfSense.

@johnpoz said in OpenVPN TAP TCP traffic not passing, ICMP works:

All of which makes zero sense for a remote user or site to site.

As a generalized statement without having any application-specific insight, this is just plain incorrect.

I have a combination of tun and tap VPNs across multiple sites: there's rarely a time where using tun doesn't annoy me and interrupt my workflow, and never have I been able to notice a performance hit or any practically measurable or operational added latency from using tap.

mDNS, and all sorts of layer 2 applications, both high and low bandwidth can be incredibly useful remotely.

I'm not advocating that tap should by any means be thought of as the preferred option across the board, I'm simply saying there's no reason to wonder why someone may specifically want to use it - it has plenty of uses. For me I would not be able to work from home without it.

@sweden_cool said in Port Forwarding OVPN:

0_1546187776402_NAT how.PNG

Do you need everyone or can you remove two of them?

You can remove the ISAKMP one. I'm not sure about the "pia group" one, but I guess that's from some tutorial ? Remove it or disable it. Keep it clean.

This is easily resolved with the "Avahi" package. Installed and enabled with default settings-- it will repeat the broadcast requests across all subnets, so devices on LAN network become discoverable to you while connected through OpenVPN network (different subnet).

Just logging the answer I found for others. Thanks

I have two wan gateway. I create pfsense openvpn client instance using wan1 gateway. When wan1 down I lose connection of pfsnse openvpn client. I want to up this openvpn connection via wan2 gateway (wan failover).
0_1546272336652_vpn interface.jpg

TCP in TCP is far from ideal, as you are finding out. I would at least test using UDP for the tunnel and see if your issues go away there.

@marvosa I WILL SEND YOU THE NETWORK MAP SOON, ONE QUICK UPDATE

THIS IS HAPPENING ONLY FOR SOME SPECIFIC ISP MY FIREWALL RULE FOR VPN IS ALLOW ALL I HAD CREATED SOME EASY RULE WHICH I HAD SEEN IN FIREWALL LOG FOR THOSE CONNECTIONS GOT BLOCKED.

I'm using Namecheap, which is listed in pfsense dydns drop down list, i've also tried the custom url from Namecheap, which also failed to update.

I already have 127.0.0.0/8 in the NAT Outbound settings for AirVPN WAN interface.

The credentials are correct since it updates when using the WAN interface.