High Availability would solve that. You would port forward OpenVPN traffic to the CARP VIP. If the primary goes down, the traffic will hit the secondary instead.

XMLRPC sync would sync the OpenVPN server configurations between the two.

It is an active/passive configuration though. The would be no "load balancing."

I should add, I have tried increasing and decreasing buffer size, I've tried switching UDP ports and removed cipher encryption all together. Nothing changes to download speed from my Nvidia Shield ethernet connected.

For Android no idea, with iPhone OpenVPN works like a charm for me.

-Rico

And you will also have to specifically route the tunnel network to the pfSense interface in the VPC routing table. And pass it in security groups, disable source/dest check, and all that.

@ariban99
NEVER MIND. I had to restart the VPN and it works perfectly as you said.
so NO server changes, just the client changes and its working now!!
thank you

Hi Gertjan,

We're on the process of upgrading the pfSense version soon, We're just waiting for the returned firewall.

By the way I already fixed the issue, I just need to change one of the default settings in openVPN connect apps.

@yannie

Thats the tunnel network. Nothing to worry about. And it is the address of your side of the tunnel network. Using your username and password will bring up your box.

@trazom said in no connexion from client on internet to lan connected at pfsense:

debug: [openvpn] Sat Dec 22 09:17:34 2018 Attempting to establish TCP connection with [AF_INET]192.168.1.254:1195 [nonblock]
debug: [openvpn]
debug: [openvpn] Sat Dec 22 09:19:34 2018 TCP: connect to [AF_INET]192.168.1.254:1195 failed: Connection timed out

That's the key part of this log.

Where are you connecting from? It's trying to connect to 192.168.1.254 so would have to be on that same private subnet to connect to that.
I suspect your pfSense box is behind another router and you have used the client export wizard to create that config with the 'Host Name Resolution' set to Interface IP address. You will need to have that set to a real external IP or a hostname that resolves to it.

Steve

How about you share your screen shots, describe what is happening, and we can tell you what to change.

Looks like the problem was the first OpenVPN rule that was there to allow the VPN server to route traffic to the internet but for whatever reason, it was confusing the pfsense routing. I have deleted that NAT rule and now it works as expected

i use KVpnc to configure my client; i'm going to try to use basic client.
where can i find client's configuration doc on a kali linux distribution?
thanks

Nope. that's the weird thing i was talking about. the client secret is connected to the server with port 1202 but when i print the log on the server (cat /var/log/openvpn.log |grep secret) it prints the above.
Hope not doing something wrong.

@divsys Thank you that makes it very clear. I'll have to change my local subnet, so that at the remote site i'm trying to connect to via OpenVPN has its own unique subnet. Thank you soo much. Will let you guys know when I get it all working

OpenVPN does not set the default gateway like that.

It leaves the system's default gateway alone and inserts two routes:

0.0.0.0/1
128.0.0.0/1

This covers all traffic and is a longer netmask so it is controlling.

Undo whatever it is you did to make that default route go to ovpnc1 and let OpenVPN do what it's supposed to do.

That was it, I changed destination and gateway to my WAN instead of wildcards and it all started working. Cheers.!
OpenVPN rule for future reference.

@thenmanbr said in pfsense bypasses firewall rule:

@chpalmer
however, in the event of a reboot, do you know how would i prevent this issue from happening? (i'm assuming it's the order things are loaded, first vpn then filters... if that even makes sense)

I do not.. I comes as a little bit of a surprise to me as well. I use separate VPN servers for each of my tunnels and Im the only road warrior connection here. If I was to stop a connection to a site I would first go to that site and delete the client.

Can you try a "reject rule" and see if that does it?..

So troubleshoot resolving names from one of the connected clients and see where the process is breaking down. Do you know how to troubleshoot DNS issues using tools like dig and drill?

Yeah. we know you have had nothing but problems with pfSense insert feature here lately. So troubleshoot it.

Even in the logs, I can see that the server is pushing its own address as the gateway, yet pfSense does not use it as the gateway IP:

Dec 21 02:45:36 openvpn 67745 PUSH: Received control message: 'PUSH_REPLY,route-gateway 172.27.120.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.27.120.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'

No. I used some tutorial of PIA open vpn client.