How are you trying to access your resources? I see one issue:

You are pushing a DNS domain of 192.168.11.1 to your clients, so all of your name searches are being appended with "192.168.11.1" which is incorrect. The DNS Default Domain box in your config should have the name of your domain (e.g. MyDomain.com) in it, not an IP. Are you even using AD? If not, you shouldn't be pushing a DNS default domain.

I also see you have an AirVPN client tunnel configured. Is that new? I would modify the firewall rule on the OpenVPN tab, so it's explicit to your remote access tunnel network and your LAN. In other words, change the source to 10.0.11.0/24 and change the destination to "LAN net".

What do the rules look like on your AirVPN_WAN_HK tab? Hopefully, you don't have an any/any in there :)

Another question, what version of PFsense were you running on your old hardware? What version are you running now?

In the OpenVPN Server configuration on pfSense.

A push route configuration on a client makes little sense.

@gertjan Oh ! this issue is solved, because my "IDM" (Internet Download Manager), i have disabled IDM and download config file with native browser downloader and it's work !!!!!

Thank for reply and support me !!!!

@viragomann When I added the NAT rule you suggested I left the other NAT rule. It didn't help. I took a look at the routing rules and eventhing is correct. Both now have the explicit routing rule but no change.

Ok so i think i have found the issue but need some help fixing it

I think it maybe a MTU size issue when copying over smb. I have tried some options fragment 1400 mssfix 1400

The server seems to accept it but when i add to client and click connect it errors saying failed to connect to management service.

Anyone got any ideas?

Thanks!

Check Don't Pull Routes in the VPN client.

Doh! Missed that step. Been a while since I setup a new user. Thanks for the answer.

...this is what I already told you 2 days ago. ☺

-Rico

In some scenarios that's necessary for handle the routing with multiple VPNs.
Just assign an interface to the VPN instance and enable it.

Otherwise check the routes on site B and C and use traceroute to find out where the packets go to.

Normally, when I use my iPhone and the VPN to connect to my work (have a pfSense over there) the App I use to connect to my DVR on the LAN, it uses the low resolution video stream when it shows all the videos.
When I focus one stream, I could switch to high res.

Every stream has a 1 Mbit/sec stream at least when my cameras are in colour mode. My VDSL upstream from works is hardly a 2 Megabit/sec connection, so yes, I could overload that one very easily..

Yes Pippin, I think that is best practice - and I do that.

You should also ensure that you Enforce CN / User Matching when using CSO's
Otherwise; a user with a valid cert can circumvent the intended CSO routing / firewalling if he knows another user's name & pwd.
(Or a mindless Sys Admin can get himself confused )

@viragomann

Hey thanks. Its working now thank you so much for your help! Been trying to resolve this for ages!!

Kawa

@bcruze

@bcruze said in Issues with VPN connection not staying up:

do you have IP6 enabled on your pfsense router?

I will have to check on this when I get home. I am currently "working" lol

packet HMAC authentication failed is very often just down to wrong TLS Configuration or wrong key / key direction.
Going just back to some old Version like 2.3.5 is a very bad idea.

-Rico

@rico said in VPN Setup:

You can go with Static Key if you don't want to use Certificates.
Using Certificates in pfSense with OpenVPN is no big deal tho, there are tons of tutorials around.
https://www.netgate.com/docs/pfsense/vpn/openvpn/openvpn-remote-access-server.html
https://www.netgate.com/docs/pfsense/vpn/openvpn/configuring-a-site-to-site-pki-ssl-openvpn-instance.html
https://www.netgate.com/docs/pfsense/vpn/openvpn/configuring-a-site-to-site-static-key-openvpn-instance.html

-Rico

Followed the first link/guide you posted and it worked first time!

Thanks
Chris