• Client cannot access to server

    2
    0 Votes
    2 Posts
    509 Views
    G

    Did you use the wizard to set up OpenVPN?

    Are the rules in the right order?

    Do you have a static or dynamic IP from your ISP? Are you hitting the right IP?

  • Using MS cert on Linux

    7
    0 Votes
    7 Posts
    1k Views
    I

    I got the Inline config to export by unchecking the MS certificate storage option. I then ran openvpn --config pfSense-blah-blah.ovpn from the command line as root, and it worked. I was afraid I'd kill my Windows clients' ability to connect by unchecking the MS cert option, but at least one still appears to be functioning.

    My remaining difficulty involves configuring the Fedora 27 VPN GUI. Using it from the command line works, but requires a few extra steps and a root password to complete the connection. I've tried configuring the GUI several ways, but none of them seem to work. Probably need to post in a Fedora or OpenVPN forum, but if anyone here knows I'd appreciate your input.

  • Bi-Directional Access and 3 way (SOLVED)

    4
    0 Votes
    4 Posts
    732 Views
    S

    @viragomann:

    You have to set up a client specific override for each client. This only works with SSL Auth.

    At "Common Name" enter the common name you've set in the client's certificate. At "IPv4 Local Network/s" enter the LAN network behind the server and the LAN behind the respective other client, in the "IPv4 Remote Network/s" box enter the LAN network behind the meant client. All networks in CIDR notation and comma separated.

    YOU ARE A LIFE SAVER!!  All I did was change to peer to peer SSL/TLS, added net info into remote nets, and the client specific entries.  And it worked!  A to B, B to C, and A to C.  3 Way VPN!  Thanks brother!!

  • OpenVPN peer to peer - connects but won't pass traffic

    23
    0 Votes
    23 Posts
    6k Views
    P

    For what it is worth, you seem to have the same problem as me: https://forum.pfsense.org/index.php?topic=142389.0

    My main concern is that there is no 'local network' entry in the server setup, could that be the key to a solution?

  • Site-2-site PFsense 2.4.2-p1 only 'working' in 1 direction

    1
    0 Votes
    1 Posts
    640 Views
    No one has replied
  • [SOLVED] Do I need to worry about these OpenVPN log messages?

    3
    0 Votes
    3 Posts
    833 Views
    G

    Thanks so much.

  • How to NAT to avoid IP conflict when using VPN?

    4
    0 Votes
    4 Posts
    926 Views
    Derelict

    That's pretty unlucky.

    Yes, but the NAT has to be done at that location. For them to talk to each other it has to be done at both locations.

  • How can I recover from this automatically

    1
    0 Votes
    1 Posts
    435 Views
    No one has replied
  • DNS Server for OpenVPN

    1
    0 Votes
    1 Posts
    976 Views
    No one has replied
  • 0 Votes
    1 Posts
    878 Views
    No one has replied
  • Extremely Low Download Speed (0.5mbps?!) ExpressVPN (LOGS!)

    24
    0 Votes
    24 Posts
    4k Views
    B

    @VAMike:

    @bcruze:

    @Derelict:

    Not sure how anyone actually thought that these commodity VPN providers had a sustainable business model as traffic/subscribership increased.

    I understand what you are saying but they advertise only 30% decrease in speeds from your ISP.

    I, for one, have never seen misleading advertising or inflated claims!

    The bottom line is that no VPN can avoid adding latency. Depending on what you're doing that may be a small impact or a huge impact. But, given the billions of dollars of R&D that have poured into reducing latency over the internet, it's got to have some noticeable effect. You may be willing to make that tradeoff, but be aware there is a tradeoff.

    I had over 15 support tickets to nordvpn in the past 2 and a half weeks, at home and work, whether I used my pfsense box or their proprietary software. I could not get half of my internet speed on ANY device I used. (Heck, it couldn't get 1/8 of my connection.)

    They refunded my money yesterday and I won't go back. That was my 2nd time using their service, the last time was 2 years ago so they have not improved at all. Buggy software, and servers either overloaded or misconfigured.

    Just my experience at multiple locations with multiple devices.

    I don't have that exact issue with PIA, but their servers work more reliably and are faster.

    I am still looking for an alternative to PIA. I am open to any suggestion for pfSense/OpenVPN use and for Apple, Windows 10 use.

  • Blocking SIP traffic inside an OpenVPN tunnel?

    2
    0 Votes
    2 Posts
    505 Views
    C

    Tried with a different SIP soft-client (Zoiper) and it worked. It seems there is a bug in LinPhone.

  • OpenVPN scanning

    2
    0 Votes
    2 Posts
    684 Views
    Derelict

    All traffic between client and server should ultimately be encrypted and out-of-view to anything running on the firewall anyway.

    I do not know of anything other than squid+clamav for that and it will almost certainly be ineffective for file share traffic.

  • OpenVPN server remote routes disappearing when rebooted

    3
    0 Votes
    3 Posts
    571 Views
    bingo600

    Story is continued here

    https://forum.pfsense.org/index.php?topic=142066.0

    Awaiting Derelict to get time to look at my uploaded configs.

    /Bingo

  • PIA VPN client on causing connectivity issues on non routed interfaces

    1
    0 Votes
    1 Posts
    335 Views
    No one has replied
  • OpenVPN service not starting after suddenly shutdown

    2
    0 Votes
    2 Posts
    687 Views
    jimp

    Sounds like you have a low-level filesystem issue. Take a config backup before doing anything about it.

    You might be able to use the console reboot menu to run a fsck (disk check) for the next reboot, if that doesn't work you'll need to reboot to single user mode from the loader menu and then run "fsck -y /" a few times until it finds nothing wrong. Don't stop running it when it claims the disk has been fixed, it needs to be re-run until it finds no new problems.

    Worst case scenario, reinstall using the recover config.xml option to retain your existing settings.

  • Port Forward through OpenVPN

    5
    0 Votes
    5 Posts
    2k Views
    M

    OK Solved!

    I've flagged the option "Force all client generated traffic through the tunnel" in client specific overrides, and this time it worked perfectly!

    Thanks to all!!

  • OpenVPN Advanced Config Custom Options

    2
    0 Votes
    2 Posts
    1k Views
    jimp

    The optimal buffer size depends on your connection and other factors, it's not so simple as picking a number and using that for everything.

    There is a GUI control for send/receive buffer in 2.4.x, you can use that if you like, or if you leave it set at 'default' then you can still use whatever advanced option you want for those directives.

  • OpenVPN\Certificate Creation SSL Errors

    10
    0 Votes
    10 Posts
    3k Views
    jimp

    It's actually not the e-mail address that is the trigger but any SAN in addition to a CN with a space. It tries to copy the CN to the SAN list, but a CN with a space can't make a valid SAN entry, so it ended up with a bunk empty entry due to the way I coded that feature originally.

    https://redmine.pfsense.org/issues/8252

    I just pushed a fix, should show up in a few minutes.

  • Openvpn bug? route push not added to server config

    3
    0 Votes
    3 Posts
    1k Views
    S

    We might misunderstand each other or I might be wrong.. -> Since the server never pushed the route "push "route 192.168.1.0 255.255.255.0"" to the client, the client on the LAN (192.168.1.0/24) would use the "wifi interface" when requesting hosts in the 192.168.1.0/24 range instead of the tun interface (openvpn adapter).

    When I added "push "route 192.168.1.0 255.255.255.0"" to the server config, the client now knows it should use the tun interface instead.

    The reason I thought this could be a bug is because when I configured the server I specified these options (using the wizard):
    Tunnel Network 10.0.8.0/24
    Redirect Gateway checked
    Local Network 192.168.1.0/24

    Because of the "Local Network 192.168.1.0/24" entry I expected "push "route 192.168.1.0 255.255.255.0"" to be present in the server.conf.

    Anyway, things are working and I'm happy :)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.