• OpenVPN issue: when connected no internet access

    2
    0 Votes
    2 Posts
    562 Views
    A

    Have you added the VPN ip subnet in "Squid Access Control Lists" > "Allowed Subnets"

  • OpenVPN-AS or OpenVPN Remote Access Server which should I install?

    4
    0 Votes
    4 Posts
    965 Views
    jimpJ

    Then the second link for setting up OpenVPN as a Remote Access Server using the wizard is what you're after.

  • PATH to Config file openvpn

    2
    0 Votes
    2 Posts
    3k Views
    V

    /var/etc/openvpn

    It's recommended to make the settings in the GUI. There are drop-downs and input boxes for the most common options, if you need others you can set it in the "Advanced Options" field.

  • 0 Votes
    10 Posts
    4k Views
    B

    After the change this is still an issue, at least I was home this time. I have been statically connecting to 64.237.37.121 for weeks now. I think I am going to try another server…

  • Multiple OpenVPN tunnels multicore CPU

    11
    0 Votes
    11 Posts
    4k Views
    J

    Gateway load balancing seems to work well. I have two PIA VPN tunnels configured on an SG-3100. I have them both as part of a gateway group in tier 1, and my test machine matches a firewall rule that sends all traffic to that gateway group by default.

    When running a Speedtest, the download test uses both tunnels - one openvpn process on each CPU. During the upload test, it only uses one of the tunnels. If I have the gateway group prefer one tunnel over the other, the download test only uses that tunnel and not the other, and the upload behavior doesn't change. I was able to confirm that by watching top from a console and looking at the bandwidth monitor.

    I managed to pull down 60 mbit over OpenVPN doing it this way a few times, but on average it was about 50 mbit. I know there's more throughput available here given the hardware specs, so I need to figure out the best encryption algorithm to use. I want to try a real bench test to take the intertubes variable out of the equation to see how this really works.

  • Issue using OpenVpn with LDAP win2k12 based

    1
    0 Votes
    1 Posts
    374 Views
    No one has replied
  • OpenVPN Logs & Verbosity

    3
    0 Votes
    3 Posts
    1k Views
    GilG

    Thanks Pippin.

    Doesn't help when you are watching the web page for a reason, huh

  • PfSense OpenVPN server compatibility with QNAP (QVPN Service)

    12
    0 Votes
    12 Posts
    3k Views
    K

    Just a followup to those who think about cert based OpenVPN from QNAP (client) to pfSense (server). In foreseeable future - password only.

    From their tech support:

    I have received information from PM that there are currently no plans for improving QVPN OpenVPN client security. However, I have created a feature request regarding this, so it will be considered and possibly implemented in future.

  • PROBLEM WITH OPENVPN ROUTES

    1
    0 Votes
    1 Posts
    415 Views
    No one has replied
  • Remote GW Routing

    1
    0 Votes
    1 Posts
    432 Views
    No one has replied
  • VPNGate VPN setup help needed for pfsense

    7
    0 Votes
    7 Posts
    1k Views
    P

    Where can I get a simple guide to set up openvpn in pfsense?

  • OpenVPN Issue with server stopping client

    2
    0 Votes
    2 Posts
    442 Views
    A

    bump?

  • Can a user supply a password for vpn connection with pfsense-as-client?

    4
    0 Votes
    4 Posts
    718 Views
    M

    captive portal is not going to work.

    Can you elaborate?  Why?

    revoke the certificate if the router is lost/stolen

    This isn't really a good defense against someone with physical access to the router.  I'm less concerned about theft and more concerned about possible unauthorized use by others who may have physical access to where the router is stored.

    Use SSL/TLS + User auth

    How can I do this with a voip phone I'm attaching via one of the ports on an sg-3100 that needs vpn'd access to a non-public phone switch?  I can certainly do openvpn connections with password protected certs - in fact this is what I use for my other remote access clients.

    I'd like to use the sg3100 to provide vpn services for other hardware that can't do vpn services for itself, and I'd like it to take a user supplied password for initial connection to prevent casual access by unauthorized people.

    At this point, I'm leaning toward password-saved-in-the-router ipsec vpn for JUST the voip phone and software (openvpn client) on the laptop.

    I was just hoping to find some way to do both with the hardware.  Thanks for your suggestions.

  • Openvpn and virgin media v6

    13
    0 Votes
    13 Posts
    2k Views
    C

    @techy82

    That LAN rule you show a snip of, is there anything above that? If it works with the openvpn off then it really looks like an incorrect rule.

  • [SOLVED] Port Forwarding with OpenVPN Client (FW Rule Issue)

    3
    0 Votes
    3 Posts
    3k Views
    G

    @Derelict:

    Make sure the inbound traffic is NOT matched by rules on the OpenVPN tab (disable all rules there) and IS matched by rules on the OVPN tab. That will get reply-to functioning.

    Removing the rules from the OpenVPN tab resolved the issue. Thanks!

  • TLS authentication KEY_SIZE=4096

    2
    0 Votes
    2 Posts
    503 Views
    johnpozJ

    Why would you want to do that? That is just the shared secret.. Really no point in that being any higher..

    https://community.openvpn.net/openvpn/wiki/Hardening

    That is the shared secret key, anything over 2048 is just pointless.. This is the key used to sign the tls packets.. Would be better to set your tls min to 1.2 and enable tls encryption… Keep in mind that some clients do not support tls crypt - I do not believe the ios openvpn connect app has enabled its use yet, etc. But really don't see how increasing that would matter..

  • PfSense and QNAP

    3
    0 Votes
    3 Posts
    2k Views
    gregeehG

    @viragomann:

    Since you're directing the QNAP traffic and also its DDNS registration through the OpenVPN, it will register the public OpenVPN IP in the myQNAPcloud DDNS.
    However, presumably your VPN provider doesn't forward access to you.

    So if you want the QNAP traffic to bypass the VPN and go over your WAN gateway, just add a firewall rule for the QNAP internal address as source to your LAN interface, allowing access to public addresses (or only to the myQNAPcloud DDNS) over the WAN gateway. You can select the gateway in the advanced options of the rule settings.

    Thank you, will give that a try.

  • Connectivity Problems

    5
    0 Votes
    5 Posts
    949 Views
    H

    @dsp3:

    From your pfsense openvpn log

    ERROR: FreeBSD route add command failed: external program exited with error status: 1

    Overlapping subnets I would guess. You need to check this.

    Thank you for tossing an idea my way.  I started diving into that error and researching errors with route pulling/pushing.  After a bunch of research I remembered I hadn't looked at the PIA openvpn log to see if it too had the error you mentioned and it did not.  I've done some further research regarding the PIA side of things and I'm no further than I was before.  I've attached the PIA log from openvpn for review and the only thing that I can see as an issue is the link-mtu/cipher/auth/keysize get the "used incorrectly" error (I've seen a ton of people have that issue with PIA and none of them talk about the issues I'm having) but I'm open to suggestions on that front.  I don't see any other errors in that log but maybe my eyes are missing something.  Any thoughts from here?

    [pfSense OpenVPN Log2.txt](/public/imported_attachments/1/pfSense OpenVPN Log2.txt)

  • OpenVPN for one internal address to the PureVPN

    3
    0 Votes
    3 Posts
    804 Views
    P

    Hi!

    Are there any step-by-step instructions for this? Also… is it possible that somebody could update the purevpn instructions on the purevpn site for version 2.4 pfsense? https://support.purevpn.com/pfsense-openvpn-configuration-guide

  • OpenVPN Routing Site-to-Site Remote Subnet to Remote Access VPN Subnet

    4
    0 Votes
    4 Posts
    2k Views
    DerelictD

    You should probably start a new thread.

    But in general you probably need to add 192.168.80.0/24 to the Remote Networks on the Site-to-Site tunnel at the side with the 172.16.16.0/24 network so it knows how to route back to it.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.