• OpenVPN doesn't want to connect

    0 Votes
    2 Posts
    886 Views
    Maybe it's a Client Config error. Double check TLS Key is correct on your Desktop.
  • PfSense Running on VPS as an OpenVPN Client and OpenVPN Access Server

    0 Votes
    1 Posts
    649 Views
    No one has replied
  • OpenVPN 3-4 sites

    0 Votes
    5 Posts
    866 Views
    Derelict
    If you want to do multiple sites on the same server there are additional considerations that usually require CSOs. And you must use SSL/TLS mode with a tunnel network larger than /30.
  • Strange Error with Virtual IP

    0 Votes
    2 Posts
    740 Views
    Just to follow up, I was able to get rid of this error by disabling the 1:1 NAT mapping.
  • Help debugging a multi-VPN setup

    0 Votes
    12 Posts
    2k Views
    Sty make sure you don't have "redirect-gateway def1" in your advanced configuration for the PIA VPN.  That will override all of your policy based routing and send all traffic through the VPN by setting your default gateway to the VPN.
  • OpenVPN speed on AES-NI supported CPU

    0 Votes
    6 Posts
    7k Views
    luckman212
    Figured I'd post my results from tonight… SG-4860 w/ 4 tunnels in a load-balanced gw group spread across 2 WANs. NordVPN. 256k buffer, comp-lzo, fast-io + RDRAND. Was able to sustain 250Mbit/s with CPU load between 9-12%. Pretty happy with this, but will continue striving for higher highs.
  • (SOLVED)I disable Pfsense DHCP and now i can't ping any LAN from VPN

    0 Votes
    13 Posts
    2k Views
    johnpoz
    Dude a mask of 255.0.0.0 means that 10.anything is the same network.. 10.13.11.100 is the same network as 10.12.10 So a client on 10.13.11.100 that gets traffic from something say 10.12.10.14 would just say oh hey buddy nice to talk to you.. Here is my answer.. it would NOT send it to its gateway because it's the same network…  Fix your mask to be 24 bit and your problem will go away.
  • Ping LAN resource from VPN client

    0 Votes
    3 Posts
    553 Views
    Thanks! Windows firewall…  Should have guessed.. Now ping and Windows remote desktop from VPN client to LAN is working  :)
  • Access Remote 4G Modem via OpenVPN

    0 Votes
    1 Posts
    314 Views
    No one has replied
  • OPENVPN with Virtual IP

    0 Votes
    1 Posts
    664 Views
    No one has replied
  • Site-to-site VPN

    0 Votes
    8 Posts
    859 Views
    After countless hours day and night, and two different experts gave up, I finally made it myself. I have to say, I was pretty desperate. Solution? I went to interfaces on local pfsense, added some cryptic ovpnc to interfaces and added manually NAT-routes for all interfaces wlan, lan, opt1, opt2 etc (all allowed, every direction). For some reason, I don't know why, everything worked! I can ping in every direction as long as I'm on a LAN. Now I have to reduce the access again so that I don't have more open routes than needed. Thanks for no help on this…
  • Gatewaygroup with OpenVPN and LAN

    0 Votes
    1 Posts
    361 Views
    No one has replied
  • Only allow access to certain IP's

    0 Votes
    2 Posts
    505 Views
    Smashed it, I created a "client specific override" rule for the openvpn user "common name" to use a static virtual ip and from there I created "rules" under "openvpn" for the static ip to only access those ip addresses.
  • Route specific websites thru VPN connection

    0 Votes
    13 Posts
    11k Views
    Hi guys, I'm a new pfsense user and I've tried to use the steps on post 2, however I couldn't get the VPN running for some websites that want to go through the VPN. After I restart the VPN I lose WAN and VPN connection, it shows VPN down in Status! Is there something else that needs to be done?
  • OpenVPN DNS TTL

    0 Votes
    5 Posts
    1k Views
    johnpoz
    "There is no such thing as caching records that have their TTLs expired in DNS, it is strictly against the spec." While I agree with you it's not good practice.. there is such a thing ;) Unbound advanced Minimum TTL for RRsets and Messages The Minimum Time to Live for RRsets and messages in the cache. The default is 0 seconds. If the minimum value kicks in, the data is cached for longer than the domain owner intended, and thus less queries are made to look up the data. The 0 value ensures the data in the cache is as the domain owner intended. High values can lead to trouble as the data in the cache might not match up with the actual data anymore. dnsmasq supports the same sort of thing where you can overwrite a min ttl value with something long.. Say dns says TTL is 600, you could make your min TTL 3600, etc. But seems like what the OP is asking is how to use a smaller TTL than what is provided.  So the DNS server they are using "godaddy" has a min TTL of 10 min they can set.. They would like to set it to something shorter, say 60 seconds.. Just host their public dns somewhere else is what I would suggest if you want a shorter ttl.  Or look to see what the min TTL value they can set in the godaddy dns manager.  It might just default to 10 min.. Possible they allow for shorter TTL.. But you can always flush cache entries in unbound.. See all the flush commands here https://unbound.net/documentation/unbound-control.html dnsmasq can do the same thing with just a simple restart.. I don't know if you can just send it a command to clear out specific records like you can with unbound..
  • Site-to-site loop - How to stop the loop?

    0 Votes
    11 Posts
    2k Views
    @Derelict: Do this: B: 192.168.2.x - Openvpn servers Server settings to (A) Server mode: p2p (Shared Key) Device mode: tun Interface: WAN Local port: blank Tunnel Settings IPv4 Tunnel Network: 10.1.200.0/24 IPv6 Tunnel Network: blank IPv4 Remote network(s): 192.168.3.0/24~~,192.168.1.0/24~~ Disable IPv6: yes Server setting to(C) General Information Server to other (C) Server mode: p2p (Shared Key) Device mode: tun Interface: WAN Local port: blank Tunnel Settings IPv4 Tunnel Network: 10.0.100.0/24 IPv6 Tunnel Network: blank IPv4 Remote network(s): 192.168.1.0/24~~,192.168.3.0/24~~ Disable IPv6: yes You are attempting to create an OpenVPN route for both remote sites on both openvpn tunnels. You only need to define the remote networks that are actually remote on that connection. You are probably seeing all kinds of strangeness because the OpenVPN process that starts first gets both routes and the other one fails to add the routes because they already exist. Hey thanks, that worked, after removing ,192.168.3.0/24 & ,192.168.1.0/24 from C on the two servers ping and tracert is now working and not looping. So I see what I was doing wrong after you pointed it out, thank you for this Derelict.
  • Connection not fully utilized

    0 Votes
    3 Posts
    601 Views
    JKnott
    What exactly are you testing?  Are you connecting a remote site through the VPN, perhaps as a "road warrior"?  If so, the upload bandwidth will limit the download bandwidth of the remote site.  Is your fibre connection symmetric or asymmetric?  If asymmetric, you will have different upload and download bandwidths.  My cell connections are symmetric, but my cable connection is not.  What do you get if you run speedtest through your fibre connection?
  • Redirect gateway

    0 Votes
    1 Posts
    357 Views
    No one has replied
  • [Solved]: Failing to create routes on boot. Must "pretend edit" a route

    0 Votes
    9 Posts
    2k Views
    I got this working.  I'm posting my setup for posterity, since there's a shortage of docs for this stuff.  The goal is to set up a TAP VPN in a hub-and-spoke-format: @jimp: Never, ever, ever make static routes that point to OpenVPN. It fails in exactly this way. OpenVPN manages routes internally. Depending on your setup, you need to set them in the local/remote networks on the clients and servers and possibly in client-specific override entries on the server. If you can describe the setup of your VPN more in-depth that would help. For example, which VPN mode you're using (static key or SSL/TLS), the tunnel network you have set, etc. I saw what you meant.  I should just be able to push the routes I need from the server. So I ripped everything out, except for the certs and my client specific overrides (which is just used to specify the bridge iface IP).  I deleted every route and gateway that I had manually made, and removed every reference to remote or local LANs in both the client and server setting.  I added just two directives to the advanced section of the client specific settings. To set the bridge interface ip address for the client on SITE A: ifconfig-push 10.0.0.100 255.255.255.0; I always had that, but to properly set the route, mask, and gw for client on SITE B's subnet, all I needed to do was: push "route 10.10.0.0 255.255.255.0 10.0.0.101"; Therefore the client on SITE B must have its address assigned as follows: ifconfig-push 10.0.0.101 255.255.255.0; … and it can resolve SITE A through SITE A's client's bridge interface address which we just set above ... push "route 10.5.0.0 255.255.255.0 10.0.0.100"; The last thing you need to do is allow/block traffic on the bridge interface (Firewall -> Rules -> OpenVPN.) Block 67-68 (DHCP) from any source to any destination Allow from * to * (or on a per subnet basis) That's it.  No need for anything else. Thanks everyone for all the help..
  • Getting close.

    0 Votes
    1 Posts
    408 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.