• OpenVPN as a Client on OPT1?

    1
    0 Votes
    1 Posts
    418 Views
    No one has replied
  • Site to Site shared key some devices cannot be reached

    5
    0 Votes
    5 Posts
    1k Views
    It definitely was something on pfSense. Since I ran out of time I had to replace both of them with something else. Changed nothing else and it instantly worked. Pretty unsatisfying though. Really would have wanted to know what exactly was causing the problem. Also very unfortunate that paid support by incident is no longer available. Definitely would have been willing to pay for support for that but with the new contracts only system it would have cost me almost $2000 /:
  • No Pings beyond pfS Gateway

    4
    0 Votes
    4 Posts
    792 Views
    Ensure that
    - pfSense is the default gateway on the hosts behind.
    - you have a firewall rule set on the OpenVPN interface which allows the access.
    - the destination hosts' system firewalls do not block the access.
  • 2 problems with routing on site2site + failover (carp)

    1
    0 Votes
    1 Posts
    481 Views
    No one has replied
  • Site to Multisite VPN Configuration

    2
    0 Votes
    2 Posts
    469 Views
    Dear All, Can you please guide how to configure Site to Multi site VPN Connection. I have Site A (Head Office) +Site B (Water Factory) +Site C ( Steel Factory) + Site D ( Crusher Factory). I have Static ip and dyndns accounts with me Regards kiruba
  • OpenVPN and Socks support

    2
    0 Votes
    2 Posts
    881 Views
    Hello everyone, any thoughts on this issue? I've spent hours already but nothing works unfortunately.
  • Pfsense openvpn client, manual control and logon info

    1
    0 Votes
    1 Posts
    460 Views
    No one has replied
  • Problems setting up Mullvad

    19
    0 Votes
    19 Posts
    7k Views
    @bimmerdriver: I'm trying to set up Mullvad using pfsense 2.4 beta. Their guide (https://www.mullvad.net/guides/using-pfsense-mullvad/) is somewhat vague and is for an earlier version of pfsense. It's working for ipv4 but not for ipv6. Can I ask, did you deviate from the guide at all? I have tried to setup mullvad on my pfsense box following that guide and it doesn't seem to be working at all. I am relatively new to this so any help would be greatly appreciated as you seem to have it working for IPV4, which is all I need at the moment.
  • 0 Votes
    5 Posts
    1k Views
    Hi, I solved it! I had made it more complicated than it should have been! :D I followed the documentation and set up another server on another port. A peer-to-peer server then you could specify "client" network and then the routing got solved by itself. It works flawless now :-) I just love pfsense more every day :P Thanks for your concern and fast answers! :-)
  • How to add a CentOS to an existent pfSense openvpn configuration

    6
    0 Votes
    6 Posts
    2k Views
    Hi whosmatt, Thank you very much for the help! Actually the CentOS server is one of my openvpn-clients since it is behind firewall I have no control on. I have used sudo systemctl enable openvpn@pfSense-TCP… and it is working perfect. I am using TCP since it is thru ssh-tunnel. I rebooted it several times and it is starting automatically after the start of my kvm. I am actually thinking to change the kvm with oVirt. Do you have any experience with it? Best Regards, agrozdanov
  • OpenVPN + Resilio Sync… iOS clients can't direct connect to LAN peers

    1
    0 Votes
    1 Posts
    657 Views
    No one has replied
  • Open VPN on separate subnet

    2
    0 Votes
    2 Posts
    697 Views
    I'm no expert either but I do have a similar setup, a single PC routed over my VPN with all other traffic going over the WAN. I don't see why you couldn't do the same but just specify a /24 instead of single host.
    Firewall / Rules / LAN
    Create new Rule
    Action: Pass
    Source: Set your 10.0.20.0/24 network
    Advanced Options - Gateway: Select your VPN
    Save.
    Move the new rule above the "Default allow LAN to any" rule. Click "Save" then "Apply" and restart your VPN service.
    If this is off track please give some more details.
    -Chris
  • Load Balance OpenVPN Client

    4
    0 Votes
    4 Posts
    1k Views
    I was testing on the PFSense Console that's why it was not working. I tested on a computer connected to the LAN of the PFSense and the traffic is being routed however the Load Balancing is not working as expected, most of the traffic is leaving from the first OpenVPN Client. EDIT: I tested with a download accelerator downloading a file on a web server hosted on the "House 1" and it uses all the bandwidth from both WAN's. I guess my problem is solved then. If someone knows some ways to improve or tweak feel free to post.
  • Synology 'Shared Folder Sync' over pfSense VPN tunnel doesn't work

    3
    0 Votes
    3 Posts
    1k Views
    So, I do have some answers for you. Yes, MTU is affecting ping and tracepath, but that may not be the problem here…though, pmtu may be to blame. The best thing I can suggest is to try and run a packet capture on each end and on one firewall or the other to see if the packets are needing to be fragmented and are not getting fragmented. If the DF flag is set, then it could be dropping packets once it hits the firewall if the mtu is not properly set. Your ss shows that mtu of 1198 works to ping over the tunnel. What I recommend you do to verify this is to use something like this: ping -c 2 -M do -s <size> <ip address> ...the above is a linux command, but it should show that the message is too long until you drop it down to 1198. The second thing to do is check that pmtud is running/enabled. The next step is to make sure that ICMP type 11 can make it through each end of the VPN tunnel as that will show "destination unreachable" and is what is necessary for PMTUD to work. Of course, the quickest and easiest way to see if MTU is the problem is to drop the MTU on your Synology interfaces down to 1198 on the interface itself (generally can be achieved with ifconfig <devicename> mtu 1198 run as root/sudo). If you drop it down to 1198 and can ping without using the -s flag to drop the message length and rsync STILL isn't working...there may be other factors at play. Also, something to consider is the methodology that rsync is using to connect to the remote host...this generally is done over the rsync port IF there are no credentials for ssh access...rsync is PREFERRED to be done over ssh, however, because it is more secure than using the unsecured rsync port (I do realize that you're doing this over VPN, but it's still more secure to do rsync over ssh).
    In another note that I remembered based on your statement "Logging into the GUI of the first Synology, and mounting the second Synology to the local filesystem and consequently copying a large movie (5 gig) through the VPN tunnel works fine. The other way around works fine too." ...suggests that general connectivity is fine between the two devices...this likely means that there is a firewall in the way or something to that effect for rsync specifically. I would also like to address why you were getting a "too many hops message"...that was due to the devices in between each point not responding to the ICMP type 11 time exceeded that should be received on traceroute and tracepath messages...you should look at how those work to get a better understanding of the tool. The basic function is that a packet is sent out with ttl=1. Once it gets to the next hop, it decrements the ttl and checks to see if the ttl has expired, if expired, it sends back ICMP type 11, which lets the client know the next hop's information. It repeats this until it hits the final destination and checks for "Destination port unreachable" ICMP message to be sent back. It does this (by default) over UDP in Linux/Unix. So, the reason you got the messages COULD be for a few reasons, but it looks like none of the devices responded to the ICMP messages. This very well could be due to MTU, but tracepath will drop the MTU automatically...the more likely scenario is that these devices are not responding to ICMP type 11 messages. ...hope some of this is helpful.
  • OpenVPN works but qnap cannot be contacted from VPN clients

    2
    0 Votes
    2 Posts
    1k Views
    It's quite possible that the Qnap won't accept traffic from any network outside the LAN it's attached to.  The traffic from your OpenVPN connection appears to come from your OpenVPN network address. Have a look at this thread.  Substitute your subnets/addresses into jimp's solution and see if it works. Edit:  I don't know about the Qnap but you may also be able to configure the networks allowed to talk to it, as you can in NAS4Free.
  • Multiple WAN OpenVPN with Cisco security appliance

    1
    0 Votes
    1 Posts
    445 Views
    No one has replied
  • Can't send specific port traffic over VPN

    3
    0 Votes
    3 Posts
    972 Views
    johnpoz
    "Source Port Range to 50000 (torrent client port)" Because your client is not using that as its source port..  Source ports are normally some random port above 1024.. you're sure your traffic was going to X from the source port 50000, you saw that in the clients connects with a simple netstat on the client.
  • Can't add Cert

    4
    0 Votes
    4 Posts
    1k Views
    johnpoz
    Just looked at their instructions - not sure what their point of trying to get you to put the key in for the CA.. They don't have a clue ;)  That is the key they are using for the tls auth - it's right in their config..
    client
    dev tun
    proto udp
    remote vlau-us1-ovpn-udp.pointtoserver.com 53
    persist-key
    persist-tun
    ca ca.crt
    tls-auth Wdc.key 1
    cipher AES-256-CBC
    comp-lzo
    verb 1
    mute 20
    route-method exe
    route-delay 2
    route 0.0.0.0 0.0.0.0
    auth-user-pass
    auth-retry interact
    explicit-exit-notify 2
    ifconfig-nowarn
    auth-nocache
    So clearly it's not the CA private key ;)
  • Remote Access to lan via Open vpn client

    3
    0 Votes
    3 Posts
    1k Views
    Hi Sorry for late. In pfsense I did not get public ip at wan interface cause of my ISP. So I can not remote access to my from Internet.
  • Help troubleshooting OpenVPN / Firewall Config

    9
    0 Votes
    9 Posts
    3k Views
    thanks for trying to help gjaltemba !! I am embarrassed to say my son on the other end was the one telling me that he couldn't connect to anything on the remote LAN from the home LAN.  As I was troubleshooting that issue, he mentioned the internet had been acting up for "about the past hour" - this is at the home address running pfSense, and it happens to be on a gigabit connection. After troubleshooting that issue to TWO LAN computers where two other members of the household were each downloading (and I think possibly seeding) a 3.3 GB patch for ARK (and then stopping those) - he could immediately connect to the ASUS LAN cameras web server.  He isn't able to see the video streams, but I can see them on my phone across two VPN connections, so I think it must be 99% working. Knock on wood, I think it might be fixed *
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.