@viragomann I was able to open the .exe as an archive in 7-zip and just rename the .ovpn as you don't even need to run in it as a command - rename is an option when right-clicking on the file whilst having the it open as an archive.

Thanks again for pointing me in the right direction!

@viragomann actually I use an alias with my various subnets, including the tunnel subnets, so I believe it is covered. I also use an interface for my OpenVPN servers and don't use the "general" OpenVPN tab as such. That way I have some idea what is going on by doing things manually.

I need to do a bit more digging into this.

@postuser49
Try to use AES-256-GCM cipher. The CBC is a known as less performant.

You can find further tuning hints on Netgate's VPN Scaling page.

@whitefed0ra are you still having connection problems with PIA? I'm asking because my PIA also stopped on PFsense 2.60...
After reading several posts, I was told that using TLS keys are going to be removed in PFsense v2.70. If this is true, I don't know yet and first must be determined. Until then, my VPN is offline.

@viragomann
Thanks, I see now the part of Remote Networks that I didn't see before.

After some more testing, I decided to try using WireGuard as an alternative. Problem fixed in 10 minutes.

I agree, pfSense could be much easier. But it is not a consumer product, it is for the enterprise and those are the ones who are willing to pay the money its cost.

@powerextreme Probably best to troubleshoot from the pfSense side.

Is the OpenVPN firewall rules tab showing that you're passing all data?

Are there any blocked events in the Firewall log related to your OpenVPN connection?

@betahelix Nothing really sticks out as a problem but you can try turning off hardware crypto.

The other thing is viragomann's suggestion.
You have:
ifconfig 192.168.72.1 192.168.72.2
route 192.168.10.0 255.255.255.0 192.168.72.1

Should be on the client side:
ifconfig 192.168.72.2 192.168.72.1
route 192.168.10.0 255.255.255.0

Other than that, my guess is something on the Asus which I know nothing about. Might check if they have some kind of support forum too.

@viragomann Confirmed you were correct!

Adding a 2nd Phase 2 rule at both ends tells it where to send the traffic and it works perfectly.

Thanks for the tip!

@dimitri21 nevermind it was the windows firewall.

Powershell

New-NetFirewallRule -DisplayName "Allow inbound ICMPv4 from Patch Svr" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress 192.168.71.110 -Action Allow

I solved it by having a constant ping to my client and noticed the openVPN traffic spiked on the client but no reply. So I assumed it was the client. Then I turned off the firewall and had ping. I then noticed the scope ip range for a private network is only the local subnet, not the patching server. I then added the patching server ip address in and turned on the firewall and I didn't lose ping. I then decided rather then figuring out which profile its in, rather to add specific firewall rules just for the patching server only.

Hope this helps someone.

@viragomann Hi, I solved! Your advice got me reasoning. I send you the configuration done:10.10.2.254_services_dnsmasq.php.png

@johnpoz thanks and understood. The double nat suggestion sounds familiar and I assume it's safe to say that the pfSense features are a superset of whatever the freebie ISP router has (I don't have access to the mfr/model info at the moment) so we shouldn't be losing anything by moving the network to the pfSense unit.

Many thanks!

@erlandghd well let us know how it works.. If you run into trouble, happy to help. But this weekend I prob not going to be around - My youngest son is getting married this weekend ;)

@gasper_gt
In the OpenVPN server settings check "Redirect gateway". This pushes the default route to the clients.

Additionally there is an outbound NAT rule necessary on WAN for the the source of the VPN tunnel network. If it isn't added automatically by pfSense you have to configure it manually.

@mrneutron hmm I have never seen that, but I don't recall an outage of that long in very long time..

Normally the outages here are very short, like 1 hour is really long outage.. We had pretty bad storm last night in the area, lots of people in the area out for really long time (downed trees taking out lines I think) - still out I think for some, but we were lucky my power bounced, it was maybe 10 seconds if that.. Long enough to reset all the clocks etc. But I didn't even hear my upses start beeping that they were off Ac.

Just long enough for all my smart lights to turn on because of the outage.. You know power bounced in my house because all the smart lights turn on when it comes back - hehe.. I have one of my alexas on ups so when it bounces like that I can turn off house without having to wait for all the alexas to reboot ;) And since network and internet are still up when have a power outage can normally still control stuff from the one alexa..

But if you loose internet like that, you should prob just need to reboot your modem and not even worry about rebooting pfsense.

But hope the reject thing helps.. Heres hoping though you don't have to see if works for a long time.. Power outages suck ;)

We did have one long time ago where we were out for 3 some days, but electric company even paid for food we lost in frig, etc.