https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site

So to clarify your asking how to circumvent your schools policy and sneek a vpn connection through?

While there are many ways to do that.. You really should check with your schools policy on such activity - if you have a legit reason to use a vpn from your schools network then they should give details on how to do that.

While you might find some people here willing to help you circumvent.. Many here will not be willing to offer such help.. Good luck.

tun-mtu 1500;mssfix 1400;fragment 1300;

Thanks axelf911, that worked for me.

Now, I also connect into my pfSense Server via OpenVPN; and would like to be able to route back to the RV50.

I have an identical config that allows me to route to another 4G OpenVPN device (H685-OpenWRT) - but I can't do it to the RV50.

Do I have a mismatch?

@katinatez:

Thank you so much!! have been struggling with PIA speeds. Tried just about every configuration but could not pass 45 Mb download with a 400/40 Mb internet plan. I have achieved  the best speeds so far with your config!!

My question is if I want to use 128 encryption would the special config change to this? Thanks for your reply.

This is running pfsense 2.4.3 for referrence for other users.

explicit-exit-notify 2;
ifconfig-nowarn;
tls-client;
persist-key;
persist-tun;
persist-remote-ip;
remote-cert-tls server;
auth-nocache;
keysize 128;
tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA;
fast-io;
sndbuf 524288;
rcvbuf 524288

I have N3150 with AES-NI extensions and my ISP line is 100/20 Mbps.
I need to actually say I didn't noticed any appreciable speed difference setting down AES-128-CBC.
Your config looks good, just try it.

I found that the solution can also lie in the interface settings.

https://forum.pfsense.org/index.php?topic=129871.0

In the OpenVPN Client Protocol dropdown, you probably have selected "UDP IPv4 and Ipv6 on all interfaces (multihome)".
That ignores the selected interface.
Select "UDP on IPv4 only"

Also, make sure the OpenVPN interface is set to be the WAN CARP VIP, not the WAN IP.

This fixed the problem on my end.

Hello,

I finished installing openvpn and I did not exactly do it wrong, by chance I managed to solve it.

May 2 15:13:15 openvpn 85741 Options error: –server directive network/netmask combination is invalid
May 2 15:13:15 openvpn 85741 Use --help for more information.
May 2 15:13:24 openvpn 3650 Options error: --server directive network/netmask combination is invalid
May 2 15:13:24 openvpn 3650 Use --help for more information.

obrigado,
Rodrigo

So I managed to get this to work. I need to include some push directives on the server side that resized the send/receive buffers for clients.

I now have a separate problem- although I'm getting line speed through the VPN, I'm now having an issue with web browsing from behind the VPN and I'm not sure why. Specifically, http/s traffic in general is anywhere from 2 to 3 times slower at certain instances than when I don't use a VPN. There doesn't appear to be any particular constancy to when it slows down. I have configured unbound to do DNS queries via Cloudflare. I've been using a browser addon called "Page Load Time" which breaks down the webpage stage loads. Accordingly, I'm usually spending most of my time in "Connect", "Request", and "Response."

Thanks for the feedback.

Well i tried to configure openVPN using my default WAN adapter. I had some weird issues, i got errors after configuring openvpn and pfSense admin page displayd some filter reload erros. Also after restart i had no internet connection on my lan devices.
So i took the openVPN server down and removed all the firewall rules and did a fresh restart. After that, when i set up openVPN again, on the default WAN interface, at lease i got it to work.
Weird is also the fact, that this is almost a fresh installation, i havent really configure anything.

I think this was the issue with the virtual IP also, but i am going to reconfigure the openVPN when i have enough free time.

All settings are default.
The NAT between the LAN-WAN (and OPT1) works as expected. (I use dual-WAN config and Gatewas groups).

Packet capture was showd the packets with original addresses.

ovpn_nat_settings.png
ovpn_nat_settings.png_thumb

try viewing this website for the PIA DNS servers: https://helpdesk.privateinternetaccess.com/hc/en-us/articles/219460397-How-to-change-DNS-settings-in-Windows

then go to system > general.  and add them there

THEN go to services > dhcp server > servers / DNS.  add them there

post again after you have rebooted the pfsense router

i have found adding DNS to the general tab is what causes the leaks.. when i use the PIA DNS servers on the actual SERVER DNS it fixes leaks for me.

this is for PIA and AIRVPN… i also do not use the DNS forwarding tab. its disabled,  i use the DNS resolver tab

not a pro, just sharing my experience with my setup

In your tunnel settings for the OpenVPN server: You state that you MUST check "Bridge DHCP" - this is NOT a MUST:
I don't check this in my config
I guess it depends on how you want to provision your network.

Did it on iOS - All correct.

Re-installed on Samsung & rebooted; all is working correctly.

Thanks for your help anyway, it made me go through and check all settings.

I got it figured out after reading a few more articles, and examining firewall logs!
In the end, I still needed to do a few things:

Create an Outbound NAT entry for the VPN

Create a LAN FW rule to explicitly permit SiteB traffic to VPN Gateway

Fixed VPN FW rule to allow all types of traffic (not just TCP/UDP)

Thanks for your feedback guys. It was helpful knowing I was headed in the right direction.

I don't think you read my OP very thoroughly. I pretty specifically laid it all out as to why I want this. It's not a matter of hating on IPV6 or not wanting to ever use it, only that in its current form my privacy and security cannot be protected with IPV6 like it can with IPV4. The second that changes I will be the first to jump on using it but not until then. IPV6 isn't the problem, VPN providers not supporting it is. I think it's pretty self-explanatory.

That's a bug in the OpenVPN wizard. It is known and fixed in next release.

Edit the OpenVPN firewall rule created by the wizard and set the protocol to UDP and save it. It should work then.

"So i'd like to keep the /8 for the LAN (if possible)."

For what possible reason would you need such a large mask… Do you have 1.6 million some hosts on this LAN?

A /8 makes zero sense on an interface - its only uses would be firewall rules and or summary routes, etc.

Use of such a network means that you will have nothing but issues with vpn clients that are coming from any network using 10.x.x.x address space...

Pick a realistic network size.. Love to help you work out whatever issue it is your having - but setting such a mask is just stupid, and made a new promise to myself not to deal with stupid ;)

Hi

you can set advanced parameters in the config screen VPNOpen -> VPNServers -> Edit -> Custom options
there you can add a line like:

Ping every 60 seconds, restart after 300 seconds without a reply.

regards tohil