I get even worse results ...

Machine A (pfSense 2.6.0):

time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm 2022-02-26 19:22:27 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled 0.192u 0.000s 0:00.19 100.0% 601+171k 1+0io 0pf+0w

Machine B (pfSense 2.6.0):

time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm 2022-02-26 19:22:35 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled 0.587u 0.023s 0:00.61 98.3% 618+176k 0+0io 0pf+0w

I spent most of the day trying to reach reasonable speeds, and this is the result:

iperf3 -c 172.16.16.1 -R Connecting to host 172.16.16.1, port 5201 Reverse mode, remote host 172.16.16.1 is sending [ 5] local 172.16.16.2 port 53032 connected to 172.16.16.1 port 5201 [ ID] Interval Transfer Bitrate [ 5] 0.00-1.00 sec 6.10 MBytes 51.2 Mbits/sec [ 5] 1.00-2.00 sec 8.03 MBytes 67.4 Mbits/sec [ 5] 2.00-3.00 sec 7.28 MBytes 61.1 Mbits/sec [ 5] 3.00-4.00 sec 7.60 MBytes 63.8 Mbits/sec [ 5] 4.00-5.00 sec 6.77 MBytes 56.8 Mbits/sec [ 5] 5.00-6.00 sec 7.17 MBytes 60.1 Mbits/sec [ 5] 6.00-7.00 sec 8.87 MBytes 74.4 Mbits/sec [ 5] 7.00-8.00 sec 7.41 MBytes 62.2 Mbits/sec [ 5] 8.00-9.01 sec 7.54 MBytes 62.9 Mbits/sec [ 5] 9.01-10.00 sec 6.44 MBytes 54.3 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.14 sec 73.4 MBytes 60.7 Mbits/sec 91 sender [ 5] 0.00-10.00 sec 73.2 MBytes 61.4 Mbits/sec receiver

😞

@jknott said in OpenVPN Not working after update:

Are there changes in the new version (again) that cause earlier versions to fail?

There are always some pesky minor changes, that's why "just updating" pfSense == updating OpenVPN creates "OpenVPN Not working after update".

The "OpenVPN server" is just a process that listens on a port, typically UDP/1194. That's just a firewall rule, no nat needed.

When the connection doesn't work, that is because the 'client' doesn't understand the 'server', or the other way around.

@gertjan

That setting doesn't work for me in the issue I've been having.

I also have encountered this issue. What occurs is that pfSense sometimes gloms the options together when OpenVPN is restarted, causing a syntax error. So

pull-filter ignore "ifconfig-ipv6" pull-filter ignore "route-ipv6"

becomes

pull-filter ignore "ifconfig-ipv6"pull-filter ignore "route-ipv6"

You can workaround this problem by adding a comment marker at the end of each affected line, like:

pull-filter ignore "ifconfig-ipv6" # pull-filter ignore "route-ipv6" #

@viragomann sorry how do I do that? How do I get to the configuration file?

Basically, when doing a whatmyip, I want a WAN address of my VPN endpoint, not my actual IP address at home.

Also, I would expect to see the VPN route reflected in a tracert if I'm not mistaken.

Thanks

@viragomann Hi
All port seems to be closed on pfSense, even they are not.

I use and "port checker" (on internet) and it shows that ports are closed but they are not.

I already disabled AV and Squid.

After reverting this changes https://redmine.pfsense.org/issues/12232 in file after update, active connections shows again in OpenVPN status.

@johnpoz Thanks

@bob-dig Thank you!

@dlogan
No, this cannot be done in OpenVPN.

I think, you could achieve this with two failover groups with inverted gateway priorities. But this requires two different OpenVPN servers on the main site.

If you want to fix this regression pls apply this patch

3ade222beb2cae2c0681ed69d4e5a0c82c6303f9

@jly2680
Same problem ?
Then you should be able to find the answer here.

Btw : you're late. 2.5.2 is past now, so is OpenVPN 2.5.2. It's pfSense 2.6.0 now, and OpenVPN 2.5.4.
But, be happy, the issue stays the same. Depending your setup you use, some adjustments have to be made.
As always, as everything, this needs the old way of finding solutions : look at the logs. Make the errors go away. Do what needs to be done.

@viragomann Thanks. Came here to report the final solution and I see you had answered with the same. The issue was that the default gateway was not responding to ICMP. Changing the monitoring IP to something else had immediately brought the Gateway up, and the routing now works as expected.

This took way longer than it should :o

Hi, thank you all for your valuable input. I went with Cert+RADIUS to have extra layers of protection, like @TO2020 mentioned. This way I have a tad bit more security and a better integration into active directory where I manage all accounts.

@misinthe said in Issues with Subnet behind UDM Pro:

It was just the internal networks on the pfSense weren't able to go through the UDMP.

Most likely because the UDMP was still natting, and to get behind you would have had to setup port forwarding on the UDMP, etc.

If your going to use the pfsense LAN as transit network to downstream router, please do not put any devices on this network - or your going to run into asymmetrical traffic flow. Whenever you connect 2 or more routers together, especially if they can firewall devices on this "transit" network between routers are going to have asymmetrical flow unless you route on each of these hosts to which router to go to get to specific networks..

If the downstream router does not nat you will most likely see the problem with downstream network trying to talk to devices on the transit..

You run into this problem..

ass.jpg

Pfsense never saw the SYN, so a SYN,ACK going to be block.. If your going to setup routers that talk to each other and route between networks they are attached to.. Setup a transit network.. See this diagram.

pfsense-layer-3-switch.png

@jmartinelli said in Very low speed on OpenVPN:

I thought that wiregard was dropped from pfsense support (i.e; no longer supported)

7a61259d-5d4c-4758-baec-d1c1e2077ea5-image.png

EXPERIMENTAL

@viragomann ok figured it out
plex was getting the my site 2 public ip so it was trying to connect directly
so I gave the docker its own IP and made this rule 57acdb42-e989-4ae8-9caa-b086ab97f01e-image.png now I get
29717dc3-d5e4-4881-8b42-f697f29d33c0-image.png
this is my rule
957da0c2-55b8-4602-b8b2-61e0bdec29c9-image.png
I even tried
1d3d78f6-8a74-482f-b315-cbe535e2c743-image.png
to test if I left a port closed but still the same.

when I disable the rule that changes the default gateway to site 1 it finds the private and public IP just fine

@troutpocket
I had this issue in former versions of the network manager OpenVPN client.
To workaround, I checked "don't pull routes" and entered the remote network manually above. As far as I remember, you only need to enter the network and mask and save it.

@thebonden this is easy if you want we can do it for you, we offer technical support at a very low cost!

@Gertjan

Thank you, the monitor IP (8.8.8.8) and compression is what I needed to make mine work!

@netblues im trying to optimize for performance with a good security balance. But that works for me too, thanks for the input

@dael-sutton said in OpenVPN client connections get dropped when rc.filter_configure_sync script runs (every 15min from crontab):

Yee-Haa. Unticking that "flush all states" tickbox seems to have done the trick. Thankyou @Silence for your patience while I grabbed at straws until the correct one appeared. 15:15 came and went and my test openvpv connection didn't drop, and my ssh session stayed running too.

Don't forget to like the comment that helped you.

@johnpoz OK thanks ... I have learn alot thanks to this forum ...

@viragomann this makes a lot of sense. Thank you for the information!

Just want to share one more thing if i connect LAN cable directly on my desktop internet is fine and working but when i use internet through the WIFI router there is no internet and i can't access the webgui either.

@to2020 I managed to resolve this issue myself.
I came across this article https://redmine.pfsense.org/issues/9511

So even thought my regular login to my pfSense has access to "WebCfg - All pages" which is inherited from admins, it does not include the advanced options.
Looking at the permissions for the "admin" user itself, I see nothing different, but that user still has access to these advanced settings.

@mgideon It boils down to how do you authenticate your users to deliver secure information.
pfsense doesn't have something automated in any case.

Does anyone have any thoughts around this?
Or maybe this is of no concern to most users or IT security admins?

@trever
So you fail to access VPN clients?

Consider that each client run its own firewall. And firewalls of different operating systems can have different default settings naturally.
Maybe you noticed that your issues concerns Android devices only.

Hi @viragomann,

You're my hero! I've added the certificate to the certificate manager and selected this certificate in de VPN config and that was the solution.

Thank for your help :-)