See image here https://forum.netgate.com/topic/156544/ipv6-over-openvpn?_=1599304505033

thanks for your update. OpenVPN 2.5 will allow to pass a domain search list to Windows clients, see

https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst (search "Support setting DHCP search domain")
https://community.openvpn.net/openvpn/ticket/1209

Glad you have it working now.

-Rico

@Rico Thanks for the link! I don't know why I didn't go there first.

@johnpoz netgear C300. yes when i configured my netgear as a brigde my laptop grabbed an IP public, but when i tried to configure wan interface trough dhcp, it shows as 0.0.0.0.

Glad you have it working now.

-Rico

@techsovereignty
The remote devices need to use pfSense as default gateway to access them from the VPN client.
If there is no option to set a gateway you have to nat the packets to these devices to the pfSense local IP.

You're only talking about the router and the switch. I think, there will be other devices, which you're capable to access?

@sceptre357 try to make a packet capture of the RADIUS response and check it for the network mask value

OK, the problem got fixed on the Cyberghost side. This can be closed.

@MrGlasspoole
Yes, I guess it is blocked in these networks.

You may setup your OpenVPN server to listen on port 443 TCP to avoid blocking.
However, TCP has a worse performance than UDP. So you may also run two servers as I do. One is listening on 1194 UDP, the other is listening on 587 TCP, thinking port 587 is mostly allowed, since it is used on some mail servers.

Then you can configure your client to connect to the second server if the primary isn't reachable.

@sbuchanan Thank you so much. That was an exceptionally frustrating 2 days I just spent on this. It's almost more upsetting that it was just a single checkbox for an optional feature.

Im using FF 80.0.1 and not seeing this..

Just tested with multiple config for multiple openvpn instances running.

The downloaded files are 6kb in size and look normal..

BTW - I snipped out that IP you posted, you prob didn't want that posted.

@viragomann Thank you. We solved the issue by not using port 1194

There is no need to hide private IPs.

@powerextreme said in OpenVPN Rules and Routing Problem:

I don't know why if I specify the gateway the access to local IP's go away.

Cause that rule allow only traffic to the specified gateway. You will need an additional rule on the top of the rule set to allow access to internal subnets.

What do get on the client, when you try to access an internet resource?

Check if you can access the web by using an IP instead of a host name to rule out a DNS issue.

@aimalkay said in OpenVPN Remote Connection unable to complete connection after update. Details/Screenshots attached:

Packet Capture Output:
02:13:59.922186 IP 52.202.215.126.49740 > [MYPUBLICIP].1194: tcp 0
02:14:00.919181 IP 52.202.215.126.49740 > [MYPUBLICIP].1194: tcp 0
02:14:02.923256 IP 52.202.215.126.49740 > [MYPUBLICIP].1194: tcp 0

That packet capture shows TCP attempts while your server is on UDP.

I see the:

WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.

From your logs. Just to confirm, the guide you followed is this one, right?
https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/

It specifies, among other steps, providing the following custom options that include remote-cert-tls:

fast-io;persist-key;persist-tun;remote-random;pull;comp-lzo;tls-client;verify-x509-name Server name-prefix;remote-cert-tls server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288

Do you have those custom options, and everything else specified in the guide? I'm not an expert on VPN client config, although I have run with Nord clients for a long time without issue. You may also want to post screen shots of your entire client configuration.

I wonder if it has something to do with encryption. When I first implemented OPENVPN on our PFSense router [using the software on an old PC] i was having issues with speed. After doing some research I discovered that the CPU of the PC did not have any of the hardware crypto supported in PFSense. I then bought a cheap but 'newer' PC with an Intel I5 CPU and speed was never an issue again. Here is what I have now:
CPU Type Intel(R) Core(TM) i5-3570 CPU @ 3.40GHz
Current: 3400 MHz, Max: 3401 MHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)
Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM

OK, this has happened several times. What does "Type-of-Service" do? I have had this happen where everything is working just fine, and then all communication drops between the two networks. I go in and toggle off the "Type-Of-Service" on both firewalls and communication is restored.
I have the TOS on (I'm thinking) so that my VOIP phone on the 2.0 network can utilize traffic shaping on the server on the 0.0 network with higher quality.
I have not changed anything over the last few days, but just all of a sudden, this was blocked.
I'm on 2.4.5-RELEASE-p1 on both machines.