• Bypass VPN Tunnel Interface - Outbound

    11
    0 Votes
    11 Posts
    2k Views

    Been stable for 24 hrs now. All working as it should with VPN bypass Aliases in place. Should it stop again, I will definitely look at the IPs for the CDN and refresh them to see if that's it. Had not thought of that. Happy to post tables etc. for others if it would be of help.

  • VPN to VPN

    6
    0 Votes
    6 Posts
    772 Views

    That was exactly it, thanks for the help.

  • Search certificates in MS store not only by THUMB and SUBJ

    1
    0 Votes
    1 Posts
    145 Views
    No one has replied
  • 0 Votes
    5 Posts
    1k Views

    @viragomann

    I have no idea if I have messed something up or if it's a pfsense thing or an openvpn on centos thing.
    It's been a while since I worked on a bare OpenVPN server without pfsense, but there isn't much to set really vs using the web GUI in pfsense.

    I have recreated the VPN twice and keep getting the same thing.

    I have resolved it to some degree by telling pfsense which is the default gateway vs using the automatic option in the System > Routing > Gateways page.
    I've never had to do that before on a pfsense setup. But as I say, I don't understand why the behaviour differs between this VPN and every other VPN I've ever created.

    Maybe I just need to sleep on it tonight. :)

    Regards
    Dave

  • OpenVPN configuration help, android and tunnelblick

    1
    0 Votes
    1 Posts
    244 Views
    No one has replied
  • Unexpected routing with client specific overrides

    2
    0 Votes
    2 Posts
    415 Views

    UPDATE: Got this fixed. Turned out I had a space after a comma in the remote networks line, so it ignored everything after it. Works as expected now!

  • Open VPn will not start with /16 subnet

    2
    0 Votes
    2 Posts
    296 Views
    johnpoz

    Well since you're using ALL the 192.168 space.. your tunnel would have to be using something out of the 172.16/12 space or the 10/8 space..

    Why would you be using such a large network? Do you have some 65K clients on this network?

    Set your local network to be something realistic.. How many clients do you have? And then use a tunnel network that is not inside that space.

    Say for example 192.168.0/24 or 192.168.0/23 if you had say some 500 devices on your network. Then use something other for your tunnel, say 192.168.2/24

  • Setting up OpenVPN to access work

    13
    0 Votes
    13 Posts
    1k Views
    Pippin

    From memory,
    With regards to SHA1 being broken, this is not the case in OpenVPN.
    This is because of the way it is used (HMAC-SHA1).
    Add to that the key that changes hourly by default (--reneg-sec).
    If one would be able to break through OpenVPN's layered security (if setup that way) one could get one hour of data.

  • OpenVPN and PIA Issues?

    10
    0 Votes
    10 Posts
    945 Views

    Yeah, I honestly have tried all that. I think it's an issue with PIA and OpenVPN certs. I've seen many people just do a complete reinstall and get OpenVPN working first, then add PIA/pfBlocker to see where the problem starts. I'm going to do that.

    Thanks for your help!

  • [Solved] Help routing all traffic through PFSense OpenVPN

    6
    0 Votes
    6 Posts
    16k Views

    Got it! Thanks so much for your help.

    I've changed a dozen settings in the last couple of days so it's hard for me to say exactly what did it. The last thing I did before it started working was actually to uncheck the box that says "Force all client-generated IPv4 traffic through the tunnel." And now when I go back in, it shows checked again... hmmm.

    In any case, it's working now and I hopefully won't ever have to do any troubleshooting ;) Thank you again for taking the time to help me.

  • pfsense boxes unable to reach each other over openvpn tunnel

    25
    0 Votes
    25 Posts
    2k Views
    KOM

    Ah I didn't see that.

    I prefer the docs. The videos are nice but too much blah blah blah. I can watch an hour-long video and try to hunt down the meat by skipping around, or blast through a text guide in 10 minutes. That's not to say that I don't like or appreciate the videos. On topics that I have little knowledge in, they're extremely helpful and I watch the whole thing. But when I just need the quick & dirty particular steps, the guide is best for me.

  • Bulk Export of Certificates

    2
    0 Votes
    2 Posts
    879 Views
    johnpoz

    They would be in the xml when you backup "all"

    If all you want to do on the restore is the certs and info, you would have to manipulate the xml and then restore it..

  • OpenVPN Routing issues with Sierra Wireless RV50

    1
    0 Votes
    1 Posts
    561 Views
    No one has replied
  • Client Specific Override users duplicate cert

    5
    0 Votes
    5 Posts
    708 Views

    That's exactly what I have done. I was looking for an easier way to administer for CSO users with multiple devices (iPhone and iPad). When sharing the cert didn't work, I assigned a new username/cert for each device. It's workable but cumbersome when users have a PC, iPhone, iPad, and possibly an Android device.

  • Questions about OpenVPN

    2
    0 Votes
    2 Posts
    309 Views
    KOM

    I connect remotely to a 100/100 link and it's very smooth.

    How did you configure your OpenVPN server? Did you follow the wizard or use a guide or change any non-default settings, for example?

  • OPENVPN on DUAL WAN

    1
    0 Votes
    1 Posts
    232 Views
    No one has replied
  • 0 Votes
    7 Posts
    696 Views

    @shshs said in Unable to work over multiple concurrent connections for the same client account:

    But to restrict a VPN user access in a firewall you have to explicitly assign the IP address to its connection, so the IP remains the same each time the user connects to VPN. And to do this you have to specify subnet per user in CSO.

    Not a single IP, but a subnet, since you have a net30 topology. As mentioned above you may set here at least a /29 subnet to realize two client connections from the same user, a /28 for four and so on.
    And you have to use exactly the same subnet in your filter rules source networks.
    It would be more clear if you post some screenshots of your OpenVPN server config and the CSOs and filter rules.

    Since I have separate VPN servers (not CSO!) for achieving different permissions to multiple user groups, I use the tunnel subnets in my filter rules.
    And I asked you if multiple OpenVPN servers may be an option for you.
    I've never run multiple connections with the client for which I've assigned a CSO.

  • VPN up - Gateway Down - VPN not routing out to internet

    11
    0 Votes
    11 Posts
    1k Views
    BogusException

    @wrodriguez56 awesome!

    Might help someone else reading down the road. 🙂

  • Help with my PIA OpenVPN setup

    4
    0 Votes
    4 Posts
    380 Views
    NogBadTheBad

    In the OpenVPN client settings:-

    Screenshot 2019-08-11 at 20.35.04.png

    I bet if you were to look at Diagnostics -> Routes the default route is pointing to the VPN

  • Site-to-Site OpenVPN, connects but client site loses Internet

    8
    0 Votes
    8 Posts
    698 Views

    I have fixed my site-to-site config. Unfortunately this was done by deleting the client and server config and recreating them. It now connects but Site B keeps its internet. Backup taken (just in case) and adding desirable tweaks, like adding an interface so the traffic graph is drawn on the homepage. If it breaks again I will restore the backup.

    If I figure out a change that stops internet access for Site-B again, I will post here.

    Thanks to both who tried to help. Much appreciated.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.