THANK YOU this worked perfectly. I figured it was something involving the gateway, being that I wasn't using the default gateway.

I got it working, after setting up the port forward I had to go to firewall - rules - lan and move up the new rule so that vpn dns grabs before the dns resolver. [image: 1553684083712-annotation-2019-03-27-033736.jpg] [image: 1553684092733-annotation-2019-03-27-033910.jpg] granted this is with mullvad but I also got it working with expressvpn. Since express doesn't give out their dns and it can't be found in the ovpn config; easiest solution is running their client on your desktop and using cmd commands to find the dns address being used inside the tunnel.

I found this guide, do you think it can work? Its some years old. https://nguvu.org/pfsense/pfsense-multi-vpn-wan/ Thank you.

@MathiasMa said in OpenVPN fails to start: But does it really matter? No, as long as you keep it in mind and don't add another subnet to pfSense which overlaps it, it doesn't.

On the server-side (if that's the right config), looks like it's set up as a remote access server, which isn't what you want. You need to change the server mode to one of the Peer to Peer options and configure the server for either a shared key or PKI setup. On the client-side, the client is not routing any networks over the tunnel. So, there appear to be several issues: The server-side needs to be reconfigured for Peer to Peer mode The client-side is not routing any networks over the tunnel. a. If the objective was shared key, here's one of your issues b. If the objective was PKI, the server-side will need iroute statements for the client's network(s) in the CSO section The client override screenshot posted in your OP is missing an entry in the "IPv4 Remote Network/s", which will autogenerate the iroute statements needed for the server to reach the client's network behind this connection. Assuming you went with a PKI setup. This is unlikely, but the client-side is double NAT'd behind an edge device, so if basic end-to-end IP communication still isn't working after making your corrections, it's possible that the client may need a static route on the edge device for the tunnel network.

@althaf said in Connection Change issue: tls key negotiation failed to occur within 60 seconds That error simply means the server did not respond. So either it is unable to reach the server via that connection or the server is blocking connections from that IP address. Steve

In the OpenVPN RAS Advanced Client Settings push your pfSense IP as DNS again together with Force DNS cache update: [image: 1553416285825-pfsense_push-openvpn-dns-server.png] You also need a Firewall Rule for the OpenVPN Client to reach pfSense DNS. For testing best practice is to put some any-any Rule in the OpenVPN Firewall tab. Once you have everything working tighten your Rules. -Rico

The closest thing I can find there is --show-gateway, which lists the IP of the gateway interface that OpenVPN uses to make its connections. I don't see any commands that give me the remote host information shown on status_openvpn.php in webconfigurator. edit: Success! I accomplished what I wanted by using the following: INTERFACEIP=`dig @resolver1.opendns.com ovpnc1 myip.opendns.com +short`

Some VPN providers offer port forwarding. Search Cyberghost's help/faq if they offer that.

I'd recommend you to change one sides subnet and run OpenVPN in default and recommended tun mode. -Rico

Will do, in the mean time I got something more stable using limiters on in and out at half our DSL capability. Seems like when the link is saturated, the copy get frozen and not when the limiters are reducing. Might very well be due to failover of our SDSL WAN to ADSL second link activates (automatically in suppose due to poor ping)

https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html Multi-WAN Tactics starting at around 40:05min. -Rico

I think I touch something but I do not know exactly what. But when this happens it's better to start again :). thanks!

FreeRadius and hand IP addresses (framed) out that you can use in firewall rules for the clients, I do it with IPsec so I can access everything and friends can only access the internet. Sort of pointless if all the users PCs the LAN side of pfSense are all on the same subnet. "andy" Cleartext-Password := "XXXXXXXX", Simultaneous-Use := "1", Expiration := "Apr 11 2027", NAS-Identifier == strongSwan Framed-IP-Address = 172.16.8.4, Framed-IP-Netmask = 255.255.255.0, Framed-Route = "0.0.0.0/0 172.16.8.1 1"

Give an idea about your configuration and post the full log as text not picture. -Rico

Thank you for your reply. When I check the widget, it only shows me the default gateway WAN_DHCP and does not show the openvpn gateway as a choice.

@viragomann "Second" P2 is the key word Solved, Thank you very much