I don’t know how to use the results from Google... :(

Yes, 3 boxes, but no, not connecting them together with OpenVPN (using IPSEC VTI for that). It's just that each site has different users, and if there's a snow day the'd need to work from home. With 2 of the boxes (one netgate, one white box) OpenVPN has been problem free. Just one has issues. I'm thinking it might be a bad install, and that I need to re-do the installation. This particular office had a netgate box fail when I upgraded to 2.4.4 (no anything on the serial terminal no matter what I did with the reset button) so I swapped in a spare 3-NIC PC, installed pfSense on that - and OpenVPN was working fine there, too. But I needed more NICs, so I bought another white box, installed pfSense - and everything is working except OpenVPN. I guess I know what I'm doing this weekend. Sigh...

I am having troubles with iOS as well. In my case, disabling compression on the server was the only fix. With LZ4 or LZO, I could connect and ping, but RDP would not work.

thanks i see i needed to add(enable) the interface even though it was auto created.

Add a CSO: VPN > OpenVPN > Client Specific Overrides Enter the common name that matches to the users certificate. Enter an "IPv4 Tunnel Network" by considering the stated hints.

Guys any update???? Your help will be appreciated

How do you know the Server side is working properly? When your Client side pfSense Internet access is working and you don't see anything else in the Logs, you have used a wrong IP/Port or the Problem is the Server side. Can you for example make Update checks for your pfSense to make sure the connectivity is working in general? -Rico

I think this is more of a OpenVPN problem rather than PFSense problem. Apparently, it isn't possible for OpenVPN server to listen on both IPv4 and IPv6 addresses. It can listen to ALL (meaning all IPv4 and IPv6 interfaces on server) OR a single IP address (IPv4 or IPv6). https://sourceforge.net/p/openvpn/mailman/message/34193818/ "AFAIK this is currently not possible - openvpn can either bind to ALL addresses (IPv4 and IPv6) or it can bind to a single address - either IPv4 or IPv6. " https://community.openvpn.net/openvpn/ticket/937?cversion=0&cnum_hist=5

create static addresses for the devices you want outside the tunnel. then create a Rule so those device travel over WAN instead of the PIA tunnel... this is how i operate my "smart" TV so i can stream

@konstanti Ok For example cisco side access-list 100 permit ip 172.70.70.0 0.0.0.255 100.100.100.0 0.0.0.255 pfsense side [image: 1546541458665-4e868b7e-4cfb-4231-8d39-2bc43d3da4b4-image-resized.png] Forgotten The network behind openvpn can be different if you use NAT . About this we must remember I gave an example , assuming that NAT is not being used

Nordvpn is the worst provider i have tried. and i have tried about 5-6 of the vpn services i suggest run away quickly i feel i can say this with confidence as i use the SAME exact settings with another provider and i get full speeds and no buffering 99% of the time

Please make sure to disable Block private networks and loopback addresses and Block bogon networks under Interfaces > WAN because you do double NAT. -Rico

You are absolutely right , this is only happening with some specific providers rest all are working fine without any issues. I know this is stupid, but is there any workaround / fix in order to overcome bandwidth throttling from ISP. I will change the default port & try - will let you know the status Traffic shaping is not activated on PfSense.

@johnpoz said in OpenVPN TAP TCP traffic not passing, ICMP works: All of which makes zero sense for a remote user or site to site. As a generalized statement without having any application-specific insight, this is just plain incorrect. I have a combination of tun and tap VPNs across multiple sites: there's rarely a time where using tun doesn't annoy me and interrupt my workflow, and never have I been able to notice a performance hit or any practically measurable or operational added latency from using tap. mDNS, and all sorts of layer 2 applications, both high and low bandwidth can be incredibly useful remotely. I'm not advocating that tap should by any means be thought of as the preferred option across the board, I'm simply saying there's no reason to wonder why someone may specifically want to use it - it has plenty of uses. For me I would not be able to work from home without it.

@sweden_cool said in Port Forwarding OVPN: [image: 1546187773616-nat-how-resized.png] Do you need everyone or can you remove two of them? You can remove the ISAKMP one. I'm not sure about the "pia group" one, but I guess that's from some tutorial ? Remove it or disable it. Keep it clean.

This is easily resolved with the "Avahi" package. Installed and enabled with default settings-- it will repeat the broadcast requests across all subnets, so devices on LAN network become discoverable to you while connected through OpenVPN network (different subnet). Just logging the answer I found for others. Thanks