@konstanti Ok For example cisco side access-list 100 permit ip 172.70.70.0 0.0.0.255 100.100.100.0 0.0.0.255 pfsense side [image: 1546541458665-4e868b7e-4cfb-4231-8d39-2bc43d3da4b4-image-resized.png] Forgotten The network behind openvpn can be different if you use NAT . About this we must remember I gave an example , assuming that NAT is not being used

Nordvpn is the worst provider i have tried. and i have tried about 5-6 of the vpn services i suggest run away quickly i feel i can say this with confidence as i use the SAME exact settings with another provider and i get full speeds and no buffering 99% of the time

Please make sure to disable Block private networks and loopback addresses and Block bogon networks under Interfaces > WAN because you do double NAT. -Rico

You are absolutely right , this is only happening with some specific providers rest all are working fine without any issues. I know this is stupid, but is there any workaround / fix in order to overcome bandwidth throttling from ISP. I will change the default port & try - will let you know the status Traffic shaping is not activated on PfSense.

@johnpoz said in OpenVPN TAP TCP traffic not passing, ICMP works: All of which makes zero sense for a remote user or site to site. As a generalized statement without having any application-specific insight, this is just plain incorrect. I have a combination of tun and tap VPNs across multiple sites: there's rarely a time where using tun doesn't annoy me and interrupt my workflow, and never have I been able to notice a performance hit or any practically measurable or operational added latency from using tap. mDNS, and all sorts of layer 2 applications, both high and low bandwidth can be incredibly useful remotely. I'm not advocating that tap should by any means be thought of as the preferred option across the board, I'm simply saying there's no reason to wonder why someone may specifically want to use it - it has plenty of uses. For me I would not be able to work from home without it.

@sweden_cool said in Port Forwarding OVPN: [image: 1546187773616-nat-how-resized.png] Do you need everyone or can you remove two of them? You can remove the ISAKMP one. I'm not sure about the "pia group" one, but I guess that's from some tutorial ? Remove it or disable it. Keep it clean.

This is easily resolved with the "Avahi" package. Installed and enabled with default settings-- it will repeat the broadcast requests across all subnets, so devices on LAN network become discoverable to you while connected through OpenVPN network (different subnet). Just logging the answer I found for others. Thanks

I have two wan gateway. I create pfsense openvpn client instance using wan1 gateway. When wan1 down I lose connection of pfsnse openvpn client. I want to up this openvpn connection via wan2 gateway (wan failover). [image: 1546272343877-vpn-interface.jpg]

TCP in TCP is far from ideal, as you are finding out. I would at least test using UDP for the tunnel and see if your issues go away there.

@marvosa I WILL SEND YOU THE NETWORK MAP SOON, ONE QUICK UPDATE THIS IS HAPPENING ONLY FOR SOME SPECIFIC ISP MY FIREWALL RULE FOR VPN IS ALLOW ALL I HAD CREATED SOME EASY RULE WHICH I HAD SEEN IN FIREWALL LOG FOR THOSE CONNECTIONS GOT BLOCKED.

I'm using Namecheap, which is listed in pfsense dydns drop down list, i've also tried the custom url from Namecheap, which also failed to update. I already have 127.0.0.0/8 in the NAT Outbound settings for AirVPN WAN interface. The credentials are correct since it updates when using the WAN interface.

High Availability would solve that. You would port forward OpenVPN traffic to the CARP VIP. If the primary goes down, the traffic will hit the secondary instead. XMLRPC sync would sync the OpenVPN server configurations between the two. It is an active/passive configuration though. The would be no "load balancing."

I should add, I have tried increasing and decreasing buffer size, I've tried switching UDP ports and removed cipher encryption all together. Nothing changes to download speed from my Nvidia Shield ethernet connected.

For Android no idea, with iPhone OpenVPN works like a charm for me. -Rico

And you will also have to specifically route the tunnel network to the pfSense interface in the VPC routing table. And pass it in security groups, disable source/dest check, and all that.

@ariban99 NEVER MIND. I had to restart the VPN and it works perfectly as you said. so NO server changes, just the client changes and its working now!! thank you

Hi Gertjan, We're on the process of upgrading the pfSense version soon, We're just waiting for the returned firewall. By the way I already fixed the issue, I just need to change one of the default settings in openVPN connect apps.