• 0 Votes
    2 Posts
    192 Views
    S

    A reboot fixed it, but it would be interesting to know what can cause this issue.

  • OpenVPN client not using the assigned interface

    14
    1 Votes
    14 Posts
    3k Views
    D

    The problem still exists in 2.7.

    If during the OpenVPN client connection the interface, specified in client's config, is down, the connection happens through another gateway (which could be a metered backup connection for example).

    This is a major issue in my opinion.

    UPD: "Do not create rules when gateway is down" option is checked BTW.

  • OpenVPN Web GUI & HTTP Issue resolution

    1
    0 Votes
    1 Posts
    109 Views
    No one has replied
  • pfsense+ NordVPN slow speed

    6
    0 Votes
    6 Posts
    1k Views
    GertjanG

    @mathais said in pfsense+ NordVPN slow speed:

    What do you think about going to Torrent download sites and downloading Torrents without a VPN?

    No need to use a VPN to access a torrent access point, right ?
    Also, downloading something from a torrent, and "secure my network infrastructure" is imho somewhat contradictory.

    @mathais said in pfsense+ NordVPN slow speed:

    In France, we have HADOPI which tracks downloads.
    So the VPN is useless?

    I know. I've dealt once with them. Received a first warning, and I knew it was coming as I discovered earlier that a night auditor was using one of the PCs at work (hotel !) to download 'Disney' movies during his working hours, night time. He told me : "don't worry, I only download "VO" (original, English spoken language - no French subtitles) movies so no risk". Well ... he was wrong. I received a message from HADOPI and he was fired for this.
    He still didn't get the message afterwards, and had the great pleasure of meeting the "Disney lawyers" in court. That didn't go well at all.

    On the other hand : I do something that is considered totally insane : I share 'my' (work) internet connection with an entire hotel == a whole bunch of people unknown to me, also known as my "clients". They can do whatever they want with the connection I offer. If things go downhill, no problem, the owner (the one that subscribed to the internet connection) will do some jail time or has to pay the fine.
    Great. Basically, you can share your internet connection with everybody as long as you agree to assume all consequences - no exceptions.
    But I discovered something : during my 20+ years of internet sharing, and ten (hundreds) of hotel clients later, I never received another HADOPI message again.
    I do use pfBlockerNG on my hotel's captive portal access to block the most obvious IP and DNSBL destinations. That seems to do the trick, I'm not sure. Maybe people stopped doing illicit things while using a public hotel network ?
    Or : right after connecting to the portal : they activate their VPN.

  • OpenVPN Split-Tunnel Zoom Traffic

    1
    0 Votes
    1 Posts
    134 Views
    No one has replied
  • PF SENSE does not connect to the ipsec VPN

    1
    0 Votes
    1 Posts
    90 Views
    No one has replied
  • Portforward configuration for pfSense

    2
    0 Votes
    2 Posts
    370 Views
    V

    @kstlan02
    First off, it's not wise to use public IP ranges in the local network, even for docker.

    Then I'm wondering, why don't you run the OpenVPN server on pfSense.

    Do I have to do the port forwarding from the WAN to the LAN or do I have to do it from the WAN to the Docker container that is running OpenVPN?

    "LAN address" is the wrong destination here for sure. This is an IP assigned to pfSense itself. Hence forwarding to it is not what you want.

    The question is then, how can pfSense reach the container?
    I'd expect that the container gets its traffic forwarded inside the VM. But I don't know how you configured it.

    So you have to forward the OpenVPN traffic either to the VM address or to the container IP. In the latter case, you would need to add a static route for it on pfSense of course.

  • Multiple DCO adapters

    1
    0 Votes
    1 Posts
    109 Views
    No one has replied
  • XG1537 and OpenVPN

    3
    0 Votes
    3 Posts
    171 Views
    RicoR

    @viragomann said in XG1537 and OpenVPN:

    There are pfSense installations out there which treat hundreds of concurrent connections.

    🖐 ☺

    -Rico

  • Unable to pass traffic

    8
    0 Votes
    8 Posts
    653 Views
    G

    @viragomann

    I am unsure where you are going with this???
    The routing tables are being updated on the clients' ends. Hence, the users are able to reach the LDAPS Server in the 10.101.xxx.xxx/24 subnet. Otherwise the authentication will fail since there is no LDAPS in pfSense.

    If you would like to see the routes:

    ------- ----------------- ------- ----------- -------- --
    22 192.168.xxx.255/32 0.0.0.0 256 25 Ac
    22 192.168.xxx.1/32 0.0.0.0 256 25 Ac
    22 192.168.xxx.0/24 0.0.0.0 256 25 Ac
    20 192.168.xxx.0/24 10.10.xxx.xxx 256 25 Ac
    20 172.16.xxx.xxx/24 10.10.xxx.xxx 256 25 Ac
    18 172.16.xxx.255/32 0.0.0.0 256 35 Ac
    18 172.16.xxx.xxx/32 0.0.0.0 256 35 Ac
    18 172.16.xxx.xxx/24 0.0.0.0 256 35 Ac
    20 10.101.xxx.xxx/24 10.10.xxx.xxx 256 25 Ac
    20 10.23.xxx.xxx/24 10.10.xxx.xxx 256 25 Ac
    18 0.0.0.0/0 172.16.1.1 0 35 Ac

    As you can see, the routing table updates are working. The routes are present in the routing table. But, one piece of information I forgot to provide, there are multiple VPN Servers running, unsure what the max number of VPN servers that pfSense can run concurrently.

    The interesting route in the pfFW:

    10.10.xxx.xxx/24 link#11 U 14 1500 ovpns3
    10.10.xxx.xxx link#6 UHS 15 16384 lo0

    Looking at the logs, set to level 4, the only one I see right now is "Clock Unsynchronized".
    Other than that the VPN logs are clean and the same for the FW rules.

    Thank you again for your patience and assistance.

  • Use Openvpn client on one wan connection in a dual wan setup

    1
    0 Votes
    1 Posts
    84 Views
    No one has replied
  • OpenVPN client assistance

    31
    0 Votes
    31 Posts
    3k Views
    A

    @viragomann Hello, any benefits to pass clients via pfSense non-transparent proxy and then via OpenVPN client on pfSense to internet? Will this traffic catching if use non-transparent proxy? Benefits for security I mean

  • Accessing remote files from Windows Explorer via VPN

    1
    0 Votes
    1 Posts
    68 Views
    No one has replied
  • VPN Connection Intermittently Causing DNS Failure

    8
    0 Votes
    8 Posts
    1k Views
    P

    @elegantd said in VPN Connection Intermittently Causing DNS Failure:

    Sorry, had the wrong picture for OpenVPN server settings.

    Thanks for the information. I managed to solve the issue (been ok now for a fair few days) by restricting outgoing DNS requests over my WAN interface only. It is worth noting that I am using an OpenVPN client on pfSense, not a server.

    Since having DNS go over WAN only, I have not had any hiccups. This is with the resolver forwarding DNS requests directly to remote DNS.

  • open vpn worked then cert expired

    2
    0 Votes
    2 Posts
    127 Views
    V

    @adrianp918
    You have to export the new client cert from pfSense and import it on the client.

    On Windows this only succeeded for me if I also imported the private key again. I.e. you have to export a PKCS12 archive from pfSense.
    Also I had to remove the old cert before importing the new one.

  • Lots of log entries “MULTI: bad source address from client”

    1
    0 Votes
    1 Posts
    100 Views
    No one has replied
  • NordVPN going up and down is screwing up DNS Resolver.

    7
    0 Votes
    7 Posts
    1k Views
    E

    Solved

    Short answer: SNORT.

    Long answer: SNORT was NOT blocking the formation of my VPN tunnels. I have NordVPN set up to use TCP. So in effect I was creating a denial of service attack on myself! TCP looks for a response which a SNORT rule was blocking. I had SNORT set to drop on the WAN side. My firewall was being swamped by TCP response requests that were never going to come. That is why I had CPU problems and my firewall was behaving extremely sluggishly. All of this could be alleviated by a reboot. I was needing to do a reboot about once a day. I turned SNORT off and my problems went away. I will next just add my VPNs to a pass list.

  • OpenVPN Client Export - Not Encrypting Private Key (With Password)

    3
    0 Votes
    3 Posts
    542 Views
    K

    A solution is to export the private key of the client from System > Certificates > Certificates > Select the user cert > Set an "export password" and click "Export Private Key", then copy/paste and overwrite the private key in the file exported from the OpenVPN Client Export plugin. If you don't want to export an unencrypted private key, the password-protected Viscosity bundle export can be used to build the base of the config file and the private key can be replaced from the export from earlier.

  • Double DDNS in SITE-TO-SITE

    3
    0 Votes
    3 Posts
    146 Views
    E

    @viragomann I would feel bad if I didn't ask, as the branch is on the other side of the country. Driving there because of a misconfiguration would be terrible. Thanks

  • DNS Over OpenVPN

    2
    0 Votes
    2 Posts
    273 Views
    V

    @Spyderturbo007 said in DNS Over OpenVPN:

    For example, there is a Synology on the other side of the VPN. I can ping 172.18.0.3, but can't ping it by DNS name of diskstationhbe.

    This is only a host name. Consider using FQDNs to access the remote site.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.