• Remote networks and routes

    1
    0 Votes
    1 Posts
    586 Views
    No one has replied
  • OpenVPN Server / Dual Stack

    7
    0 Votes
    7 Posts
    2k Views
    johnpozJ
    Agreed that would be the best option to be sure!
  • [SOLVED] Security fixes in OpenVPN 2.4.3

    3
    0 Votes
    3 Posts
    1k Views
    S
    @Pippin: See here: https://forum.pfsense.org/index.php?topic=132534.msg728642#msg728642 ah, thanks and sorry for doubleposting! Greets Stephan
  • Remote VPN and internet access

    11
    0 Votes
    11 Posts
    2k Views
    N
    @Derelict: It turns out that Block private networks and loopback addresses on the WAN address was blocking access to the WAN from the VPN.  Is it a problem to disable this option? No it wasn't. That blocks connections into WAN from outside WAN from RFC1918 source addresses. You can run without those checked. You're correct, it only loaded the one web page and then it wouldn't work anymore. I have no idea what else to look for.
  • Working OpenVPN (PIA) just stopped working?!

    24
    0 Votes
    24 Posts
    6k Views
    M
    Working for 8 hours without issues on UDP port 1197 with AES-256-CBC and SHA256. Seems it was an issue on the PIA side. Update: No issues since
  • Custom Options ignored after reboot like –> push "route ...... etc"

    6
    0 Votes
    6 Posts
    2k Views
    B
    As it happens, I just had to reboot because the cable ISP was doing planned maintenance. Yes, the routes are completely unaffected on the client.  Though I've never experienced the problem you're seeing. I noticed that the OpenVPN Client Export package allows separation of push statements by either a linefeed or a semicolon.  Whereas the OpenVPN Server settings only seem to permit the semicolon.  Should probably be consistent.
  • OPENVPN error: Address already in use

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    That error is from the client, not pfSense. Something else is already using the address/port it wants. Also your Windows OpenVPN client is very out of date and vulnerable. Uninstall that and install the latest version. If you installed it from the client export package, update your export package and then export a new installer. Use the 2.4 installer if you can.
  • Two VPNs between two branches with pfSense boxes

    1
    0 Votes
    1 Posts
    474 Views
    No one has replied
  • Can't establish OpenVPN site-to-site tunnel

    1
    0 Votes
    1 Posts
    470 Views
    No one has replied
  • Creating a Policy Route to Send All Traffic from Host Through OpenVPN

    6
    0 Votes
    6 Posts
    2k Views
    V
    @shetu: Another question - Does lan pc ip change to vpn subnet or not? My lan ip is 192.168.1.17. it is not changed. You mean the PC's IP?? That should be static and is not changed inside the LAN network. The outbound NAT rule you've added translates the address when packets go out the vpn interface. On the vpn server it is translated once more to the server's public IP. In the LAN rule you have permitted only TCP protocol. Change this to TCP/UDP and configure the pc to use a public DNS server to avoid DNS leaks. DNS also requires UDP.
  • Cleanly separate WiFi and LAN using OpenVPN

    8
    0 Votes
    8 Posts
    2k Views
    johnpozJ
    What interface is that openvpn running on? In your client config what are you pointing them to in your export of the config? If you want your wifi clients to use the vpn, then it should be listening on your wifi interface of pfsense, and NOT your wan..
  • Requesting help with ubuntu 16.04 LTS OpenVPN 2.4 dual-stack server

    6
    0 Votes
    6 Posts
    2k Views
    B
    @johnpoz: "Openvpn supports ipv6 (arguably not very well), but since it does, I want to get it working, for the sake of getting it working." Not sure where you got that idea - I have openvpn on ipv6, even hand out ipv6 address to ipv4 clients.. You said: @johnpoz: Borked config.. You would never use /65 on anything.. /64 would be the correct prefix for any network/transit in ipv6. The /65 wasn't my idea. It was from the "IPv6 in OpenVPN" wiki https://community.openvpn.net/openvpn/wiki/IPv6. I tried using the /65 because I couldn't get it to work with a /64, I think because the route created by openvpn for the tun0 conflicted with the default route for eth0. You say Openvpn supports ipv6. I'm not disputing that, but while the software may support ipv6, it's hard to argue that the documentation for using openvpn with ipv6 is not sorely lacking. The "Bridging and Routing" wiki https://community.openvpn.net/openvpn/wiki/BridgingAndRouting mentions that openvpn supports ipv6, but then only provides examples for ipv4. I got the client and server fully working for ipv4 and I was also able to get it to hand out an ipv6 address to the client and the client and server to ping each other back and forth. However, I can't get the server to pass the ipv6 traffic. That's what I'm asking for help with. I'm asking here, because if pfsense needs to be configured for it to work, where better to ask about that than here? Also, for the record, quite a few people on the openvpn forum and the openvpn-users email list have admitted that the documentation for ipv6 is lacking because ipv6 is not widely used, so I don't think I'm alone in holding that opinion. @johnpoz: Drawing is pretty much useless from a network perspective.. Where are your networks in use - let's see a logical layer 3 drawing.  With networks and prefixes labelled.. You can obfuscate your ipv6 prefixes if you so desire..
You said: @johnpoz: I asked you for a drawing before, I would highly suggest you draw up your network so you can easily work through this stuff and makes it much easier to explain to someone trying to help you.  Either breakout the crayons and napkin or use one of the multitude of FREE options for drawing basic network diagrams. Good thing I didn't use my napkin and crayons… I gave you a drawing that depicts the configuration in a manner that anyone familiar with virtualization should understand. I also explained each network (modem / lan, pfsense 2.3.4 / lan and pfsense 2.4 beta / lan have separate /56 prefixes and the lans are /64 subnets). Aside from packets from all three networks being visible on the NIC, the networks are completely independent. I've been using this configuration for several years with no problems. I have used the modem lan exactly once, to enable port bridging. The only devices on this network are the pvr and stb. Both of the pfsense networks are minimally simple. They each have one wan and one lan interface. Both use dhcp, dhcpv6 with assisted RA and unbound. Snort is also running on pfsense 2.3.4. The wan interfaces have pd only, no address, because that is the only configuration the ISP supports. The lans have no subnets. The routing is all default. I haven't made any changes. I'm not going to post the prefixes. What information about the networks that would pertain to getting the openvpn server to work is missing or unclear? @johnpoz: Where is the vpn you're trying to put in play - is it site to site between your pfsense, is it road warrior to one of them?  Is client from one of them?  Site to site to some other location, etc. I should have been more clear about this. I want the server to be used to provide a local routed gateway for a single client as if I'm at home, for use when I'm away from home - not a site to site bridge (i.e., it should work the same as any other vpn privacy service).
As I already explained, it's working for ipv4, but not for ipv6. I'm asking for help to sort out why it's not working for ipv6. I can post the client and server configs or whatever. Just let me know what is needed.
  • Multiple PIA clients trouble

    2
    0 Votes
    2 Posts
    855 Views
    H
    Ok I finally found the solution. Disabling squid proxy server was the fix. Must be a misconfiguration in squid. EDIT: I can now use squid also. In squid settings under "Transparent Proxy Settings" -> "Bypass Proxy for These Source IPs" I put in my vpn client ip addresses.
  • 0 Votes
    3 Posts
    2k Views
    SipriusPTS
    So I have finally discovered the source of this problem. And I would like to share with you, if you encounter the same issue. Seems like one ISP was doing traffic shaping, and from what I have seen seems like they are targeting UDP packages. I have not tested it to be sure because I have changed both UDP to TCP and also the port number to another non-official. In Portugal I have tested this VPN with MEO, NOS and Vodafone, and the ISP that I am talking about belongs to Vodafone.
  • Routing NTP traffic from PFsense through VPN.

    6
    0 Votes
    6 Posts
    1k Views
    K
    If setfib(1) was usable on pfSense and integrated to the GUI so that the FIBs could be managed easily you could use them for policy routing but only based on the destination addresses which would be fine assuming the NTP peers are known and don't change. This would of course require integration with the OpenVPN start/stop events to properly hook the custom FIBs when appropriate.
  • Routing Netflix Traffic Over US-based VPN

    3
    0 Votes
    3 Posts
    2k Views
    M
    Thanks for your reply - I'm thinking it's probably too much effort, interesting method though. Thanks for this!
  • Can connect to VPN but can't access network

    8
    0 Votes
    8 Posts
    5k Views
    T
    So a bit confused still.. So you're using pfsense as just an openvpn server on what it counts as its WAN that is on rfc1918 space, ie this 192.168.0.175..  And you want to get to devices on 192.168.0/24 So you have this internet - publicIP wan ispdevice lan192.168.0.? --- your network 192.168.0/24 devices --- 192.168.0.175 wan pfsense So here is a problem for sure, maybe not all of them but for sure this is going to be an issue. So you want to go to say 192.168.0.100 some computer on your network..  What is its gateway I would assume your isp device 192.168.0.1 let's call it. If an ISP modem is in bridge mode but normally has a network of 192.168.0.0/24, and the main network for pfSense is 192.168.0.0/24 will that cause problems? I can connect to VPN and get internet access and access a few machines on the network when connected remotely but I can't access all machines and services on the LAN. For example there is a web application running on the LAN but I can't even ping it when connected via OpenVPN.
  • Open vpn client down dns website and vpn server stop working

    1
    0 Votes
    1 Posts
    472 Views
    No one has replied
  • Allow only user to export one's own utility

    Locked
    2
    0 Votes
    2 Posts
    636 Views
    jimpJ
    No. There have been many discussions about why not (tl;dr: It's not secure). Search around, you'll find them.
  • Package Manager is not working properly after OpenVPN Configurations

    3
    0 Votes
    3 Posts
    627 Views
    K
    First of all thanks for the reply... I am using Server-Client Configurations. Package Manager was working properly before configurations of OpenVPN. Can this be due to VPN Certificate? If yes then how can it be resolved?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.