• Site-To-site : static IP address for Tunnel interface

    3
    0 Votes
    3 Posts
    687 Views
    B
    Thanks a lot. Well, I thought there would be one instance on the server talking with many remote sites, so now I must have as many instances on the server as there are remote sites, and the topology in the client settings is just for client-to-site. It makes sense, but it's a hell of a lot of work. Thanks again.
  • OpenVPN multicast?

    5
    0 Votes
    5 Posts
    3k Views
    U
    Has anyone been able to get this working? I'm trying to configure a cluster configuration for my 3 Proxmox nodes. 2 Proxmox nodes are in the same physical network and I have no issues clustering them up. My issue is when I try to add the 3rd node, which sits in a remote location: I get the "waiting for Quorum" timeout error. I'm assuming this is due to the multicast traffic not being passed through the S2S tunnel. I've configured the OVPN server via TUN / UDP. I have access to the remote side, and vice versa. Any suggestions?
  • 0 Votes
    7 Posts
    1k Views
    BearB
    One would be led to believe, but since it's a filtered bridge, I don't assign an IP to the LAN side of it. I'm just saying it's showing up as 10, even though it's not set. My locals (which are working) are 104.49... Regardless, I'm still where I was: all of my rules are working, folks can get in and out of my statics/servers, but the OpenVPN client can connect but go nowhere.
  • 0 Votes
    4 Posts
    808 Views
    H
    @Pippin: "Fix time on client side, cmos bat.? Push NTP to the client(s) …" The client is a VM. The host had its time set improperly (ESXi). I set the time manually on the host because the NTP service wasn't starting properly. Not sure what the deal is there; I will troubleshoot that eventually. What concerns me is that the VM rebooted and, even though it had NTP enabled, it pulled time from the host and never updated itself. In order to fix it I logged in, went to System -> Settings, saw that NTP was enabled, clicked "save" and the time updated. I'm trying to figure out why the pfSense VM didn't automatically update until I logged in and clicked "save"; it seems like it should've noticed that NTP and local time were off and auto-corrected without me intervening.
  • Can't access IPsec Site-to-Site Subnet from OpenVPN Subnet

    4
    0 Votes
    4 Posts
    1k Views
    M
    So if your routing table doesn't mention 20.0, then it really truly doesn't know how to get to it, and will send that traffic to the default gateway. The OpenVPN server may very well push the route to 20.0 to the remote clients. The clients will contact the specified gateway. However, that doesn't mean the gateway (i.e. probably your pf box with the missing route) knows how to get to 20.0. Add a System / Routing / Static Route if needed.
  • WoL half broken after setting pfSense up as an OpenVPN client

    1
    0 Votes
    1 Posts
    596 Views
    No one has replied
  • Unable to get Selective routing to OpenVPN(PIA) to work for single IP

    3
    0 Votes
    3 Posts
    547 Views
    C
    Amazing... such a simple fix! Thank you so much!
  • OpenVPN Status indicator -> service not running?

    7
    0 Votes
    7 Posts
    11k Views
    P
    Awesome! I'm glad it worked for you. I don't know why the system gets out of sync, but it's happened to me a few times and you can find threads back in 2013 with people having the same problem. I don't know if anyone's ever looked into fixing it?
  • 0 Votes
    2 Posts
    1k Views
    P
    There are a few possibilities. You might try switching to a different PIA server; they are not all created equal. Here's their list. https://www.privateinternetaccess.com/pages/network/ Another potential issue: is your Nighthawk router running as an AP only (all services DHCP, DNS, QoS, NTP, etc. turned off in the Nighthawk's WebGUI)? If it's trying to do a bunch of stuff it may be working against pfSense and causing issues. My guess is that you've already done this, but I thought I'd ask. Last option, if neither of the above two work, is that your CPU is probably the limiting factor at 1.6 GHz. If this is the case then you have two options. One, obviously, buy a new CPU. The ASRock Apollo Lake SoCs are cheap, have the latest AES-NI, and have higher clock speeds while remaining low power and fanless. Unless you need 4 cores for something else CPU intensive you are doing, I would recommend the J3355 for its high clock speeds and low cost. The other option is to keep your existing hardware and create two OpenVPN client processes. All you do is create a new OpenVPN client, just mirror the one you already have, then go to System > Routing > Gateway Groups and create a new group, select both of your VPN clients and set them both to tier 1. Finally, go to your firewall rules and, for everything you want to use the VPN, select your gateway group as their gateway in advanced settings. What you are doing here is splitting your VPN into two streams; since OpenVPN is purely single-threaded, this lets your CPU use two of its cores to process your traffic. By setting both of the clients to tier 1 your computer will balance the load between the two processes. This isn't a magic bullet: your per-instance VPN total speed will not double. If your CPU maxes at 50Mbps and you do this, then if only one computer is using the VPN it will still only get 50Mbps. But if you have two computers each trying to use 50Mbps at the same time, they will now each get the full 50Mbps.
So even though it isn't a perfect solution, I still recommend you do it for another reason(s). PIA servers sometimes (rarely) go down completely and more often suffer from decreased performance during peak hours. If you configure two or more clients in this method and select a different PIA server for each, you can mitigate this shortcoming by spreading your traffic over multiple servers. Here's the thread where I learned of this, which links to another thread with more instructions if you're interested. https://forum.pfsense.org/index.php?topic=123927.msg690987#msg690987
  • OpenVPN idle timeout

    3
    0 Votes
    3 Posts
    11k Views
    F
    Thank you! I'll definitely try it.
  • Dynamic IPs in IPv4 Local network(s)?

    3
    0 Votes
    3 Posts
    683 Views
    B
    Thanks for the response. I'm not looking to get the list of IPs… I'm looking to set it, and update the settings on a schedule based on DNS lookups.
  • Lost route to remote subnet after random number of days

    2
    0 Votes
    2 Posts
    529 Views
    M
    Stop-gap measure: check for the missing route every hour, reinstate if missing. Ugly, but reduces stress until the root cause is found. Improvement suggestions welcome.
    #!/bin/sh
    #
    # check if 10.4.52.0 route has gone missing
    if [ "$(/usr/bin/netstat -r4 | grep 10.4.52)" ]
    then
      echo 'Found 52, no further action'
    else
      logger -p local3.warn 'Route 10.4.52.0 not found in route table'
      echo 'Route 10.4.52.0 not found in routing table, added'
      route add -net 10.4.52.0/24 10.4.9.2
    fi
  • Multipurpose openvpn server with /30 client specific override

    2
    0 Votes
    2 Posts
    969 Views
    M
    "Under Windows some route is missing"
    From VPN / OpenVPN / Client Export Utility (when the client export package is installed):
    Management Interface: Use the OpenVPNManager Management Interface. This will activate the management interface in the generated .ovpn configuration and include the OpenVPNManager program in the Windows installers. With this management interface, OpenVPN can be used by non-administrator users. This is also useful for Windows Vista/7/8/10 systems where elevated permissions are needed to add routes to the OS. NOTE: This is not currently compatible with the 64-bit OpenVPN installer. It will work with the 32-bit installer on a 64-bit system.
    "What I've found strange"
    No, no, you don't get to commingle two questions in one with insufficient detail. You said previously everything works great. Cannot ping is not great, it's broken. It may not be allowing ICMP on Firewall / Rules / OpenVPN.
  • Forwarding openvpn traffic

    2
    0 Votes
    2 Posts
    904 Views
    M
    You can browse directly to the pfSense in-tunnel IP address; it is listening. You will need a Firewall / Rules / OpenVPN rule to allow access to self (same as the anti-lockout rule on WAN). From the example you list it would be https://192.168.204.1 You should also be able to browse to the pfSense inside LAN address, https://192.168.20.1 from the example. The server-side router knows how to get to all of those addresses, as seen in Diagnostic / Routes.
  • OpenVPN, NAT redirect WAN site how ?

    2
    0 Votes
    2 Posts
    842 Views
    M
    Yes, it can be done with NAT, and does work. Set up a regular OpenVPN connection, in your choice of flavour. Additional changes…
    client - change port to the alternate chosen port, 53, 21 etc., i.e. not 1194
    server - if 53, set DNS Resolver/Forwarder to not listen on WAN, by selecting only LAN, OPT, localhost etc.
    server - Firewall / NAT / Port Forward: interface WAN, protocol UDP, destination WAN address, destination port 53 (or 21 etc.), redirect target IP x.x.x.x (WAN actual address, or an alias of it, but not localhost), target port 1194
    The VPN then connects, or at least in my lab it does. YMMV. Not sure how it would work with a dynamic public IP on the server side. Now you can VPN from places that block most outbound ports but allow common ports like 53, 80 etc., or to make it less obvious you are using a VPN.
  • Block webui from static vpn ip

    2
    0 Votes
    2 Posts
    588 Views
    M
    Firewall / Rules / OpenVPN
    Add a rule to allow the traffic you want. Below the first rule, add another rule to drop everything (else).
  • Client IP in 'REMOTE_ADDR' through OpenVPN

    2
    0 Votes
    2 Posts
    621 Views
    M
    You could use NAT 1:1 on the pfSense box. NAT the VPN clients onto some useful network range, i.e. hide whatever remote address they're using.
  • Routing Through WAN/VPN Interface Depending on IP Range

    10
    0 Votes
    10 Posts
    2k Views
    V
    You're right, the gateway. I didn't notice.
  • VPN client download from PfSense

    2
    0 Votes
    2 Posts
    4k Views
    M
    It's in a separate pluggable package.
    System / Package Manager / Available Packages: OpenVPN client export
  • Issues With External VPN Connections – PF Sense Behind Cisco Router

    2
    0 Votes
    2 Posts
    504 Views
    M
    I have your scenario working reliably on an 867. Differences I can see from my config to yours:
    ip virtual-reassembly
    ip virtual-reassembly in
    ip nat inside source static udp 10.20.0.2 1194 x.x.x.170 1194 extendable
    ip nat inside source static udp 10.20.0.2 1194 interface GigabitEthernet0/0/0 1194
    (Assuming 10.20.0.2 is your pfSense box, which it could only be with a 252 mask.)
    Plus you need the access-list or access-group permit udp 1194 stuff.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.