well, pfSense probably hasn't created NAT rules for the vpn subnet. you could manually add them or you could assign an interface to your openvpn: i believe pfSense will add NAT automagically then (don't shoot me if i'm mistaken)

Opened bug ticket here. https://redmine.pfsense.org/issues/6580

found the problem: Jul 5 23:30:51 openvpn 19584 OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016 Jul 5 23:30:51 openvpn 19584 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09 Jul 5 23:30:51 openvpn 19913 Could not retrieve default gateway from route socket:: No such process (errno=3) Jul 5 23:30:51 openvpn 19913 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts Jul 5 23:30:51 openvpn 19913 Initializing OpenSSL support for engine 'rdrand' Jul 5 23:30:51 openvpn 19913 Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file Jul 5 23:30:51 openvpn 19913 TUN/TAP device ovpns1 exists previously, keep at program end Jul 5 23:30:51 openvpn 19913 TUN/TAP device /dev/tun1 opened Jul 5 23:30:51 openvpn 19913 ioctl(TUNSIFMODE): Device busy: Device busy (errno=16) Jul 5 23:30:51 openvpn 19913 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0 Jul 5 23:30:51 openvpn 19913 /sbin/ifconfig ovpns1 10.20.30.1 10.20.30.2 mtu 1500 netmask 255.255.255.0 up Jul 5 23:30:51 openvpn 19913 /usr/local/sbin/ovpn-linkup ovpns1 1500 1560 10.20.30.1 255.255.255.0 init Jul 5 23:30:51 openvpn 19913 Listening for incoming TCP connection on [AF_INET]86.126.1.236:1194 Jul 5 23:30:51 openvpn 19913 TCPv4_SERVER link local (bound): [AF_INET]86.126.1.236:1194 Jul 5 23:30:51 openvpn 19913 TCPv4_SERVER link remote: [undef] Jul 5 23:30:51 openvpn 19913 Initialization Sequence Completed Not able to get default gw. How to solve it now?

Darn, I think I finally found the culprit: I had an old IPSec config on those boxes (preferred VPN solution but never got it work reliably) which was inactive but not disabled. It seems as if this messes up some internal routing (not reflected by the routing table). It also seems that this is a regression in 2.3.? since 2.2.6 still doesn't have this problem! IIRC, the enable/disable implementation of IPSec changed in 2.3 so that would explain it. That was a mean one… Cheers

Hi All, Thanks to Nastov's problem description and Probie's response to that, i managed to get the issue fixed for my Customer mgmt-oVPN network. Things i had to change in comparison to the former V2.2.6 setup: General: Set topology to "Subnet", on both the server (hub) side and client (spoke) side, wherever i was not set to Subnet already. Server side: In the OpenVPN server config fill in the tunnel network as a /24 network (in Probie's example it would be: 10.9.9.0/24) In the Client Specific Override's i cleared the tunnel-network (<blank>) and left the ifconfig-push as it was before, including the dash. Client side: In the OpenVPN client config i also cleared the tunnel-network to <blank>. In this way, every client got it's unique tunnel IP-address (/24-/32) again and i was able to get the right traffic on the right VPN-tunnel for each spoke. Hooray!  8)</blank></blank>

It's a little unclear as to what type of scenario you're describing. Do you mean a typical "Road-Warrior" setup - a Remote Access OpenVPN server allowing guests on phones, laptops, etc. to connect remotely? If so, the server has one port that handles all of the clients connecting.  It typically can handle 30-100+ clients simultaneously (depending on your hardware) all through that one port.  What differentiates all the clients is they should each have their own certificate that proves their authenticity to the OpenVPN server. So you setup one OpenVPN server, and 25 certificates for your 25 users, not 25 ports.

TRANSLATION RULES: no nat proto carp all nat-anchor "natearly/*" all nat-anchor "natrules/*" all nat on re0 inet from 127.0.0.0/8 to any port = isakmp -> 71.xxx.xxx.xxx static-port nat on re0 inet from 10.10.8.0/24 to any port = isakmp -> 71.xxx.xxx.xxx static-port nat on re0 inet from 10.10.0.0/16 to any port = isakmp -> 71.xxx.xxx.xxx static-port nat on re0 inet from 10.10.8.0/24 to any port = isakmp -> 71.xxx.xxx.xxx static-port nat on re0 inet from 127.0.0.0/8 to any -> 71.xxx.xxx.xxx port 1024:65535 nat on re0 inet from 10.10.8.0/24 to any -> 71.xxx.xxx.xxx port 1024:65535 nat on re0 inet from 10.10.0.0/16 to any -> 71.xxx.xxx.xxx port 1024:65535 nat on re0 inet from 10.10.8.0/24 to any -> 71.xxx.xxx.xxx port 1024:65535 no rdr proto carp all rdr-anchor "relayd/*" all rdr-anchor "tftp-proxy/*" all rdr-anchor "miniupnpd" all FILTER RULES: scrub on re0 all fragment reassemble scrub on re1 all fragment reassemble scrub on ovpns1 all fragment reassemble anchor "relayd/*" all anchor "openvpn/*" all anchor "ipsec/*" all block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local" block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local" block drop in log inet all label "Default deny rule IPv4" block drop out log inet all label "Default deny rule IPv4" block drop in log inet6 all label "Default deny rule IPv6" block drop out log inet6 all label "Default deny rule IPv6" pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0" block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0" block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0" block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0" block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0" block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0" block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0" block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0" block drop log quick from <snort2c>to any label "Block snort2c hosts" block drop log quick from any to <snort2c>label "Block snort2c hosts" block drop in log quick proto tcp from <sshlockout>to (self) port = ssh label "sshlockout" block drop in log quick proto tcp from <webconfiguratorlockout>to (self) port = https label "webConfiguratorlockout" block drop in log quick from <virusprot>to any label "virusprot overload table" pass in quick on re0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" pass in quick on re0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" pass out quick on re0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN" block drop in log quick on re0 from <bogons>to any label "block bogon IPv4 networks from WAN" block drop in log quick on re0 from <bogonsv6>to any label "block bogon IPv6 networks from WAN" block drop in log on ! re0 inet from 71.xxx.xxx.xxx/24 to any block drop in log inet from 71.xxx.xxx.xxx to any block drop in log on re0 inet6 from fe80::2e0:4cff:fe68:27d5 to any block drop in log quick on re0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8" block drop in log quick on re0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8" block drop in log quick on re0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12" block drop in log quick on re0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16" block drop in log quick on re0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7" pass in on re0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN" pass out on re0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN" block drop in log on ! re1 inet from 10.10.0.0/16 to any block drop in log inet from 10.10.1.1 to any block drop in log on re1 inet6 from fe80::1:1 to any pass in quick on re1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" pass in quick on re1 inet proto udp from any port = bootpc to 10.10.1.1 port = bootps keep state label "allow access to DHCP server" pass out quick on re1 inet proto udp from 10.10.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server" pass quick on re1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server" pass quick on re1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server" pass quick on re1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server" pass quick on re1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server" block drop in log on ! ovpns1 inet from 10.10.8.0/24 to any block drop in log inet from 10.10.8.1 to any block drop in log on ovpns1 inet6 from fe80::2e0:4cff:fe68:27d5 to any pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself" pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself" pass out route-to (re0 71.xxx.xx.xxx) inet from 71.xxx.xxx.xxx to ! 71.xxx.xxx.xxxx/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself" pass out route-to (ovpns1 10.10.8.1) inet from 10.10.8.1 to ! 10.10.8.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself" pass in quick on re1 proto tcp from any to (re1) port = https flags S/SA keep state label "anti-lockout rule" pass in quick on re1 proto tcp from any to (re1) port = http flags S/SA keep state label "anti-lockout rule" pass in quick on re1 proto tcp from any to (re1) port = ssh flags S/SA keep state label "anti-lockout rule" anchor "userrules/*" all pass in log quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN vpn.hostname.tld wizard" pass in quick on re0 reply-to (re0 71.xxx.xx.xxx) inet proto udp from any to 71.xxx.xxx.xxx port = openvpn keep state label "USER_RULE: OpenVPN vpn.hostname.tld wizard" pass in quick on re1 inet from 10.10.0.0/16 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" pass in quick on re1 inet proto tcp from any port = domain to 127.0.0.1 port = domain flags S/SA keep state label "USER_RULE: Forced DNS Redirection" block drop in log quick on re1 inet proto tcp from 10.10.1.5 to 71.xxx.xxx.0/24 flags S/SA label "USER_RULE: Block IP cam outbound traffic" pass in quick on re1 inet from 10.10.0.0/16 to 10.10.8.0/24 flags S/SA keep state label "USER_RULE" pass in quick on ovpns1 reply-to (ovpns1 10.10.8.1) inet all flags S/SA keep state label "USER_RULE: Default allow OpenVPN to any rule" anchor "tftp-proxy/*" all No queue in use</bogonsv6></bogons></virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c>

Oh just to clarify. The inactivity timeout photo simply details what happens when a connection has been established and then it just timesout sometimes (not all the time…) for some strange reason.

Most likely it wasn't… And you thought it was.. Not going to work with those 2 issues you described..

On TCP it will fail to connect to the server with fragment 1426;mssfix in advanced options (doesnt matter what MTU I set) 1426 being the highest I can go when connected to the TCP vpn and pinging google.com -l 1426. TCP failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT) UDP (mtu was set to 1400 at the time of this test) Mon Jul 04 17:19:48 2016 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1606' Mon Jul 04 17:19:48 2016 WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic' Mon Jul 04 17:20:01 2016 Bad LZO decompression header byte: 0 Mon Jul 04 17:20:11 2016 Bad LZO decompression header byte: 0 Mon Jul 04 17:20:21 2016 Bad LZO decompression header byte: 0 Mon Jul 04 17:20:31 2016 Bad LZO decompression header byte: 0 Mon Jul 04 17:20:41 2016 Bad LZO decompression header byte: 0 Mon Jul 04 17:20:50 2016 [Beko] Inactivity timeout (–ping-restart), restarting Mon Jul 04 17:20:50 2016 SIGUSR1[soft,ping-restart] received, process restarting Mon Jul 04 17:20:53 2016 UDPv4 link local (bound): [undef] Also, when not connected to a VPN I can't ping -l 1500 from my client either but speeds are fine.

Dear All, I have troubleshoot the issue with my self and SSL VPN working very perfect now i can access remote internet and internal network through internet with high speed it is working with same speed as i getting in local LAN i did not feel any difference. this is great thing in pfsense i salute to their Developers. Regards, Noor.

Disregard!! This doc fixed it =] https://secure-computing.net/wiki/index.php/OpenVPN/Routing I added an additional line in to my openvpn server config "Custom options" and modified "Advanced" under client specific overrides << = removed = added OpenVPN server "Custom options" push "route 192.168.5.0 255.255.255.0"; push "route 192.168.11.0 255.255.255.0"; >> route 192.168.6.0 255.255.255.252 Client Specific Override "Advanced" << push "route 192.168.6.0 255.255.255.252"; << push "route 192.168.11.0 255.255.255.0"; >> iroute 192.168.6.0 255.255.255.252 After i did this; I now see the following when running netstat -rn 192.168.5.0/24    192.168.5.2        UGS      ovpns1 192.168.5.1        link#8            UHS        lo0 192.168.5.2        link#8            UH      ovpns1 192.168.6.0/30    192.168.5.2        UGS      ovpns1 Everything works perfectly now =]

I was able to finally resolve my issue. After trying to use telnet, ping and tracert commands with no success I finally figured out that I was missing the outbound PIAVPN interface NAT rule for my DMZ source IP range. Even though this did not help to send out mail outbound from my mail server, I was able to use the commands to figure out what worked. Finally I used the mail forwarder in hmailserver to a out.myprovider.com 1025 server from my ISP. Now I happy to say I can send out mail with "don't pull routes" deselected.

Baby steps.

After several months of troubleshooting work with Cisco engineers and even escalating to their Nexus developers the culprit could not be found… However, upgrading the pfSense to the latest 2.3.1 version SOLVED the problem!  :o I hope someone could explain what was changed in the 2.3.1-RELEASE (amd64), built on Tue May 17 18:46:53 CDT 2016 in regards to the OpenVPN code to make it work.

Yep - Very common affliction.  Its a good idea to go with the 192.168.x.x - for both the Xs pick a random number between 2 and 254 or so. The reason I asked about admin rights its because its always a good idea to right click the install icon for openvpn and run as admin - and then always run the program as admin after from then on.  Saves lots of grief. Anyway - Sounds like you already have it worked out.  Enjoy.