• OpenVPN been very unstable since 2.1.4 upgrade

    6
    0 Votes
    6 Posts
    2k Views

    The problem did turn out to be the provider, just for the record.  2.1.4 is fine at least regarding this issue.

  • Some OpenVPN Question

    1
    0 Votes
    1 Posts
    678 Views
    No one has replied
  • LAN machine can not access internet after configuring OPENVPN

    3
    0 Votes
    3 Posts
    845 Views

    @lokeshjango:

    Hi guys,

    I have configured Strong VPN in my pfSense using the OpenVPN settings. I basically want to set up my pfSense machine as a gateway so that all intranet traffic goes through my newly set up VPN interface in pfSense. As of now the system log shows no OpenVPN errors, but after configuring it I am not able to access the internet from my intranet/LAN machine. I am not finding any solutions.

    https://forum.pfsense.org/index.php?topic=29944.0 and https://forum.pfsense.org/index.php?topic=59589.0

    Please help me, as I am stuck on this point.

    One more doubt has just come to mind: how will I configure my LAN machine after configuring the VPN in pfSense, I mean the gateway?

  • Site to site VPN setup puzzling me

    10
    0 Votes
    10 Posts
    2k Views

    I think I may have solved this with help from Zack__ on IRC. I'll update this when confirmed.

  • TAP super slow

    2
    0 Votes
    2 Posts
    776 Views

    Looks like your PF has difficulties to route from OVPN client to LAN.

    Check your FW rules ?

  • Check_reload_status goes to 100% then OpenVPN Client restarts

    7
    0 Votes
    7 Posts
    2k Views

    Check this thread for having a smoother GW failure handling for small Alix architecture :

    https://forum.pfsense.org/index.php?topic=73243.15

    Try not to ping Google, as the server could respond from a far location and produce high pings. Pinging too far can transform an ISP routing failure into a false link failure (seen from PF).
    So try to ping something close to you (geographically and/or in terms of router hops), but not your ISP GW: some routers (like Cisco's) are known to drop some ICMP ping replies (even when not under heavy load) and thus produce false high response times or false loss.

  • Pinging openvpn endpoints

    2
    0 Votes
    2 Posts
    882 Views

    Is the vpn gateway in the same subnet as the vpn tunnel?
    Your vpn address is 10.200.5.x, but in the route command you used 10.200.4.0/24. These would be different subnets.

    What is your OPT1 interface? You have used the LAN address in rules there, but this is the address on LAN interface and will have no effect in these rules.

  • 0 Votes
    1 Posts
    869 Views
    No one has replied
  • Cannot copy files through Site to Site

    4
    0 Votes
    4 Posts
    781 Views

    Strange but I just happened to notice that the vmware router was configured to simulate a slow link. Changed it to unlimited and the copy started to work. Happy for that but it still doesn't explain the firewall logs though. Will have to try and figure that out separately.

    Thanks for the reply.

  • Sitetosite & remote access

    1
    0 Votes
    1 Posts
    640 Views
    No one has replied
  • Client export without GUI

    1
    0 Votes
    1 Posts
    822 Views
    No one has replied
  • Can't reach the office

    4
    0 Votes
    4 Posts
    1k Views

    Found it!!!

    Obviously, the office doesn't route my home LAN addresses. So I have to use outbound NAT with the IP address assigned to me.
    Once I had created a NAT outbound rule for interface OpenVPN, that NATs all my LAN traffic over the "Interface address", things started working like a charm. Nice, happy camper! :)

    Cheers,
    Jan

  • Three OpenVPN Pre-Shared Key Site to Site Connections unstable

    5
    0 Votes
    5 Posts
    2k Views
    jimp

    Then you'll also have to provide info about your BGP config on each node. That's not a typical VPN configuration and should have been disclosed in the original post.

  • Openvpn site-to-site, ping only from client

    4
    0 Votes
    4 Posts
    1k Views

    If you have any/any on both sides, it's probably a routing issue, but we need the .conf files from both sides to troubleshoot effectively.

  • Can't install open VPN

    4
    0 Votes
    4 Posts
    1k Views

    @jimp:

    Are you running those commands from the ssh shell, or from Diagnostics > Command? They should be run from the shell (ssh or console)

    Thank you,
    I've logged in using SSH.

    @johnpoz:

    You do understand that is just the little export wizard thing, it is not openvpn.  When you say openvpn is missing from your settings that seems more involved than the export wizard package having issues.

    Exactly,
    I mean that OpenVPN was already installed; after the update my existing client just stopped working.
    So I tried to export it again, but it is gone, and I can't reinstall it.

  • Multiple OpenVPN provider over port 1194?

    2
    0 Votes
    2 Posts
    653 Views
    jimp

    Since that port is on the remote side, not local, it does not conflict. That's like asking if you can access two different web servers at the same time since they both use port 80. :-)

    In your OpenVPN client settings, don't set your local port to 1194, only the remote port.

  • Route traffic from LAN to OpenVPN Client network

    6
    0 Votes
    6 Posts
    3k Views

    I've configured an outbound NAT to NAT my LAN clients accessing 172.21.0.0/16 to the OpenVPN connection IP, and it fixes my problem.

  • Using no backend for authentication ?

    2
    0 Votes
    2 Posts
    940 Views

    hi again…

    I found these :

    1st question:
    while in my setting, user authentication is done with an external software which communicates with openvpn via PAM, I was wondering if I can setup an openvpn server without having to define user backend.

    I found out that by creating an OpenVPN server with the "+" icon (not using the wizard) I can define "Server mode: Remote Access (SSL/TLS)" and not be forced to define a backend authentication scheme. So by adding the directive "auth-user-pass" to the client conf, the client asks me for credentials and those are pushed to PAM…
    It works fine so far.

    2nd question:
    in the above setting (with user backend defined…), in server.conf lines "user nobody" and "group nobody" are commented (when I uncomment them user authentication fails). Isn't there a security problem ?

    With the above modifications, the users connect as a local pfSense user (I haven't tried more than one simultaneous connection).
    After uncommenting the "user nobody" and "group nobody" directives in server.conf (via command line tool) and restarting the server, the user login fails with:

    openvpn[48542]: TCP connection established with [AF_INET]x.x.x.x:1499
    openvpn[48542]: x.x.x.x:1499 WARNING: Failed running command (--tls-verify script): could not execute external program
    openvpn[48542]: x.x.x.x:1499 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    openvpn[48542]: x.x.x.x:1499 TLS Error: TLS object -> incoming plaintext read error
    openvpn[48542]: x.x.x.x:1499 TLS Error: TLS handshake failed
    openvpn[48542]: x.x.x.x:1499 Fatal TLS error (check_tls_errors_co), restarting

    though I haven't changed anything in the setup…

    any suggestions on this error, or any advice on the use of "user nobody", "group nobody" directives ?

    regards

  • Slow OpenVPN

    10
    0 Votes
    10 Posts
    2k Views

    I have one openVPN (transnational, Europe) between 16/8Mbit DSL and 100/100 MBit fibre where the maximum I get is 200-300 kBit (no joke, most time around 56 kbit, reminds me of some times very long ago ;-) ). Very frustrating latencies, apparently the NSA has only limited capacity on that route :-D

  • 0 Votes
    1 Posts
    514 Views
    No one has replied