Thanks for the clarification.
For me the easiest rule to follow is:
If you have more than one instance, assign all instances and don't use the openvpn tab.

For sake of helping others having the same problem, this is not a rules issue. It was a NAT'ng issue. Make sure you select MANUAL NAT when you want to "kinda bridge" openvpn… if not it won't work.

hi,

From your client config, you are using Blow Fish cipher.

openvpn config of client:
dev tun
persist-tun
persist-key
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote x.x.x.x 1194 udp
tls-remote ZGopenVPNsvr
pkcs12 pfsense2-udp-1194-vpn.p12
tls-auth pfsense2-udp-1194-vpn-tls.key 1

BlowFish is one of the ciphers which is very light in CPU load, so it is definitely not the CPU load is the problem.

One suggestion is that, you can put your client 1 PC directly into your GB LAN at your external server's LAN, preferably with a public IP address and access to your server via OpenVPN, this way, you can actually see what is the max bandwidth or transfer rate you can get. If you can get a good decent transfer rate, it means that there is nothing wrong with your OpenVPN setup (client/server), it must be something from the internet (e.i. your ISP Verizon?) ; I am not sure if there could be a max CAP for UDP port 1194??
If you can't get a decent transfer rate, then you can trouble shoot the Open VPN config.

I would normally benchmark our setup this way, to see what the max bandwidth we can get out of our boxes, before we put them at the client end.

regards,

Appreciate your folks assistance. I've managed to track down the issue. Weirdly enough it was some leftover IPSec configuration that conflicted with the VPN tunnel. All I had to do was remove it from the client and immediately it worked.

Thanks!

More Screenshots


Just as you posted your reply vielfede, I seemed to have fixed my own issue. Under "IPv4 Local Network/s" I removed the opposite spoke's subnet. I then rebooted all of the units and everything seemed to run perfectly fine. Thanks for your tip, though! I'll read through that anyhow so that I can become more familiar with OpenVPN.

I can confirm it has todo with heavy traffic.

Any help with traffic shaping is much apprechiated.

Congrats!

Keep in mind that rules on an interface are incoming to that interface.  By making an "any" to "any" rule on WAN or VPN you let anything through to anything.  ( this took me a few times to get across to myself…)

For a box only dealing with clients on the lan side and no servers (no reason to allow someone on the outside acess to the inside) there should never be any rules for other than the LAN interface.

Thx interesting to know,  I checked my VPN but no mention of IPSEC support it does support AES 256 though.

Am going to give pfsense a go soon as I get the settings,  see if its what I would like to use more long term.

Ok. I wasn't thinking it through very well. From your response it looks as though I need to force all traffic from the client through the tunnel in order for them to be recognized as coming from my IP when connected to the VPN. Otherwise, it sees their home WAN IP as what is trying to connect. Is that correct?

Also, here's my current setup pertaining to OpenVPN:

I firewall rules allowing all OpenVPN traffic through the WAN and all OpenVPN traffic through the LAN. I don't have the Redirect Gateway option checked as shown in the second attachment on the original post. I have Advanced Outbound Nat turned on with a rule allowing OpenVPN on our LAN (had to implement AON due to outbound pptp VPN).

Thanks so much for your help.

That works fine just add routes to each of the client sites for all of the other networks.

For example on 192.168.6.1, make sure it has a route for .1.x, .2.x, and .3.x.

If you're on 2.1 it's as easy as entering them separated by a comma in the "IPv4 Remote Networks" box:
192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24

I can't access that image either, but the way that I did it was to add an advanced option to the rule that passes traffic through the interface - the advanced option specifies the gateway as being the VPN interface dynamic gateway.

Hi together,

As i remember,
there was an fix-package available for openvpn-tap. Never needed to use tap before on pfSense.
The System is a fresh and clean 2.1-installation, even one day ago.
Peer is an mikrotik device with RouterOS 6.4, where other windows-clients are able to connect successfully.

Thanks in advance for replies.

@Nadar:

@Fevan:

1st post and no experience compared to the guys around here but I did use airvpn with my tomato openvpn client with Asus router and never had this issue.

This forum/thread is about OpenVPN and pfSense (an open source firewall/router++). How does pfSense come into play with your setup? More specifically, we're discussing terminating the VPN tunnel in the firewall/router, not using a client. Using a client through pfSense is probably completely unproblematic.

oh my bad I thought op was having disconnection issues with airvpn and pfsense.  Thought the settings on openvpn on the AirVPN forums may help him.

Good news to hear however using a client through pfsense is hopefully all working well,  I plan on going through the same route when I can figure out the basics !

anyone help me?

I use a tun device for my OpenVPN server. Not sure if that changes anything.