• PFSense 2.7.0 OpenVPN problems

    9
    3 Votes
    9 Posts
    7k Views
    jimpJ

    Start your own thread, it's unlikely to be the same issues others have hit. While symptoms may be similar, there are numerous possible causes that can look the same, and trying to diagnose multiple people's issues in a single thread is not feasible.

  • Connecting OpenVPN Sites with Conflicting IP Subnets

    10
    0 Votes
    10 Posts
    1k Views
    P

    Just to close this off, I got it working as desired using a simple Peer-Peer OpenVPN, and then added a bridge from VPN to OPT1 at both ends. Client CPE & Juniper VRF can reach each other perfectly.

    The only remaining challenge was the size of IPSEC packets from the client. Control packets were small, but Data often exceeded the payload maximum inside the OpenVPN tunnel. Eventually I used tun-mtu & fragment options to split packets >>1400 bytes across two OpenVPN UDP packets.

    LAN interfaces are completely separate and only used for local access to the PfSense GUI.


  • OpenVPN iPhone app: connected but ultra slow. Good speeds on Macbook

    1
    0 Votes
    1 Posts
    389 Views
    No one has replied
  • 0 Votes
    3 Posts
    529 Views
    B

    @hr1sha thank you for your responses, yeah, I have tried TCP and it is working just fine but performance worsens. ISP does not block un-obfuscated TCP connection with an SSL/TLS key configuration for some reason.

  • Openvpn TLS Site to Site one way ping

    12
    0 Votes
    12 Posts
    1k Views
    X

    worked perfectly, thanks so much..

    just noticed a warning about link-mtu is used inconsistently, local=link-mtu1537, remote=link-mtu1534. Just searching it up now..

    thanks again for sorting this!

  • Want to protect Firestick from cyber threats?

    3
    0 Votes
    3 Posts
    281 Views
    RobbieTTR

    @willjohn
    A VPN in itself will not change anything - it just moves your connection to a different node in an encrypted tunnel. It may disguise your identity or location but you can still make connections from it to a potential source of malware, viruses etc.

    ☕️

  • WEBGUI access from VPN

    8
    0 Votes
    8 Posts
    1k Views
    H

    @hajdeo said in WEBGUI access from VPN:

    @viragomann I want to access it from the internet. I don't have a public IP, this way I can access pfsense webgui directly using the client. I already had it set up this way once, but I had to reset the router and I can't get it set up.

    hi friend... it is done :) my opsense webgui is accessible from the internet, just added this to port forwarding :)

    Do you think it is possible to add a rule to access another LAN IP address (where Plex is) from the internet through this VPN connection?

  • 1 Votes
    28 Posts
    2k Views
    N

    @michaelschefczyk
    I did not touch any NAT here.

    Simply add an interface gateway from the Interface Assignments menu first: select and add a VPN, enable it without any settings there, and you will get a new gateway. In the firewall rules for your LAN, add a new rule with S: LAN Net > D: Network VPN Address >> specific VPN gateway from the first step.
  • Very slow database access when connected via VPN

    10
    0 Votes
    10 Posts
    2k Views
    N

    Have a look at the latency and how the app works; go for a pcap.

    If the startup uses 10k queries to the DB, that is no problem on the LAN side, but on the VPN side with 20-30 ms it takes minutes to start.

  • OpenVPN, DCO, and the webgui

    4
    1 Votes
    4 Posts
    769 Views
    J

    @Tetz
    Yes, all my sites are having this issue since at least v23.05 or possibly one version prior. However, turning off DCO does resolve the issue.

  • Standard OVPN setup question

    12
    0 Votes
    12 Posts
    985 Views
    T

    I can confirm after several days of work that the VPN has been rock solid and speedy with the 'redirect all traffic' box unchecked since I killed that sneaky DHCP server on my AP.

    Glad this forum is here!

  • Site-to-Site Not Working

    3
    0 Votes
    3 Posts
    356 Views
    X

    Was able to get this going. The one part that I missed was in the Client Specific Overrides on the server side. I didn't realize that the entry had to be named the exact name of the client certificate, not just a random name. As soon as I re-read that and changed it, everything worked as it was supposed to. Hopefully this helps someone in the future.

  • Static Routes Not Working

    3
    0 Votes
    3 Posts
    395 Views
    S

    @viragomann

    You are awesome!! That did the trick. I didn't have "remote networks" on my server config, only "local networks", so I kept the route in the custom options and it worked.

  • Verify your configuration

    1
    0 Votes
    1 Posts
    247 Views
    No one has replied
  • Dedicate only one NIC HW port through openvpn

    4
    0 Votes
    4 Posts
    556 Views
    V

    @netg8ter
    So you have to configure the switch for 802.1q VLAN before.

    Look here for details:
    Switch Overview
    Configuring the Switch Ports

  • OpenVPN server crashes when client closes connection

    4
    0 Votes
    4 Posts
    581 Views
    F

    @Gertjan said in OpenVPN server crashes when client closes connection:

    OpenVPN server and client version don't need to be identical, but, as they stated on the OpenVPN web site: recent 2.5.x OpenVPN version won't work with really ancient OpenVPN clients and vice versa.

    That's a valid point to consider this not a bug.

  • HA pfsense OpenVPN TAP (L2) error after switching to backup

    3
    0 Votes
    3 Posts
    517 Views
    T

    I found a solution!
    I reconfigured VPN to Server mode:
    Remote Access ( SSL/TLS + User Auth )
    After that everything worked as it should. Perhaps my experience will be useful to someone

  • VPN is a tad slower after upgrading from 2.6.0 to 2.7.0

    3
    1 Votes
    3 Posts
    470 Views
    S

    @Ghost-0 The "x factor" in this scenario is the other end of the VPN, if you don't control both ends. I believe OpenVPN uses only one CPU core. If a core in your router isn't being maxed out, then it's likely pfSense is not the bottleneck.

    ZFS is in general better than UFS but it's the file system so is unlikely to help with VPN throughput.

  • Connecting to Homelab using OpenVPN

    6
    0 Votes
    6 Posts
    765 Views
    V

    @hudri
    Yes, whatever port you're using.
    If you're running multiple services behind pfSense, consider forwarding all incoming traffic and configure the pfSense firewall accordingly. Some modems call this "exposed host" or "DMZ".

    Consider that UDP port 1194 is possibly not allowed on public wifi hot spots if you want to use that. You can configure your OpenVPN to listen on a commonly used port like 443.

    To go around such restrictions I'm running two servers on my home pfSense. One on UDP 1194 and the other on TCP 587.
    The client is configured to automatically attempt to connect to the second if the first doesn't respond within 10 seconds.

    Note that OpenVPN over a UDP port is faster than TCP:

  • OpenVPN notification on connect and disconnect

    6
    0 Votes
    6 Posts
    3k Views
    P

    @p1ter Does this command work in the 2.6.0 version?

    Because for me, with the command entered in advanced, the credential is not validated.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.