@mimu

I'm using the OpenVPN server just as access for myself for remote administration.
So, multiple connections, for me, is a rare thing.

Still, I've set :

be7e33ae-4fa9-4c02-b4c0-ff20980e0612-image.png

because : why not.

I guess (OpenVPN doc should explain more), as soon as a 'client' tries to connect, a 'slot' is allocated.
If you have many 'clients' that try, and these are just scripted scanners looking for less protected (NON TLS) VPN access, slots can allocated fast.
Again : I guess.

I've not (never) seen "I/O wait events" in my OpenVPN logs.
I'm using two OpenVPN servers , port 1194 and port 1195. Both are completely separated, and work fine both. Both servers use TLS, and no user+pasword.

@parushev
Is CARP working well? Check the system log for regarding entries.

Is the OpenVPN server down on the secondary?

Do you have a single router or is it an HA system as well?

How are your pfSense boxes connected to it? Is there a switch or another device in between?

Are they installed on bare metal or virtualized?

Note: When a device is talking to the CARP VIP, it resolves the VIP and get the CARP MAC address and send the packet to this. However, pfSense uses its real interface address (WAN in your case), when replying.
Some devices don't love this behavior. Maybe you're affected of this.

@viragomann Unfortunately, I lost access and won't be able to regain access until I revisit the site tomorrow. I didn't implement any rules on my OpenVPN server; I only selected the boxes while installing OpenVPN with the wizard to create the required rules. OpenVPN had been working before I enabled the interface and then changed the interface's name. I never implemented any rules under the interface OPT1 tab. The only rule that is implemented is under the OpenVPN tab and I believe it's just IPv4 with * in all the fields.

@viragomann said in OpenVPN troubleshooting and Firewall / Rule / OpenVPN vs OPT1:

Consider that rules on interface group have priority over ones on member interfaces. So if there is a pass rule allowing any to any, rules on member interfaces would not have any affect.

So then enabling the OpenVPN interface creates an interface group? The single OpenVPN tab that is created when you setup the wizard is a member interface? (I don't know if this OpenVPN tab is their prior to the wizards use as I didn't look before I used the OpenVPN wizard.)

@viragomann said in OpenVPN troubleshooting and Firewall / Rule / OpenVPN vs OPT1:

What is the purpose of the other tab then?

I'm trying to understand the difference between the rules associated with the tab created when you enable the OpenVPN interface in assignments and the rules made under the tab that is purely labeled OpenVPN.

@tank330 Never resolved the issue..the mute-reply warnings are still there. Just clutters up the logs...

@dbadovsky
Yeah, it has to be in the client specific file, mentioned above.

Nice that you got it sorted.

All sorted now, a couple of badly configured alias's were the issue and have now been rectified. all is working now as desired.

I want to post the critical take away I learned from this discussion for others searching in the future. I did find other discussions but they were very detailed and specigfic to the person's situation very much like this one is, so it is hard to know what are the specifc parts from the ones that apply to everyone. So here just to call it out, the key takeaway that taught me what I needed is.

Check the gateway status (Status -> Gateways) for the VPN Client interface. That will tell you if you have a client configuration problem or not. I ultimately did but the Status -> OpenVPN page indicated it was fine and it actually wasn't.

@johnpoz

It doesn't look like my load is that significant. It's been like this since this box has been running.
947788aa-a1a3-4669-ab8b-c0d3ad215875-image.png

@n8lbv

You are main focusing one point from several available.

Entire pfSense is multi or single core
Underlying system FreeBSD WAN part ist single or multicore pending on the
usage of PPPoE or not. (PPPoE = single queue not
PPPoE = multi queues) One queue per each CPU
core is able to use OPNvpn package is taking advantage of multi CPU
cores usage or not.

It all plays together and not something alone.
You may be able to tune some things here in the game
according to your hardware and use case, like;

mbuf amount mbuf size queues amount queues length queues size

@viragomann Thank you very much for your answers, in particular I did not consider that the error could be in the official tutorial of ProtonVPN, probably I will set up the variant "Client - pfsense - ProtonVPN" with DNS over HTTPS.

@gokulapandi
Yes should work for A and C.
But if you restrict access on B to certain subnets as well, you need to add the same rule as you have at A on the interface connected C and that one you have at C on the interface connected to A.

@tangooversway
Presumably the VPN server pushes the default route to you.
This is a pretty common setting of VPN services.

To avoid it go to the VPN client settings and add a check at "Don't pull routes".
After that you have to create policy routing rules to direct the desired traffic out through the VPN.

Also, with my own OpenVPN setup, I didn't have to switch interfaces in the NAT rules. With the BrandX, it didn't work at all until I switched them.

What do you mean with "switch interfaces in the NAT rules"?
Basically you need to add outbound NAT rules for your internal subnets on the VPN interface, if you want to pass out upstream traffic. But there is nothing to switch. Existing rules (automatic) should stay in place.

@mhassman In our case, as I seem to recall from a few years ago now, the service was running but people couldn't connect until the service was restarted. I am not finding my notes in a quick search though. The weekly restart was just a sledgehammer approach to fixing it.

@roberto-bianchi Yes, is not compatible right now.
We need to stick with 2.5.x line until someone fix this issue.
I have the same situation and I'm testing pfsense 2.7-dev and some case.
Hope to soon see the solution here, regards!!!

@marvosa said in Site-to-site up but not routing, can't use a /30 or /24 tunnel?:

No tunnel network defined, need to add 10.152.0.0/24 in the "IPv4 Tunnel Network" box

I think there's some misunderstandings and misleading info on the tunnel network for a site to site. It shouldn't be needed unless someone is using a /30 topology. It should get the tunnel network from the server.

Regardless, before yesterday's patch, the tunnel network setting wouldn't accept anything less than a /30.

Hmm, so you weren't seeing kernel panics as shown in the linked bug?:
https://redmine.pfsense.org/issues/13938

I'm not aware of anything that would prevent an OpenVPN tunnel passing traffic whilst still connecting. Do you have any logs from the failure situation? When you tested did you see traffic coming over the tunnel?

@johnpoz

@johnpoz said in Using pfSense as OpenVPN Client:

What your trying to do requires some basic understanding of routing, dns, etc. So no you wouldn't follow some vpn guide to connect to their service and route all your traffic out it..

I think I should not have listened to the people who told me, "Sure, this is easy to do and only takes a few hours." OpenVPN wasn't that hard to set up, in the long run, but dealing with the firewall rules and NAT to redirect ONLY the LAN traffic that is either responding to requests from within the VPN or that is only going to the VPN turns out to take a lot more than I thought it would from trying to remember what I was doing 15-20 years ago.