@viragomann Thank you, that is the response we were looking for. We will put the OpenVPN segment on a new vlan, it's a /24 subnet with lots of devices, so impractical to do a static route for them all. What you are saying makes complete sense. Thank you!

@travis-fleming
No, pfSense also nat outbound traffic on WAN if there is a gateway stated in the interface settings.

So go to Interface > LAN and check if there is a gateway stated in the IP configuration.
If so and there is no reason to have it, remove it and pfSense will not nat outgoing traffic.

@viragomann Thank you, i will swap those around and give that a shot... Going to feel dumb if that works. lol

@gabriel_rocha
A reason for the error you get could be that the client gets no response from the server, could be that he cannot reach it at all.

After you have rechecked the server settings, best to start is to check the log. If there isn't any line of the attemption to connect sniff the traffic on the WAN (Diagnostic > packet capture) to see if the clients requests arrive there.
Enter the port you've set for the server into the port filter, start the capture and try to connect from outside.
Do you see any packets from the client?

@troubleshooting74 said in openvpn connect mac monterey:

WAN UDP4 / 1194
(TAP) x.x.x.x.x

Is it running in tap mode?

@michaellacroix
Exact 👍

@123123 said in ExpressVPN setup by beginner for beginners:

(like if ExpressVPN updates the .ovpn files or something like that)

Or the OpenVPN version used by pfSense changes !
Or the OpenVPN version used by Express changes.
For the normal Express clients, this is a none-issue as they 'just have to upgrade their Express VPN client and done.
When you use an VPN ISP with pfSense, you don't use their client.
You and I and many others do things 'the hard way, also known as 'manually'.
When the version changes, parameters can get declared 'not wanted' - and new parameters can get added.
For some, there will be a pfSense GUI equivalent so you handle their usage with some ease.
For some, the custom option box is needed.

Right now, pfSense ans Express seems to be in sync, as my custom options box contains the bare minimum :

d1c73da8-26ee-41e2-9ecf-0dae66705b2d-image.png

I'm pretty sure these parameters, fragment and mssfix, the decimal values, are not optimal.

VPN performance on pfSense is great if you configure and tune it properly. It's even better on Plus.

It helps if you have hardware that supports acceleration and use algorithms which are accelerated by that hardware.

A lot also depends on your ISP. The upload and download speed (claimed and actual tested speed), WAN type (PPPoE, DHCP/Static, etc), MTU, and so on. Also if your client is on another ISP their WAN speeds matter, too. As well as along the whole path between the two sites.

All that said, SMB is notoriously crappy over non-local networks so it's a poor way to judge speed. Definitely run tests with something like iperf (between the client and the target server, NOT to the firewall itself!).

@jknott Hello JK, I have edited the text for better understanding. Anyway...
I would have to enable the openvpn interface to create manual routes.
But I am more interested on "why" it creates route for a 2001:: address and not for a fc00:: or fd00:: addresses.

@dominikhoffmann
Best to check the logs for hints on both ends: system, OpenVPN
Ensure that the OpenVPN log level is set to a proper value. 3 might be sufficient for this issue.

Hi ! I have the same issue since upgrade on the client side. (before it worked )

this is the log before when it's worked :

/sbin/ifconfig ovpnc4 10.10.2.2 10.10.2.1 mtu 1500 netmask 10.10.2.1 up /usr/local/sbin/ovpn-linkup ovpnc4 1500 0 10.10.2.2 10.10.2.1 init

and after the upgrade :

/sbin/ifconfig ovpnc4 10.10.2.2/-1 mtu 1500 up FreeBSD ifconfig failed: external program exited with error status: 1

@blazestar pretty sure auth should drop stuff as well, you don't actually need to be using tls-crypt.. just tls-auth should work? Notice link I pointed too is about tls-auth..

@viragomann I've actually tried it both ways...Tunnels are fine, routing tables are correct, but full ping response one way, and response only to the tunnel address the other way.
So decided to use shell and run fsck on both units. One had minor inconsistencies which cleaned up, the other is exiting with notice "LOST 2 DIRECTORIES/UNEXPECTED SOFT UPDATE INCONSISTENCY".
My probable next step will be to contact NetGate for the files necessary to reformat SSD and do a bare metal install....sigh...

@johnpoz thanks for all of the info. I have read it, but it is late here in Blighty (UK) so it might take me a while to mull this over. Information like this helps us newbies (i.e. me) a lot and is appreciated.

first, try openvpn because that is well established and wire guard is new. the ProtonVPN service website should have setup instructions and OpenVPN config files that you can use.

@gertjan this fixed issue for me

Updating the linker file manually fixed it for me. Run: ``` kldxref /boot/kernel

on both SG-3100

restarted OpenVPN service on both router

Thanks for quick reply.

@prunch

I don't understand the question.
You think the connection to your LAN isn't safe ?

@gertjan awesome, it worked.
thank you very much for your knowledge, clear instructions, and patience. hope you have a great day.
also thank you @chpalmer @viragomann for helping out

@nospam
Maybe this helps: https://redmine.pfsense.org/issues/13424