@troubleshooting74 said in openvpn connect mac monterey: WAN UDP4 / 1194 (TAP) x.x.x.x.x Is it running in tap mode?

@michaellacroix Exact

@123123 said in ExpressVPN setup by beginner for beginners: (like if ExpressVPN updates the .ovpn files or something like that) Or the OpenVPN version used by pfSense changes ! Or the OpenVPN version used by Express changes. For the normal Express clients, this is a none-issue as they 'just have to upgrade their Express VPN client and done. When you use an VPN ISP with pfSense, you don't use their client. You and I and many others do things 'the hard way, also known as 'manually'. When the version changes, parameters can get declared 'not wanted' - and new parameters can get added. For some, there will be a pfSense GUI equivalent so you handle their usage with some ease. For some, the custom option box is needed. Right now, pfSense ans Express seems to be in sync, as my custom options box contains the bare minimum : [image: 1680954856745-d1c73da8-26ee-41e2-9ecf-0dae66705b2d-image.png] I'm pretty sure these parameters, fragment and mssfix, the decimal values, are not optimal.

VPN performance on pfSense is great if you configure and tune it properly. It's even better on Plus. It helps if you have hardware that supports acceleration and use algorithms which are accelerated by that hardware. A lot also depends on your ISP. The upload and download speed (claimed and actual tested speed), WAN type (PPPoE, DHCP/Static, etc), MTU, and so on. Also if your client is on another ISP their WAN speeds matter, too. As well as along the whole path between the two sites. All that said, SMB is notoriously crappy over non-local networks so it's a poor way to judge speed. Definitely run tests with something like iperf (between the client and the target server, NOT to the firewall itself!).

@jknott Hello JK, I have edited the text for better understanding. Anyway... I would have to enable the openvpn interface to create manual routes. But I am more interested on "why" it creates route for a 2001:: address and not for a fc00:: or fd00:: addresses.

@dominikhoffmann Best to check the logs for hints on both ends: system, OpenVPN Ensure that the OpenVPN log level is set to a proper value. 3 might be sufficient for this issue.

Hi ! I have the same issue since upgrade on the client side. (before it worked ) this is the log before when it's worked : /sbin/ifconfig ovpnc4 10.10.2.2 10.10.2.1 mtu 1500 netmask 10.10.2.1 up /usr/local/sbin/ovpn-linkup ovpnc4 1500 0 10.10.2.2 10.10.2.1 init and after the upgrade : /sbin/ifconfig ovpnc4 10.10.2.2/-1 mtu 1500 up FreeBSD ifconfig failed: external program exited with error status: 1

@blazestar pretty sure auth should drop stuff as well, you don't actually need to be using tls-crypt.. just tls-auth should work? Notice link I pointed too is about tls-auth..

@viragomann I've actually tried it both ways...Tunnels are fine, routing tables are correct, but full ping response one way, and response only to the tunnel address the other way. So decided to use shell and run fsck on both units. One had minor inconsistencies which cleaned up, the other is exiting with notice "LOST 2 DIRECTORIES/UNEXPECTED SOFT UPDATE INCONSISTENCY". My probable next step will be to contact NetGate for the files necessary to reformat SSD and do a bare metal install....sigh...

@johnpoz thanks for all of the info. I have read it, but it is late here in Blighty (UK) so it might take me a while to mull this over. Information like this helps us newbies (i.e. me) a lot and is appreciated.

first, try openvpn because that is well established and wire guard is new. the ProtonVPN service website should have setup instructions and OpenVPN config files that you can use.

@gertjan this fixed issue for me Updating the linker file manually fixed it for me. Run: ``` kldxref /boot/kernel on both SG-3100 restarted OpenVPN service on both router Thanks for quick reply.

@prunch I don't understand the question. You think the connection to your LAN isn't safe ?

@gertjan awesome, it worked. thank you very much for your knowledge, clear instructions, and patience. hope you have a great day. also thank you @chpalmer @viragomann for helping out

@nospam Maybe this helps: https://redmine.pfsense.org/issues/13424

Solved! Followed a lot of rabbit holes down until I found these: https://serverfault.com/questions/1064935/openvpn-server-connexion-ok-but-no-access-to-remote-lan which lead to: https://openvpn.net/community-resources/how-to/#expanding-the-scope-of-the-vpn-to-include-additional-machines-on-either-the-client-or-server-subnet Main take away was that I needed to add push "route [Local LAN subnet] 255.255.255.0" to the advanced configuration on the server setup. Still reading a bit more to understand how this worked, but I'm able to ping my local machine as well as remote into it. Happy days.

@rcoleman-netgate Hello Sir, Yes, i make some trial and error and i notice that the issue comes when i let pfsense generate the shared key ! While i use another vpn instance already existing with copy , and edit the settings, is working ! Also this is happening on the client side ! both pfsense on 2.6 version. Is this a bug or i'm doing something wrong ? I just exchanging the generated key with copy paste. If generated on server, client is not accepting it and cause this error. If key generated on client, and copy to server, server gets the error ! I will try 2-3 things and let you know.

@johnpoz Thanks, John, I'll give that a try. In the mean time, I am trying to get a site-to-site VPN established between two Netgate boxes (one with a dynamic ip address) but I'm not having much success :-( The VPN connects but no traffic flows through it yet...

Actually do not know, still analyzing, that's the setting I changed and it seems to be stable now, cross-client (windows, linux, android, ...). Also changed the DNS servers to both VPN network x.x.x.1 and vlans CARP IPs (the vlans reachable throguh VPN), to be HA proficient. Do not know why I do need the DNS entries to reach other IPs in the remote networks (not hostnames, just IPs...). Thank you very much!