• Site-to-Site VPN Tunnel Flagged in PCI Scan

    0 Votes, 12 Posts, 2k Views

    @parkerask_centuryci I had to remove the line to bring up my secure tunnels again today. Right now I have removed it till we can find a way to have the tunnels come back after the firewall reboots in the morning. I do not want to have to do an hour's work for it to come back for the day.

  • OpenVPN woes and hard crash

    0 Votes, 3 Posts, 479 Views

    @viragomann

    Nothing unusual AFAIK... (note that I grabbed the raw log, so it's in chronological order, oldest lines first)

    May 29 07:43:34 pfsense openvpn[73684]: Validating certificate extended key usage
    May 29 07:43:34 pfsense openvpn[73684]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    May 29 07:43:34 pfsense openvpn[73684]: VERIFY EKU OK
    May 29 07:43:34 pfsense openvpn[73684]: VERIFY OK: depth=0, CN=gateway1.nordvpn.com
    May 29 07:43:34 pfsense openvpn[40473]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
    May 29 07:43:34 pfsense openvpn[40473]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    May 29 07:43:34 pfsense openvpn[40473]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    May 29 07:43:34 pfsense openvpn[40473]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    May 29 07:43:34 pfsense openvpn[40473]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
    May 29 07:43:34 pfsense openvpn[73684]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
    May 29 07:43:34 pfsense openvpn[73684]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    May 29 07:43:34 pfsense openvpn[73684]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    May 29 07:43:34 pfsense openvpn[73684]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    May 29 07:43:34 pfsense openvpn[73684]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
    May 29 07:46:45 pfsense openvpn[56921]: VERIFY WARNING: depth=0, unable to get certificate CRL: CN=gateway2.nordvpn.com
    May 29 07:46:45 pfsense openvpn[56921]: VERIFY WARNING: depth=1, unable to get certificate CRL: C=PA, O=NordVPN, CN=NordVPN CA7
    May 29 07:46:45 pfsense openvpn[56921]: VERIFY WARNING: depth=2, unable to get certificate CRL: C=PA, O=NordVPN, CN=NordVPN Root CA
    May 29 07:46:45 pfsense openvpn[56921]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
    May 29 07:46:45 pfsense openvpn[56921]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA7
    May 29 07:46:45 pfsense openvpn[56921]: VERIFY KU OK
    May 29 07:46:45 pfsense openvpn[56921]: Validating certificate extended key usage
    May 29 07:46:45 pfsense openvpn[56921]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    May 29 07:46:45 pfsense openvpn[56921]: VERIFY EKU OK
    May 29 07:46:45 pfsense openvpn[56921]: VERIFY OK: depth=0, CN=gateway3.nordvpn.com
    May 29 07:46:45 pfsense openvpn[56921]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    May 29 07:46:45 pfsense openvpn[56921]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    May 29 07:46:45 pfsense openvpn[56921]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
    May 29 08:38:45 pfsense openvpn[56921]: write UDPv4: No route to host (code=65)
    May 29 08:38:45 pfsense openvpn[73684]: write UDPv4: No route to host (code=65)
    May 29 08:38:45 pfsense openvpn[40473]: write UDPv4: No route to host (code=65)
    May 29 08:38:46 pfsense openvpn[73684]: write UDPv4: No route to host (code=65)
    May 29 08:38:46 pfsense openvpn[40473]: write UDPv4: No route to host (code=65)
    May 29 08:38:46 pfsense openvpn[56921]: write UDPv4: No route to host (code=65)
    May 29 08:38:46 pfsense openvpn[40473]: write UDPv4: No route to host (code=65)
    May 29 08:38:46 pfsense openvpn[73684]: write UDPv4: No route to host (code=65)
    May 29 08:38:46 pfsense openvpn[56921]: write UDPv4: No route to host (code=65)
    May 29 08:38:47 pfsense openvpn[40473]: write UDPv4: No route to host (code=65)
    May 29 08:38:47 pfsense openvpn[73684]: write UDPv4: No route to host (code=65)

    The internet was down during that time because the VPN ceased to function.... Other than that, I don't think I had an outage, and the WAN was still up and connecting fine....

    There's an ISP cable modem upstream of pfSense, but it's in dumb mode (bridge mode) and has been for many years without issues....

  • Look for support...

    0 Votes, 3 Posts, 684 Views

    @lasouris Our documentation has plenty of recipes:

    IPsec

    IPsec Site-to-Site VPN Example with Pre-Shared Keys
    IPsec Site-to-Site VPN Example with Certificate Authentication
    IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2
    IPsec Remote Access VPN Example Using IKEv2 with EAP-RADIUS
    IPsec Remote Access VPN Example Using IKEv2 with EAP-TLS
    Configuring IPsec IKEv2 Remote Access VPN Clients
    IPsec Remote Access VPN Example Using IKEv1 with Xauth
    IPsec Remote Access VPN Example Using IKEv1 with Pre-Shared Keys
    Routing Internet Traffic Through a Site-to-Site IPsec Tunnel

    OpenVPN

    OpenVPN Site-to-Site Configuration Example with SSL/TLS
    OpenVPN Site-to-Site Configuration Example with Shared Key
    OpenVPN Remote Access Configuration Example
    Adding OpenVPN Remote Access Users
    Installing OpenVPN Remote Access Clients
    Authenticating OpenVPN Users with FreeRADIUS
    Authenticating OpenVPN Users with RADIUS via Active Directory
    Connecting OpenVPN Sites with Conflicting IP Subnets
    Routing Internet Traffic Through A Site-To-Site OpenVPN Tunnel
    Bridging OpenVPN Connections to Local Networks
    OpenVPN Site-to-Site with Multi-WAN and OSPF

  • IPFire (server) peer to peer pfSense (client)

    0 Votes, 1 Posts, 336 Views
    No one has replied

  • Site to Site VPN same subnet

    0 Votes, 5 Posts, 1k Views

    @chrisjmuk Not too difficult to do.
    Use an OpenVPN tap tunnel and do not assign a tunnel address. I do this with a trunk port because I needed 3 VLANs going over to the second server.

    Follow this guide:

    https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-bridged.html

  • Some warnings on OpenVPN client connections

    0 Votes, 1 Posts, 421 Views
    No one has replied

  • Can't connect more than one airvpn client ...

    0 Votes, 4 Posts, 810 Views

    It was on a PC build. My mistake was not choosing a "tls-crypt, tls1.2" AirVPN server; only those work on pfSense.

  • Restart openvpn service using Cron

    0 Votes, 1 Posts, 371 Views
    No one has replied

  • Any AirVPN users?

    0 Votes, 3 Posts, 1k Views

    @jimphreak Is your pfSense an ARM Box or PC Build? I can't get it working on my SG-2100.

    My AirVPN posting How To Set Up pfSense+ for AirVPN.

  • Problems with airVPN and pfsense

    0 Votes, 4 Posts, 2k Views

    @apollo17 Is your pfSense an ARM Box or PC Build? I can't get it working on my SG-2100.

    My AirVPN posting How To Set Up pfSense+ for AirVPN.

  • How To Set Up pfSense 2.1 for AirVPN

    0 Votes, 5 Posts, 2k Views

    Is your pfSense an ARM Box or PC Build? I can't get it working on my SG-2100.

    My AirVPN posting How To Set Up pfSense+ for AirVPN.

  • Different instances using different internal interfaces

    0 Votes, 5 Posts, 752 Views

    @hidepp Not really. I have no idea what you want to allow or deny, only you do.
    But to start, set both OpenVPN interfaces to allow all, then trim them down as needed.
    Always the easiest way to start.

  • VPN user auth with SSL/TLS + MFA

    0 Votes, 1 Posts, 352 Views
    No one has replied

  • States killed when VPN user disconnects

    0 Votes, 1 Posts, 356 Views
    No one has replied

  • OpenVPN: connection established but cannot access LAN or WebGUI

    0 Votes, 5 Posts, 844 Views

    @viragomann It is all working now! Thank you!

  • Remote Access / TLS + User Auth - Connection up but no LAN

    0 Votes, 24 Posts, 2k Views

    @hispeed So I tried this in my lab last night and could not get it working although it should.
    To be honest, you're wasting your time. Just do a peer to peer with a /31 and be done with it.
    But if you want to keep trying....
    First, you do not need a CSO with only one client connecting. As I said, get rid of it. Not doing any good.
    Second, with remote access as the type, you're basically creating a "road warrior" vpn. Typically meant for one client to connect to one site. It doesn't enable other clients on the remote network access to the vpn. That's why I say just do the peer to peer as it's meant to be used. But you can configure a remote access for the entire remote LAN, see here:

    https://community.openvpn.net/openvpn/wiki/HOWTO#IncludingmultiplemachinesontheclientsidewhenusingaroutedVPNdevtun

    Again, I tried it, it's a waste of time when there's an option made explicitly for what you want.
    The biggest problem with remote access is the config doesn't give you the option to set "Remote IPv4 Networks" and peer to peer does.

    By the way, that error you're seeing has to do with the certificates. Did you create all certs on the server, then export the needed certs to the client, or did you create certs on server and create certs on client?

  • Unable to connect to different networks with OpenVPN!

    0 Votes, 11 Posts, 1k Views

    Problem solved for now:
    The problem was solved when I deleted the VPN server I created and created it again (VPN > OpenVPN > Servers).

    Later I realized that if you add the OpenVPN interface from the interface section, this problem happens. Even if you delete the related interface later, the problem is not solved. However, when I delete the server from VPN > OpenVPN and add it again, it is fixed.

    Thank you, everyone.

  • So I’ve got a problem with I have installed OpenVPN

    0 Votes, 2 Posts, 537 Views

    @panpanpramuk
    What is the goal of the OpenVPN client?
    A connection to a VPN provider? Did you set up the client according to a guide? Which one? Did you do all the steps?

    What is your intention? Do you want to route all traffic over the VPN or only particular traffic?

  • All routes not coming from pfsense openvpn

    0 Votes, 2 Posts, 625 Views

    Solved: adding push "route 10.4.0.0 255.255.255.0" under
    VPN >> OpenVPN >> Client Specific Overrides >> Origen >> Edit >> Advanced >> ADD

    push "route 10.4.0.0 255.255.255.0"

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.