@viragomann sorry, still don't understand, how to stop traffic from passing to normal gateways and pass it to openvpn client instead; don't capture general idea

@dimskraft

Use the same command on pfSense ;)

55c83b55-c7a9-4f0e-a804-bfeb184198ee-image.png

Your (old now) pfSEnse 2.5.1 is using (I don't recall any more) OpenVPN 2.5.2 ?

2.5.x on the client side, and 2.4.x on the server side (probably time to upgrade your docker and pfSEnse) should work.
But there is a but.
If you use mixed versions on both sides, you should really read the changelogs : https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25, just to make sure you not using an option that changed somewhat.

Did the phone app test work ?

What about an easy bare bone setup with certs, just a user/password + no -or minimal) crypto) stuff.
That is, if you control the server side and have access to the server log file.

@bob-dig Thank you for all your help!

BTW I updated to 2.6 AND I will make a back up of my config once I have everything back up. PFBlocker is next. :)

Try all of the below but none is working:

Disabling 'Dynamic IP' setting Upgraded to latest pfSense version 2.6.0 Enabled the following
4df3f129-3a62-4349-ba1d-ab25758f97bd-image.png

Looks like there is bug in pfSense?

@viragomann

I think after some googling and a few coffees I found my solution: https://forum.netgate.com/topic/127814/pfsense-only-openvpn-server-with-only-single-interface-wan

I haven't tested it yet, but it must be almost this problem.

Thank you!

@alexparedes
Did you also update the client?
Which client is it?

Also check the server logs for hints on what is failing.

after review, this is coming from older version with the EXIT NOTIFY... how can i fix old upgraded router without having EXIT NOTIFY ?

powershell command ? re-make the tunnel ?
thanks !

I get even worse results ...

Machine A (pfSense 2.6.0):

time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm 2022-02-26 19:22:27 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled 0.192u 0.000s 0:00.19 100.0% 601+171k 1+0io 0pf+0w

Machine B (pfSense 2.6.0):

time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm 2022-02-26 19:22:35 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled 0.587u 0.023s 0:00.61 98.3% 618+176k 0+0io 0pf+0w

I spent most of the day trying to reach reasonable speeds, and this is the result:

iperf3 -c 172.16.16.1 -R Connecting to host 172.16.16.1, port 5201 Reverse mode, remote host 172.16.16.1 is sending [ 5] local 172.16.16.2 port 53032 connected to 172.16.16.1 port 5201 [ ID] Interval Transfer Bitrate [ 5] 0.00-1.00 sec 6.10 MBytes 51.2 Mbits/sec [ 5] 1.00-2.00 sec 8.03 MBytes 67.4 Mbits/sec [ 5] 2.00-3.00 sec 7.28 MBytes 61.1 Mbits/sec [ 5] 3.00-4.00 sec 7.60 MBytes 63.8 Mbits/sec [ 5] 4.00-5.00 sec 6.77 MBytes 56.8 Mbits/sec [ 5] 5.00-6.00 sec 7.17 MBytes 60.1 Mbits/sec [ 5] 6.00-7.00 sec 8.87 MBytes 74.4 Mbits/sec [ 5] 7.00-8.00 sec 7.41 MBytes 62.2 Mbits/sec [ 5] 8.00-9.01 sec 7.54 MBytes 62.9 Mbits/sec [ 5] 9.01-10.00 sec 6.44 MBytes 54.3 Mbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.14 sec 73.4 MBytes 60.7 Mbits/sec 91 sender [ 5] 0.00-10.00 sec 73.2 MBytes 61.4 Mbits/sec receiver

😞

@jknott said in OpenVPN Not working after update:

Are there changes in the new version (again) that cause earlier versions to fail?

There are always some pesky minor changes, that's why "just updating" pfSense == updating OpenVPN creates "OpenVPN Not working after update".

The "OpenVPN server" is just a process that listens on a port, typically UDP/1194. That's just a firewall rule, no nat needed.

When the connection doesn't work, that is because the 'client' doesn't understand the 'server', or the other way around.

@gertjan

That setting doesn't work for me in the issue I've been having.

I also have encountered this issue. What occurs is that pfSense sometimes gloms the options together when OpenVPN is restarted, causing a syntax error. So

pull-filter ignore "ifconfig-ipv6" pull-filter ignore "route-ipv6"

becomes

pull-filter ignore "ifconfig-ipv6"pull-filter ignore "route-ipv6"

You can workaround this problem by adding a comment marker at the end of each affected line, like:

pull-filter ignore "ifconfig-ipv6" # pull-filter ignore "route-ipv6" #

@viragomann sorry how do I do that? How do I get to the configuration file?

Basically, when doing a whatmyip, I want a WAN address of my VPN endpoint, not my actual IP address at home.

Also, I would expect to see the VPN route reflected in a tracert if I'm not mistaken.

Thanks