@viragomann That fixed the problem, thank you very much!
It looks like only VPNUnlimited has this issue, PureVPN and VPNSecure do not require to select "Don't pull routes"

@lesquestionsdetoto Hi, any idea ?

@stephenw10 said in I need to restart the OVPN tunnels after a pfSense reboot:

Does the client get the correct routes?
Do you see blocked traffic?

@jimp I will try, thanks you!

Looks like the issue was pfBlocker. Every time I tried to make rule changes I would get notice that there wasn't enough memory to load the rules. Pulling out pfBlocker and having it clean out the config fixed it. I've never seen pfBlocker affect anything other than WAN. Threw me for a loop.

@marci and what does the fqdn resolve too, from your ping its resolving to that

ping www.digitec.ch PING www.digitec.ch (198.18.0.75) 56(84) bytes of data.

So clearly your never going to be able to go there if its resolving to such an IP.

The other question is how and the F are you getting any response from that IP?

64 bytes from 198.18.0.75 (198.18.0.75): icmp_seq=1 ttl=63 time=18.3 ms

I guess its possible your ISP has such a network internal to their network.. That would be bad practice for sure. But it is possible - but the bigger question is how/why your resolving the fqdn to that IP in the first place? That site for sure is not being hosted on such an IP. Even if was recently decided to make that public space now, kind of how 1.1.1.1 was once not valid public IP space, and now is.

In the current state of deployment if that was the case - it wouldn't work for pretty much anyone because it is still listed as bogon (which do not route on the public internet - or atleast are not suppose to). And if that is the case - why has arin not updated to reflect that it is now owned by company xyz, vs still listing it as special use space.

if I had to take a guess to why it works when you connect via your phone to some vpn, is your phone (different dns, doh maybe) or the vpn dns is resolving it to the correct IP, while how you have pfsense setup its not resolving correctly.

But no your not going to get there if it resolves to that 198.18 address. Since it is not valid IP, nor is even suppose to route on the public internet.

@romanvekil said in pfSense OpenVPN on VPS client not access internet:

here wireshark listening vpn interface form pc when connected

Would like to know if you can see these packets on pfSense OpenVPN interface likewise. I suspect, you can't.
In this case, I'd recommend to tear down the OpenVPN server and start from scratch.
Have read some threads here in the past, where people complaining similar issues and never got it working.

Please close the topic. It was Debain 10 Iptables and nftables conflict.

@viragomann yah, figured out what the issue was. seems like because the routing policy was set to *, it was messing up where to send the traffic. Once I explicitly set the gateways for each of the VLAN's, it worked.

@droidus said in Connection Help:

I am using the openvpn app

❓
OpenVPN connect? This is what I use and it writes a verbose log file.
d93e8af4-5f11-4e0c-8793-9103176cc8fc-image.png
It can be displayed by hitting the upper right icon.

@beno44

🤡 🤙

change the topic and add [solved]

@shawntanderson

Use client specific override your vpn clients will then get the same ip

BrNp

@droidus
You will have to configure it as custom type.

@cielak221 You are testing with two different peers in your speedtest. I'd use the same one so I can actually compare the speeds - we don't know if the "blackburn tech" has just a slower connection.

I'd also post my VPN config as otherwise one doesn't know what you have configured. Downgrading from 2.5.2 to 2.4.5 is nonsense, too. OpenVPN is OpenVPN - just because their documentation isn't up to date doesn't mean you have to downgrade your security. That's utter nonsense. Why should I downgrade my firewall to an older/less secure release to use some "cool VPN security".
You don't have to downgrade your PC/installed version of the OpenVPN Client to 2.4.x either so why should you have to with pfSense? :)

Just flew over their guide to setup - don't see anything that shouldn't work with pfSense 2.5.2 besides setting up nonsense options like supplying "remote-random" but only using one remote for their server. So I'd just follow the guide and check what the service will post in the logs and modify the client settings accordingly. I'm certain things like

remote-random tls-client persist-key persist-tun

are unneccesary as they are set by pfSense itself - no need to put them in adv. options. Also using the WebUI cert as a "dummy" is nonsense too. With 2.5.2 you can simply select "none" and just supply user/pass, that's what they do anyway as the never install/import an actual client certificate (so that won't be checked by their servers and is void). Setting the MTUs and MSSFIXes is fine I guess. Always depends on your end of the line. With a bad ISP or overhead that values could also be lower.

I'd recommend to delete the VPN entry, upgrade to 2.5.2 again, make sure everything else (including a speedtest) is working as expected and then re-create their VPN again on 2.5.2. Shouldn't be too hard.

Cheers
\jens

Edit: Also: check https://support.nordvpn.com/Connectivity/Router/1626958942/pfSense-2-5-Setup-with-NordVPN.htm instead of your 2.4.5 link :)

Edit 2: please stop their guide after setting up the OpenVPN. The rest of it is just stupid if the tunnel doesn't work in the first place as you are guided to "cripple" your system to only ever use NordVPN ressources e.g. DNS servers etc etc and will destroy a working IPv6 configuration or the normal default LAN any any rule. For someone not knowing about policy based routing, DNS resolver internals or problems etc. that writeup is a pretty guide to destroy your working configuration and centralise everything over their infrastructure.

SOLVED: the Client certificate was not present, apparently the OpenVPN configuration Wizar only create a "Server Certificate", so the user one have to be created manually.

alt text

@brunoforestier

you changed your tunnel IP ?

and if solved please mark als solved
brNP