VPN connects, can't ping or connect to remote subnet

  • The tl;dr version is on the client side I get  manager: (tap0): new Tun device (/org/freedesktop/NetworkManager/Devices/5) and cannot get it to use TAP.

    I get no warnings or errors connecting.

    The client config is (as created from pfSense wizard):
    dev tap
    cipher AES-256-CBC
    auth SHA1
    resolv-retry infinite
    remote xxx.xxx.xxx.xxx 1194 udp
    lport 0
    verify-x509-name "xyz.com" name
    pkcs12 firewall-udp-1194-user.p12
    tls-auth firewall-udp-1194-user-tls.key 1
    ns-cert-type server

    My local subnet is
    Remote is

    I get assigned and the routing tables update as expected (I think).

    ip r

    default via dev eno1 proto static metric 100
    xxx.xxx.xxx.xxx via dev eno1 proto static metric 100 dev tap0 proto kernel scope link src metric 50 dev eno1 proto kernel scope link src metric 100

    The ovpn wizard created firewall rules:
    IPV4 UDP * * WAN Address 1194 * none
    IPV4 * * * * * * none

    I can not connect in any way to any remote IP.


    PING ( 56(84) bytes of data.
    From icmp_seq=1 Destination Host Unreachable


    traceroute to (, 30 hops max, 60 byte packets
    1  magneto (  3045.336 ms !H  3045.300 ms !H  3045.297 ms !H

    magneto is my local machine, exists on the remote network.

    Back to the tl;dr:
    I think the fact that "tap0" is actually a tun device is my issue.

    Any ideas are appreciated!

  • Your openvpn client export package is up-to-date?

    On your ovpn server, tun is selected for "Device mode" near the top? Maybe something isn't saved right in your config, try re-saving it and then re-downloading your ovpn config from client export…

  • Redoing the config wizard resulted in the same config.

    The server config in pfsense is set to tap for mode. Interface is WAN, bridge interface is LAN.

    I found a guide that had me do the following:

    1. Interfaces –-> (assign)
    2. add an interface by pressing the "+" button
    3. in the drop down box next to the OPT1 interface that was created choose the open vpn server instance we just created
    4. goto Interfaces ---> OPT1
    5. Enable the interface and give it a Description
    6. goto Interfaces ---> (assign)
    7. choose the Bridges tab and then click the "+" button to add a bridge
    8. Hold the CTRL button and highlight both your LAN interface and the renamed OPT1 interface we just created.

    I then restarted OpenVPN...and got the same result. It connects, but is useless.

  • so, you are actually wanting to use tap mode? Why do you need that if I may ask?  It is fairly uncommon and a bit trickier to make work, will not work for mobile devices and has several other caveats etc. Much better to stick with tun unless you really need broadcast traffic to traverse the tunnel for some reason…

Log in to reply