Instability and High Resource Usage on pfSense 24.11 with OpenVPN + OSPF (Site-to-Site Failover)
-
Hi all,
we're running a site-to-site setup between two locations (Rome and Perugia) using OpenVPN tunnels in Peer to Peer (SSL/TLS) mode. We're also using FRR/OSPF to dynamically manage routing and enable failover between two tunnels (each with different cost).
After updating the pfSense firewall in Rome to 24.11, we started experiencing the following issues:
Problems observed:High resource usage (CPU/RAM) on the pfSense in Rome when both tunnels are active OSPF becomes unstable or slow to switch routes when one tunnel degrades OpenVPN clients reconnect frequently or delay during transitions We've seen intermittent "No route to host" errors in logs Crash reports in /vpn_openvpn_client.php and /vpn_wg_settings.php (after trying to test WireGuard as alternative)🧪 What we’ve done:
Verified all OpenVPN and FRR configurations Ran multiple tests (ICMP, MTR, speedtest-cli) from both locations Confirmed that the issue appears mostly on the Rome firewall, particularly when the tunnel over Fastweb MPLS is active Switched tunnel priority via OSPF cost — the one with Fastweb always results in latency and routing instability Tried to configure WireGuard, but ran into PHP crash (possibly due to WireGuard package instability on 24.11)
Setup summary:pfSense Plus 24.11 on both ends (Rome and Perugia) OpenVPN clients on Perugia, OpenVPN server on Rome 2 tunnels: one over internet connection (Meshcom), one over Fastweb MPLS OSPF for routing and automatic failover Manual outbound NAT, rules per tunnel, static port enabled
Questions:Is anyone else experiencing resource or routing issues after the 24.11 upgrade using OpenVPN + OSPF? Is there a known issue with OpenVPN tunnel handling in 24.11? Should we avoid using FRR + OpenVPN on this release? Would switching to WireGuard improve stability?We’d be grateful for suggestions or similar experiences. I can also provide logs, configs, or test outputs if needed.
Thanks in advance!
Vincenzo
-
Hi all,
I’ve read through the thread and wanted to add some clarification based on the on-site intervention I handled yesterday at the Perugia office.
In my opinion — and based on the tests I performed — the issue is not related to OSPF or dynamic routing, which is working consistently according to the current configuration.
The real bottleneck appears to be entirely due to the performance of the two OpenVPN tunnels connecting to Rome. During troubleshooting, I compared the actual throughput over:
MPLS and Meshcom (fiber) connections → both showed high and stable bandwidth
versus the OpenVPN tunnels, where I observed significantly reduced performance (about 1/10th of the available bandwidth) and noticeable instability
In particular:
there’s high latency and significant jitter
on-site operators confirmed serious issues with VoIP audio, with stuttering and delays — classic symptoms of tunnel congestion
To restore connectivity, I implemented a temporary workaround with a single tunnel using a different protocol, which is currently stable, although not redundant.
I’m happy to discuss or run further tests if needed, but based on all observed data, the issue points clearly to degraded OpenVPN throughput, not OSPF behavior or routing logic.
Best regards,
Luca -
For reference, the site-to-site environment we had set up between the two locations was based on this official Netgate configuration:
[OpenVPN + OSPF Site-to-Site Setup]This is the exact topology and integration model that was implemented, that worked flawlessly until the upgrade to 24.11, which further supports the conclusion that the issue lies with the OpenVPN tunnel performance rather than OSPF itself.