Jump to content
Not connected, Your IP:

Pfsense will no longer connect

Recommended Posts

I'm not sure where to ask this but I'm having issues with my PFSense router using openvpn. It was working fine up until the servers that I was using went down for maintance. Ever since then, I can't get a connection.
I've regenerated the config assuming the certificates had expired but nothing I do can't get a connection. I've looked at the logs and I can't see a real reason for the failure.

Also as a side note, I have to use TCP over UDP as I'm with Virgin Media in the UK. For whatever reason, Virgin media routers can't handle the UDP traffic on a hardware level (I'd get 2 down, 0.2mbps up) but on TCP I'd get 120/34 mbps (with 480/36 native) and reduce native down to 1-2 down and 0.01 up.

Am I being dumb or have I missed something?

AirVPN Conf.txt PFSense Conf.pdf PFSense Logs.txt

Share this post

Link to post

You may have an MTU (maximum packet size in bytes) issue when you use UDP.  I don't know pfSense, but perhaps somewhere in it you can set OpenVPN's fragment parameter, which I believe (per the googleable OpenVPN 2.5 man page) should be your WAN MTU less the UDP and IP overhead, so if MTU=1500, perhaps fragment should be set to (no more than) 1472?  I am NOT an expert here, so I hope someone with a clue will chime in.

If you set fragment too high, everything will freeze or get erratic on occasion or leave you with miserable speeds.  Lower is safer, but you lose some efficiency.  Just to see if this is the problem though, try setting it to 1300 just to see what happens.  If suddenly things work with much better speed, overlarge UDP packets were the issue.  Then you can experiment with larger values.  A binary search on the 1300 to 1500 range should home in on an acceptable value without too much misery.

If you can't set fragment, perhaps you can set OpenVPN's MTU parameter itself (but expect warning messages).  It should be less than the WAN MTU by enough to allow for encapsulation overhead and UDP overhead, which here in my setup  with WAN MTU=1500 and using the ChaCha20-Poly1305 Data Cipher, translates to OpenVPN MTU=1434.  Again though, smaller is safer but less efficient.  Make it one byte too large and everything will freeze.

Understand though that what will work depends on your ISP and your network setup.  There is no universal answer, and in fact what your ISP's network will support can be different on different days.  There is much online about how to determine a good value, but frankly it is a confusing mess, to say the least.  I doubt this note will be any better.  Good luck though.

Share this post

Link to post

you are using Entry Point 3 configuration within Pfsense (TLS KEY USAGE).    is this what you are choosing when generating the files ?

I would change your fallback to 256 GCM.   and add Polycha to your list of usable data algorithims... for obvious reasons 

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Security Check
    Play CAPTCHA Audio
    Refresh Image

  • Create New...