So I've been messing around for a while trying to use a VPN through pfSense (as a client) and didn't have a lot of success. Setting up the VPN is fairly straightforward, but I could never get a stable connection. But I finally figured out what the problem is and thought I'd share it with everyone in case someone else was having similar problems.
This isn't going to be a guide on setting up a VPN client on pfsense (although if anyone wants I can probably write one up). Most VPN services have a guide for setting it up. This will just explain the problem I was having and how I solved it.
The problem I was having with my VPN was that the connection would drop all the time, especially when it was under load. This made it pretty much unusable. But I couldn't figure out what the problem was. I messed around with the keepalive option for openvpn as well as the ping-restart, but neither of these seemed to have any effect. I thought it might have been a problem with packet fragmenting, so I messed around with the MTU and MSS settings, but this also had no effect.
The problem turned out to be caused by pfsense's gateway monitoring daemon. You have probably seen the gateway quality info on the main page of the pfSense webUI. Well, the program which gives you that info, apinger, isn't just for displaying info. It is used in multi-WAN setups to switch traffic to a different gateway when the quality drops. In a single WAN configuration it will restart the connection, which will cause openVPN to restart as well. It does this when the latency or packet loss reaches a preset limit; this is when the status changes from a green 'online' to a yellow 'latency'. I think the default is around 400ms.
There are three ways to fix this, although I've only tried two. The first and simplest is to disable gateway monitoring. This will stop the gateway quality info as well though. To do it, go to system>routing and edit both the WAN and VPN gateway and check the 'disable gateway monitoring' box.
The next option is to change the thresholds for when apinger will restart the gateway. To do this, go into the gateway settings and click advanced. You want to put something high in here to prevent apinger from restarting the gateway. Here are the settings I use:
latency threshold: 3000 - 4000
packet loss threshold: 30 - 40
Probe interval: 2
Down: 30
This way the connection should only restart if the gateway really is down, and not just because the ping took too long to complete.
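To make the threshold logic concrete, here is an added example (not pfSense or apinger code): a simplified Python model of a gateway monitor that flags a gateway on average latency, packet loss, or a run of unanswered probes spanning the 'Down' window, run over constructed probe samples. The ~400ms default latency comes from the post; the other default values and the averaging method are assumptions.

```python
# Simplified model of a pfSense-style gateway monitor (apinger-like).
# Added example, not pfSense code; the exact averaging apinger uses is assumed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Thresholds:
    latency_ms: float      # average RTT above this -> 'latency' status
    loss_pct: float        # packet loss above this -> 'loss' status
    probe_interval_s: int  # seconds between probes
    down_s: int            # seconds with no reply before 'down'


# ~400 ms latency default is from the post; loss/interval/down defaults are assumed.
DEFAULT = Thresholds(latency_ms=400, loss_pct=10, probe_interval_s=1, down_s=10)
# The author's raised settings from the post.
RAISED = Thresholds(latency_ms=3000, loss_pct=30, probe_interval_s=2, down_s=30)

# Constructed probe histories: RTT in ms per probe, None for a lost probe, oldest first.
LOADED: List[Optional[float]] = [650, 720, 810, 900, 770] * 4   # saturated VPN link
LOADED[7] = None                                                 # one lost probe (5% loss)
OUTAGE: List[Optional[float]] = [40, 45, 38] + [None] * 20       # gateway really went away
STEADY: List[Optional[float]] = [40] * 20                        # healthy idle link


def evaluate(samples: List[Optional[float]], t: Thresholds) -> str:
    """Return 'down', 'loss', 'latency' or 'online' for a probe history."""
    # Number of consecutive probes that fit in the 'Down' window.
    window = max(1, t.down_s // t.probe_interval_s)
    recent = samples[-window:]
    if recent and all(s is None for s in recent):
        return "down"
    replies = [s for s in samples if s is not None]
    loss = 100.0 * (len(samples) - len(replies)) / len(samples)
    avg = sum(replies) / len(replies) if replies else float("inf")
    if loss > t.loss_pct:
        return "loss"
    if avg > t.latency_ms:
        return "latency"
    return "online"


def would_restart(samples: List[Optional[float]], t: Thresholds) -> bool:
    """Any non-'online' status is what triggers the gateway (and VPN) restart."""
    return evaluate(samples, t) != "online"
```

With the default thresholds the loaded link is flagged 'latency' and restarted even though it never went down; with the raised thresholds only the real outage triggers a restart.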
The third option is to prioritize ICMP traffic. I haven't tried this but if you have the traffic shaper set up just make a rule for ICMP traffic and put it in the highest priority queue. This should prioritize pings and prevent apinger from reporting high latency and restarting the gateway.
Anyway, just thought I'd share this. If anyone wants any help setting up a VPN on pfsense just let me know.