• How can I set up clients with conflicting subnets?

    1
    0 Votes
    1 Posts
    275 Views
    No one has replied
  • OpenVPN Killswitch Issue

    1
    0 Votes
    1 Posts
    328 Views
    No one has replied
  • Issue with two CAs

    2
    0 Votes
    2 Posts
    380 Views
    D

    Modified the pivpn install script and set the CN for one location to be different.

    It seems pfsense computes identical hashes otherwise and gets confused which is which.

  • Verify error dept=0,error=certificate

    2
    0 Votes
    2 Posts
    308 Views
    bingo600

    @nortel

    Does your device have the correct date & time set?

    If so ...
    I would check if the message: error=certificate has expired, is valid

    From the pict, it seems like the client is a Windows PC w. OpenVPN client installed.
    What is the other (Server) end?
    A pfSense you control?

  • Windows 10 Client Not Obtaining IP in TAP Mode

    6
    0 Votes
    6 Posts
    552 Views
    E

    I'll try updating the OpenVPN client. I saw the new v3. It looks like a Windows version of the iOS client and seems feature limited. Not sure if anyone here has used it before. Maybe it's just the GUI is nicer looking and the "innerds" are still high-tech. :)

  • Can't connect to 3rd Party VPN Service using OpenVPN.

    5
    0 Votes
    5 Posts
    714 Views
    DenverDesktopsSupport

    @denverdesktopssupport said in Can't connect to 3rd Party VPN Service using OpenVPN.:

    @viragomann following this article. 192.168.35 is LAN

    the interface is enabled.

    https://support.privadovpn.com/kb/article/510-pfsense-openvpn-setup/

  • 0 Votes
    5 Posts
    715 Views
    V

    @viragomann Yes, This problem only appeared after changing the public IP of dyndns. Absolutely nothing was changed, just changed the DynDNS IP

  • Openvpn slow even with cipher=none

    6
    0 Votes
    6 Posts
    3k Views
    P

    Sorry to break open this thread again.

    Linux OpenVPN has the parameter --txqueuelen which does not exist in OpenVPN for BSD. Apparently it makes a lot of difference on long distance connections.

    BSD apparently has the parameter fixed to 50, I read somewhere else.

    https://serverfault.com/questions/686286/very-low-tcp-openvpn-throughput-100mbit-port-low-cpu-utilization

  • Issues connecting to OpenVPN

    9
    0 Votes
    9 Posts
    928 Views
    R

    @cmos_battery In your settings under VPN -> OpenVPN -> Server ; does it say this?

    https://imgur.com/fUgdRch.png

  • Import more specific routes from openvpn clients

    1
    0 Votes
    1 Posts
    222 Views
    No one has replied
  • OpenVPN Optimization (peer id)

    13
    0 Votes
    13 Posts
    2k Views
    JKnott

    @jknott said in OpenVPN Optimization (peer id):

    I just tried the test described in the 2nd link. The 1st & 3rd runs are with AES-NI enabled and the 2nd and 4th without.

    [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128 cbc for 3s on 16 size blocks: 25636690 aes-128 cbc's in 3.03s
    Doing aes-128 cbc for 3s on 64 size blocks: 6645567 aes-128 cbc's in 3.02s
    Doing aes-128 cbc for 3s on 256 size blocks: 1666553 aes-128 cbc's in 3.01s
    Doing aes-128 cbc for 3s on 1024 size blocks: 419373 aes-128 cbc's in 3.02s
    Doing aes-128 cbc for 3s on 8192 size blocks: 52444 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 16384 size blocks: 26180 aes-128 cbc's in 3.01s
    OpenSSL 1.1.1k-freebsd 25 Mar 2021
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
    aes-128 cbc 135319.44k 141037.53k 141843.14k 142404.29k 143207.08k 142606.34k
    [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128 cbc for 3s on 16 size blocks: 25330588 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 64 size blocks: 6627583 aes-128 cbc's in 3.01s
    Doing aes-128 cbc for 3s on 256 size blocks: 1673390 aes-128 cbc's in 3.02s
    Doing aes-128 cbc for 3s on 1024 size blocks: 417364 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 8192 size blocks: 53873 aes-128 cbc's in 3.09s
    Doing aes-128 cbc for 3s on 16384 size blocks: 26240 aes-128 cbc's in 3.02s
    OpenSSL 1.1.1k-freebsd 25 Mar 2021
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
    aes-128 cbc 135096.47k 141021.19k 141689.00k 142460.25k 143012.49k 142562.87k
    [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128 cbc for 3s on 16 size blocks: 26072625 aes-128 cbc's in 3.08s
    Doing aes-128 cbc for 3s on 64 size blocks: 6763860 aes-128 cbc's in 3.09s
    Doing aes-128 cbc for 3s on 256 size blocks: 1672403 aes-128 cbc's in 3.02s
    Doing aes-128 cbc for 3s on 1024 size blocks: 421159 aes-128 cbc's in 3.02s
    Doing aes-128 cbc for 3s on 8192 size blocks: 52262 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 16384 size blocks: 26208 aes-128 cbc's in 3.00s
    OpenSSL 1.1.1k-freebsd 25 Mar 2021
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
    aes-128 cbc 135524.71k 140277.32k 141972.28k 143010.76k 142710.10k 143130.62k
    [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128 cbc for 3s on 16 size blocks: 25433637 aes-128 cbc's in 3.01s
    Doing aes-128 cbc for 3s on 64 size blocks: 6800719 aes-128 cbc's in 3.09s
    Doing aes-128 cbc for 3s on 256 size blocks: 1663307 aes-128 cbc's in 3.01s
    Doing aes-128 cbc for 3s on 1024 size blocks: 417174 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 8192 size blocks: 51998 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 16384 size blocks: 26190 aes-128 cbc's in 3.01s
    OpenSSL 1.1.1k-freebsd 25 Mar 2021
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
    aes-128 cbc 135293.74k 141041.75k 141566.87k 142395.39k 141989.21k 142660.81k
    [2.5.2-RELEASE][root@firewall.jknott.net]/root:

    If I'm reading that right, it appears there's a very slight, but probably not significant benefit to enabling it.

  • Client crypto hardware.

    4
    0 Votes
    4 Posts
    641 Views
    JKnott

    @jknott said in Client crypto hardware.:

    I have a Lenovo E520 ThinkPad, with i3 CPU, which I bought about 10 years ago.

    Apparently, that computer is too old to support RDRAND. It first appeared with the Ivy Bridge CPU, which became available around the time I bought my ThinkPad.

  • OpenVPN log entries, repetitive

    3
    0 Votes
    3 Posts
    467 Views
    M

    @bingo600 A change from 3 (recommended) to default did the trick. Thanks for that.

  • PIA dedicated IP as OpenVPN client

    5
    0 Votes
    5 Posts
    5k Views
    S

    @viragomann,
    Thanks for your interest in helping. However, PIA has confirmed that what it calls a "dedicated IP" is very different from a static IP and can be used only with PIA software, which is not available for pfSense. So this thread can be closed. I'm no longer pursuing that solution and will rely on DDNS.

  • 0 Votes
    2 Posts
    404 Views
    V

    @corsairwall32
    Add a firewall rule to the top of the LAN rule set for allowing traffic to this destination IP. Open the advanced options, go down to gateway and select the WAN gateway.
    So the traffic will be directed out to WAN.

  • Reserve lease assignment

    4
    0 Votes
    4 Posts
    480 Views
    M

    @ryu945 Found nothing on a Netgate forum search. Took a few hours but finally found the solution here. Needs a client specific override with the common name and the desired ip/subnet as an "advanced" entry i.e. ifconfig-push 192.168.98.5 255.255.255.248

  • OpenVPN handshake

    1
    0 Votes
    1 Posts
    345 Views
    No one has replied
  • Executing script after OpenVPN has started

    4
    0 Votes
    4 Posts
    965 Views
    noplan

    @pandafy

    ok, sorry I'm out can't get the benefit, but that's just me.
    of wanna doing something essential on pfS like openVPN with a pretty good webIF outside of pfS
    good luck NP

  • OpenVPN clients can't discover LAN resources

    5
    0 Votes
    5 Posts
    937 Views
    L

    @JKnott, I uninstalled the network printer driver. Then, I manually re-installed the printer using its static LAN IP. Windows re-used the existing driver and I was able to print locally as if nothing happened.

    Then, I tested if I was able to find my printer when connected via OpenVPN and, what do you know?, it worked flawlessly!!!!!! Just as you suggested.

    Now I'm able to print from within the LAN and when connected via OpenVPN.

    Also, your comment: "Those require multicast and that doesn't normally pass through a router" made me think, will the SMB share be discoverable if I specify a host override for its server under the DNS resolver settings?

    As it turns out, it does!!!!! Now all my shares and printers are discoverable when connected to the LAN via OpenVPN tunnel.

    I hope my experience and report can help somebody else having these issues and
    thank you so much for pointing me into the right direction.

  • Redirecting all traffic through the tunnel

    3
    0 Votes
    3 Posts
    469 Views
    L

    @viragomann thanks for the clarification.
    There you have it, I was indeed overthinking it.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.