• Verify error dept=0,error=certificate
    0 Votes · 2 Posts · 311 Views
    bingo600: @nortel Does your device have the correct date & time set? If so ... I would check if the message "error=certificate has expired" is valid. From the pic, it seems like the client is a Windows PC w. OpenVPN client installed. What is the other (Server) end? A pfSense you control?
  • Windows 10 Client Not Obtaining IP in TAP Mode
    0 Votes · 6 Posts · 581 Views
    I'll try updating the OpenVPN client. I saw the new v3. It looks like a Windows version of the iOS client and seems feature limited. Not sure if anyone here has used it before. Maybe it's just the GUI is nicer looking and the "innerds" are still high-tech. :)
  • Can't connect to 3rd Party VPN Service using OpenVPN.
    0 Votes · 5 Posts · 741 Views
    DenverDesktopsSupport: @denverdesktopssupport said in Can't connect to 3rd Party VPN Service using OpenVPN.: @viragomann following this article. 192.168.35 is LAN, the interface is enabled. https://support.privadovpn.com/kb/article/510-pfsense-openvpn-setup/
  • 0 Votes · 5 Posts · 743 Views
    @viragomann Yes, this problem only appeared after changing the public IP of DynDNS. Absolutely nothing was changed, just changed the DynDNS IP.
  • OpenVPN slow even with cipher=none
    0 Votes · 6 Posts · 3k Views
    Sorry to break open this thread again. Linux OpenVPN has the parameter --txqueuelen which does not exist in OpenVPN for BSD. Apparently it makes a lot of difference on long-distance connections. BSD apparently has the parameter fixed to 50, I read somewhere else. https://serverfault.com/questions/686286/very-low-tcp-openvpn-throughput-100mbit-port-low-cpu-utilization
  • Issues connecting to OpenVPN
    0 Votes · 9 Posts · 960 Views
    @cmos_battery In your settings under VPN -> OpenVPN -> Server; does it say this? https://imgur.com/fUgdRch.png
  • Import more specific routes from openvpn clients
    0 Votes · 1 Posts · 227 Views
    No one has replied
  • OpenVPN Optimization (peer id)
    0 Votes · 13 Posts · 2k Views
    JKnott: @jknott said in OpenVPN Optimization (peer id): I just tried the test described in the 2nd link. The 1st & 3rd runs are with AES-NI enabled and the 2nd and 4th without.

    [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128 cbc for 3s on 16 size blocks: 25636690 aes-128 cbc's in 3.03s
    Doing aes-128 cbc for 3s on 64 size blocks: 6645567 aes-128 cbc's in 3.02s
    Doing aes-128 cbc for 3s on 256 size blocks: 1666553 aes-128 cbc's in 3.01s
    Doing aes-128 cbc for 3s on 1024 size blocks: 419373 aes-128 cbc's in 3.02s
    Doing aes-128 cbc for 3s on 8192 size blocks: 52444 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 16384 size blocks: 26180 aes-128 cbc's in 3.01s
    OpenSSL 1.1.1k-freebsd 25 Mar 2021
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type          16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-128 cbc  135319.44k   141037.53k   141843.14k   142404.29k   143207.08k   142606.34k

    [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128 cbc for 3s on 16 size blocks: 25330588 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 64 size blocks: 6627583 aes-128 cbc's in 3.01s
    Doing aes-128 cbc for 3s on 256 size blocks: 1673390 aes-128 cbc's in 3.02s
    Doing aes-128 cbc for 3s on 1024 size blocks: 417364 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 8192 size blocks: 53873 aes-128 cbc's in 3.09s
    Doing aes-128 cbc for 3s on 16384 size blocks: 26240 aes-128 cbc's in 3.02s
    OpenSSL 1.1.1k-freebsd 25 Mar 2021
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type          16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-128 cbc  135096.47k   141021.19k   141689.00k   142460.25k   143012.49k   142562.87k

    [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128 cbc for 3s on 16 size blocks: 26072625 aes-128 cbc's in 3.08s
    Doing aes-128 cbc for 3s on 64 size blocks: 6763860 aes-128 cbc's in 3.09s
    Doing aes-128 cbc for 3s on 256 size blocks: 1672403 aes-128 cbc's in 3.02s
    Doing aes-128 cbc for 3s on 1024 size blocks: 421159 aes-128 cbc's in 3.02s
    Doing aes-128 cbc for 3s on 8192 size blocks: 52262 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 16384 size blocks: 26208 aes-128 cbc's in 3.00s
    OpenSSL 1.1.1k-freebsd 25 Mar 2021
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type          16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-128 cbc  135524.71k   140277.32k   141972.28k   143010.76k   142710.10k   143130.62k

    [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128 cbc for 3s on 16 size blocks: 25433637 aes-128 cbc's in 3.01s
    Doing aes-128 cbc for 3s on 64 size blocks: 6800719 aes-128 cbc's in 3.09s
    Doing aes-128 cbc for 3s on 256 size blocks: 1663307 aes-128 cbc's in 3.01s
    Doing aes-128 cbc for 3s on 1024 size blocks: 417174 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 8192 size blocks: 51998 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 16384 size blocks: 26190 aes-128 cbc's in 3.01s
    OpenSSL 1.1.1k-freebsd 25 Mar 2021
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type          16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
    aes-128 cbc  135293.74k   141041.75k   141566.87k   142395.39k   141989.21k   142660.81k
    [2.5.2-RELEASE][root@firewall.jknott.net]/root:

    If I'm reading that right, it appears there's a very slight, but probably not significant benefit to enabling it.
  • Client crypto hardware.
    0 Votes · 4 Posts · 658 Views
    JKnott: @jknott said in Client crypto hardware.: I have a Lenovo E520 ThinkPad, with i3 CPU, which I bought about 10 years ago. Apparently, that computer is too old to support RDRAND. It first appeared with the Ivy Bridge CPU, which became available around the time I bought my ThinkPad.
  • OpenVPN log entries, repetitive
    0 Votes · 3 Posts · 479 Views
    @bingo600 A change from 3 (recommended) to default did the trick. Thanks for that.
  • PIA dedicated IP as OpenVPN client
    0 Votes · 5 Posts · 5k Views
    @viragomann, Thanks for your interest in helping. However, PIA has confirmed that what it calls a "dedicated IP" is very different from a static IP and can be used only with PIA software, which is not available for pfSense. So this thread can be closed. I'm no longer pursuing that solution and will rely on DDNS.
  • 0 Votes · 2 Posts · 410 Views
    @corsairwall32 Add a firewall rule to the top of the LAN rule set for allowing traffic to this destination IP. Open the advanced options, go down to gateway and select the WAN gateway. So the traffic will be directed out to WAN.
  • Reserve lease assignment
    0 Votes · 4 Posts · 500 Views
    @ryu945 Found nothing on a Netgate forum search. Took a few hours but finally found the solution here. Needs a client-specific override with the common name and the desired IP/subnet as an "advanced" entry, i.e. ifconfig-push 192.168.98.5 255.255.255.248
  • OpenVPN handshake
    0 Votes · 1 Posts · 350 Views
    No one has replied
  • Executing script after OpenVPN has started
    0 Votes · 4 Posts · 982 Views
    noplan: @pandafy ok, sorry, I'm out. Can't get the benefit, but that's just me. If you wanna do something essential on pfS like OpenVPN with a pretty good webIF outside of pfS, good luck. NP
  • OpenVPN clients can't discover LAN resources
    0 Votes · 5 Posts · 973 Views
    @JKnott, I uninstalled the network printer driver. Then, I manually re-installed the printer using its static LAN IP. Windows re-used the existing driver and I was able to print locally as if nothing happened. Then, I tested if I was able to find my printer when connected via OpenVPN and, what do you know? It worked flawlessly!!!!!! Just as you suggested. Now I'm able to print from within the LAN and when connected via OpenVPN. Also, your comment: "Those require multicast and that doesn't normally pass through a router" made me think, will the SMB share be discoverable if I specify a host override for its server under the DNS resolver settings? As it turns out, it does!!!!! Now all my shares and printers are discoverable when connected to the LAN via OpenVPN tunnel. I hope my experience and report can help somebody else having these issues, and thank you so much for pointing me in the right direction.
  • Redirecting all traffic through the tunnel
    0 Votes · 3 Posts · 470 Views
    @viragomann thanks for the clarification. There you have it, I was indeed overthinking it.
  • OpenVPN service not running v2.5.2
    0 Votes · 3 Posts · 497 Views
    See extract from log:

    Aug 18 12:03:17 openvpn 61300 OpenVPN 2.5.2 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 24 2021
    Aug 18 12:03:17 openvpn 61300 library versions: OpenSSL 1.1.1k-freebsd 25 Mar 2021, LZO 2.10
    Aug 18 12:03:17 openvpn 61612 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 18 12:03:17 openvpn 61612 WARNING: experimental option --capath /var/etc/openvpn/server1/ca
    Aug 18 12:03:17 openvpn 61612 TUN/TAP device ovpns1 exists previously, keep at program end
    Aug 18 12:03:17 openvpn 61612 TUN/TAP device /dev/tun1 opened
    Aug 18 12:03:17 openvpn 61612 ioctl(TUNSIFMODE): Device busy (errno=16)
    Aug 18 12:03:17 openvpn 61612 /sbin/ifconfig ovpns1 10.0.1.1 10.0.1.2 mtu 1500 netmask 255.255.255.0 up
    Aug 18 12:03:17 openvpn 61612 /usr/local/sbin/ovpn-linkup ovpns1 1500 1621 10.0.1.1 255.255.255.0 init
    Aug 18 12:03:17 openvpn 61612 UDPv4 link local (bound): [AF_INET]51.75.92.46:1194
    Aug 18 12:03:17 openvpn 61612 UDPv4 link remote: [AF_UNSPEC]
    Aug 18 12:03:17 openvpn 61612 Initialization Sequence Completed
    Aug 18 12:07:06 openvpn 61612 event_wait : Interrupted system call (code=4)
    Aug 18 12:07:08 openvpn 61612 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1621 10.0.1.1 255.255.255.0 init
    Aug 18 12:07:09 openvpn 61612 SIGTERM[hard,] received, process exiting
    Aug 18 12:10:20 openvpn 35855 Options error: --server directive network/netmask combination is invalid
    Aug 18 12:10:20 openvpn 35855 Use --help for more information.
    Aug 18 13:28:10 openvpn 28137 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
    Aug 18 13:28:10 openvpn 28137 Options error: --server directive network/netmask combination is invalid
    Aug 18 13:28:10 openvpn 28137 Use --help for more information.
    Aug 18 14:18:46 openvpn 80616 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
    Aug 18 14:18:46 openvpn 80616 Options error: --server directive network/netmask combination is invalid
    Aug 18 14:18:46 openvpn 80616 Use --help for more information.
    Aug 18 14:51:33 openvpn 16749 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
    Aug 18 14:51:33 openvpn 16749 Options error: --server directive network/netmask combination is invalid
    Aug 18 14:51:33 openvpn 16749 Use --help for more information.
    Aug 18 14:56:40 openvpn 16513 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
    Aug 18 14:56:40 openvpn 16513 Options error: --server directive network/netmask combination is invalid
    Aug 18 14:56:40 openvpn 16513 Use --help for more information.
    Aug 18 14:57:22 openvpn 33554 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
    Aug 18 14:57:22 openvpn 33554 Options error: --server directive network/netmask combination is invalid
    Aug 18 14:57:22 openvpn 33554 Use --help for more information.
    Aug 18 14:58:31 openvpn 40653 Options error: --server directive network/netmask combination is invalid
    Aug 18 14:58:31 openvpn 40653 Use --help for more information.
    Aug 18 15:08:15 openvpn 31653 Options error: --server directive network/netmask combination is invalid
    Aug 18 15:08:15 openvpn 31653 Use --help for more information.
    Aug 18 15:12:39 openvpn 98194 Options error: --server directive network/netmask combination is invalid
    Aug 18 15:12:39 openvpn 98194 Use --help for more information.
    Aug 18 15:12:58 openvpn 55110 Options error: --server directive network/netmask combination is invalid
    Aug 18 15:12:58 openvpn 55110 Use --help for more information.
    Aug 18 15:21:13 openvpn 23712 Options error: --server directive network/netmask combination is invalid
    Aug 18 15:21:13 openvpn 23712 Use --help for more information.
    Aug 18 15:22:13 openvpn 71847 Options error: --server directive network/netmask combination is invalid
    Aug 18 15:22:13 openvpn 71847 Use --help for more information.
  • Host Name Resolution via Dynamic DNS Clients
    0 Votes · 12 Posts · 2k Views
    @viragomann I guess my question was how can we set up a DDNS without exposing the real WAN ISP IP. But I don't think that is possible, as the VPN profile file will need a remote URL that points to your WAN IP.
  • Adding additional route to OpenVPN Client
    0 Votes · 5 Posts · 714 Views
    @viragomann said in Adding additional route to OpenVPN Client: So this network is on another location connected to the office network via IPSec? Yes, correct. I have figured it out already, basically I just need to add another Phase 2 entry on the IPsec tunnel. [image: 1629283600858-phase2-entry.png] So now I can reach the remote site over OpenVPN. Thanks @viragomann @marvosa
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.