• OpenVPN firewall rules?

    8
    0 Votes
    8 Posts
    695 Views
    RicoR
    https://docs.netgate.com/pfsense/en/latest/book/monitoring/firewall-states-reset.html -Rico
  • Home VPN

    2
    0 Votes
    2 Posts
    309 Views
    johnpozJ
    @techsalot said in Home VPN: "I want to get IPs that are on the same subnet as my other devices." For why? Makes no sense to do this.. RDP doesn't need L2 discovery.. there would be no reason to be on the same network as your lan to rdp to stuff. "My problem is none of the guides I have seen are specific enough." You walk through the wizard following the bouncing ball.. You then export your certs and configs for your clients via the vpn export package. https://docs.netgate.com/pfsense/en/latest/book/openvpn/using-the-openvpn-server-wizard-for-remote-access.html Here's some advice: trying to follow some guide that says click here, do this.. Isn't helping you learn anything.. Nor helping you understand anything... And when it stops working for whatever reason.. You will not have clue 1 to what is the problem. What exactly do you not understand about spinning up a vpn server on pfsense? Have you read through the book about openvpn? https://docs.netgate.com/pfsense/en/latest/book/openvpn/index.html Now again back to this.. "My problem is none of the guides I have seen are specific enough." Why? What part are you confused about? Point to a guide or guides you have read through and what parts - exactly are confusing you?
  • TLS Error : something wrong with Certificates ?

    tls certificate open vpn
    13
    0 Votes
    13 Posts
    2k Views
    DaddyGoD
    @Bekoj said in TLS Error : something wrong with Certificates ?: "installed pfsense brand new in 2.4.5 version" hmmm, next time I'll ask first... @Gertjan "Oooohhhh. And you're telling that now ?" Yes, we went around a bit, the point is, it's okay
  • [Help] Configuring Open VPN to bridge same subnets/vlans over wan tunnel

    1
    0 Votes
    1 Posts
    213 Views
    No one has replied
  • Firewall rules w/mixed interface assignments

    1
    0 Votes
    1 Posts
    162 Views
    No one has replied
  • OpenVPN as a WAN - IPv4 works but IPv6 leaks

    8
    0 Votes
    8 Posts
    748 Views
    Y
    @Bob-Dig I need to get some work done right now and I don't know enough to figure this out quickly so I just did a factory reset and I'm just going to use the IVPN app on my computer today… Really frustrating but… No choice right now. Thanks for trying to help!!
  • How to use OPT1 port to segment VPN traffic outside of LAN traffic?

    3
    0 Votes
    3 Posts
    352 Views
    V
    Thanks for your help Netblues, helped to understand better what I need to do
  • Unable to connect to openvpn

    7
    0 Votes
    7 Posts
    2k Views
    J
    @nikkon thank you for the information!
  • Poor performance over OpenVPN

    4
    0 Votes
    4 Posts
    505 Views
    DaddyGoD
    @jordiSL said in Poor performance over OpenVPN: "FW: Super Micro XG-1537" You mean, like original Netgate hardware (XG-1537)? @jordiSL "I get is 30Mbps" Yes, it seems low... (This gives me almost 10x higher speed (M11SDV-4C-LN4F), so your device also needs to know this speed) interesting to read this: https://docs.netgate.com/pfsense/en/latest/book/hardware/hardware-sizing-guidance.html two things I'm thinking about now: loader.conf.local (flow control (FC), EEE, hw.igb.rx_process_limit="-1" hw.igb.tx_process_limit="-1", etc.) https://docs.netgate.com/pfsense/en/latest/hardware/tuning-and-troubleshooting-network-cards.html https://calomel.org/freebsd_network_tuning.html @jordiSL "The client fiber is 300Mbps which I'm connected." incorrectly configured this side or incorrect measurement method... BTW: OpenVPN dslreports.com (on 500/200 - ISP): [image: 1596809326215-c7581716-ed59-4378-b5c7-5617a6c24f44-image.png] and what about these? ifconfig igb0 -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso (igb, IX, em, etc.)
  • OpenVpn howto masquerade all VPN traffic

    open vpn
    9
    0 Votes
    9 Posts
    2k Views
    johnpozJ
    Then it's something with the switches.. Do they have gateways set? Do they allow access from other than their own network.. Are their masks set correctly.. What is your tunnel network, if they are set for say 10/8 and think you're coming from a local IP, they won't send answer back to gateway, etc.
  • OVPN Client to multi-site

    3
    0 Votes
    3 Posts
    336 Views
    M
    Thank you very much! That works perfect!
  • Firewall rules for every Openvpn-client, is ip-address fixed?

    3
    0 Votes
    3 Posts
    378 Views
    horshackH
    @dotdash Thank you for this helpful hint. I did this: VPN - openvpn - Client Specific overrides - add common name: xxx IPv4 Tunnel network: 192.168.10.200/24 (network 192.168.10.x is the ipv4-tunnel I also use for my other "normal" users without fixed ip address) IPv6-Tunnel network: fd73:123:456:2::200/64 (network fd73:123:456:2 is the ipv6-tunnel I also use for my other "normal" users without fixed ip address) Now I can create firewall rules (Firewall/Aliases/Edit) specific for my clients.
  • Issues with OpenVPN on pfSense 2.4.5 <-> Robustel R2000-4L

    2
    0 Votes
    2 Posts
    193 Views
    B
    Ok this is "solved", if you can call it that. I gave up trying to get OpenVPN running on the Robustel. I instead used an OpenWRT based router to connect to the very same pfSense, had it working in under 10 minutes.
  • VPN Client, ClamAV and PFblocker

    10
    0 Votes
    10 Posts
    1k Views
    W
    Here is a YouTube from Lawrence about Suricata and encryption. I am not an IT pro. Maybe some can let me know if you find this accurate? https://www.youtube.com/watch?v=7gZYbIr_Qj4
  • OpenVPN Firewall Rule Help

    9
    0 Votes
    9 Posts
    1k Views
    N
    Figured it out on my own, had to reach the pfSense Book, some googling, and testing on a standalone station. Forum was not much help, honestly.

    What I did:
      • Put a deny all IPv4+6 right above the default OpenVPN allow any any rule
      • Only permitted the ports needed to allow file sharing and AD authentication (Google them. It should be 135, 137-139, 88, 445, etc. if you have older equipment)
      • I then made an alias for my client IP, Internal IPs I need to manage, and ports for that management. So ports 3389,22,80,443, etc. It's whatever you need for your situation.
      • When making new users for other clients I forced them to a single IP within the Client Specific Override and made sure to allow random ports for concurrent connections
      • Make new users and assign them into groups if they need special access, like IT needs to RDP to a server etc. DO NOT USE THE SAME USER ACCOUNT FOR ALL CLIENTS, you can do this but it's a liability, hard to manage, and have organized logging. If it's just a few people, I can understand it, but for 50-100? make the users or link to an authentication server

    That got me up and going for the most part, I had to work with legacy VMWare, so I had to reinvent the wheel with some of the virtual networking/bridging.

    TIP:
      • Read the pfSense Book first for any questions you have
      • Understand the rule processing order
      • Group interface rules are in a higher order than your interface rules, so filter the group first, the interface LAN should be filtered afterwards to follow suit.

    This is just what I did to fix my problem, I've found decent guides with these links and this documentation... (see below)
    https://docs.netgate.com/manuals/pfsense/en/latest/the-pfsense-book.pdf
    https://chrislazari.com/pfsense-setting-up-openvpn-on-pfsense-2-4/
    https://www.informaticar.net/openvpn-on-pfsense-enable-access-to-the-lan-resources/
    keep in mind that the last two links do not highlight security after making it work, that's what the pfSense book is there to provide. Read page 172 and finish that chapter to understand it. Then, like I said, test it yourself and verify your rules work.

    I wasn't able to find a direct answer for my question and struggles, so I'm hoping this helps someone too. I've attached pictures too because maybe I'm wrong and there's a better way to do it. [image: 1596549869660-filteredopenvpngroup.png] If this is wrong, feel free to correct me and give me a better solution. Thanks
  • 0 Votes
    1 Posts
    606 Views
    No one has replied
  • OpenVPN traffic blocked after datacenter outage

    2
    0 Votes
    2 Posts
    267 Views
    T
    Well, this morning everything is back to normal... I have no clue about what happened, but anyway sorry for the noise.
  • Trouble getting only some traffic to route through VPN client

    3
    0 Votes
    3 Posts
    378 Views
    T
    @viragomann wow, that was it. when I checked the "Don't pull routes" option, that was exactly what I needed to get it to work. Now, VLAN 10 goes through the WAN and VLAN 50 goes through the VPN. Thanks very much!
  • 0 Votes
    3 Posts
    368 Views
    V
    @velupazhani You have to add an additional (or multiple if needed) phase 2 to the IPSec configuration for the OpenVPN tunnel. In the OpenVPN server settings add the network(s) behind the IPSec to the "Local networks" to push the route to the clients.
  • Client connected via OpenVPN, not routing through IPSec

    4
    0 Votes
    4 Posts
    511 Views
    M
    The solution to my problem was to ditch policy-based IPSec and switch to route-based IPSec. This reduces the number of phase 2 entries by a lot but requires more static routes. IMHO it's better this way because there's no intransparent mix of different ways of routing packages between their destinations. Now everything is just in the routing table.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.