@heper Thank you

@ddbnj If I packet capture on the remote side, I can see ping packets coming over after I turned off the cloud NAT (SNAT) function. However, when using BGP, if I capture packets on the cloud interface on the local side, BGP is not sending any requests out. BGP is sending out requests on my other openvpn client interfaces as appropriate. [image: 1656955146404-localbgp-working.jpg] [image: 1656954967294-closter-neighbors.jpg] But not on the openvpn client connected to OpenVPN cloud.

@gertjan Will do so. @gertjan, thank you very much for all your help. Take care.

@johnpoz I found somewhere on the web that it is useful to install the 'openresolv' package. This helped :) Thank you for your activity on the forum and quick support on any issue :)

The way I see it I have two choices. I can get a second external IP address and link the client IP address as a second policy condition, although I doubt my ISP will want to hand out IPv4 hens teeth and I am not keen on trail blazing IPv6. My other option is to set up a second RADIUS server which is a bit clunky as well. Fortunately at this stage I only need two different types of VPN's I forgot to mention this is Windows Server RADIUS (NPS). Maybe I need to set up FreeRADIUS and use the rules from the man pages, or use LDAP?

@vbianconi88 I'm not following what you're saying in number 1 so I'll skip that. Number 2, select "other" then enter your DDNS in the box it gives you.

@m229m Either set up the OpenVPN server on the router (default gateway) or set up a transit network on the router and move the VPN server into it. Your setup ends up in asymmetric routing issues.

@jimp Sorry, you were right, it was my config error, now it works correctly (pear to pear SSL / TLS) no bugs. Thanks

@nogbadthebad said in Problem with Virtual Address: I'm at a loss why Surfshark said talk to Netgate ... Because that’s an easy way for the first level support to get rid of an onerous customer.

Attributed this to Windows Update KB5013887. Once removed, OpenVPN performance is back to normal.

@rolster said in Multi-Hop OpenVPN: I have an OpenVPN installation running between my head office for Business "A" and the Head Office for Business "B". It works really well and does what I want it to do. In both businesses, I have multiple sites that also need to connect across the OVPN tunnel, but we don't the necessay L3 routing in place to get their traffic to each of the head offices. In my head, I believe that this should be possible, by installing a PFS OVPN client at each site. The local traffic can be forwarded into the LAN interface without issue. I want the traffic to travel via the WAN interface to the LAN interface of the successfully connected installation, then travel through the working inter-site tunnel to the partner business. I think it should be "do-able", but haven't got it working yet. Any tips or advice? So you have a site to site tunnel between A and B? How are the "multiple sites" connected? Just to A, just to B, between both? I don't know what PFS is, do you mean pfSense? If so, yes, that would work, but not necessary. Any OpenVPN client would work. What JKnott means is you just need the correct static routes between sites. The OpenVPN config will add them if done right.

@viragomann I was able to open the .exe as an archive in 7-zip and just rename the .ovpn as you don't even need to run in it as a command - rename is an option when right-clicking on the file whilst having the it open as an archive. Thanks again for pointing me in the right direction!

@viragomann actually I use an alias with my various subnets, including the tunnel subnets, so I believe it is covered. I also use an interface for my OpenVPN servers and don't use the "general" OpenVPN tab as such. That way I have some idea what is going on by doing things manually. I need to do a bit more digging into this.

@postuser49 Try to use AES-256-GCM cipher. The CBC is a known as less performant. You can find further tuning hints on Netgate's VPN Scaling page.

@whitefed0ra are you still having connection problems with PIA? I'm asking because my PIA also stopped on PFsense 2.60... After reading several posts, I was told that using TLS keys are going to be removed in PFsense v2.70. If this is true, I don't know yet and first must be determined. Until then, my VPN is offline.

@viragomann Thanks, I see now the part of Remote Networks that I didn't see before. After some more testing, I decided to try using WireGuard as an alternative. Problem fixed in 10 minutes.

I agree, pfSense could be much easier. But it is not a consumer product, it is for the enterprise and those are the ones who are willing to pay the money its cost.