• 0 Votes
    3 Posts
    240 Views
    No one has replied
  • RTSP (IP CAM) traffic over OpenVPN Connection

    2
    0 Votes
    2 Posts
    3k Views
    D
    Well, today I think I figured it out. Tested with existing config over cellular: T-Mobile - Didn't Work; Verizon - Worked. I suspect maybe this is an MTU size issue of OpenVPN? Is there a way to lower the MTU on the OpenVPN server under pfSense? I know there is a way in the client, but wondering if I can force a lower MTU on the server itself.
  • Restarting OpenVPN from ACME

    10
    0 Votes
    10 Posts
    2k Views
    jimpJ
    I would still not consider that ideal for OpenVPN. You have to deliver the config and other settings (TLS key, etc) so you may as well send along the CA in the bundle to be validated for added security. Sure, you could omit the CA since the OS bundle should consider ACME trusted, but I fail to see any advantage in doing so for OpenVPN. You could also argue it's less secure since any other OpenVPN server using an ACME cert would also appear to be valid to the client, though validating the cert CN and using TLS keys help there, it's still knocking down an extra layer of authentication between the server and client. Contrast that against the IKEv2 user auth scenario above, where all you need to do is enter/match settings without delivering anything to the client. It's more convenient in that case, though some of the same security arguments still apply.
  • OpenVpn with yealink T26 phone

    1
    0 Votes
    1 Posts
    284 Views
    No one has replied
  • VPN DNS QUESTION

    3
    0 Votes
    3 Posts
    543 Views
    W
    @bcruze Hi bcruze - thanks for the reply. Do you need a pic of the DNS resolver? I have it like I mentioned on my original post. [image] [image] Local host is also highlighted in the network interfaces. [image] You see here the two VPN interfaces highlighted. Nothing else is checked on this page and custom options box is blank. On the advanced settings: The only options checked are: [image] [image] Everything else is set at default values. Is this helpful? Thanks again!
  • OpenVPN throughput pfsense 2.4.4

    5
    0 Votes
    5 Posts
    1k Views
    R
    I also discovered turning on fast-io is doing nothing for speed in 2.4.4
  • 'Speed Test' Sites are all but worthless (I could even say conspiracies)

    14
    0 Votes
    14 Posts
    2k Views
    T
    Someday, someone will create a REAL speed test which measures the speed to 5-6 various sites (i.e. microsoft, nike, porsche, etc). dslreports was once awesome. I really trusted them. Now that I'm using Firefox and all the anti-tracking toys, their site doesn't work very well. It doesn't take a genius to figure out why. (I simplified that, but you get the point) As an example, I get a bunch of Snort alerts when trying to run dslreports/speedtest now. Sensitive Data was Transmitted Across the Network 138:5 SENSITIVE-DATA Email Addresses 139:1 (spp_sdf) SDF Combination Alert I'm assuming these are false alarms, but I don't know enough about Snort to know for sure. At least, why does a speed test have to be throwing false alerts? Anyway, unless someone can explain these to me, I've retired dslreports. I have to admit, speed tests don't mean that much. Having a Porsche that breaks 200mph doesn't really matter 99.999% of the time. My biggest concern these days is with all the anti-tracking apps, like pfBlocker, Snort, uMatrix, Ublock, Squid (for http virus), and so on, all these start adding up to more and more latency. 800 MB/s doesn't matter as much as not taking 5 seconds for a site to load. That's even harder to measure... but it can be.
  • OpenVPN to Target LAN resource Firewall Rule Set up

    8
    0 Votes
    8 Posts
    751 Views
    RicoR
    I've posted right in the other thread and then saw this one here. Maybe my posting there can help you...check it out. -Rico
  • OpenVPN DNS problem on MAC OS

    7
    0 Votes
    7 Posts
    2k Views
    K
    @madcry Yeah, right. You can add this option here (OpenVPN server settings) [image]
  • Guide - How to connect pfSense OpenVPN client to IPVanish

    4
    1 Votes
    4 Posts
    16k Views
    M
    Noobs moment, I'm trying to get ipvanish working on pfsense. Is there an up to date guide for this?
  • Site-to-Site traffic redirection

    12
    0 Votes
    12 Posts
    1k Views
    N
    @derelict Yes I do. I took it from Netgate video. So far it is the only solution that worked for me, so I'll take it :)
  • not able to pass traffic

    6
    0 Votes
    6 Posts
    736 Views
    RicoR
    How about posting your server config and export client config file? -Rico
  • Openvpn Client Export - not show user/cert

    8
    0 Votes
    8 Posts
    2k Views
    F
    Thanks Rico, it works. :)
  • 0 Votes
    5 Posts
    847 Views
    RicoR
    How would you route traffic without adding some kind of router to this LAN? -Rico
  • Need help on openvpn client routing

    4
    0 Votes
    4 Posts
    558 Views
    A
    @konstanti I disabled the first rule, still not working
  • OpenVPN can't connect static routes

    3
    0 Votes
    3 Posts
    443 Views
    johnpozJ
    @fergomez1980 said in OpenVPN can't connect static routes: Static Routes in LAN 192.168.0.0/24 + Gateway in LAN 172.26.0.199 (ip alias of router to connect at that network) 192.168.1.0/24 + Gateway in LAN 172.26.0.199 (ip alias of router to connect at that network) Other than your current openvpn problem this sort of setup also screams asymmetrical traffic flow.. If you have a network that you get to via a downstream router, then this downstream router should be connected via a transit network, not using a network that has hosts on it. So let's say lan device wants to talk to an IP on these networks.. does it have a host route - or send its traffic to pfsense? The return traffic will just go direct to client from the downstream router = asymmetrical. But as mentioned by viragomann, you will need routes on your downstream router on how to reach the tunnel network(s) you use for your openvpn clients.. Or no, you will never be able to get there without doing source nat.
  • Openvpn Site-to-Site Routing

    6
    0 Votes
    6 Posts
    719 Views
    X
    @rico hello, I just finished configuring ssl/tls openvpn, all working fine, but I couldn't understand in the server there is a section "Local Networks", what exactly this is for. Because without it I don't see any issues???? Also my cpu supports AES-NI - Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM [image] My pfSense box also has Chelsio T580-SO-CR which I believe supports Crypto offload, but I am not sure how to use that function. OpenVPN seems to support only "cryptodev". I have to set to AES-NI and BSD Crypto Device in order to get any crypto offload on the OpenVPN. Even so I get much better performance on the bare metal than VM, but I am sure with my setup that's not it !!!!! Also the million dollar question is HOW TO: OpenVPN Site-to-Site with DNS. In the past I tried to set up Bind with no luck, seems I need to study more and I have to go with built-in unbound for now. My sites are subdomains like: site1.myco.local site2.myco.local site3.myco.local Is there a way I can resolve without adding the hosts to each site manually? Thank you. EDIT: Is this section of client specific Overrides can be the key to be resolved by other clients [image]
  • OpenVPN TAP server for "local" gaming

    2
    0 Votes
    2 Posts
    609 Views
    Z
    Some further digging and this seems to be a metric issue. If I change the metric for the TAP adapter on both clients they can find each other and everything works, but not otherwise. Is there a way to have Windows push all of the broadcast traffic down the VPN without having to manually change the adapter metric setting? Perhaps some setting I can push through the OpenVPN server that ensures 255.255.255.255 requests go down the VPN?
  • ExpressVPN interface is up but gateway is down

    13
    0 Votes
    13 Posts
    8k Views
    C
    @lansmurf said in ExpressVPN interface is up but gateway is down: The only problem I still have is that although the interface and the gateway are up and working. Dpinger cannot ping the VPN server. I have set the Data payload to 1 but I still don't get a ping… If I enter 8.8.8.8 to monitor I get a huge packetloss >40%... Maybe someone can give me advice at this point to get better monitoring results? (I guess this is important for load balancing if you enter multiple gateways to different VPN servers) A bit late, but replying in case it might help someone. I had same problem with Dpinger and packet loss. Solved it by enabling Hardware Crypto in openvpn client. Now I can use external IP to monitor if VPN gateway is online. Of course, your hardware needs to support this.
  • Add other servers' bundled configurations to OpenVPN Windows Installer

    3
    0 Votes
    3 Posts
    690 Views
    C
    @jimp Thank you jimp! Works now.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.