• Client not getting /32 route to pfSense

    10
    0 Votes
    10 Posts
    915 Views
    JKnott
    @4xTroy My OpenVPN tunnel works fine without doing that. I only have "push "route 0.0.0.0 0.0.0.0";push "route-ipv6 ::/0"" in Additional configuration options.
  • OpenVPN interface assignment

    openvpn interface clients
    2
    0 Votes
    2 Posts
    858 Views
    Rico
    The interface used by the firewall to originate this OpenVPN client connection so typically this would be WAN. In my case for some Sites it is not directly WAN but some Gateway Group containing different WANs. I've never thought about switching it to any internal Interface like LAN or OPT...why did you do that? Just leave it as default. -Rico
  • pfSense 2.4.5 with OpenVPN and an external Radius Server with 2FA TOTP

    2
    0 Votes
    2 Posts
    531 Views
    N
    Your problem looks like the one "reneg-sec 0" solves. Is this option in the client's config too?
  • 0 Votes
    21 Posts
    3k Views
    S
    @Rico sadly doesn't seem to solve the issue. I deployed the OpenVPN on ubuntu behind the firewall and forwarded the port, now I got it working. I am not sure why it's not working, to be honest, but the fact that it worked for a while and that it's very slow without using any resources makes me believe something is unstable there, possibly with how my hosting solution manages VMs. Anyway thank you for all the help.
  • push dns record?

    3
    0 Votes
    3 Posts
    1k Views
    noplan
    working with a split tunnel too? not yet tested (tomorrow on the to-do list) maybe some time for coffee can be saved #staySafe
  • Client device filtering

    20
    0 Votes
    20 Posts
    2k Views
    noplan
    hey folks i'm the one who is not willing to pay for useless fancy stuff that keeps me off work when i need it cuz i have not patched my OS and a fancy tool is keepin / shuttin me off the vpn airports are not that lovely when u travel a lot !
  • Don't understand the 10.0.8.2 route in Diagnostics -> Routes

    9
    0 Votes
    9 Posts
    932 Views
    Pippin
    Ok, fired up a virtual box and topology subnet for pfS shows inet 172.16.25.1 --> 172.16.25.2 while on Linux inet 172.16.25.1 --> 172.16.25.1. Then I remembered something about topology in FreeBSD and found it: "Repair topology subnet on FreeBSD 11" https://sourceforge.net/p/openvpn/mailman/message/35478475/ So I guess it's related to that for why it's different. But I don't know if it's related to OP's "the user can't access the 192.168.5.0 resources if the OpenVPN roadwarrior DHCP gives the 10.0.8.2"
  • Using Internal CA / Self-Signed Certificate for OpenVPN client

    4
    0 Votes
    4 Posts
    454 Views
    jimp
    You're confusing site-to-site/remote access VPNs on pfSense (servers) with VPN service clients. A VPN server on pfSense would use a server certificate from a self-signed internal CA as its server certificate. A VPN client on pfSense would use a certificate provided by the server. If that's a VPN provider, the VPN provider would give you a certificate. (If it's something like PIA, that's up to them. If you are connecting to another pfSense, it would be a user certificate made on that remote pfSense server).
  • OpenVPN Routing Not working

    1
    0 Votes
    1 Posts
    254 Views
    No one has replied
  • pfSsh.php playback not stopping clients

    3
    0 Votes
    3 Posts
    420 Views
    A
    @kiokoman said in pfSsh.php playback not stopping clients: op OpenVPN client # Thank you so much! Works now.
  • 0 Votes
    2 Posts
    334 Views
    W
    @derekmarch said in Is it possible to setup a gateway group of VPN connections that will only connect when needed: Can I somehow configure it so if a VPN server drops below the configured threshold it connects me to a different server, verifies that it meets the threshold requirements, connects me through that server then disconnects the original server? I am also interested in a solution for this problem. Does anybody know, how to set up the system for that?
  • DNS issue while connected to OpenVPN

    43
    0 Votes
    43 Posts
    8k Views
    A
    @Gertjan yup that's true.. that's why I switch straight away..
  • OpenVPN client specific override Error?

    pfsense clientspecific override openvpn
    13
    0 Votes
    13 Posts
    2k Views
    noplan
    @Rico word! i do not need to understand why i would do this ;) CSO local networks but here in Austria a lot of things are possible ;)
  • Slow Speeds with OPENVPN

    12
    0 Votes
    12 Posts
    6k Views
    JKnott
    @johnpoz said in Slow Speeds with OPENVPN: 4ms to google - that pretty slick ;) Here's mine.
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=56 time=26.496 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=12.179 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=11.206 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=10.219 ms
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=13.817 ms
    64 bytes from 8.8.8.8: icmp_seq=5 ttl=56 time=9.764 ms
    64 bytes from 8.8.8.8: icmp_seq=6 ttl=56 time=8.719 ms
    64 bytes from 8.8.8.8: icmp_seq=7 ttl=56 time=10.771 ms
    64 bytes from 8.8.8.8: icmp_seq=8 ttl=56 time=10.745 ms
    64 bytes from 8.8.8.8: icmp_seq=9 ttl=56 time=17.773 ms
    64 bytes from 8.8.8.8: icmp_seq=10 ttl=56 time=7.366 ms
    64 bytes from 8.8.8.8: icmp_seq=11 ttl=56 time=11.967 ms
    64 bytes from 8.8.8.8: icmp_seq=12 ttl=56 time=15.246 ms
    64 bytes from 8.8.8.8: icmp_seq=13 ttl=56 time=10.638 ms
    64 bytes from 8.8.8.8: icmp_seq=14 ttl=56 time=8.609 ms
    64 bytes from 8.8.8.8: icmp_seq=15 ttl=56 time=10.193 ms
    64 bytes from 8.8.8.8: icmp_seq=16 ttl=56 time=8.295 ms
    64 bytes from 8.8.8.8: icmp_seq=17 ttl=56 time=10.942 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    18 packets transmitted, 18 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 7.366/11.941/26.496/4.300 ms
    It appears to be a bit better than yours. I'm on a 75/10 plan on cable modem.
  • Remote Employee & Remote PBX

    3
    0 Votes
    3 Posts
    473 Views
    easysimpleit
    @JKnott said in Remote Employee & Remote PBX: @easysimpleit I have done that with a different firewall and it worked fine. I set it up with Talkswitch PBX and Adtran router. Once a VPN is set up, it's no different than any other IP connection. This would or should work if I’m allowing all traffic over the tunnel. I have it set up as a split tunnel and at the moment only internal resources are accessible. Is there anything special I need to do to allow that? The PBX is not local to our network, it’s a remote server outside our environment or control. Thank you
  • Yealink VPN connects but cannot get a DHCP address

    6
    0 Votes
    6 Posts
    805 Views
    G
    @JKnott I'm going to restate your response as I understand it. Based on your experience the IP is configured on the tunnel and you don't understand why I'm implying the VPN connection would be receiving a DHCP address. Based on my read of the Netgate documents it notes a TAP bridging setup would allow the VPN client to obtain a DHCP address on the network it's attaching to. [image: 1586701720343-ng-doc.png] https://docs.netgate.com/pfsense/en/latest/book/openvpn/bridged-openvpn-connections.html This wording seems to be similar to OpenVPN's - **There are two methods for handling client IP address allocation: Let OpenVPN manage its own client IP address pool using the server-bridge directive, or configure the DHCP server on the LAN to also grant IP address leases to VPN clients.** https://openvpn.net/community-resources/ethernet-bridging/ Also when one goes into the OpenVPN Server to edit it [if I remember correctly you do not see these options on creation] [image: 1586702057787-pfsrv.png] Based on what I've read I believe I'm using the correct terminology in explaining what I'm trying to do. If you feel otherwise could you help me understand your perspective. Thanks,
  • different route for different user in openVPN server

    3
    0 Votes
    3 Posts
    390 Views
    noplan
    client specific override and firewall rules for the client i guess invert may be the best guess have a look here for the cso https://forum.netgate.com/topic/152171/openvpn-and-static-ip-for-all-clients/9
  • OVPN Single site, multiple remote users

    6
    0 Votes
    6 Posts
    632 Views
    B
    @Rico Thanks for suggestion. That works really nicely. Just like having a DHCP server handing out "static" IP addresses, in the OpenVPN subnet. I give you a thumbs up.
  • 0 Votes
    5 Posts
    1k Views
    T
    Yes the netmasks are all /24. For now it is 1 peer for testing. But in the future I would like to have the possibility to add more clients. The following is what I'm trying to accomplish: [image: 1586624098701-test.png]
  • OpenVPN and static IP for ALL clients

    27
    1 Votes
    27 Posts
    14k Views
    noplan
    @stephenw10 tested it with some older android clients right now without the ifconfig-push not working on device added the lines working maybe / pretty sure it is the client not the config on the Server