i've read that KVM & freebsd don't mix well, performance wise. have you browsed this? https://forum.pfsense.org/index.php?topic=88467.0

@0x10C in the OpenVPN Client you could try to increase the TCP/UDP socket send and receive buffers size, adding at bottom of the "Custom options" these two lines: sndbuf 524288; rcvbuf 524288 About the OpenVPN capability of the CPU you could run the simple OpenVPN benchmark formula referenced here: https://forum.pfsense.org/index.php?topic=105238.msg616743#msg616743 in the Reply #9 message If I execute the command on my router with a Celeron N3150 I get 27.41 real        25.62 user        1.77 sys (3200 / 27.41) = 117 Mbps OpenVPN performance (estimate) This value perfectly fits to the result of the speed test [image: speedt1.png] [image: speedt1.png_thumb]

Hello, First thank you for responding, it's a tricky subject and I appreciate all the help I can get. Now onto the topic : First of all, the OpenVPN tunnel is not only a site-to-site server but a remote access one too (meaning sometimes I only want to connect to the OVPN IP, not the private subnets this machine has access to). The tunnels are on a /20 but the LANs are on another, so no risk of collision. Our network plnning has been made to be a little future proof hence the /20. On the PKI, good idea but no, maintaining it properly would cost more of my time than I can allocate to it, automating the renewal of a shared key is no big deal. I was looking for a list of advanced options I can give to OpenVPN to assign a specific client-side tunnel IP belonging to the /20 in accordance to our naming scheme without letting the OpenVPN server choose it.

ok, thanx, but i decided degrade to 2.2.4 version (stable).

Ok, that's solved but ive followed almost every tutorial I can find and i cannot get traffic through this VPN. I've tried the Alias route, traffic leaves apparently but it looks like it dosent know how to get back. Infact every method I try looks that way. Traffic leaves the pipe and never comes back. I created the manual nat rules. I currently have the Alias setup. What am I Missing?

hehe divsys seems to be more than from time to time ;)  I would say that is the vast majority of user problems is wrong cert..  What I don't get is the wizard as you stated takes you by the hand and its really pretty freaking impossible to mess it up. My guess is they are not using the wizard..  Which makes no sense to me either.. Maybe their needs to be a wizard for creating the user certs as well?  So they show up in the export util..

Yes, 172.16.30.0/26 and 172.16.30.0/24 are different networks. Glad it's working.

That's a good thing to do when using a VPN I have seen DNS leaks when using ipv6- think its UDP related but not sure

In the firewall logs you only you the origin source IP, that's the VPN clients IP. You can do a packet capture (in Diagnostic menu) on LAN interface. There you will see the translated address.

I know site 2 site must define remote side lan networks Technically this statement is true, but that's not what I said to do.  I said the remote sites need to define the tunnel network of HQ's remote access server I'm using public IP(4g) remote access connect to HQ I'm not sure why this matters.  Please provide a network map and elaborate.

Better try to draw a diagram with you hw config maybe I understand something wrong with what you want to achieve…

The OP hasn't posted his config and responded in 5 days.  I guess we'll assume he figured it out.

Hi, I have a similiar configuration and have reconfigured my OpenVPN a few days ago according to this document : https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN. It seems to be working. If I disconnect my first WAN connection on the OpenVPN Server side, the Client reconnects after a short time via the second link. If the first link is back up, when I disconnect the second link, the client switches back to the first link. With this configuration the client side won't reconnect automaticaly if the primary gets back online again..it stays on the second connection as long as it is available or until you reconnect the client side, but this is exactly how I want it to work.

The client is working just fine. I can't access my vpn server through the client interface. But you mean that it could be issues with sending tls packages within the client interface to my own vpn server? Still don't get why the traffic goes over random ports.. If I only could get it to use specific ports..

@networknut: Have you tried the connection by hostname and by the clients VPN IP to find out if the problem is the NetBIOS? Yes I have So it doesn't work in both ways? @networknut: I did a trick on my VPN server: I push the default route to the clients, but with a high metric, so it doesn't override the clients default route. So if windows has configured a gateway for an network interface it handles the connection as reliable. Can you be so kind as to provide an example of how you went about doing that? In the server advanced configuration section > custom options field I entered push "route-metric 512";push "route 0.0.0.0 0.0.0.0" However, the metric option entered here is also applied for any route, which are pushed to the clients, but no matter since there is no other route for this destination on the client with lower metric. So the route option could as well be set by entering "0.0.0.0/0" in the Locale Network(s) field above.