@Bambos This is surely the case

@Gertjan Thank you for your time. Brief, competent and clear. Most likely my solution is to use the DUO Security platform first, and then, if successful, deploy my own server. Because I have a large number of VPN servers that require increased security Thank you very much again! Have a nice day.

@viragomann said in Can't access to Proxmox from outside (OpenVPN client): o limit the rule to a single IP, enter the IP with a /32 mask. Effectively ! Thanks again for your support.

@Gertjan said in OpenVPN Server dco: so its really hidden ? i checked this. only in my windows connect app: [image: 1739441903821-433cb667-86dd-4934-aee9-06dfb0bed48f-image.png]

@johnpoz is there a custom package (OVPN) implemented with this feature ?

@Aadrem said in OpenVPN Slow Only on One Specific Client (2.5G/1G Network): Super Micro 1537 with a CPU that never exceeds 10% load, pfSense is waiting on the WAN interface for traffic that comes in. Other VPN users have no issue, and you're pfSense handles them just fine. Just this 'one more' shows issues ? So, the issue isn't pfSense, the VPN server ..... but the client, or the connection to/from the client. What happens if you swap the VPN client config between 2 of your VPN users ? @Aadrem said in OpenVPN Slow Only on One Specific Client (2.5G/1G Network): (2.5 Gbps download / 1 Gbps upload). They are not on mobile 5G or a limited connection No need to mention this, if you already know the hard sealing : (1 Gbps download / 300 Mbps upload) That said, the "problematic clients are a MacBook Pro and a OnePlus" have the connection "(2.5 Gbps download / 1 Gbps upload)" all for themselves ? Or is this connection shared with others ? ISPs do sell their speeds measured with special conditions : like sun, Mars Earth and Jupiter aligned. @Aadrem said in OpenVPN Slow Only on One Specific Client (2.5G/1G Network): The issue does NOT occur when using 5G or FTTC connections, only on this specific FTTH connection. Ah : That's useful info. The issue points to that network and the ISP.

@Gertjan in case anyone has this issue, i found the solution. besides removing the DNS line remove the TLS key from Custom options under advanced configuration towards the bottom of the openvpn client. then go to the top and select USE A TLS KEY, then uncheck automatically generate a key and paste your key from your server here. then for TLS Key Usage Mode change it to TLS encryption and authentication. now it works after saving the changes!

@viragomann Sorry for that. Yes, it looks like there was a misconfiguration here. I had to change my default gateway it was still setup to be the 10.0.0.1 that the switch comes with. I thought it would be set from DHCP but i guess it wasn't. It's all working now! Thanks!

@poldus What do you consider as "static" here? The above shows the client log. But what shows the server log? Does the server even see any VPN packet? Are you aware, that shared key OpenVPN is deprecated these days? Do you really intend to setup a tap client?

@guillaume14 Ensure all related states are flushed. If the no-nat rule still isn't applied, there might something wrong in its settings, so that it doesn't match. Ensure that the protocol and the destination port are correct if stated.

@rajukarthik its just the normal openvpn community edition. [2.7.2-RELEASE][admin@test.mydomain.tld]/root: openvpn --version OpenVPN 2.6.8 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO] library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10 Yeah it is a bit dated, sure that will update when 2.8 drops.. but its not the access server version. As to soc2 - As to the just community edition, prob not - since really the user of said edition can pretty much do anything they want with the config, were with the AS and Cloud versions of their server being more strictly controlled in what can be configured. Those 2 versions are not free, so sure they can get certification of meeting specific standards, etc. But I doubt they would run through such trouble with audits of controls, etc. for something the user might easy override even a config change. If you really want to make sure its soc2 compliant - I would run either of those on something other than pfsense. I have not heard of anything about being able to run say the as version on pfsense. I run an as version on one of my vpses - you can run it for free for max of 2 concurrent connections. Which for me is plenty for my use case.