@viragomann Ok, done. Now everything works normally. [image: 1593705588494-screen-shot-2020-07-02-at-22.59.32.png] Because of the rules in the VPN tab: [image: 1593705824280-screen-shot-2020-07-02-at-23.03.19.png] Why did you give up? why you so easy to give up???

Thank you Gerjan. I added float to the client config and the errors went away. I actually didn't expect the fix to be that easy.

Still running it on my homelab without a problem but yeah in a busy setting that can hurt ;)

perfect Rico, thank you very much, I learned a lot

Thank you all guys for you kind help. it's really appreciated

Hi Jim, thank you for your time. I've supposed that the problem is the php library. I'll move to build and use a new CA. Thanks, Dario.

@Derelict Only from pfsense. Not from any clients. The routes show up in the pfsense route table with the gateway as the tunnel link address. Could it be an issue that the default destination is at the top of the entire list? Another interesting thing is that a trace route command to the other side of the tunnel gets only as far as the local gateway on the side you are trace routing from.

So finally installed the OpenVPN Access Server and it works, meaning, I did everything right on the client side, but still everything could be messed up on the server side, if I roll my own on a ubuntu machine. Again, if anyone got a good and working tutorial for that, would be appropriated.

don't worry - i've sorted it.

@fertig said in Disabled static route deletes OpenVPN's routes: @Derelict said in Disabled static route deletes OpenVPN's routes: Workaround: delete them. Don't set them to disabled. You should not be using static routes for OpenVPN routes anyway. Let OpenVPN maintain them using Remote Networks. if you're using a separate OpenVPN-gateway, you'll have to use static routes to this gateway That is a static route to a gateway, not into OpenVPN. Two entirely different things. if you're migrating away from such a gateway, while you're testing the OpenVPN on the pfSense, you'll allways disable the routes temporarly, to get back quickly. This is the normal way of doing in my opinion... Especially because you don't get the VPN working - as the routes are allways deleted. This is a complete unexpected behaviour. Anyway, I filled a bug report Good deal. That's the way to get developer eyes on it.

@dmd1234498 No, that's not noteworthy if the VPN server isn't at the other side of the globe. There are only some more hops to the webserver.

okay i switched to bgp instead and added the p2 and now it works.. go fig.

@Derelict Hi, yes your reply is correct. Basically no extra configurations are needed. However, there is a caveat: If I enable Force all client-generated IPv4 traffic through the tunnel option and clients rely on DNS service to find the IP of the OpenVPN server, after rebooting my pfsense firewall, all the OpenVPN clients could permanently lose their connections (both VPN and Internet connections). I end up calling colleagues to reboot all clients physically to re-establish the connection.

Be sure that User Authentication Settings on the OpenVPN client configuration page not empty: [image: 1593080671359-screenshot-from-2020-06-25-13-23-52.png] Fill in the username and password fields

@Massimo-S sorry, i reply miself now it works correctly i've disabled the option "dynamic IP" in the OpenVPN server settings page the vpn remote clients now see/ping all LAN servers and services massimo

@Tenou They can only use an address within the tunnel range. So, you write your rules accordingly. If needed, you can even restrict the address range by using a longer subnet mask, to the point where there's only one address that will work. Also, if you're worried about that sort of thing, then you should be implementing other security beyond just VPN addresses. For example, if you're on a corporate network, you might be using Active Directory or similar to restrict what users can access.

Start here focus on the "Science and technology" explanation. If needed, you could also look up the "IP" word. What @Rico was saying : use a RFC1918 type IP. Not the other ones.