@beno44 change the topic and add [solved]

@shawntanderson Use client specific override your vpn clients will then get the same ip BrNp

@droidus You will have to configure it as custom type.

@cielak221 You are testing with two different peers in your speedtest. I'd use the same one so I can actually compare the speeds - we don't know if the "blackburn tech" has just a slower connection. I'd also post my VPN config as otherwise one doesn't know what you have configured. Downgrading from 2.5.2 to 2.4.5 is nonsense, too. OpenVPN is OpenVPN - just because their documentation isn't up to date doesn't mean you have to downgrade your security. That's utter nonsense. Why should I downgrade my firewall to an older/less secure release to use some "cool VPN security". You don't have to downgrade your PC/installed version of the OpenVPN Client to 2.4.x either so why should you have to with pfSense? :) Just flew over their guide to setup - don't see anything that shouldn't work with pfSense 2.5.2 besides setting up nonsense options like supplying "remote-random" but only using one remote for their server. So I'd just follow the guide and check what the service will post in the logs and modify the client settings accordingly. I'm certain things like remote-random tls-client persist-key persist-tun are unneccesary as they are set by pfSense itself - no need to put them in adv. options. Also using the WebUI cert as a "dummy" is nonsense too. With 2.5.2 you can simply select "none" and just supply user/pass, that's what they do anyway as the never install/import an actual client certificate (so that won't be checked by their servers and is void). Setting the MTUs and MSSFIXes is fine I guess. Always depends on your end of the line. With a bad ISP or overhead that values could also be lower. I'd recommend to delete the VPN entry, upgrade to 2.5.2 again, make sure everything else (including a speedtest) is working as expected and then re-create their VPN again on 2.5.2. Shouldn't be too hard. Cheers \jens Edit: Also: check https://support.nordvpn.com/Connectivity/Router/1626958942/pfSense-2-5-Setup-with-NordVPN.htm instead of your 2.4.5 link :) Edit 2: please stop their guide after setting up the OpenVPN. The rest of it is just stupid if the tunnel doesn't work in the first place as you are guided to "cripple" your system to only ever use NordVPN ressources e.g. DNS servers etc etc and will destroy a working IPv6 configuration or the normal default LAN any any rule. For someone not knowing about policy based routing, DNS resolver internals or problems etc. that writeup is a pretty guide to destroy your working configuration and centralise everything over their infrastructure.

SOLVED: the Client certificate was not present, apparently the OpenVPN configuration Wizar only create a "Server Certificate", so the user one have to be created manually. [image: Capture.jpg]

@brunoforestier you changed your tunnel IP ? and if solved please mark als solved brNP

@gertjan I took a look at the OpenVPN access server documentation and logs. The connection issue is due to a TLS error. I have spent some time looking into it and learned more about the access server. Long story short, I decided to switch from the access server to a pfSense OpenVPN server. Main reason is that I found the amount of configuration options in the OpenVPN access server quite limited. I managed to set up get connected to the pfSense OpenVPN server quite easily but I encountered a new problem. I can not connect to certain websites. I will make a new thread for this

@jknott I finally solved creating another phase2 in ipsec, now works fine. As described here: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/multiple-subnets.html Thanks again for help. bye.

We ran into a similar issue with pfSense 2.5.1 running OpenVPN with RADIUS and 2FA/MFA. For us, the fix adding these options in the OpenVPN Client Export tool under Additional configuration options : reneg-sec 0 hand-window 120 auth-nocache Now, our 2FA/MFA with RADIUS works very well.

@deanfourie It looks like you are trying to import Client/Server certificate on the CA page. Please read https://docs.netgate.com/pfsense/en/latest/certificates/index.html and watch https://www.netgate.com/resources/videos-certificate-management-on-pfsense-24

@cerberus2022 said in OpenVPN route to remote network: I am working on deploying PFSense and i will be using it as a openvpn server for remote workers. Is this the default gateway in the local network or is there another router? Do you set up an access server for road warriors or a site2site? You're talking about "remote workers" but also stated a "remote site". All of the remote sites are set up on a different firewall that they connect to that sits on LAN at 192.168.45.3 . What does this mean?

@umm12 I was part of the pfsense team before and I using pfsense for about 100 different projects now. But it is not possible to use two way/side SSL for openvpn in this job. You can use a shared certificate for all your clients that if clients do not have that certificate can not enter your service with a username and password. thanks

@viragomann Yes, that's true. I will experiment with ssh. Thank you for your help and time!

Here are both firewall rules[image: 1631598942401-server.png] [image: 1631598946819-client.png] Please be note: the client internet connection is 5G router, no static IP

@kom Ahh good point, hadn't thought of that. Thank you for the response. It's much appreciated!!

I'm guessing that there are limitations or bugs when trying to use a TAP interface in a peer to peer setup. Or maybe you have to add in some custom settings to make it work. Either way, I had to go with layer 3 TUN mode and use a dedicated PC client to relay DHCP and bridge the layer 2 traffic via a 2nd VPN connection using remote access. This method doesn't scale well and is a bit over complicated, but it does what I need for now.

Try using Ivacy's Netherlands VPN. I've never came across any of the problems mentioned. I get fast internet speeds with no throttling, be it for torrenting or streaming or any other purpose.

It had to do with cipher differences between the two versions. https://community.openvpn.net/openvpn/wiki/CipherNegotiation Had to edit some settings in both server and client side.