• Import more specific routes from openvpn clients

    1
    0 Votes
    1 Posts
    223 Views
    No one has replied
  • OpenVPN Optimization (peer id)

    13
    0 Votes
    13 Posts
    2k Views
    JKnottJ
    @jknott said in OpenVPN Optimization (peer id): I just tried the test described in the 2nd link. The 1st & 3rd runs are with AES-NI enabled and the 2nd and 4th without.

        [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
        You have chosen to measure elapsed time instead of user CPU time.
        Doing aes-128 cbc for 3s on 16 size blocks: 25636690 aes-128 cbc's in 3.03s
        Doing aes-128 cbc for 3s on 64 size blocks: 6645567 aes-128 cbc's in 3.02s
        Doing aes-128 cbc for 3s on 256 size blocks: 1666553 aes-128 cbc's in 3.01s
        Doing aes-128 cbc for 3s on 1024 size blocks: 419373 aes-128 cbc's in 3.02s
        Doing aes-128 cbc for 3s on 8192 size blocks: 52444 aes-128 cbc's in 3.00s
        Doing aes-128 cbc for 3s on 16384 size blocks: 26180 aes-128 cbc's in 3.01s
        OpenSSL 1.1.1k-freebsd 25 Mar 2021
        built on: reproducible build, date unspecified
        options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
        compiler: clang
        The 'numbers' are in 1000s of bytes per second processed.
        type        16 bytes    64 bytes    256 bytes   1024 bytes  8192 bytes  16384 bytes
        aes-128 cbc 135319.44k  141037.53k  141843.14k  142404.29k  143207.08k  142606.34k

        [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
        You have chosen to measure elapsed time instead of user CPU time.
        Doing aes-128 cbc for 3s on 16 size blocks: 25330588 aes-128 cbc's in 3.00s
        Doing aes-128 cbc for 3s on 64 size blocks: 6627583 aes-128 cbc's in 3.01s
        Doing aes-128 cbc for 3s on 256 size blocks: 1673390 aes-128 cbc's in 3.02s
        Doing aes-128 cbc for 3s on 1024 size blocks: 417364 aes-128 cbc's in 3.00s
        Doing aes-128 cbc for 3s on 8192 size blocks: 53873 aes-128 cbc's in 3.09s
        Doing aes-128 cbc for 3s on 16384 size blocks: 26240 aes-128 cbc's in 3.02s
        OpenSSL 1.1.1k-freebsd 25 Mar 2021
        built on: reproducible build, date unspecified
        options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
        compiler: clang
        The 'numbers' are in 1000s of bytes per second processed.
        type        16 bytes    64 bytes    256 bytes   1024 bytes  8192 bytes  16384 bytes
        aes-128 cbc 135096.47k  141021.19k  141689.00k  142460.25k  143012.49k  142562.87k

        [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
        You have chosen to measure elapsed time instead of user CPU time.
        Doing aes-128 cbc for 3s on 16 size blocks: 26072625 aes-128 cbc's in 3.08s
        Doing aes-128 cbc for 3s on 64 size blocks: 6763860 aes-128 cbc's in 3.09s
        Doing aes-128 cbc for 3s on 256 size blocks: 1672403 aes-128 cbc's in 3.02s
        Doing aes-128 cbc for 3s on 1024 size blocks: 421159 aes-128 cbc's in 3.02s
        Doing aes-128 cbc for 3s on 8192 size blocks: 52262 aes-128 cbc's in 3.00s
        Doing aes-128 cbc for 3s on 16384 size blocks: 26208 aes-128 cbc's in 3.00s
        OpenSSL 1.1.1k-freebsd 25 Mar 2021
        built on: reproducible build, date unspecified
        options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
        compiler: clang
        The 'numbers' are in 1000s of bytes per second processed.
        type        16 bytes    64 bytes    256 bytes   1024 bytes  8192 bytes  16384 bytes
        aes-128 cbc 135524.71k  140277.32k  141972.28k  143010.76k  142710.10k  143130.62k

        [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
        You have chosen to measure elapsed time instead of user CPU time.
        Doing aes-128 cbc for 3s on 16 size blocks: 25433637 aes-128 cbc's in 3.01s
        Doing aes-128 cbc for 3s on 64 size blocks: 6800719 aes-128 cbc's in 3.09s
        Doing aes-128 cbc for 3s on 256 size blocks: 1663307 aes-128 cbc's in 3.01s
        Doing aes-128 cbc for 3s on 1024 size blocks: 417174 aes-128 cbc's in 3.00s
        Doing aes-128 cbc for 3s on 8192 size blocks: 51998 aes-128 cbc's in 3.00s
        Doing aes-128 cbc for 3s on 16384 size blocks: 26190 aes-128 cbc's in 3.01s
        OpenSSL 1.1.1k-freebsd 25 Mar 2021
        built on: reproducible build, date unspecified
        options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
        compiler: clang
        The 'numbers' are in 1000s of bytes per second processed.
        type        16 bytes    64 bytes    256 bytes   1024 bytes  8192 bytes  16384 bytes
        aes-128 cbc 135293.74k  141041.75k  141566.87k  142395.39k  141989.21k  142660.81k
        [2.5.2-RELEASE][root@firewall.jknott.net]/root:

    If I'm reading that right, it appears there's a very slight, but probably not significant benefit to enabling it.
  • Client crypto hardware.

    4
    0 Votes
    4 Posts
    645 Views
    JKnottJ
    @jknott said in Client crypto hardware.: I have a Lenovo E520 ThinkPad, with i3 CPU, which I bought about 10 years ago. Apparently, that computer is too old to support RDRAND. It first appeared with the Ivy Bridge CPU, which became available around the time I bought my ThinkPad.
  • OpenVPN log entries, repetitive

    3
    0 Votes
    3 Posts
    470 Views
    M
    @bingo600 A change from 3 (recommended) to default did the trick. Thanks for that.
  • PIA dedicated IP as OpenVPN client

    5
    0 Votes
    5 Posts
    5k Views
    S
    @viragomann, Thanks for your interest in helping. However, PIA has confirmed that what it calls a "dedicated IP" is very different from a static IP and can be used only with PIA software, which is not available for pfSense. So this thread can be closed. I'm no longer pursuing that solution and will rely on DDNS.
  • 0 Votes
    2 Posts
    406 Views
    V
    @corsairwall32 Add a firewall rule to the top of the LAN rule set for allowing traffic to this destination IP. Open the advanced options, go down to gateway and select the WAN gateway. So the traffic will be directed out to WAN.
  • Reserve lease assignment

    4
    0 Votes
    4 Posts
    485 Views
    M
    @ryu945 Found nothing on a Netgate forum search. Took a few hours but finally found the solution here. Needs a client specific override with the common name and the desired ip/subnet as an "advanced" entry i.e. ifconfig-push 192.168.98.5 255.255.255.248
  • OpenVPN handshake

    1
    0 Votes
    1 Posts
    346 Views
    No one has replied
  • Executing script after OpenVPN has started

    4
    0 Votes
    4 Posts
    969 Views
    noplanN
    @pandafy ok, sorry I'm out can't get the benefit, but that's just me. of wanna doing something essential on pfS like openVPN with a pretty good webIF outside of pfS good luck NP
  • OpenVPN clients can't discover LAN resources

    5
    0 Votes
    5 Posts
    948 Views
    L
    @JKnott, I uninstalled the network printer driver. Then, I manually re-installed the printer using its static LAN IP. Windows re-used the existing driver and I was able to print locally as if nothing happened. Then, I tested if I was able to find my printer when connected via OpenVPN and, what do you know? It worked flawlessly!!!!!! Just as you suggested. Now I'm able to print from within the LAN and when connected via OpenVPN. Also, your comment: "Those require multicast and that doesn't normally pass through a router" made me think, will the SMB share be discoverable if I specify a host override for its server under the DNS resolver settings? As it turns out, it does!!!!! Now all my shares and printers are discoverable when connected to the LAN via OpenVPN tunnel. I hope my experience and report can help somebody else having these issues, and thank you so much for pointing me in the right direction.
  • Redirecting all traffic through the tunnel

    3
    0 Votes
    3 Posts
    469 Views
    L
    @viragomann thanks for the clarification. There you have it, i was indeed overthinking it.
  • OpenVPN service not running v2.5.2

    3
    0 Votes
    3 Posts
    463 Views
    R
    See extract from log:

        ug 18 12:03:17 openvpn 61300 OpenVPN 2.5.2 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 24 2021
        Aug 18 12:03:17 openvpn 61300 library versions: OpenSSL 1.1.1k-freebsd 25 Mar 2021, LZO 2.10
        Aug 18 12:03:17 openvpn 61612 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Aug 18 12:03:17 openvpn 61612 WARNING: experimental option --capath /var/etc/openvpn/server1/ca
        Aug 18 12:03:17 openvpn 61612 TUN/TAP device ovpns1 exists previously, keep at program end
        Aug 18 12:03:17 openvpn 61612 TUN/TAP device /dev/tun1 opened
        Aug 18 12:03:17 openvpn 61612 ioctl(TUNSIFMODE): Device busy (errno=16)
        Aug 18 12:03:17 openvpn 61612 /sbin/ifconfig ovpns1 10.0.1.1 10.0.1.2 mtu 1500 netmask 255.255.255.0 up
        Aug 18 12:03:17 openvpn 61612 /usr/local/sbin/ovpn-linkup ovpns1 1500 1621 10.0.1.1 255.255.255.0 init
        Aug 18 12:03:17 openvpn 61612 UDPv4 link local (bound): [AF_INET]51.75.92.46:1194
        Aug 18 12:03:17 openvpn 61612 UDPv4 link remote: [AF_UNSPEC]
        Aug 18 12:03:17 openvpn 61612 Initialization Sequence Completed
        Aug 18 12:07:06 openvpn 61612 event_wait : Interrupted system call (code=4)
        Aug 18 12:07:08 openvpn 61612 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1621 10.0.1.1 255.255.255.0 init
        Aug 18 12:07:09 openvpn 61612 SIGTERM[hard,] received, process exiting
        Aug 18 12:10:20 openvpn 35855 Options error: --server directive network/netmask combination is invalid
        Aug 18 12:10:20 openvpn 35855 Use --help for more information.
        Aug 18 13:28:10 openvpn 28137 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
        Aug 18 13:28:10 openvpn 28137 Options error: --server directive network/netmask combination is invalid
        Aug 18 13:28:10 openvpn 28137 Use --help for more information.
        Aug 18 14:18:46 openvpn 80616 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
        Aug 18 14:18:46 openvpn 80616 Options error: --server directive network/netmask combination is invalid
        Aug 18 14:18:46 openvpn 80616 Use --help for more information.
        Aug 18 14:51:33 openvpn 16749 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
        Aug 18 14:51:33 openvpn 16749 Options error: --server directive network/netmask combination is invalid
        Aug 18 14:51:33 openvpn 16749 Use --help for more information.
        Aug 18 14:56:40 openvpn 16513 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
        Aug 18 14:56:40 openvpn 16513 Options error: --server directive network/netmask combination is invalid
        Aug 18 14:56:40 openvpn 16513 Use --help for more information.
        Aug 18 14:57:22 openvpn 33554 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
        Aug 18 14:57:22 openvpn 33554 Options error: --server directive network/netmask combination is invalid
        Aug 18 14:57:22 openvpn 33554 Use --help for more information.
        Aug 18 14:58:31 openvpn 40653 Options error: --server directive network/netmask combination is invalid
        Aug 18 14:58:31 openvpn 40653 Use --help for more information.
        Aug 18 15:08:15 openvpn 31653 Options error: --server directive network/netmask combination is invalid
        Aug 18 15:08:15 openvpn 31653 Use --help for more information.
        Aug 18 15:12:39 openvpn 98194 Options error: --server directive network/netmask combination is invalid
        Aug 18 15:12:39 openvpn 98194 Use --help for more information.
        Aug 18 15:12:58 openvpn 55110 Options error: --server directive network/netmask combination is invalid
        Aug 18 15:12:58 openvpn 55110 Use --help for more information.
        Aug 18 15:21:13 openvpn 23712 Options error: --server directive network/netmask combination is invalid
        Aug 18 15:21:13 openvpn 23712 Use --help for more information.
        Aug 18 15:22:13 openvpn 71847 Options error: --server directive network/netmask combination is invalid
        Aug 18 15:22:13 openvpn 71847 Use --help for more information.
  • Host Name Resolution via Dynamic DNS Clients

    12
    0 Votes
    12 Posts
    2k Views
    C
    @viragomann I guess my question was how we can set up a DDNS without exposing the real WAN ISP IP. But I don't think that is possible, as the VPN profile file will need a remote URL that points to your WAN IP.
  • Adding additional route to OpenVPN Client

    5
    0 Votes
    5 Posts
    698 Views
    A
    @viragomann said in Adding additional route to OpenVPN Client: So this network is on another location connected to the office network via IPSec? Yes, correct. I have figured it out already, basically I just need to add another Phase 2 entry on the IPsec tunnel. [image: 1629283600858-phase2-entry.png] So now I can reach the remote site over OpenVPN. Thanks @viragomann @marvosa
  • SSH/RDP not working over OpenVPN in a Bridged LAN

    openvpn routing nat routing
    13
    0 Votes
    13 Posts
    2k Views
    johnpozJ
    If they are different interfaces and not switch ports - then no, there is no way to put them on the same network without bridging them. But the only reason you need for them to be on the same network is broadcast traffic.. They could be on different networks and still access everything on the other network. Just create any any rules. Do these devices use some broadcast/multicast discovery or protocol that requires them to be on the same network.. If you want to leverage your ports for individual devices - ok... But why do you need to bridge them.. Just use 192.168.1/24 on 1 and 192.168.2/24 on 2.. And use an any any rule - there you go, these devices can talk to each other for anything other than broadcast traffic. Bridge is only going to complex up the config, and more overhead for what? Are you doing something that requires broadcast to work? Then get a switch... Really the only time it makes sense to leverage a bridge is media conversion... Or I had something that required the devices to be in the same broadcast domain, ie the same L2 network.. But I also wanted to be able to firewall between them for some stuff. In that case you would use a bridge (transparent firewall) and be able to do such a thing. But just wanting to leverage the ports on your pfsense box.. I don't see the point of trying to bridge them?
  • Connected to OpenVPN server but Public IP address remains the same

    6
    0 Votes
    6 Posts
    776 Views
    L
    @viragomann Thank you Sir. The redirect IPv4 Gateway option in pfSense OpenVPN did the trick.
  • 0 Votes
    3 Posts
    540 Views
    bingo600B
    @bp81 I'm distributing the "Client Export set of files" in a password protected zip file. /Bingo
  • Route to a secondary firewall from openvpn

    1
    0 Votes
    1 Posts
    232 Views
    No one has replied
  • How Extend CA's on OpenVPN

    4
    0 Votes
    4 Posts
    616 Views
    A
    @viragomann Thanks for replying. I created a new CA and generated a new client configuration.
  • OpenVPN speedtest issue

    1
    0 Votes
    1 Posts
    423 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.