@sourish So you have to recheck your WAN NSG configuration in Azure. Can you even reach pfSense with a different protocol, e.g. ping? Ensure to allow it in the NSG and on pfSense.

@Antibiotic Given DCO and IIMB both AES and ChaCha will be accelerated. AES will still be slightly faster, just because it's a faster algorithm.

@Gertjan: Thanks very much for pointing that out! As you can see from my latest topic in this forum, I changed the tunnel network to a /24 address.

@Gertjan right. certs are not "old", they are obsolete. sha1

@DominikHoffmann said in OpenVPN with Netgate connected directly to Starlink dish.: The only way to get around that would be to subscribe to a static IP address. How much does Starlink charge for that? I don't think its even an option at any price. But you can get a dynamic public IP https://support.starlink.com/topic?category=10&category=46 How do I set my IP address to Public? The ability to update the IP policy to a Public IP is only available with a Priority or Mobile Priority service plan: Login to your account www.starlink.com/account Select "Manage" in the Your Starlinks section Select the "pencil" icon next to "IP Policy" Select "Public IP" from the drop down menu Save Reboot your Starlink But you would need priority plan.. They are suppose to be rolling out IPv6 - if you have that you could use that for an unsolicited inbound connection for you vpn. Or there are other ways to work around the cgnat issue, with creating the outbound connection. Something like tailscale or wireguard could work. https://www.starlink.com/service-plans/all Wonder if have public inbound data is metered.. That can get pretty expensive. [image: 1714445221458-publicip.jpg] Not exactly how those priority tiers work.. But 20$ more a month isn't horrible for a public IP. But 250 a month for 1TB seems a bit high!

@MoonKnight Thanks for the feedback. I have since gotten rid of the destination rule inversion on the IPGROUP_ROUTE_VIA_EXPRESSVPN and set it to Any. This gives me better protection to make sure absolutely nothing goes out that is in that group if it does not go out the ExpressVPN gateway.

@viragomann Yes, I think I tracked it down to the VPN instances getting the same virtual IP in pfsense, which is making it conflict. And these are not changeable.... so.... currently looking at setting up a dedicated vpn connection on the linux box for the static route for the mailserver.

@DominikHoffmann Since you can reproduce it I'd create a bug report at redmine.pfsense.org.

edit: Apr 26 11:17:34 openvpn 83673 do_ifconfig, ipv4=1, ipv6=0 Apr 26 11:17:34 openvpn 83673 /sbin/ifconfig ovpns4 172.16.10.1 172.16.10.2 mtu 1500 netmask 255.255.255.255 up Apr 26 11:17:34 openvpn 83673 /usr/local/sbin/ovpn-linkup ovpns4 1500 0 172.16.10.1 172.16.10.2 init Apr 26 11:17:34 openvpn 83673 /sbin/route add -net 10.4.0.0 172.16.10.2 255.255.0.0 Apr 26 11:17:34 openvpn 83673 /sbin/route add -net 172.16.20.0 172.16.10.2 255.255.255.0 Apr 26 11:17:34 openvpn 83673 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1800 tailroom:568 ET:32 ] Apr 26 11:17:34 openvpn 83673 Socket Buffers: R=[42080->524288] S=[57344->524288] Apr 26 11:17:34 openvpn 83673 UDPv4 link local (bound): [AF_INET]175.144.139.191:1120 Apr 26 11:17:34 openvpn 83673 UDPv4 link remote: [AF_UNSPEC] This is log from Server. Is there any indicator showing something wrong or its perfectly fine? VPN has been down for awhile when using openvpn after update on pfsense. anyone care to help?

@James92 It's pretty hard to tell you, what's wrong there, when only seeing two rows extracted from the log. Clear the OpenVPN log. Go into the server settings and set the log verbosity level to 4. Then try to connect from a client. Post the whole OpenVPN log after. You can obscure public IPs of course.