• 0 Votes
    7 Posts
    1k Views
    RicoR
    Glad you have it working now. -Rico
  • OpenVPN site-to-site, only the first Remote Network is reachable from LAN

    0 Votes
    15 Posts
    2k Views
    M
    This is the alias list: [image: ub8T6ai.png]
  • after setting up open vpn wifi internet connectivity gets lost

    0 Votes
    1 Posts
    218 Views
    No one has replied
  • 0 Votes
    3 Posts
    246 Views
    No one has replied
  • RTSP (IP CAM) traffic over OpenVPN Connection

    0 Votes
    2 Posts
    3k Views
    D
    Well, today I think I figured it out. Tested with existing config over cellular: T-Mobile - Didn't Work; Verizon - Worked. I suspect maybe this is an MTU size issue of OpenVPN? Is there a way to lower the MTU on the OpenVPN server under pfSense? I know there is a way in the client, but wondering if I can force a lower MTU on the server itself.
  • Restarting OpenVPN from ACME

    0 Votes
    10 Posts
    2k Views
    jimpJ
    I would still not consider that ideal for OpenVPN. You have to deliver the config and other settings (TLS key, etc.) so you may as well send along the CA in the bundle to be validated for added security. Sure, you could omit the CA since the OS bundle should consider ACME trusted, but I fail to see any advantage in doing so for OpenVPN. You could also argue it's less secure since any other OpenVPN server using an ACME cert would also appear to be valid to the client, though validating the cert CN and using TLS keys help there, it's still knocking down an extra layer of authentication between the server and client. Contrast that against the IKEv2 user auth scenario above, where all you need to do is enter/match settings without delivering anything to the client. It's more convenient in that case, though some of the same security arguments still apply.
  • OpenVpn with yealink T26 phone

    0 Votes
    1 Posts
    287 Views
    No one has replied
  • VPN DNS QUESTION

    0 Votes
    3 Posts
    552 Views
    W
    @bcruze Hi bcruze - thanks for the reply. Do you need a pic of the DNS resolver? I have it like I mentioned on my original post. [image] [image] Local host is also highlighted in the network interfaces. [image] You see here the two VPN interfaces highlighted. Nothing else is checked on this page and custom options box is blank. On the advanced settings: The only options checked are: [image] [image] Everything else is set at default values. Is this helpful? Thanks again!
  • OpenVPN throughput pfsense 2.4.4

    0 Votes
    5 Posts
    1k Views
    R
    I also discovered turning on fast-io is doing nothing for speed in 2.4.4
  • 'Speed Test' Sites are all but worthless (I could even say conspiracies)

    0 Votes
    14 Posts
    2k Views
    T
    Someday, someone will create a REAL speed test which measures the speed to 5-6 various sites (i.e. microsoft, nike, porsche, etc). dslreports was once awesome. I really trusted them. Now that I'm using Firefox and all the anti-tracking toys, their site doesn't work very well. It doesn't take a genius to figure out why. (I simplified that, but you get the point.) As an example, I get a bunch of Snort alerts when trying to run dslreports/speedtest now: Sensitive Data was Transmitted Across the Network; 138:5 SENSITIVE-DATA Email Addresses; 139:1 (spp_sdf) SDF Combination Alert. I'm assuming these are false alarms, but I don't know enough about Snort to know for sure. At least, why does a speed test have to be throwing false alerts? Anyway, unless someone can explain these to me, I've retired dslreports. I have to admit, speed tests don't mean that much. Having a Porsche that breaks 200mph doesn't really matter 99.999% of the time. My biggest concern these days is with all the anti-tracking apps, like pfBlocker, Snort, uMatrix, Ublock, Squid (for http virus), and so on, all these start adding up to more and more latency. 800 MB/s doesn't matter as much as not taking 5 seconds for a site to load. That's even harder to measure... but it can be.
  • OpenVPN to Target LAN resource Firewall Rule Set up

    0 Votes
    8 Posts
    776 Views
    RicoR
    I've posted right in the other thread and then saw this one here. Maybe my posting there can help you...check it out. -Rico
  • OpenVPN DNS problem on MAC OS

    0 Votes
    7 Posts
    2k Views
    K
    @madcry Yeah, right. You can add this option here (OpenVPN server settings) [image]
  • Guide - How to connect pfSense OpenVPN client to IPVanish

    1 Votes
    4 Posts
    16k Views
    M
    Noobs moment, I'm trying to get ipvanish working on pfsense. Is there an up to date guide for this?
  • Site-to-Site traffic redirection

    0 Votes
    12 Posts
    1k Views
    N
    @derelict Yes I do. I took it from a Netgate video. So far it is the only solution that worked for me, so I'll take it :)
  • not able to pass traffic

    0 Votes
    6 Posts
    758 Views
    RicoR
    How about posting your server config and export client config file? -Rico
  • Openvpn Client Export - not show user/cert

    0 Votes
    8 Posts
    2k Views
    F
    Thanks Rico, it works. :)
  • 0 Votes
    5 Posts
    857 Views
    RicoR
    How would you route traffic without adding some kind of router to this LAN? -Rico
  • Need help on openvpn client routing

    0 Votes
    4 Posts
    568 Views
    A
    @konstanti I disabled the first rule, still not working
  • OpenVPN cant connect static routes

    0 Votes
    3 Posts
    452 Views
    johnpozJ
    @fergomez1980 said in OpenVPN cant connect static routes: "Static Routes in LAN 192.168.0.0/24 + Gateway in LAN 172.26.0.199 (ip alias of router to connect at that network); 192.168.1.0/24 + Gateway in LAN 172.26.0.199 (ip alias of router to connect at that network)". Other than your current openvpn problem this sort of setup also screams asymmetrical traffic flow. If you have a network that you get to via a downstream router, then this downstream router should be connected via a transit network, not using a network that has hosts on it. So let's say a lan device wants to talk to an IP on these networks: does it have a host route, or send its traffic to pfsense? The return traffic will just go direct to the client from the downstream router = asymmetrical. But as mentioned by viragomann, you will need routes on your downstream router on how to reach the tunnel network(s) you use for your openvpn clients. Or no, you will never be able to get there without doing source nat.
  • Openvpn Site-to-Site Routing

    0 Votes
    6 Posts
    724 Views
    X
    @rico hello, I just finished configuring ssl/tls openvpn, all working fine, but I couldn't understand: in the server there is a section "Local Networks", what exactly is this for? Because without it I don't see any issues???? Also my cpu supports AES-NI - Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM [image] My pfSense box also has a Chelsio T580-SO-CR which I believe supports Crypto offload, but I am not sure how to use that function. OpenVPN seems to support only "cryptodev". I have to set it to AES-NI and BSD Crypto Device in order to get any crypto offload on the OpenVPN. Even so I get much better performance on the bare metal than VM, but I am sure with my setup that's not it !!!!! Also the million dollar question is HOW TO: OpenVPN Site-to-Site with DNS. In the past I tried to set up Bind with no luck, seems I need to study more and I have to go with the built-in unbound for now. My sites are subdomains like: site1.myco.local, site2.myco.local, site3.myco.local. Is there a way I can resolve without adding the hosts to each site manually? Thank you. EDIT: Is this section of client specific Overrides the key to being resolved by other clients? [image]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.