@viragomann I did found out what it was wrong. The error was in front of my face all the time and I did not were seeing it. [image: 1743428697119-2a767b14-aa92-4d90-a04b-70b5a149cf15-image.png] I have to put in IPv4 networks BOTH networks not only the one on my side... Thanks a lot for let me see it!

You can check with your mobile phone. whatismyip.com should return your home IP. -Rico

@Rico No, and no log entries though we don't have OpenVPN set up. PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND 77412 root 10 20 0 798M 677M nanslp 0 937:11 1.18% suricata 86659 root 10 20 0 850M 721M nanslp 0 547:29 0.65% suricata 99674 unbound 4 20 0 113M 87M kqread 2 7:30 0.23% unbound 19999 root 1 20 0 14M 4100K CPU0 0 0:00 0.08% top 69725 root 5 68 0 17M 3168K uwait 0 3:54 0.02% dpinger 69646 root 5 68 0 21M 3260K uwait 0 4:25 0.01% dpinger 71901 root 1 20 0 13M 2768K kqread 0 2:12 0.01% tail_pfb

I have setup Wireuard instead but am having DNS issues, have looked at several solutions. I can connect to devices via RDP on the other side of the wireguard tunnel but can't reslove dns on my side. Starting a new post here: https://forum.netgate.com/topic/196948/wireguard-dns-resolution-issue Thanks for the input.

Hi @Gertjan, thank you for answering. I´m not the only one, who is disappointed about openvpn makers suddenly treat their recent defaults as incompatible. As far as I know there is no easy (for people doing other stuff than openvpn too) documentation and/or recommendations for a soft transition. I think the pfsense could be upgraded to 2.6.x easily, leaving the old vpn connections intact, but still using old standards. 2.7.x probably will not come up after upgrade if VPN connections were not altered before updating. But I don´t find any documentation, what to change to have a smooth transition from 2.6.x to 2.7.x. "yust update to 2.7.2" is not a viable solution! My hope was someone with knowledge about openvpn beyond using the wizards, could share some knowledge about paths for transition without interrupting vpn services for all who have to upgrade.

Hm, so only IPs and subnets, nothing that needs to be resolved? That should load as soon as pf does, which should be before the openvpn resyn at boot. Do you see any errors in the OpenVPN or system logs when this happens? Or any sort of difference in the process ordering?

@timcin This issue cannot has nothing to do with pfSense. So this is the wrong place to request support for it. You should ask in a Raspy forum, how to enable an OpenVPN client service.

@donpablo You will need some upvotes to be able to attach files. But you could have described you settings with a bit more details. So did you state the local networks in the server settings? Or did you check "redirect gateway". Did you have a firewall rule in place on the OpenVPN tab to allow access? The wizard should have added it automatically though. Are you able to ping the LAN IP of pfSense?

I see the remote user connection IP is recorded somewhere, I see it when I click on "Status" -> "OpenVPN", where it shows the table of connected users, and it shows their remote IP there. I see this in "/usr/local/www/status_openvpn.php": <td><?=$conn['remote_host'];?></td> Looks like that line builds the table data for the remote user's IP address (and port) and displays it in the OpenVPN status table. Is there a way to get that same data (remote user's IP) into "/etc/inc/openvpn.auth-user.php"? My familiarity with the code isn't so great so I'm having a hard time tracing back how this data is discovered, but it seems like there can be a way....?

@viragomann Thank you so much, i didn't understand that i needed a IP "reservation" in the tunnel, so i can create a new rule allowing access to the MGMT network. now everything is fine.

@ermilan2309 If you need and don't want to throw the hardware in the trash (the manufacturer forgot to update their product, for example Yealink). Use Custom options on server: tls-cert-profile insecure

@fholzer I have re-generated all certificates to 2.7.0 version.there are still fixes https://github.com/pfsense/pfsense/commit/48cf54f850c5bf4fe26a8e33deb449807e71c204.patch [PATCH] OpenVPN Enforce key usage option fix. Issue #13056 , Fix OpenVPN forming invalid route statements for empty local networks (After applying, edit/save affected entries or reboot, Redmine #14919). Use IP/system_patches.php

@bp81 @Gertjan , This was client to site tunnel. Eventually there was no true problem, my way of testing with single tcp stream of iperf3 was bad idea. OpenVPN single stream can be awfully slow, max those 40mbps. If there is single packet lost, tcp windows goes back to lowers value. If I do iperf3 with parallel connections then I come to point that my download/upload are more or less the same. Cant explain why iperf3 upload test with single stream gets max, while download gets ~40-50mbps Nevertheless, my conclusion is that OpenVPN is particularly bad for those older protocols which use single tcp stream (ssh,scp, ftp, rdp etc) While those that use multiple streams, such as web browsing will get maximum speed. If I do test on speedtest.net i get almost maximum. This is without any special tweaks, AES-NI turned on, AES-GCM with ECDH without dco and any special mtu/mss buffer changes. Thank you for you willingness to help guys.