It could be turned into a GUI option, but thus far nobody has taken the time to do it. We'd also have to locate and warn against the possible negative side effects of doing that.

Depending on your OpenVPN RAS setup the route is pushed to the Client, no need for manual steps.

-Rico

Some months ago because of VORACLE I disabled compression completely, for testing only for my RAS Servers first...with a HUGE negative impact for my Users.
e.g. working with MS Office files from SMB shares and saving them, took 5 to 10 times longer with compression off. Back to lz4-v2 now...

-Rico

So the "maximum temperature allowed at the processor die" for that processor is 105C. (https://ark.intel.com/products/85212/Intel-Core-i5-5200U-Processor-3M-Cache-up-to-2-70-GHz-). Of course, you don't want to get too near that, but 54C is perfectly fine. I'd keep an eye on it in the summer for sure; I think as a rule of thumb it'd good to keep it at or below around 65C. I only say that because I think a lot of BIOSes use that as their default "thermal warning" value.

Glad you have it working now.

-Rico

This is the alias list:

alt text

Well, today I think I figured it out.

Tested with existing config over cellular:

I suspect maybe this is an MTU size issue of OpenVPN? Is there a way to lower the MTU on the OpenVPN server under pfSense? I know there is a way in the client, but wondering if I can force a lower MTU on the server itself.

I would still not consider that ideal for OpenVPN. You have to deliver the config and other settings (TLS key, etc) so using you may as well send along the CA in the bundle to be validated for added security. Sure, you could omit the CA since the OS bundle should consider ACME trusted, but I fail to see any advantage in doing so for OpenVPN. You could also argue it's less secure since any other OpenVPN server using an ACME cert would also appear to be valid to the client, though validating the cert CN and using TLS keys help there, it's still knocking down an extra layer of authentication between the server and client.

Contrast that against the IKEv2 user auth scenerio above, where all you need to do is enter/match settings without delivering anything to the client. It's more convenient in that case, though some of the same security arguments still apply.

@bcruze
Hi bcruze - thanks for the reply.
Do you need a pic of the DNS resolver?
I have it like I mentioned on my original post.
0_1548428994944_0aaaf54b-aca4-4091-8ff1-8d451cb714eb-image.png
0_1548429028735_32b56c59-9787-4835-a4df-ba3a6265353d-image.png

Local host is also highlighted in the network interfaces.

0_1548429099534_52184be5-63ee-47dc-91c4-407bdb483cc6-image.png
You see here the two VPN interfaces highlighted.
Nothing else is checked on this page and custom options box is blank.

On the advanced settings:
The only options checked are:
0_1548429216252_6a8e50ea-458f-4692-a906-c603f66c47c6-image.png
0_1548429239704_a6462338-cb53-4c56-890d-8e0fdc09963c-image.png
Everything else is set at default values.

Is this helpful?
Thanks again!

I also discovered turning on fast-io is doing nothing for speed in 2.4.4

Someday, someone will create a REAL speed test which measures the speed to 5-6 various sites (i.e. microsoft, nike, porsche, etc).

dslreports was once awesome. I really trusted them. Now that I'm using Firefox and all the anti-tracking toys, their site doesn't work very well. It doesn't take a genius to figure out why. (I simplified that, but you get the point)

As an example, I get a bunch of Snort alerts when trying to run dslreports/speedtest now.

Sensitive Data was Transmitted Across the Network
138:5
SENSITIVE-DATA Email Addresses
139:1
(spp_sdf) SDF Combination Alert

I'm assuming these are false alarms, but I don't know enough about Snort to know for sure. At least, why does a speed test have to be throwing false alerts? Anyway, unless someone can explain these to me, I've retired dslreports.

I have to admit, speed tests don't mean that much. Having a Porsche that breaks 200mph doesn't really matter 99.999% of the time.

My biggest concern these days is with all the anti-tracking apps, like pfBlocker, Snort, uMatrix, Ublock, Squid (for http virus), and so on, all these start adding up to more and more latency. 800 MB/s doesn't matter as much as not taking 5 seconds for a site to load. That's even harder to measure... but it can be.

I've posted right in the other thread and then saw this one here.
Maybe my posting there can help you...check it out.

-Rico

@madcry

Yeah, right.
You can add this option here (Openvpn server settings)

0_1548341616784_0470d3af-ec5f-4d8e-93ba-2cb928c4b231-image.png

Noobs moment, I'm trying to get ipvanish working on pfsense. is there an up to date guide for this?

@derelict Yes I do. I took it from Netgate video.

so far it is the only solution that worked for me, so I'll take it :)

How about posting your server config and export client config file?

-Rico

thanks Rico, its work. :)