@oguruma I don't know what would be causing that. Is the packet loss on the VPN client interface(s) only? It would be even more confusing if establishing a VPN client connection provoked packet loss on your WAN interface. Also, have you tried specifying different monitor IPs for your VPN client interface(s)? I use Google and Cloudflare DNS servers (e.g. 8.8.8.8, 1.1.1.1).

Multicast isn't going to cross a VPN tunnel like that. Typically the solution would be to make a tap VPN and bridge that to your LAN, but last I knew, iOS did not support tap mode for OpenVPN.

@gcu_greyarea said in TLS 1.0 but need TLS 1.2 for OpenVPN with Yealink Phone:

tls-version-max 1.0

Just FYI... I tried custom option “tls-version-max 1.0” on my VPNServer (on pfSense) and the server actually honours that option.
I tested with the iOS OpenVPN APP which gave me a "Server Version too low" error. After changing the Minimum TLS Version in the IOS App to "TLS 1.0" I could successfully connect again.

The question is whether the Yeahlink Phones (with new firmware) are capable to negotiate down to TLS 1.0 automatically.

Alternatively - if you have hundreds of Yeahlink Phones you may have enough leverage to ask Yeahlink for a custom patch. I.e. the same firmware which defaults to “tls-version-max 1.0”. However that doesn't really fix the compatibility issue.....

Might also make sense to have a look at the supported ciphers on the phone?

https://www.privateinternetaccess.com/pages/client-support/

its under advanced SSL usage. use the new openvpn files under OpenVPN Configuration Files (Strong)

either way thats awesome its backup and running. i also use cloudfare as dns for my devices outside the vpn tunnel

I have no problem getting DNS IPs to Linux or Windows..

You could do some outbound NAT on the OpenVPN connection to nudge that, but you're better off letting it route naturally if you can. Maybe add a route to the DNS server's gateway nudging that traffic back toward pfSense.

Thanks for the help.
With this and a guide i found on the forums here after a bit of searching i have been able to accomplish what i was after.
Cheers.👍 👍

OpenVPN clients should go to internet via their own default gateway. Upstream traffic shouldn't be routed over the VPN, but only traffic destined for internal addresses.

You should know, which network are to be routed to the head office. If you have host names which you need access to use nslookup or dig to resolve them.

@aagaag Sorry, never with pfsense, although I did find a tutorial that stated it could be used with Tomato, which gave me some hope.

Two links, both very similar:
https://www.safervpn.com/support/articles/115001428485-Manual-L2TP-Setup-for-Tomato-Router
https://www.limevpn.com/how-to-use/tomato-routers-l2tpip-sec-setup-instructions/

This didn't work for me, because I have a Static IP (over PPPoE). The setup requires the main (WAN) internet connection to be setup as L2TP. Sounded logical (from a newbie perspective) but improbable (with a little knowledge).

Since both links are from the relevant support teams of VPN providers, maybe it does work, and these similar settings could be applied to pfsense?

http://pfsense.local/interfaces.php?if=wan offers an IPv4 Configuration Type option of L2TP.

If I had a 2nd WAN, I would try it, but think it may also fail if your connection is PPPoE?

Maybe the gurus can help explain (but keep it simple, please?)

Many thanks.

I had a similar problem during my migration from Tomato to pfsense.

Turned out this was due to multiple Default Routes in the Routing Table.

All fixed with the help of @johnpoz. You might want to check that?

Thanks viragomann.

I've forgot to add 10.0.2.0/24 on the site-to-site server.

It works now, thanks!!

Same here cant configure bridge interface no matter what i do.

Make sure the VPN gateways have "Disable Gateway Monitoring Action" ticked as if the VPN goes down with that enabled it can cause all connections to constantly bounce causing a loss of connectivity.

Thanks very much I will take a look at those!

a service .... that needs admin privs to install

Ok, final update.
Eliminated everything that had to do with this VPN, interface, rules, etc.

Started all over, following all the steps, and everything is working as it should, without the manual routes.

By the way, if you run into the routing problem, you can change the "Gateway creation" to BOTH or to IPv4 ONLY and apply/save ont both server and client side(!)

That creates the new route.

Thanks all for your time and effort

np glad you got it sorted.