@Rico word! i do not need to unserstand why i would do this ;) CSO local networks but here in ausrtia a lot of things are possible ;)

@johnpoz said in Slow Speeds with OPENVPN: 4ms to google - that pretty slick ;) Here's mine. PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: icmp_seq=0 ttl=56 time=26.496 ms 64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=12.179 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=11.206 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=10.219 ms 64 bytes from 8.8.8.8: icmp_seq=4 ttl=56 time=13.817 ms 64 bytes from 8.8.8.8: icmp_seq=5 ttl=56 time=9.764 ms 64 bytes from 8.8.8.8: icmp_seq=6 ttl=56 time=8.719 ms 64 bytes from 8.8.8.8: icmp_seq=7 ttl=56 time=10.771 ms 64 bytes from 8.8.8.8: icmp_seq=8 ttl=56 time=10.745 ms 64 bytes from 8.8.8.8: icmp_seq=9 ttl=56 time=17.773 ms 64 bytes from 8.8.8.8: icmp_seq=10 ttl=56 time=7.366 ms 64 bytes from 8.8.8.8: icmp_seq=11 ttl=56 time=11.967 ms 64 bytes from 8.8.8.8: icmp_seq=12 ttl=56 time=15.246 ms 64 bytes from 8.8.8.8: icmp_seq=13 ttl=56 time=10.638 ms 64 bytes from 8.8.8.8: icmp_seq=14 ttl=56 time=8.609 ms 64 bytes from 8.8.8.8: icmp_seq=15 ttl=56 time=10.193 ms 64 bytes from 8.8.8.8: icmp_seq=16 ttl=56 time=8.295 ms 64 bytes from 8.8.8.8: icmp_seq=17 ttl=56 time=10.942 ms ^C --- 8.8.8.8 ping statistics --- 18 packets transmitted, 18 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 7.366/11.941/26.496/4.300 ms It appears to be a bit better than yours. I'm on a 75/10 plan on cable modem.

@JKnott said in Remote Employee & Remote PBX: @easysimpleit I have done that with a different firewall and it worked fine. I set it up with Talkswitch PBX and Adtran router. Once a VPN is set up, it's no different than any other IP connection. This would or should work if I’m allowing all traffic over the tunnel. I have it setup as a split tunnel and at the moment only internal resources are accessible. Is their anything special I need to do to allow that? The PBX is not local to our network, it’s a remote server outside our environment or control. Thank you

@JKnott I'm going to restate you're response as I understand it. Based on your experience the IP is configured on the tunnel and you don't understand why I'm implying the VPN connection would be receiving a DHCP address. Based on my read of the Netgate documents it notes a TAP bridging setup would allow the VPN client to obtain a DHCP address on the network it's attaching to. [image: 1586701720343-ng-doc.png] https://docs.netgate.com/pfsense/en/latest/book/openvpn/bridged-openvpn-connections.html This wording seems to be similar to OpenVPN's - **There are two methods for handling client IP address allocation: Let OpenVPN manage its own client IP address pool using the server-bridge directive, or configure the DHCP server on the LAN to also grant IP address leases to VPN clients.]** https://openvpn.net/community-resources/ethernet-bridging/ Also when one goes into the OpenVPN Server to edit it [if I remember correctly you do not see these options on creation] [image: 1586702057787-pfsrv.png] Based on what I've read I believe I'm using the correct terminology in explaining what I'm trying to do. If you feel otherwise could you help me understand your perspective. Thanks,

client specific override and firewall rules for the client i guess invert may be the best guess have a look here for the cso https://forum.netgate.com/topic/152171/openvpn-and-static-ip-for-all-clients/9

@Rico Thanks for suggestion. That works really nicely. Just like having a DHCP server handing out "static" IP addresses, in the OpenVPN subnet. I give you a thumbs up.

Yes the netmasks are all /24. For now it is 1 peer for testing. But in the future i would like to have the possibility to add more clients. The following is what I'm trying to accomplish: [image: 1586624098701-test.png]

@stephenw10 tested it with some older android clients right now without the ifconfig-push not working on device added the lines working maybe / pretty shure it is the client not the config on the Server

Your posting of the log showing the route waiting for interface to come up was key in finding that info... So glad you got it sorted!

Thank you I will give that try. So how is that openVPN server side should be setup? in "Redirect IPv4 Gateway" in Tunnel Settings in VPN server, should I list out all the VLAN?

I must say using these SG-1100's and pfSense was way easier than when I tried to do it using another vendors firewalls. Thank you again community for your help.

Thank you for your reply, however, could you also help in how to rectify that? Should I post any other logs?

@rem1488 said in Can a user change his password to open VPN or change the password even at the first connection?: after receiving the config you will get access to the system True. As soon as you have access to a device, the 'cert' method opens also the remote LAN .... Let's say I presume that tools like OpenVPN-client are not (never) installed on devices that have shared users. @rem1488 said in Can a user change his password to open VPN or change the password even at the first connection?: and users can leave it on a flash drive or somewhere else Yep. And they have the VPN login and password - just several characters - in their heads, which can be 'copied' also very easy to another head. @Gertjan said in Can a user change his password to open VPN or change the password even at the first connection?: What looks more secure to you ?? ;) The important word here is "looks". Which is close to 'mystification' or security by obscurity. Because using certs or passwords to ID yourself is the same thing. The latter is easier, after a couple of hundreds of VPN logins ..... as we all do lately.

@viragomann said in How to reach a webserver when all traffic is encrypted via OpenVPN?: If you have a gateway defined on WAN pfSense should direct response traffc back correctly. Ok. Yes my pfsense does a NAT from 192.158.0.0/24 to 192.168.5.22 on the WAN and redirects it to my ISP router with that address. I went to duckdns.org and updated my IP to reflect the ISP's public IP address but it still isn't hitting my router for some reason after x minutes <mydomain.>duckdns.org gets back the VPN IP address. I'm wondering if I can filter out my 192.168.0.150 to not have incoming or outgoing vpn traffic? I tried to add an alias and the address and then use the WAN gateway instead of vpn under the LAN interface but that didn't work.

To ensure the LAN rule with the NordVPNGatewayGroup will be applied you have to lift it up to the second position. Otherwise the rule allowing LAN net to any will be applied and the traffic is directed to the WAN GW.

Thanks for the reply! I had no idea about specifying subnets in the config file; I'll go read up on that more. Yes, I am connecting from behind another router (at work). I'm trying to access a server that's on a separate VLAN than what OpenVPN puts me on. It looks something like this: Work PC --> Work Router --> {WAN/Internet} --> pfSense --trunk--> switch --> server Where in pfSense do I need to add the subnets that you are mentioning? Also, I shouldn't have to worry about tagging my traffic to go through the switch, correct?

Glad you have it working. -Rico

@hugoeyng my suggestion a quick n dirty one A) use in openVPN [image: 1586412061734-d60e993d-cbed-4236-83d2-ed5bc436c142-grafik.png] B) follow this post to assign static IPs for your vpn-clients noPlans qNd answer in post on this formum (https://forum.netgate.com/topic/152171/openvpn-and-static-ip-for-all-clients/8) C) put these assigned IP adresses into an alias D) create a firewall rule with this new alias E) use the information from the documetation in this post to schedule the rule link here --> https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-schedules.html i will test it today, and keep u posted, if anyone got a better idea lets share and improve nP