Hi Jim,
thank you for your time. I've supposed that the problem is the php library. I'll move to build and use a new CA.

Thanks,
Dario.

@Derelict Only from pfsense. Not from any clients. The routes show up in the pfsense route table with the gateway as the tunnel link address. Could it be an issue that the default destination is at the top of the entire list? Another interesting thing is that a trace route command to the other side of the tunnel gets only as far as the local gateway on the side you are trace routing from.

So finally installed the OpenVPN Access Server and it works, meaning, I did everything right on the client side, but still everything could be messed up on the server side, if I roll my own on a ubuntu machine.
Again, if anyone got a good and working tutorial for that, would be appropriated.

don't worry - i've sorted it.

@fertig said in Disabled static route deletes OpenVPN's routes:

@Derelict said in Disabled static route deletes OpenVPN's routes:

Workaround: delete them. Don't set them to disabled. You should not be using static routes for OpenVPN routes anyway. Let OpenVPN maintain them using Remote Networks.

if you're using a separate OpenVPN-gateway, you'll have to use static routes to this gateway

That is a static route to a gateway, not into OpenVPN. Two entirely different things.

if you're migrating away from such a gateway, while you're testing the OpenVPN on the pfSense, you'll allways disable the routes
temporarly, to get back quickly. This is the normal way of doing in my opinion... Especially because you don't get the VPN working - as
the routes are allways deleted. This is a complete unexpected behaviour.

Anyway, I filled a bug report

Good deal. That's the way to get developer eyes on it.

@dmd1234498
No, that's not noteworthy if the VPN server isn't at the other side of the globe. There are only some more hops to the webserver.

okay i switched to bgp instead and added the p2 and now it works.. go fig.

@Derelict Hi, yes your reply is correct. Basically no extra configurations are needed.

However, there is a caveat: If I enable Force all client-generated IPv4 traffic through the tunnel option and clients rely on DNS service to find the IP of the OpenVPN server, after rebooting my pfsense firewall, all the OpenVPN clients could permanently lose their connections (both VPN and Internet connections).

I end up calling colleagues to reboot all clients physically to re-establish the connection.😂

Be sure that User Authentication Settings on the OpenVPN client configuration page not empty:
Screenshot from 2020-06-25 13-23-52.png

Fill in the username and password fields

@Massimo-S

sorry, i reply miself

now it works correctly
i've disabled the option "dynamic IP" in the OpenVPN server settings page

the vpn remote clients now see/ping all LAN servers and services

massimo

@Tenou

They can only use an address within the tunnel range. So, you write your rules accordingly. If needed, you can even restrict the address range by using a longer subnet mask, to the point where there's only one address that will work. Also, if you're worried about that sort of thing, then you should be implementing other security beyond just VPN addresses. For example, if you're on a corporate network, you might be using Active Directory or similar to restrict what users can access.

Start here focus on the "Science and technology" explanation.
If needed, you could also look up the "IP" word.

What @Rico was saying : use a RFC1918 type IP. Not the other ones.

OMG 🤦 you are absolut right, I am the biggest idiot ever!
The IPs that I have tried have a different default gateway an this is not pfSense, so yes its totaly clear why the LANO is working (because all devices have the pfSense as default GW)
I have just tried a IP in LANH with pfSense as default GW and everything is fine...

Yes sometimes the solution can be so easy and you don't see it.

Many thanks for your support!
zulasch

@Jeremy11one
It's not a group you can modify. So there is no reason to display it there.

thank you, that helped!

@NOCling said in Teleworker fast VPN:

Traffic Shaping

thanks wasnt on my radar so far ...

~900Mbps routing and 50VPN Users is a pretty cool with the SG1100

If you needed static routes to make this work you did it wrong. You will experience occasional strange issues if you use static routes.

Let OpenVPN install the routes using the Remote Networks fields.

@Rico Yes. It was always checked.

EDIT: I just fixed the issue. Apparently when you duplicate a vpn client it copies all the settings except for the password (in the credentials part). I pretty sure I did the same thing in 2.4.4 release but never mind...If that's how pfSense should work and was designed to do so be it. Not something to be bothered by too much.

Thank you anyway for your help :)