• Can't get LAN to route out OpenVPN tunnel

    9
    0 Votes
    9 Posts
    1k Views
    DerelictD
    Probably not.
  • OpenVPN + Load Balancing + STunnel

    4
    0 Votes
    4 Posts
    908 Views
    D
    Maybe I have found a solution for me. OpenVPN error messages are still there:
    Jan 27 13:09:38 php-fpm 47087 /rc.newwanip: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1548594578] unbound[17890:0] error: can't bind socket: Address already in use for 127.0.0.1 port 953 [1548594578] unbound[17890:0] error: cannot open control interface 127.0.0.1 953 [1548594578] unbound[17890:0] fatal error: could not open ports'
    Jan 27 12:41:03 openvpn 97238 ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Feb 2 18:56:11 openvpn 47315 PUSH: Received control message: 'PUSH_REPLY,topology subnet,redirect-gateway def1,sndbuf 131072,rcvbuf 131072,comp-lzo adaptive,route-gateway 10.3.2.3,redirect-gateway ipv6,route-ipv6 2000::/3,ping 10,ping-restart 60,dhcp-option DNS 95.211.146.77,dhcp-option DNS 37.48.94.55,ifconfig-ipv6 fdbf:1d37:bbe0:0:48:18:0:f1/112 fdbf:1d37:bbe0:0:48:18:0:1,ifconfig 10.3.2.241 255.255.255.0,peer-id 0'
    Feb 2 18:56:11 openvpn 47315 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    Feb 2 18:56:11 openvpn 47315 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    Feb 2 18:56:11 openvpn 47315 Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
    Feb 2 18:56:11 openvpn 47315 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Feb 2 18:56:11 openvpn 47315 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    I do not have the full speed, but it works with these NAT rules: [image: 1549135810481-nat-resized.png] Why do I need these localhost rules for OpenVPN? Do I need more rules like these?
    browse "System: General Setup"
      specify desired third-party DNS servers on WAN_DHCP
      [x] Do not use the DNS Forwarder as a DNS server for the firewall
    browse "Services: DNS Forwarder"
      [ ] Enable DNS forwarder
    browse "System: Advanced: Networking"
      [ ] Allow IPv6
      [x] Prefer to use IPv4 even if IPv6 is available
    browse "System: Advanced: Miscellaneous"
      [x] Skip rules when gateway is down
      [x] Enable gateway monitoring debug logging
  • Cannot ping new host from remote site

    10
    0 Votes
    10 Posts
    1k Views
    DerelictD
    If you can exchange traffic with other hosts on that remote network and not THAT particular host, check for a firewall on THAT host. Check the gateway settings on THAT host. Packet capture on the interface THAT host is connected to for icmp traffic to THAT host IP address and try to ping it. Look at the capture. Are echo requests sent to THAT host captured? Are there replies? No? Check THAT host for the reason.
  • OpenVPN to internal sites

    2
    0 Votes
    2 Posts
    400 Views
    ?
    Hi @pfsmooth , If these addresses are all internal, why redact them? It only prevents observers from being able to accurately assess your configuration. What do your firewall rules look like on the OpenVPN interface? If you are trying to reach multiple LANs from VPN client, are all of the networks you are trying to access listed in the Local Networks field under the OpenVPN server instance? Or do you have the setting "Redirect IPv4 Gateway" enabled? The more information you can provide, including the unredacted internal addresses of the devices involved, the better it will help others be able to understand and provide suggestions to resolve your problem. Thank you, -James
  • OpenVPN Config for Usenetserver VPN for one host only

    3
    1 Votes
    3 Posts
    2k Views
    DudleydoggD
    Found Ubuntu manual setup and found this Line: Remember that you will use append @usenetserver at the end of your username (ex. username@usenetserver). so no ".com" and it worked. thank you for the Info
  • Site to site OpenVPN with destination set to Remote Access (SSL/TLS)?

    7
    0 Votes
    7 Posts
    1k Views
    iorxI
    Yeah! I was missing those. Had an idea that CSO should be enough. Gave it a try. server pfsense: Config: Remote Access added route statement for the remote subnet in custom options local networks: local subnet, remote subnet (peer to peer server should have this, still trying to figure out why the remote subnet should be here, but according to the pf-guide-doc it should, and it works as intended) CSO: remote networks: remote subnet Question here: In the CSO I got a Local Network field. Does this have effect on this kind of config? remote pfsense: Config: Peer to peer tunnel network: empty remote network: empty (in peer to peer config these are configured at time of connect, true for this scenario too?) But, no, can't pass traffic LAN to LAN.
  • Issue to resolve by DNS name and timeouts?

    1
    6
    0 Votes
    1 Posts
    169 Views
    No one has replied
  • Unique CN, Common Username

    4
    0 Votes
    4 Posts
    914 Views
    jimpJ
    It could be turned into a GUI option, but thus far nobody has taken the time to do it. We'd also have to locate and warn against the possible negative side effects of doing that.
  • OpenVPN virtual IPs?

    5
    0 Votes
    5 Posts
    800 Views
    RicoR
    Depending on your OpenVPN RAS setup the route is pushed to the Client, no need for manual steps. -Rico
  • PFSense/OpenVPN compression bug

    7
    0 Votes
    7 Posts
    2k Views
    RicoR
    Some months ago because of VORACLE I disabled compression completely, for testing only for my RAS Servers first...with a HUGE negative impact for my Users. e.g. working with MS Office files from SMB shares and saving them, took 5 to 10 times longer with compression off. Back to lz4-v2 now... -Rico
  • 0 Votes
    9 Posts
    2k Views
    T
    So the "maximum temperature allowed at the processor die" for that processor is 105C. (https://ark.intel.com/products/85212/Intel-Core-i5-5200U-Processor-3M-Cache-up-to-2-70-GHz-). Of course, you don't want to get too near that, but 54C is perfectly fine. I'd keep an eye on it in the summer for sure; I think as a rule of thumb it'd be good to keep it at or below around 65C. I only say that because I think a lot of BIOSes use that as their default "thermal warning" value.
  • 0 Votes
    7 Posts
    1k Views
    RicoR
    Glad you have it working now. -Rico
  • OpenVPN site-to-site, only the first Remote Network is reachable from LAN

    15
    0 Votes
    15 Posts
    2k Views
    M
    This is the alias list: [image: ub8T6ai.png]
  • after setting up open vpn wifi internet connectivity gets lost

    1
    0 Votes
    1 Posts
    234 Views
    No one has replied
  • 0 Votes
    3 Posts
    278 Views
    No one has replied
  • RTSP (IP CAM) traffic over OpenVPN Connection

    2
    0 Votes
    2 Posts
    3k Views
    D
    Well, today I think I figured it out. Tested with existing config over cellular: T-Mobile - Didn't Work Verizon - Worked I suspect maybe this is an MTU size issue of OpenVPN? Is there a way to lower the MTU on the OpenVPN server under pfSense? I know there is a way in the client, but wondering if I can force a lower MTU on the server itself.
  • Restarting OpenVPN from ACME

    10
    0 Votes
    10 Posts
    2k Views
    jimpJ
    I would still not consider that ideal for OpenVPN. You have to deliver the config and other settings (TLS key, etc) so using you may as well send along the CA in the bundle to be validated for added security. Sure, you could omit the CA since the OS bundle should consider ACME trusted, but I fail to see any advantage in doing so for OpenVPN. You could also argue it's less secure since any other OpenVPN server using an ACME cert would also appear to be valid to the client, though validating the cert CN and using TLS keys help there, it's still knocking down an extra layer of authentication between the server and client. Contrast that against the IKEv2 user auth scenario above, where all you need to do is enter/match settings without delivering anything to the client. It's more convenient in that case, though some of the same security arguments still apply.
  • OpenVpn with yealink T26 phone

    1
    0 Votes
    1 Posts
    330 Views
    No one has replied
  • VPN DNS QUESTION

    3
    3
    0 Votes
    3 Posts
    603 Views
    W
    @bcruze Hi bcruze - thanks for the reply. Do you need a pic of the DNS resolver? I have it like I mentioned on my original post. [image: 1548428995755-0aaaf54b-aca4-4091-8ff1-8d451cb714eb-image-resized.png] [image: 1548429029498-32b56c59-9787-4835-a4df-ba3a6265353d-image-resized.png] Local host is also highlighted in the network interfaces. [image: 1548429100231-52184be5-63ee-47dc-91c4-407bdb483cc6-image-resized.png] You see here the two VPN interfaces highlighted. Nothing else is checked on this page and custom options box is blank. On the advanced settings: The only options checked are: [image: 1548429216486-6a8e50ea-458f-4692-a906-c603f66c47c6-image-resized.png] [image: 1548429240018-a6462338-cb53-4c56-890d-8e0fdc09963c-image-resized.png] Everything else is set at default values. Is this helpful? Thanks again!
  • OpenVPN throughput pfsense 2.4.4

    5
    0 Votes
    5 Posts
    1k Views
    R
    I also discovered turning on fast-io is doing nothing for speed in 2.4.4
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.