• OpenVPN throughput pfsense 2.4.4

    5
    0 Votes
    5 Posts
    1k Views
    R
    I also discovered turning on fast-io is doing nothing for speed in 2.4.4
  • 'Speed Test' Sites are all but worthless (I could even say conspiracies)

    14
    0 Votes
    14 Posts
    2k Views
    T
    Someday, someone will create a REAL speed test which measures the speed to 5-6 various sites (i.e. microsoft, nike, porsche, etc). dslreports was once awesome. I really trusted them. Now that I'm using Firefox and all the anti-tracking toys, their site doesn't work very well. It doesn't take a genius to figure out why. (I simplified that, but you get the point) As an example, I get a bunch of Snort alerts when trying to run dslreports/speedtest now. Sensitive Data was Transmitted Across the Network 138:5 SENSITIVE-DATA Email Addresses 139:1 (spp_sdf) SDF Combination Alert I'm assuming these are false alarms, but I don't know enough about Snort to know for sure. At least, why does a speed test have to be throwing false alerts? Anyway, unless someone can explain these to me, I've retired dslreports. I have to admit, speed tests don't mean that much. Having a Porsche that breaks 200mph doesn't really matter 99.999% of the time. My biggest concern these days is with all the anti-tracking apps, like pfBlocker, Snort, uMatrix, Ublock, Squid (for http virus), and so on, all these start adding up to more and more latency. 800 MB/s doesn't matter as much as not taking 5 seconds for a site to load. That's even harder to measure... but it can be.
  • OpenVPN to Target LAN resource Firewall Rule Set up

    8
    2
    0 Votes
    8 Posts
    915 Views
    Rico
    I've posted right in the other thread and then saw this one here. Maybe my posting there can help you...check it out. -Rico
  • OpenVPN DNS problem on MAC OS

    7
    0 Votes
    7 Posts
    2k Views
    K
    @madcry Yeah, right. You can add this option here (Openvpn server settings)
  • Guide - How to connect pfSense OpenVPN client to IPVanish

    4
    1 Votes
    4 Posts
    17k Views
    M
    Noobs moment, I'm trying to get ipvanish working on pfsense. Is there an up to date guide for this?
  • Site-to-Site traffic redirection

    12
    0 Votes
    12 Posts
    1k Views
    N
    @derelict Yes I do. I took it from Netgate video. So far it is the only solution that worked for me, so I'll take it :)
  • not able to pass traffic

    6
    0 Votes
    6 Posts
    885 Views
    Rico
    How about posting your server config and export client config file? -Rico
  • Openvpn Client Export - not show user/cert

    8
    1
    0 Votes
    8 Posts
    2k Views
    F
    Thanks Rico, it works. :)
  • 0 Votes
    5 Posts
    966 Views
    Rico
    How would you route traffic without adding some kind of router to this LAN? -Rico
  • Need help on openvpn client routing

    4
    4
    0 Votes
    4 Posts
    643 Views
    A
    @konstanti I disabled the first rule still not working
  • OpenVPN cant connect static routes

    3
    0 Votes
    3 Posts
    503 Views
    johnpoz
    @fergomez1980 said in OpenVPN cant connect static routes: Static Routes in LAN 192.168.0.0/24 + Gateway in LAN 172.26.0.199 (ip alias of router to connect at that network) 192.168.1.0/24 + Gateway in LAN 172.26.0.199 (ip alias of router to connect at that network) Other than your current openvpn problem this sort of setup also screams asymmetrical traffic flow.. If you have a network that you get to via a downstream router, then this downstream router should be connected via a transit network not using a network that has hosts on it. So let's say lan device wants to talk to an IP on these networks.. does it have a host route - or send its traffic to pfsense? The return traffic will just go direct to client from the downstream router = asymmetrical. But as mentioned by viragomann, you will need routes on your downstream router on how to reach the tunnel network(s) you use for your openvpn clients.. Or no you will never be able to get there without doing source nat.
  • Openvpn Site-to-Site Routing

    6
    1
    0 Votes
    6 Posts
    743 Views
    X
    @rico hello I just finished configuring ssl/tls openvpn all working fine, but I couldn't understand in the server there is a section "Local Networks" what exactly this is for. Because without it I don't see any issues???? Also my cpu supports AES-NI - Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM My pfSense box also has Chelsio T580-SO-CR which I believe supports Crypto offload, but I am not sure how to use that function OpenVPN seems to support only "cryptodev" I have to set to AES-NI and BSD Crypto Device in order to get any crypto offload on the OpenVPN. Even so I get much better performance on the bare metal than VM, but I am sure with my setup that's not it !!!!! Also the million dollar question is HOW TO: OpenVPN Site-to-Site with DNS In the past I tried to setup Bind with no luck seems I need to study more and I have to go with built-in unbound for now My sites are subdomains like: site1.myco.local site2.myco.local site3.myco.local Is there a way I can resolve without adding the hosts to each site manually Thank you EDIT: Is this section of client specific Overrides can be the key to be resolved by other clients
  • OpenVPN TAP server for "local" gaming

    2
    0 Votes
    2 Posts
    674 Views
    Z
    Some further digging and this seems to be a metric issue. If I change the metric for the TAP adapter on both clients they can find each other and everything works, but not otherwise. Is there a way to have Windows push all of the broadcast traffic down the VPN without having to manually change the adapter metric setting? Perhaps some setting I can push through the OpenVPN server that ensures 255.255.255.255 requests go down the VPN?
  • ExpressVPN interface is up but gateway is down

    13
    0 Votes
    13 Posts
    9k Views
    C
    @lansmurf said in ExpressVPN interface is up but gateway is down: The only problem I still have is that although the interface and the gateway are up and working, Dpinger cannot ping the VPN server. I have set the Data payload to 1 but I still don't get a ping… If I enter 8.8.8.8 to monitor I get a huge packetloss >40%... Maybe someone can give me advice at this point to get better monitoring results? (I guess this is important for load balancing if you enter multiple gateways to different VPN servers) A bit late, but replying in case it might help someone. I had same problem with Dpinger and packet loss. Solved it by enabling Hardware Crypto in openvpn client. Now I can use external IP to monitor if VPN gateway is online. Of course, your hardware needs to support this.
  • Add other servers' bundled configurations to OpenVPN Windows Installer

    3
    0 Votes
    3 Posts
    780 Views
    C
    @jimp Thank you jimp! Works now.
  • Best way to access vpn server locally

    3
    0 Votes
    3 Posts
    484 Views
    L
    Thanks for your time, I don't need a VPN when I am at home, but I don't know how to bypass vpn just when I am at home. If my vpn is active when I am connected to my home wifi it will lose connection and he try to connect to my wan. My wish is to be always on vpn because with my work I go in many places. I will try your idea with dns override, seems more clean, right now I have on my client config my wan and my lan ip, so he will try next if one will fail. I might create 2 vpn servers one on wan and one on wifi interface.
  • Multiple OpenVPN tunnels between the same sites

    2
    0 Votes
    2 Posts
    354 Views
    Rico
    Multi-WAN Tactics with OpenVPN are covered here: https://www.netgate.com/resources/videos/advanced-openvpn-concepts-on-pfsense.html (22:50 min). -Rico
  • dnsleak issues when using local resolver

    15
    0 Votes
    15 Posts
    2k Views
    N
    @rsaanon Did you get it to work?
  • OpenVPN only recognizes the first of two DNS servers

    5
    1
    0 Votes
    5 Posts
    1k Views
    johnpoz
    @ffarkas said in OpenVPN only recognizes the first of two DNS servers: Windows clients would automatically search on the other DNS server when a name cannot be resolved One of the most common misconceptions to how dns works at a basic level. As stated by Derelict all NS pointed to by a client need to be able to resolve the same stuff the same way or you're going to have a bad day. If a NS returns NX for something that is asked for - then the client stops asking.. Because it was told that doesn't exist, so why should it go ask anything else for something that doesn't exist. The only time a client will go ask the other NS is if there is a time out.. And you can never be sure which NS a client will be asking out of the NS listed..
  • Cant access ports though OpenVPN solved

    4
    5
    0 Votes
    4 Posts
    741 Views
    K
    Thanks for the reply but was going nuts had to check Disable hardware checksum offload and solved it
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.