Problem solved. I 'm so sorry to be so stupid i was focus on my local network and forgot the client configuration and change the ip --' I put my public ip and all work fine now. Thank a lot all for your help. Have a great day (i't my bithday today :p = 30yo)

By the way, tap mode changes almost nothing in the scenario. The only difference is that the tunnel network is no longer point-to-point and has broadcast semantics resembling a typical ethernet LAN. Client configuration and routing are still pretty much the same and if you can't get tun mode working properly you won't get tap mode working either.

I would like this feature, too.

Hmm, yes indeed.

Well your authentication retry checkbox would have nothing to do with that.

on pfSense which is the server and the DDWRT is the client you need to add this part on the pfSense client override ifconfig-push 192.168.90.5 192.168.90.6 iroute 192.168.1.0 255.255.255.0 192.168.90.5/24 is my openvpn server and the 192.168.1.0/24 is my LAN which is behind pfSense change the IP depending to your config

Thank you. That explains things perfectly.

@oguruma I don't know what would be causing that. Is the packet loss on the VPN client interface(s) only? It would be even more confusing if establishing a VPN client connection provoked packet loss on your WAN interface. Also, have you tried specifying different monitor IPs for your VPN client interface(s)? I use Google and Cloudflare DNS servers (e.g. 8.8.8.8, 1.1.1.1).

Multicast isn't going to cross a VPN tunnel like that. Typically the solution would be to make a tap VPN and bridge that to your LAN, but last I knew, iOS did not support tap mode for OpenVPN.

@gcu_greyarea said in TLS 1.0 but need TLS 1.2 for OpenVPN with Yealink Phone: tls-version-max 1.0 Just FYI... I tried custom option “tls-version-max 1.0” on my VPNServer (on pfSense) and the server actually honours that option. I tested with the iOS OpenVPN APP which gave me a "Server Version too low" error. After changing the Minimum TLS Version in the IOS App to "TLS 1.0" I could successfully connect again. The question is whether the Yeahlink Phones (with new firmware) are capable to negotiate down to TLS 1.0 automatically. Alternatively - if you have hundreds of Yeahlink Phones you may have enough leverage to ask Yeahlink for a custom patch. I.e. the same firmware which defaults to “tls-version-max 1.0”. However that doesn't really fix the compatibility issue..... Might also make sense to have a look at the supported ciphers on the phone?

https://www.privateinternetaccess.com/pages/client-support/ its under advanced SSL usage. use the new openvpn files under OpenVPN Configuration Files (Strong) either way thats awesome its backup and running. i also use cloudfare as dns for my devices outside the vpn tunnel

I have no problem getting DNS IPs to Linux or Windows..

You could do some outbound NAT on the OpenVPN connection to nudge that, but you're better off letting it route naturally if you can. Maybe add a route to the DNS server's gateway nudging that traffic back toward pfSense.

Thanks for the help. With this and a guide i found on the forums here after a bit of searching i have been able to accomplish what i was after. Cheers.

OpenVPN clients should go to internet via their own default gateway. Upstream traffic shouldn't be routed over the VPN, but only traffic destined for internal addresses. You should know, which network are to be routed to the head office. If you have host names which you need access to use nslookup or dig to resolve them.

@aagaag Sorry, never with pfsense, although I did find a tutorial that stated it could be used with Tomato, which gave me some hope. Two links, both very similar: https://www.safervpn.com/support/articles/115001428485-Manual-L2TP-Setup-for-Tomato-Router https://www.limevpn.com/how-to-use/tomato-routers-l2tpip-sec-setup-instructions/ This didn't work for me, because I have a Static IP (over PPPoE). The setup requires the main (WAN) internet connection to be setup as L2TP. Sounded logical (from a newbie perspective) but improbable (with a little knowledge). Since both links are from the relevant support teams of VPN providers, maybe it does work, and these similar settings could be applied to pfsense? http://pfsense.local/interfaces.php?if=wan offers an IPv4 Configuration Type option of L2TP. If I had a 2nd WAN, I would try it, but think it may also fail if your connection is PPPoE? Maybe the gurus can help explain (but keep it simple, please?) Many thanks.

I had a similar problem during my migration from Tomato to pfsense. Turned out this was due to multiple Default Routes in the Routing Table. All fixed with the help of @johnpoz. You might want to check that?