• Hostnames not working with OpenVPN & Pi-Hole

    5
    0 Votes
    5 Posts
    342 Views
    P
@johnpoz It definitely shouldn't. I never configured it to. It looks like I can select any option in "Potentially Dangerous" without it ceasing to work. But once I select "Allow only local requests" I can no longer reach the internet, just my local resources.
  • Site-to-Site OpenVPN not routing

    5
    0 Votes
    5 Posts
    2k Views
    D
@viragomann A) Sorry for not providing enough information. B) Your last suggestion made me make a few changes to confirm whether or not the CSOs were being applied, and I stumbled upon the fact that I had a REMOTE network defined in both the CSO as well as the remote end's VPN Client config. Removing it from the client config and leaving only the CSO remote network (ironically, exactly how the docs say to do it!), and changing the tunnel net back to a /24, and everything is working. Thank you for the assist.
  • Adding another Factor to OpenVPN

    4
    0 Votes
    4 Posts
    296 Views
    johnpozJ
@Gamienator-0 yes, the openvpn client can handle a password on the cert. As to the cert being saved, you could put it on a thumbdrive if you wanted. But the device, be it a phone or a laptop or a tablet, is the thing they have, with the cert on it. Which again they most likely need to auth to in order to access this saved cert, etc. If this is a work laptop the drive is most likely encrypted, if lost. And if you put a password on the cert, not only would they have to break the encryption of the drive, but also know or break the encryption for the password on the cert. So they have to have the laptop, have to auth to the device's OS, which could also need a 2nd factor different than the vpn. Have to then know the password to the cert, then have to know the username+password to auth to the vpn. Also need the OTP, which you could have to auth to the OTP application for as well. I use authy for my otp, which can be set to require auth to even run. Not sure about google and MS apps if they can also be set to require auth to even run, etc. And this would most likely be on a different device if a work laptop, for example, which will also have to auth to use. Is that enough factors for you? ;)

    - Device (laptop)
    - Device password
    - Possible Device 2FA
    - VPN Cert
    - Cert Password
    - VPN username+password
    - OTP Device (phone)
    - OTP device password
    - OTP software password

    Pretty sure that should be enough.. Now they are ready to launch the nukes ;) Even if you roll up the laptop to 1 device since it has the cert on it, you need to auth to it to access the cert, and you have to have this device, so that is 2FA right there. So the cert password is 3FA, then username and password is 4FA, then the OTP device even without a password on the app and you're at 6FA.. You could add restrictions on what IPs they can come from, either ASN, or isp or region of the world, so now you're at 7FA. With a password on the OTP app you're at 8FA.
  • Pfsense for openvpn server only

    2
    0 Votes
    2 Posts
    196 Views
    V
@pinguimdocerrado said in Pfsense for openvpn server only: Note: pfsense is not the gateway for my network. So you either have to configure the routing accordingly or do masquerading on pfSense. Did you do either of these? The latter is the simplest way if the only goal is to access the server site's devices for maintenance.
  • Can it be used to change regions?

    15
    0 Votes
    15 Posts
    2k Views
    johnpozJ
    @eiger3970-0 said in Can it be used to change regions?: free Opera browser VPN is enough Then use that..
  • I want to force the client to use its own internet gateway.

    4
    0 Votes
    4 Posts
    348 Views
    P
@selcuk_ks Do you mean force general internet traffic out the client's local gateway, and only all VPN for services you host? If so, this is standard split tunnel, so un-select the "Force all traffic through tunnel" option.
  • Issues with OpenVPN and ncp-disable

    1
    0 Votes
    1 Posts
    333 Views
    No one has replied
  • pfsense openvpn setup in azure cloud

    6
    0 Votes
    6 Posts
    489 Views
    V
    @sourish So you have to recheck your WAN NSG configuration in Azure. Can you even reach pfSense with a different protocol, e.g. ping? Ensure to allow it in the NSG and on pfSense.
  • Data Encryption Algorithms

    2
    0 Votes
    2 Posts
    201 Views
    K
    @Antibiotic Given DCO and IIMB both AES and ChaCha will be accelerated. AES will still be slightly faster, just because it's a faster algorithm.
  • Update to 24.03 - OpenVPN traffic from clients fails

    1
    0 Votes
    1 Posts
    116 Views
    No one has replied
  • Trying to understand net30 topology in the tunnel network specification

    3
    0 Votes
    3 Posts
    669 Views
    D
    @Gertjan: Thanks very much for pointing that out! As you can see from my latest topic in this forum, I changed the tunnel network to a /24 address.
  • What’s wrong with this peer to peer routing table?

    1
    1
    0 Votes
    1 Posts
    121 Views
    No one has replied
  • 0 Votes
    5 Posts
    307 Views
    B
    @Gertjan right. certs are not "old", they are obsolete. sha1
  • Is this a problem: “Bad encapsulated packet length from peer…”?

    1
    0 Votes
    1 Posts
    291 Views
    No one has replied
  • Peer to peer intermittent: Still not getting site-to-site right

    1
    1
    0 Votes
    1 Posts
    94 Views
    No one has replied
  • OpenVPN with Netgate connected directly to Starlink dish.

    5
    0 Votes
    5 Posts
    581 Views
    johnpozJ
@DominikHoffmann said in OpenVPN with Netgate connected directly to Starlink dish.: The only way to get around that would be to subscribe to a static IP address. How much does Starlink charge for that? I don't think it's even an option at any price. But you can get a dynamic public IP https://support.starlink.com/topic?category=10&category=46

    How do I set my IP address to Public? The ability to update the IP policy to a Public IP is only available with a Priority or Mobile Priority service plan:

    1. Login to your account www.starlink.com/account
    2. Select "Manage" in the Your Starlinks section
    3. Select the "pencil" icon next to "IP Policy"
    4. Select "Public IP" from the drop down menu
    5. Save
    6. Reboot your Starlink

    But you would need the priority plan.. They are supposed to be rolling out IPv6 - if you have that you could use that for an unsolicited inbound connection for your vpn. Or there are other ways to work around the cgnat issue, by creating the outbound connection. Something like tailscale or wireguard could work. https://www.starlink.com/service-plans/all Wonder if having public inbound data is metered.. That can get pretty expensive. Not exactly sure how those priority tiers work.. But $20 more a month isn't horrible for a public IP. But 250 a month for 1TB seems a bit high!
  • OpenVPN routing

    1
    2
    0 Votes
    1 Posts
    133 Views
    No one has replied
  • Gateway Monitoring

    1
    1
    0 Votes
    1 Posts
    138 Views
    No one has replied
  • Routing traffic through OpenVPN Client for Specific IPs

    9
    4
    0 Votes
    9 Posts
    831 Views
    C
    @MoonKnight Thanks for the feedback. I have since gotten rid of the destination rule inversion on the IPGROUP_ROUTE_VIA_EXPRESSVPN and set it to Any. This gives me better protection to make sure absolutely nothing goes out that is in that group if it does not go out the ExpressVPN gateway.
  • Single WAN, multiple VPN connections, multiple local networks

    3
    0 Votes
    3 Posts
    255 Views
    W
@viragomann Yes, I think I tracked it down to the VPN instances getting the same virtual IP in pfsense, which is making it conflict. And these are not changeable.... so.... currently looking at setting up a dedicated vpn connection on the linux box for the static route to the mailserver.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.