• Pushing DNS Servers to clients missing in 2.3.1

    5
    0 Votes
    5 Posts
    1k Views
    R

    Aha! Stupid me, you are indeed correct!

    Thanks!

  • OpenVPN with PIA has been very slow.

    2
    0 Votes
    2 Posts
    1k Views
    A

    There is an existing thread: https://forum.pfsense.org/index.php?topic=112877.0

  • OpenVPN bridge - can ping from pfSense, not clients

    6
    0 Votes
    6 Posts
    2k Views
    O

    Kindly bumping.

    Anyone with any assistance on the firewall rules to allow my OVPN bridge to speak to my LAN? Thanks!

  • Open vpn for remote access behind private wan ip

    1
    0 Votes
    1 Posts
    533 Views
    No one has replied
  • PIA, OpenVPN and pfSense. Has anyone got AES256 to work yet?

    6
    0 Votes
    6 Posts
    3k Views
    M

    @BeerBelli:

    Spent hours on google and this forum. A few have tried with the PIA patch that is out, but I can't find anyone who actually has it working.

    If anybody got the SHA256/AES256 settings working, please post here how you achieved it.

    Thanks.

    here my settings
    https://forum.pfsense.org/index.php?topic=112877.msg633588#msg633588

  • VPN with different firewalling per user

    1
    0 Votes
    1 Posts
    524 Views
    No one has replied
  • OpenVPN Certs

    5
    0 Votes
    5 Posts
    1k Views
    C

    You can delete them once they're expired or revoked. Might want to only delete the expired certs just in case the CRL gets messed up at some point so it's easy to add them back to the CRL/to a new CRL. Of course could always restore from backup as well in that case.

  • PfSense 2.3 OpenVPN peer to peer not passing traffic to LAN

    9
    0 Votes
    9 Posts
    3k Views
    D

    Might be the difference, I gave up on shared key rather early on in my switch from IpCop to pfSense (early 2000's).

    As I mentioned, all the site-site connections I've done (including a half-dozen or so DD-WRT) were PKI and worked just fine.

    Once you get your head wrapped around what you need for certificates (the Certificate Manager makes it pretty easy) it's no big deal.

  • [SOLVED] Another lame OpenVPN client <-> LAN no access thread

    15
    0 Votes
    15 Posts
    3k Views
    D

    Being in the same local lan is a lot easier for my tasks, which don't require any road warrior worker setup  8)

  • Guess what??? I can't connect. OpenVPN Tap instance

    1
    0 Votes
    1 Posts
    674 Views
    No one has replied
  • 1000 pfSense <-> 1 pfSense VPN Tunnels

    8
    0 Votes
    8 Posts
    2k Views
    S

    @alfredo:

    ad pan_2. Haven't had time to test your Single CPU question on our 'big' server.
    https://forum.pfsense.org/index.php?topic=113167.0
    Why do you find one big server questionable? It is fully configured with all thinkable redundancies.

    It is still only one server. Need to reboot? No connection. Need to upgrade? No connection. Something broke along the way? No connection. (and to continue - need to update FW on host server? No connection for an hour. ESX PSODed? No connection. And so on..)
    So I would push for redundant setup anyway, even if you have only one host server - more room to maneuver. And it is simpler to utilize VM Host resources by running multiple instances.

    More so - I doubt pfsense team ever tested OpenVPN WebGUI with so many VPN server definitions, there could be some hidden rocks in it.

  • OpenVPN - poor performance 2.3.1 p1

    6
    0 Votes
    6 Posts
    5k Views
    H

    i've read that KVM & freebsd don't mix well, performance wise.

    have you browsed this? https://forum.pfsense.org/index.php?topic=88467.0

  • Very poor OpenVPN performance

    7
    0 Votes
    7 Posts
    4k Views
    M

    @0x10C

    in the OpenVPN Client you could try to increase the TCP/UDP socket send and receive buffers size, adding at bottom of the "Custom options" these two lines:

    sndbuf 524288;
    rcvbuf 524288

    About the OpenVPN capability of the CPU you could run the simple OpenVPN benchmark formula referenced here:
    https://forum.pfsense.org/index.php?topic=105238.msg616743#msg616743 in the Reply #9 message

    If I execute the command on my router with a Celeron N3150 I get
    27.41 real        25.62 user        1.77 sys

    (3200 / 27.41) = 117 Mbps OpenVPN performance (estimate)

    This value perfectly fits to the result of the speed test


  • Assigning clients tunnel IP a subnet of the server tunnel net

    3
    0 Votes
    3 Posts
    2k Views
    P

    Hello,

    First thank you for responding, it's a tricky subject and I appreciate all the help I can get.
    Now onto the topic :

    First of all, the OpenVPN tunnel is not only a site-to-site server but a remote access one too (meaning sometimes I only want to connect to the OVPN IP, not the private subnets this machine has access to).

    The tunnels are on a /20 but the LANs are on another, so no risk of collision. Our network planning has been made to be a little future proof hence the /20.

    On the PKI, good idea but no, maintaining it properly would cost more of my time than I can allocate to it, automating the renewal of a shared key is no big deal.

    I was looking for a list of advanced options I can give to OpenVPN to assign a specific client-side tunnel IP belonging to the /20 in accordance to our naming scheme without letting the OpenVPN server choose it.

  • OpenVPN client static ip CSO not working

    4
    0 Votes
    4 Posts
    1k Views
    E

    OK, thanks, but I decided to downgrade to the 2.2.4 version (stable).

  • OpenVPN default route overriding WAN default route

    3
    0 Votes
    3 Posts
    910 Views
    R

    Ok, that's solved but I've followed almost every tutorial I can find and I cannot get traffic through this VPN. I've tried the Alias route, traffic leaves apparently but it looks like it doesn't know how to get back. In fact every method I try looks that way. Traffic leaves the pipe and never comes back.

    I created the manual nat rules. I currently have the Alias setup. What am I missing?

  • Force interface through vpn?

    1
    0 Votes
    1 Posts
    535 Views
    No one has replied
  • OpenVPN: Client Export Utility blank

    17
    0 Votes
    17 Posts
    7k Views
    johnpozJ

    hehe divsys seems to be more than from time to time ;)  I would say that the vast majority of user problems is the wrong cert..  What I don't get is the wizard as you stated takes you by the hand and it's really pretty freaking impossible to mess it up.

    My guess is they are not using the wizard..  Which makes no sense to me either..

    Maybe there needs to be a wizard for creating the user certs as well?  So they show up in the export util..

  • [Solved] Cannot connect to second LAN OpenVPN Peer-to-Peer Shared

    5
    0 Votes
    5 Posts
    1k Views
    M

    Yes, 172.16.30.0/26 and 172.16.30.0/24 are different networks.

    Glad it's working.

  • OpenVPN: block some IPs From the VPN interface Outbound traffic

    14
    0 Votes
    14 Posts
    3k Views
    D

    That's a good thing to do when using a VPN. I have seen DNS leaks when using ipv6 - think it's UDP related but not sure

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.