@opticalc said in Netgate's openvpn client's remote server and my homes public IP:

and it was leaking DNS due to my client still using PFSense as the DNS server

Unbound (the pfSense resolver) can be forced to use the VPN connection also .....

I followed some of your instructions and it is working once more.

I made a new CA as stated
I made a new Server Cert
I changed the OPENVPN to use the new CA & Cert
I changed 1 user to use the new CA & Cert
I downloaded and installed a fresh installed and it is now working.

@Gertjan Once more, thank you for time help time and assistance with helping me get this fixed. I really appreciate it.

That did the trick. 🙂

Thank you again. Pleased to have it working.

So I figured it out. You need to go to Interfaces -> WAN and set "IPv6 Configuration Type" from "DHCP6" to "None" and then reboot pfSense. When rebooted, the interface now has an IPv4 virtual address when you look at interface status that you can bind to and use.

I got the same error message after upgrading to a more recent pfsense version (2.6). I tried the packet capture (and I saw the client packets arriving), I switched from UDP to TCP (to no avail), I tried different port numbers and still got the same error message (TLS key negotiation failed to occur within 60 seconds).

Then I configured the OpenVPN server "Endpoint Configuration" and switched the interface from "WAN" to "any". Et voilà - the error message was gone and the connection was established as desired!

I then tried all different settings for "interface" to find out which was the right one, but I got the error message for every single one of them. Only "any" worked.

I reviewed DCO limitations and the document states that openvpn /DCO should honor kernel level routes. I added static routes (although dpinger should do this as well) and that didn't fix anything.

@Bambos This is surely the case

@Gertjan
Thank you for your time.
Brief, competent and clear.
Most likely my solution is to use the DUO Security platform first, and then, if successful, deploy my own server. Because I have a large number of VPN servers that require increased security
Thank you very much again!
Have a nice day.

@viragomann said in Can't access to Proxmox from outside (OpenVPN client):

o limit the rule to a single IP, enter the IP with a /32 mask.

Effectively !
Thanks again for your support.

@Gertjan said in OpenVPN Server dco:

so its really hidden ?

i checked this. only in my windows connect app:

433cb667-86dd-4934-aee9-06dfb0bed48f-image.png

@johnpoz is there a custom package (OVPN) implemented with this feature ?

@Aadrem said in OpenVPN Slow Only on One Specific Client (2.5G/1G Network):

Super Micro 1537 with a CPU that never exceeds 10% load,

pfSense is waiting on the WAN interface for traffic that comes in. Other VPN users have no issue, and you're pfSense handles them just fine. Just this 'one more' shows issues ?
So, the issue isn't pfSense, the VPN server ..... but the client, or the connection to/from the client.

What happens if you swap the VPN client config between 2 of your VPN users ?

@Aadrem said in OpenVPN Slow Only on One Specific Client (2.5G/1G Network):

(2.5 Gbps download / 1 Gbps upload). They are not on mobile 5G or a limited connection

No need to mention this, if you already know the hard sealing :
(1 Gbps download / 300 Mbps upload)

That said, the "problematic clients are a MacBook Pro and a OnePlus" have the connection "(2.5 Gbps download / 1 Gbps upload)" all for themselves ? Or is this connection shared with others ?
ISPs do sell their speeds measured with special conditions : like sun, Mars Earth and Jupiter aligned.

@Aadrem said in OpenVPN Slow Only on One Specific Client (2.5G/1G Network):

The issue does NOT occur when using 5G or FTTC connections, only on this specific FTTH connection.

Ah : That's useful info. The issue points to that network and the ISP.

@Gertjan
in case anyone has this issue, i found the solution. besides removing the DNS line remove the TLS key from Custom options under advanced configuration towards the bottom of the openvpn client. then go to the top and select USE A TLS KEY, then uncheck automatically generate a key and paste your key from your server here.
then for TLS Key Usage Mode change it to TLS encryption and authentication.
now it works after saving the changes!

@viragomann Sorry for that. Yes, it looks like there was a misconfiguration here. I had to change my default gateway it was still setup to be the 10.0.0.1 that the switch comes with. I thought it would be set from DHCP but i guess it wasn't. It's all working now! Thanks!

@poldus
What do you consider as "static" here?

The above shows the client log. But what shows the server log?
Does the server even see any VPN packet?

Are you aware, that shared key OpenVPN is deprecated these days?

Do you really intend to setup a tap client?