• 0 Votes
    6 Posts
    611 Views
    johnpoz

    @valk said in All traffic behind pfsense is being routed through VPN. How can a client opt out?:

    So I want to be able to do it from the client side

    Then run your vpn on your client..

  • Site to site - client route not installed on server

    0 Votes
    3 Posts
    422 Views

    So, installing a static route manually in the OS makes the thing work.

    A bit stuck now, feels like the knobs are not doing what they should.

  • OpenVPN and long distance tunnels

    0 Votes
    5 Posts
    1k Views

    Thanks for the reply.

    True, it is M-files we are running. I will make another attempt with them, but so far we have received only useless replies to any kind of support request we have sent them.

    We will try the in-house web solution that is an option and see if it has the features we need, or if we are forced to continue to run RDP from the locations that have too high an RTT.

  • openvpn client configuration

    0 Votes
    2 Posts
    428 Views

    @gpeting

    Bump, just trying to get a response with a sense of urgency. We have a hurricane heading our way and need to get the remote phones programmed ASAP. Thanks in advance.

  • Why can't I use a /8 ?

    0 Votes
    8 Posts
    757 Views
    johnpoz

    @ipguy said in Why can't I use a /8 ?:

    the next remote network, 10.3.0.0/28
    the next remote network, 10.4.0.0/28

    I am with @JKnott here - this doesn't make a lot of sense..

    So you have a remote device.. And it has a /28 or even multiple /28s on the other end of it.. Ok what does that have to do with your tunnel network?

    How many devices are going to connect to the openvpn server? 8000? So your tunnel network would only need to support 8000 IPs.. So a /19 would allow for 8190 addresses - so if using subnet vs net30, each modem would only be getting 1 IP for the tunnel.. So 8190 modems. What networks are on the other end of the tunnel has nothing to do with the tunnel network.. The tunnel network determines how many clients can connect to that server.. Using a /16 tunnel would allow for 65k devices to connect.. Even using net30 addressing you would still have way more than enough for 8000 connections.

    Also with

    the next remote network, 10.3.0.0/28
    the next remote network, 10.4.0.0/28

    You're wasting a lot of space between those networks as mentioned.. You're using a whole /16 just to assign a /28... Think we are missing some info here.

    But you could route multiple network across your 1 IP used to connect for the tunnel..

    I think we need a better understanding of what you're doing or wanting to do exactly.. How are these modems connecting to you now?

  • How can I set up clients with conflicting subnets?

    0 Votes
    1 Posts
    275 Views
    No one has replied
  • OpenVPN Killswitch Issue

    0 Votes
    1 Posts
    328 Views
    No one has replied
  • Issue with two CAs

    0 Votes
    2 Posts
    380 Views

    Modified the pivpn install script and set the CN for one location to be different.

    It seems pfsense computes identical hashes otherwise and gets confused which is which.

  • Verify error dept=0,error=certificate

    0 Votes
    2 Posts
    308 Views
    bingo600

    @nortel

    Does your device have the correct date & time set ?

    If so ...
    I would check if the message "error=certificate has expired" is valid.

    From the pic, it seems like the client is a Windows PC with the OpenVPN client installed.
    What is the other (server) end?
    A pfSense you control?

  • Windows 10 Client Not Obtaining IP in TAP Mode

    0 Votes
    6 Posts
    551 Views

    I'll try updating the OpenVPN client. I saw the new v3. It looks like a Windows version of the iOS client and seems feature limited. Not sure if anyone here has used it before. Maybe it's just that the GUI is nicer looking and the "innards" are still high-tech. :)

  • Can't connect to 3rd Party VPN Service using OpenVPN.

    0 Votes
    5 Posts
    713 Views
    DenverDesktopsSupport

    @denverdesktopssupport said in Can't connect to 3rd Party VPN Service using OpenVPN.:

    @viragomann following this article. 192.168.35 is LAN

    the interface is enabled.

    https://support.privadovpn.com/kb/article/510-pfsense-openvpn-setup/

  • 0 Votes
    5 Posts
    715 Views

    @viragomann Yes, this problem only appeared after changing the public IP of DynDNS. Absolutely nothing else was changed, just the DynDNS IP.

  • Openvpn slow even with cipher=none

    0 Votes
    6 Posts
    3k Views

    Sorry to break open this thread again.

    Linux OpenVPN has the parameter --txqueuelen which does not exist in OpenVPN for BSD. Apparently it makes a lot of difference on long distance connections.

    BSD apparently has the parameter fixed to 50, I read somewhere else.

    https://serverfault.com/questions/686286/very-low-tcp-openvpn-throughput-100mbit-port-low-cpu-utilization

  • Issues connecting to OpenVPN

    0 Votes
    9 Posts
    927 Views

    @cmos_battery In your settings under VPN -> OpenVPN -> Server, does it say this?

    https://imgur.com/fUgdRch.png

  • Import more specific routes from openvpn clients

    0 Votes
    1 Posts
    222 Views
    No one has replied
  • OpenVPN Optimization (peer id)

    0 Votes
    13 Posts
    2k Views
    JKnott

    @jknott said in OpenVPN Optimization (peer id):

    I just tried the test described in the 2nd link. The 1st & 3rd runs are with AES-NI enabled and the 2nd and 4th without.

    [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128 cbc for 3s on 16 size blocks: 25636690 aes-128 cbc's in 3.03s
    Doing aes-128 cbc for 3s on 64 size blocks: 6645567 aes-128 cbc's in 3.02s
    Doing aes-128 cbc for 3s on 256 size blocks: 1666553 aes-128 cbc's in 3.01s
    Doing aes-128 cbc for 3s on 1024 size blocks: 419373 aes-128 cbc's in 3.02s
    Doing aes-128 cbc for 3s on 8192 size blocks: 52444 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 16384 size blocks: 26180 aes-128 cbc's in 3.01s
    OpenSSL 1.1.1k-freebsd 25 Mar 2021
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
    aes-128 cbc 135319.44k 141037.53k 141843.14k 142404.29k 143207.08k 142606.34k
    [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128 cbc for 3s on 16 size blocks: 25330588 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 64 size blocks: 6627583 aes-128 cbc's in 3.01s
    Doing aes-128 cbc for 3s on 256 size blocks: 1673390 aes-128 cbc's in 3.02s
    Doing aes-128 cbc for 3s on 1024 size blocks: 417364 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 8192 size blocks: 53873 aes-128 cbc's in 3.09s
    Doing aes-128 cbc for 3s on 16384 size blocks: 26240 aes-128 cbc's in 3.02s
    OpenSSL 1.1.1k-freebsd 25 Mar 2021
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
    aes-128 cbc 135096.47k 141021.19k 141689.00k 142460.25k 143012.49k 142562.87k
    [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128 cbc for 3s on 16 size blocks: 26072625 aes-128 cbc's in 3.08s
    Doing aes-128 cbc for 3s on 64 size blocks: 6763860 aes-128 cbc's in 3.09s
    Doing aes-128 cbc for 3s on 256 size blocks: 1672403 aes-128 cbc's in 3.02s
    Doing aes-128 cbc for 3s on 1024 size blocks: 421159 aes-128 cbc's in 3.02s
    Doing aes-128 cbc for 3s on 8192 size blocks: 52262 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 16384 size blocks: 26208 aes-128 cbc's in 3.00s
    OpenSSL 1.1.1k-freebsd 25 Mar 2021
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
    aes-128 cbc 135524.71k 140277.32k 141972.28k 143010.76k 142710.10k 143130.62k
    [2.5.2-RELEASE][root@firewall.jknott.net]/root: openssl speed -elapsed aes-128-cbc
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128 cbc for 3s on 16 size blocks: 25433637 aes-128 cbc's in 3.01s
    Doing aes-128 cbc for 3s on 64 size blocks: 6800719 aes-128 cbc's in 3.09s
    Doing aes-128 cbc for 3s on 256 size blocks: 1663307 aes-128 cbc's in 3.01s
    Doing aes-128 cbc for 3s on 1024 size blocks: 417174 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 8192 size blocks: 51998 aes-128 cbc's in 3.00s
    Doing aes-128 cbc for 3s on 16384 size blocks: 26190 aes-128 cbc's in 3.01s
    OpenSSL 1.1.1k-freebsd 25 Mar 2021
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
    aes-128 cbc 135293.74k 141041.75k 141566.87k 142395.39k 141989.21k 142660.81k
    [2.5.2-RELEASE][root@firewall.jknott.net]/root:

    If I'm reading that right, it appears there's a very slight, but probably not significant benefit to enabling it.

  • Client crypto hardware.

    0 Votes
    4 Posts
    639 Views
    JKnott

    @jknott said in Client crypto hardware.:

    I have a Lenovo E520 ThinkPad, with i3 CPU, which I bought about 10 years ago.

    Apparently, that computer is too old to support RDRAND. It first appeared with the Ivy Bridge CPU, which became available around the time I bought my ThinkPad.

  • OpenVPN log entries, repetitive

    0 Votes
    3 Posts
    467 Views

    @bingo600 A change from 3 (recommended) to default did the trick. Thanks for that.

  • PIA dedicated IP as OpenVPN client

    0 Votes
    5 Posts
    5k Views

    @viragomann,
    Thanks for your interest in helping. However, PIA has confirmed that what it calls a "dedicated IP" is very different from a static IP and can be used only with PIA software, which is not available for pfSense. So this thread can be closed. I'm no longer pursuing that solution and will rely on DDNS.

  • 0 Votes
    2 Posts
    404 Views

    @corsairwall32
    Add a firewall rule to the top of the LAN rule set allowing traffic to this destination IP. Open the advanced options, go down to Gateway and select the WAN gateway.
    That way the traffic will be directed out via WAN.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.