I'm using the exact same openvpn server on my local machine, and there I've no issues at all. After searching for a few days I feel like being lost, and could need some pointers.
The only 2 differences I can think of between my local machine and the server are the OS (server is CentOS 7, local machine Ubuntu), and the fact that the server is in the same subnet as the VPN server. I did add some push routes to be sure the VPN server and gateway are not routed over VPN (we do not route all traffic over VPN).
The interesting part of the 'route -n' output:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 <subnet>.254 0.0.0.0 UG 100 0 0 ens192
10.91.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.93.0.0 10.91.0.1 255.255.255.0 UG 1 0 0 tun0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
<subnet>.0 10.91.0.1 255.255.255.0 UG 20 0 0 tun0
<subnet>.0 0.0.0.0 255.255.255.0 U 100 0 0 ens192
<subnet>.111 0.0.0.0 255.255.255.255 UH 1 0 0 ens192
<subnet>.254 0.0.0.0 255.255.255.255 UH 1 0 0 ens192
The server is a pfsense machine, not sure how to copy the raw server.conf from there. The client.conf is exported from pfsense, this is my current client.conf (I've played around with the sndbuf / rcvbuf / mssfix and fragment parameters):
client.conf
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote <openvpn ipv4 address> <openvpn port> udp
verify-x509-name "<openvpn.fqdn>" name
pkcs12 <key path>.p12
tls-auth <key path>.key 1
remote-cert-tls server
comp-lzo no
passtos
sndbuf 0
rcvbuf 0
push "sndbuf 393216"
push "rcvbuf 393216"
fragment 1200
mssfix
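An added check, not part of the original post, that parses the `route -n` output above and reports every prefix that is reachable both via tun0 and via a physical interface where the tun0 route has the lower metric and therefore wins. The `<subnet>` placeholder is filled with the 192.0.2.0/24 documentation range as an assumption so the sample runs offline.

```python
# Constructed sample: the `route -n` table from the post, with <subnet>
# replaced by the 192.0.2.0/24 documentation range (assumption).
ROUTE_OUTPUT = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.0.2.254     0.0.0.0         UG    100    0        0 ens192
10.91.0.0       0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.93.0.0       10.91.0.1       255.255.255.0   UG    1      0        0 tun0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.0.2.0       10.91.0.1       255.255.255.0   UG    20     0        0 tun0
192.0.2.0       0.0.0.0         255.255.255.0   U     100    0        0 ens192
192.0.2.111     0.0.0.0         255.255.255.255 UH    1      0        0 ens192
192.0.2.254     0.0.0.0         255.255.255.255 UH    1      0        0 ens192
"""


def parse_routes(text):
    """Turn `route -n` output into a list of dicts (header line skipped)."""
    routes = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 8:
            continue
        routes.append({"dst": f[0], "gw": f[1], "mask": f[2], "flags": f[3],
                       "metric": int(f[4]), "iface": f[7]})
    return routes


def find_vpn_shadowing(routes, vpn_iface="tun0"):
    """Return (dst, mask, vpn_metric, phys_iface, phys_metric) for each prefix
    present on both the VPN interface and another interface where the VPN
    route has the lower metric, i.e. the kernel prefers the tunnel for it."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault((r["dst"], r["mask"]), []).append(r)
    hits = []
    for (dst, mask), rs in by_prefix.items():
        vpn = [r for r in rs if r["iface"] == vpn_iface]
        phys = [r for r in rs if r["iface"] != vpn_iface]
        for v in vpn:
            for p in phys:
                if v["metric"] < p["metric"]:
                    hits.append((dst, mask, v["metric"], p["iface"], p["metric"]))
    return hits


if __name__ == "__main__":
    for dst, mask, vm, pif, pm in find_vpn_shadowing(parse_routes(ROUTE_OUTPUT)):
        print(f"{dst}/{mask}: tun0 metric {vm} beats {pif} metric {pm}; "
              f"only the /32 host routes on {pif} escape the tunnel")
```

Run against the sample it flags the local subnet's /24, which is reached via tun0 (metric 20) ahead of ens192 (metric 100); the two /32 host routes are the only exceptions.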