• openvpn causing resolver performance issue?

    @johnpoz

    @johnpoz said in openvpn causing resolver performance issue?:

    It's possible your VPN is causing pain as well with trying to resolve; maybe they filter other DNS??

    Confirmed they do not filter anything I can find. Pretty much just pass whatever traffic you send on through.

    @johnpoz said in openvpn causing resolver performance issue?:

    I would let Unbound either just use your normal ISP connection to resolve, or, if you're set on using it through your VPN, set Unbound to only use that interface for its outbound, or just set it to forward to your VPN service's DNS server.

    ISP direct resolution would present a DNS leak scenario on the VPN; not an optimal configuration. I tried changing the resolver interface binding, and it had no effect on the behavior.

    @johnpoz said in openvpn causing resolver performance issue?:

    But the fact of just running a VPN service on your WAN would/should/could not have any effect on Unbound resolving.. They don't have anything to do with each other.

    I rebuilt everything from factory default last night. The only difference is I set up the VPN server before I defined and configured the clients for my VPN service. Everything is functioning exactly as before, with all DNS traversing the VPN service (no forwarding, so still using root servers).

    The issue went away.

    Don't really understand what was happening, but I would like to. I have a backup of the broken configuration. I might bring it up on a VM and investigate further. What you describe about a timeout scenario seems to make a lot of sense. Just have no clue what would be timing out at the moment.

  • Firewall OpenVPN Peer-to-Peer Networking with same IP Address sub-network

    planedrop:

    @Bot I personally would say go with IPsec when you can. OpenVPN is cool and all, but IMO just not the same vs IPsec or WireGuard, which are my two go-to options. OpenVPN certainly is overall more configurable (not to be confused with capable) than the other 2, but it ends up being harder to set up, slower, and more complex.

    But yeah this should be doable either way by using NAT, it's basically the only way to get two identical subnets talking over a VPN.

  • Routing Internet Traffic via s2s client

    @alkisg
    You need to configure a VPN > OpenVPN > Client Specific Override for this client to route traffic to it.

    In the CSO, state a certain tunnel IP for this client and set the whole network range at "Remote Network/s". For IPv4 enter "0.0.0.0/0".

    Also in the server settings enter "0.0.0.0/0" at "IPv4 Remote network(s)".

  • OpenVPN Traffic not blocked anymore on default setting

    @w-hackl
    Rules have to be defined on the incoming interface in pfSense.

    Traffic from a client side LAN device enters the LAN interface, goes out on the OpenVPN and enters the VPN interface at the server side.

    So you can either block it on the client's LAN or on the server's VPN interface.

  • ExpressVPN Doesn't Work in The Latest Version

    No one has replied
  • OpenVPN Client and remote network

    @viragomann ok, the subnet is the only parameter that I can change on the OVPN server. I will set a /30 and I will let you know.

  • OpenVPN PHP Wizard

    @johnpoz

    Looks like 23.09 is going to be out soon.

    https://docs.netgate.com/pfsense/en/latest/releases/23-09.html

  • site to site not working loc to loc

    @viragomann hi, your solution works!
    Thanks!

  • OpenVPN server Netgate 6100 performance maximum concurrent connections

    No one has replied
  • daily OpenVPN

    adamw:

    Could somebody delete this topic please?
    It was created accidentally when I intended to post to a different topic :(

  • OpenVPN Windows 11 Installation Failed

    The dropdown in the taskbar is nice if you have multiple VPNs for different sites.

    [screenshot attached]

  • How to make OpenVPN work with Virtual IPs

    @viragomann

    Thanks.
    I tried to set langw to none, but I get the same result.

    vlan33 is 19.83.10.32/29, so indeed a typo.
    [screenshot attached]

    The actual subnet I need to access (98.91.0.0/16, and 5 more of the /16 subnets, so covering quite a wide area), which is set in the OpenVPN server's "IPv4 Local network(s)" section, is not the pfSense LAN (19.83.10.32/29). The pfSense LAN I could call MGMT because it's got no real use but to manage the OpenVPN.

    Btw, the reason for the tiny VLAN subnet is that to have CARP and HA set up properly, I needed to allow promiscuous mode, MAC address changes and forged transmits, which I will not do on my other VLANs for security reasons.

    Once again, setting up a single server with the same setup without virtual IPs, it's all wrapped and packed and working.
    There's something about the firewall/NAT/rules I can't figure out.

    I can access (ping) 98.91.0.0/16 devices from WAN, LAN, CARP LAN and CARP WAN too, but not from the OpenVPN 'nic'. I can ping my client from LAN and WAN, CARP LAN and CARP WAN, and also the OpenVPN 'nic'.

    I feel like there's a route/NAT/firewall rule missing for requests coming from the OpenVPN nic to my desired subnets (38.91.0.0/16 etc).

  • Establish openVPN tunnel from remote

    @AMartinelli said in Establish openVPN tunnel from remote:

    From my understanding, the steps should be these ones:

    openVPN traffic must be allowed to and from B3 WAN port in the whole network B. Typically, this means allowing UDP traffic on port 1194 for B3 WAN IP address.

    Since B3 is the server, it is sufficient to allow the OpenVPN traffic (e.g. port 1194) to B3. The OpenVPN server itself doesn't initiate a connection on its own.

    openVPN traffic reaching B1 must be forwarded to B3, more specifically to its WAN port IP address.

    So you have to forward UDP 1194 to B3.
    As it seems B2 is also a router in between, you have to forward it on B1 to the WAN port of B2, and on B2 to B3.

    There must exist in network B routing rules allowing network B devices (in this example B1 and B2) to reach B3 WAN port.

    If you only need to access B4 devices as you stated above, there are no routes needed for the other networks.

    I assume you have stated the LAN address of B2 as the WAN gateway on pfSense in the interface settings. If this is the case, pfSense NATs outbound traffic on the WAN to its interface address.
    If the VPN is for your own private purposes, as I assume, this would be fine and you would also be able to access B2 without the need of a static route. However, since B1 is behind a router from the point of view of pfSense, you would need to add routes to access this subnet.

    In either case, you need to enter all subnets you want to access (B1, B2, B4) from the remote site into the "Local Networks" box in the OpenVPN server settings.

    Maybe the B4 devices need additional settings to allow access from outside of their subnets, if it's even possible. At least, they need to have the pfSense LAN IP as their default gateway.
    Try to access them from B2 to check this.

    B3 needs to be able to communicate through internet

    This is not necessary to connect to the OpenVPN server, however, it is for installing packages and updates on pfSense.

  •

    @viragomann

    Ok I see now.

    Thank you, I did find a NAT rule that took over almost the whole UDP port range and was obviously interfering with other inbound traffic.

    After re-configuring the service in question and reducing the Inbound UDP port range to something more reasonable, I was able to resolve the OpenVPN connection issue.

  • Never See Client Export Page for VPN

    @viragomann yes I did install it and it shows installed

  • Solved: OpenVPN reconnect AUTH_FAILED

    @Motleycru oh my oh my ...man ....thank you so so so much....so unbelievable....i wasted about 6 hours trying to debug this shit. i was so frustrated and wanted to whack someone from norde, GL-Inet or dd-wrt ...what a mess .... a simple code comment on some screen would have saved 1000s of hours of people's time. someone deserves to be whacked seriously. but thank you so so much. i can get some sleep now

  • Two OpenVPN Servers Concurrently?

    johnpoz:

    @Kajetan321 and there you go - why the other suggestions are normally easier ;) Because it doesn't matter what the client does.. All it needs is its normal gateway..

  • in Site-to-Site OpenVPN can not access to the client LAN from Server

    @ShaneDeak

    Makes no difference in my case. In the end I had to create a new LAN firewall rule at the client-site pfSense (the one with dual WAN and failover).

    [image: FailoverVPN.jpg]

    10.0.33.0/24 is the remote local net.

    Now it works in both directions.

  • How to Monitor and Restart VPNs

    No one has replied
  • Connected client's wan ip is still getting assigned Wan ip.

    johnpoz:

    @ozgurerdogan If you have some box with 2 NICs.. You need to make sure it has the correct route to get to whatever your VPN tunnel network is.. Or it would just use its default route to try and answer some IP it does not have a route to.

    So this other WAN connection being used for non-VPN RDP into this box is not pfSense, I take it.. Why would this other connection not come into pfSense?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.