• Seeking help to route internet connection to dockers.

    4
    0 Votes
    4 Posts
    177 Views
    johnpozJ
    @TYz your apps can not get to the internet, or you can not get to your apps from the internet? For me for example to get to your docker you would need to forward to that port 30050 at 192.168.1.200 on pfsense. I would then go to your actual public IP.. pfsense would forward it to 192.168.1.200, which in turn would be sent to your docker 172.16 address.
  • Activating IPsec-MB Crypto

    5
    0 Votes
    5 Posts
    634 Views
    M
    @SteveITS My own hardware. I did select QAT but it still shows as "No" on the dashboard so I guess it is not available.
  • OpenVPN client error : "write UDPv4: Permission denied"

    4
    0 Votes
    4 Posts
    536 Views
    M
    @zeca I've got the same problem. I asked Google for help and found this topic: https://redmine.pfsense.org/issues/7240?tab=history After uninstalling Snort, my OpenVPN client could connect with no issues.
  • OpenVPN slow to connect after upgrade to 24.0.3.1

    5
    0 Votes
    5 Posts
    323 Views
    JonathanLeeJ
    Hard set your MTU on the interface you dial into your VPN on and also set MSS. Example: [image: 1721251503279-screenshot-2024-07-17-at-14.24.58.png] Hard setting this helped my speed drastically, as it will fragment on some ISPs.
  • Openvpn tap cannot access LAN

    7
    0 Votes
    7 Posts
    472 Views
    D
    Apparently the ESXi vSwitch was blocking the bridge interface on the LAN and only the VPN clients were getting IPs. I disabled all the security features on the vSwitch and LAN, and it's all working now. Thank you, @viragomann
  • Migrating from OPNSense OpenVPN To PFSense

    2
    0 Votes
    2 Posts
    261 Views
    GertjanG
    @gbitglenn Let's make a list. Check the OpenVPN server version: is it the same? If, for example, Openfense uses a way older OpenVPN server version, settings change, so client settings will change anyway in the near future, so game over anyway, as changes for every client will be needed when Openfense changes its OpenVPN server version. If the OpenVPN is somewhat the same: if you can export the main openvpn CA certificate from OpenSense, and the certificate itself, you could import them both into pfSense. And all the 25 user certificates. Actually, this must work, and is easy to test for just one user. Just take an old sub 10 $, old PC with 2 NICs, install pfSense and do what's said above. @gbitglenn said in Migrating from OPNSense OpenVPN To PFSense: Is this even possible or am I screwed? Is that modern phrasing? Before, it was "Is this even possible or do I have some work to do?"
  • Remote access server disconnects after a few minutes of inactivity

    4
    0 Votes
    4 Posts
    208 Views
    A
    I have the interval set to 60 minutes as a test and sure enough I'm getting these logs every hour. But is this an indication that there is a fault? If the pings were going through would it even need to authenticate?
    Jul 16 09:37:23 openvpn 90300 user 'UserName' authenticated
    Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_SSO=openurl,webauth,crtext
    Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_GUI_VER=OpenVPN_GUI_11
    Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_COMP_STUBv2=1
    Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_COMP_STUB=1
    Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_LZO_STUB=1
    Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_PROTO=990
    Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
    Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_NCP=2
    Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_MTU=1600
    Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_TCPNL=1
    Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_PLAT=win
    Jul 16 09:37:23 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_VER=2.6.5
    Jul 16 08:38:08 openvpn 90300 user 'UserName' authenticated
    Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_SSO=openurl,webauth,crtext
    Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_GUI_VER=OpenVPN_GUI_11
    Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_COMP_STUBv2=1
    Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_COMP_STUB=1
    Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_LZO_STUB=1
    Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_PROTO=990
    Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
    Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_NCP=2
    Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_MTU=1600
    Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_TCPNL=1
    Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_PLAT=win
    Jul 16 08:38:08 openvpn 92234 UserName/5.public.IP.10:63453 peer info: IV_VER=2.6.5
  • DCO unable to connect (unsolvable)

    12
    0 Votes
    12 Posts
    1k Views
    V
    @McMurphy said in DCO unable to connect (unsolvable): data-ciphers AES-256-GCM data-ciphers-fallback AES-256-GCM This is not really meaningful, and apart from this it differs from the Windows settings, where AES-256-CBC is used.
  • OpenVPN questions (DNS, Speed, Reliability etc)

    5
    0 Votes
    5 Posts
    287 Views
    LaxarusL
    @Gertjan said in OpenVPN questions (DNS, Speed, Reliability etc): I'll say it upfront : not sure if it's wise to have identical domain names on two different location. It is definitely not wise, and logic says I should switch to another domain name for one of the sites, but it is just too troublesome. The only way I can think of to have a unified DNS is to manually set up the DNS entries on both sites, which is too ugly and clearly not a standard approach.
  • Openvpn portforwarding

    1
    0 Votes
    1 Posts
    112 Views
    No one has replied
  • 0 Votes
    2 Posts
    149 Views
    L
    @lsw793237040 [image: 1721091040390-36a995b0-1e40-4d22-83a0-2bf543c2940c-image.png]
  • push DNS on openvpn not work

    1
    0 Votes
    1 Posts
    150 Views
    No one has replied
  • Openvpn connection timeout from certain external ip address

    7
    0 Votes
    7 Posts
    753 Views
    GertjanG
    @sbob990 I showed you my OpenVPN firewall rule, the one that accepts 'UDP, port 1194' from 'everybody'. Such a rule accepts OpenVPN traffic from everybody. No 'blacklisting' is happening on pfSense. That is, you didn't tell us about that. If you don't see the traffic counter in front of the rule going up when you connect, the traffic never arrives at the pfSense WAN NIC. You have an upstream router ? Did you NAT that router ?
  • Multiple OpenVPN Servers

    11
    0 Votes
    11 Posts
    4k Views
    G
    @johnpoz Thank you! And, I really should have seen that, ... doh!
  • Connection to pfSense openVPN - Routing through IPSec Tunnel

    3
    0 Votes
    3 Posts
    177 Views
    M
    @viragomann Thank you so much. I think I'm already too used to the simplicity of openVPN.... thanks, I added the networks and it works. many greets markus
  • LDAP Auth Servers - AD bind problem with

    5
    0 Votes
    5 Posts
    522 Views
    A
    Thank you, that seems the only way, since pfSense isn't supporting SASL. I tried yesterday also with Apache Directory Studio; the connection is accepted with StartTLS (no SASL), which doesn't work in pfSense. [image: 1720788012451-f70705f8-df66-484e-9761-4dd8f906e341-grafik.png] and [image: 1720788201961-df09bfed-e607-47a1-9afe-b9a43e917279-grafik.png] This is getting me really confused. Anyway, I will try to export the CA and do it your way (I was unsuccessful today in finding out how/where to extract it from the Synology; the only thing I got was the certificate, no CA). Thank you for your help, I will report back how it went (in about two weeks, I have to pause this project).
  • OpenVPN - ECC with Secp256k elliptic curve does not work anymore

    3
    0 Votes
    3 Posts
    207 Views
    M
    Hi, I have updated the VPN CA and TLS certificates, if that is what you meant? Sorry, I am a beginner with VPN related stuff, still learning how it all works, thanks!
  • OpenVPN only and IP address WAN-LAN

    2
    0 Votes
    2 Posts
    160 Views
    V
    @rnolin said in OpenVPN only and IP address WAN-LAN: If the customer keeps his router, what are the network architecture options? Can we use only the WAN or the LAN of Netgate 1100 ? If you insert pfSense as shown in the diagram you need both. I know that the WAN can't be in the same domain as the LAN, and if we absolutely have to use both the WAN and the LAN, does that mean we have to change all the IPs on the customer's workstations? Change the routes LAN network and connect pfSense to it. On pfSense configure the LAN network as it was on the router before. Other options are: Configure a transit network on the router and connect pfSense to it. You only need a single port connected to the existing LAN then, say LAN. Then you would need to add routes on the custom router for the VPN tunnel network and point it to pfSense, and on pfSense for the LAN and point it to the router. Do masquerading on pfSense. This works as well with a single port. The drawback is that, when accessing the LAN devices over VPN, they will see only the pfSense IP, not the real VPN client IP.
  • How to use same local network for IPSEC tunnel and OpenVPN server

    2
    0 Votes
    2 Posts
    157 Views
    V
    @aredondo said in How to use same local network for IPSEC tunnel and OpenVPN server: Hi, I currently have in the pfsense configured an OpenVPN server with access to a specific local IP. But I also need to set up an IPSec tunnel where the local network is this same IP. From the same remote IPs? Which type of VPNs, road warrior or peer to peer?
  • OpenVPN client specific override DNS is not applied

    3
    0 Votes
    3 Posts
    234 Views
    lifeboyL
    I have found a workaround. In Windows PowerShell I can do this:
    netsh dnsclient delete dnsserver "OpenVPN TAP-Windows6" all
    netsh dnsclient add dnsserver "OpenVPN TAP-Windows6" 192.168.131.191
    This sets the correct DNS server so that I can join the AD domain, which is the goal I was trying to achieve. It seems that the CSO adds the DNS records to the existing one, and doesn't replace it. Is that by design or can it be fixed/changed?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.