@thenarc Thanks for trying anyway. Yeah, watching the CPU usage was one of the first things I tried and it definitely isn't a problem as far as I can see, not even close. I'll keep trying different configurations, but if you or anyone else thinks of something then do let me know and I'll owe you a beer :-)
@bcruze said in Connecting to AirVPN with OpenVPN and Gateway issue:
https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/
i learned ALOT by reading and following this guide. there are still things to uncheck but you have to read the entire thread.
my connection has been 100% stable if i just stop tinkering.
good luck Airvpn is a great provider
(tunnel settings uncheck BOTH that you have checked)
you can also type IFCONFIG at the diag > command prompt and your tunnel interface gateway will be listed towards the bottom..
Alright, ill check this out thanks.
@rico said in Connecting to AirVPN with OpenVPN and Gateway issue:
With 0.1ms RTT I don't think you are Monitoring the other Tunnel Side (VPN Provider).
-Rico
I thought this was strange also, considering my local ISP gateway was 8.9ms and 2.2ms
Firewall rules - lan- add each of your devices (assign a static up to then from dhcp lease page). Anyways add them again to the above then change the gateway to your vpn gateway
If you don’t have another gateway your vpn isn’t setup properly... my setup like this has been working for years! Pfsense is an amazing firewall
I have found some more.
This is apparently a known issue that is caused by changing the Monitor IP on an OpenVPN-Interface.
Here is the bug report: https://redmine.pfsense.org/issues/8142
And here the discussion linked in the report: https://forum.pfsense.org/index.php?topic=138608.msg764734#msg764734
The issue is still present in 2.4.3-RELEASE (amd64).
The only workaround I have found without resetting the system was to change the subnet of the Ubuntu OpenVPN-server to something different than x.x.x.0/24.
x.x.x.0/24 seems to be forever blocked by the non removable route.
If anyone has any updates in that regard, I would be highly interested, so please let me know!
Kind regards,
Holger
In the OpenVPN client settings check "Don't pull routes" to avoid to get pushed the default route by the VPN servers.
Assign interfaces to each client instance and enable the interfaces.
Edit the firewall rules on your LANs which are allowing the upstream traffic, expand the advanced options, go down to Gateway and select the appropriate gateway.
In System > Advanced > Miscellaneous check "Skip rules when gateway is down".
Consider that firewall rules with stated gateway allow traffic passing that gateway solely. So you will need separate rule to permit internal access it you need, for instance DNS to the pfSense interface.
The router, by definition, must always have access to the internet, or else it would not be able to contact the VPN server to establish the tunnel in the first place. You might be able to construct firewall rules to limit outgoing traffic -- only allowing certain destination hosts, for example -- but it might end up causing lots of headaches.
Just configured L2TP/IPSEC and did a test from a Laptop with Windows 10 using Windows 10 built in VPN Client software.
Test was done with laptop connected to Wifi and I got around 70mbps with Iperf over the VPN tunnel.
Pfsense CPU load was around 6% during test.
This is twice as fast as OpenVPN and even not a proper test since it was done over wifi.
Can't understand why OpenVPN is so slow...
@derelict
Thanks Derelict. I will have a further look into it.
It seems I cannot replicate this issue anymore, but not much has changed.
I will return if I manage to figure it out.
Thanks
@derelict I will try to post the network diagram.
We are using two Devices at the Remote sites:
An Intel NUC running custom data acquisition software which periodically publishes messages to the MQTT Broker at the central site . It initiates the OpenVPN channel to the central site via the 4G cellular wireless router.
There is a power controlling/monitoring device at the site which has a web and SNMP interface. We need to occasionally check or reconfigure that from the central site.
We would like to SSH into that device from the central site across the OpenVPN tunnel.
All of this palava comes about because of the "carrier grade NAT" at these Remote sites, which means we don't have static IP addresses and DynDNS doesn't work so we need to open the comms channel from that end.
@sage-badolato said in OpenVPN Site to Site Setup:
@marvosa I'm not sure how to get those config files. If you could let me know how to get those, I'd be more than happy to.
The OpenVPN config files are located here:
/var/etc/openvpn
You can view the contents via the shell or Diagnostics -> Edit File
Hi Folks
I tore the entire system down and redid it from scratch from the actual manual. This time it worked . So not sure what I missed but all is good now. Thanks for your input.
RESOLVED!
The problem was the MTU of VPN!
I had MTU 1500 but max of my openvpn machine was 1472.
I add
mssfix 1420
fragment 1472
mtu-test
to openvpn client config and all works!
Thanks!
@jimp said in OpenVPN - Connected Since time is wrong:
What time zone did you select? Looks like you used one of the GMT offset zones which really shouldn't be used. Pick a geographically named zone and restart things again.
Thanks I changed to Europe/London and it seems to be working well for now :)
@johnpoz I suppose in the final setup it wont be needed as this will be the only gateway, but at the moment I need it as it is not our primary gateway just yet. Thanks for your help on this anyway John.
Check out the following guide which explains quite well how to set up multiple OpenVPN client connections in pfSense:
https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/
You cannot route the servers public IP through the tunnel. That would mean the vpn tunnel would be routed through the tunnel itself. How should that work?
Access the web server by its internal IP. Also you can setup a split DNS and provide it to the vpn clients. So the client get the internal IP when they try to access the web server.
im sure im done this wrong.. and not trying to get you mad.. just learning as i go
and ok ill check out that stuff
reason i put the block on is.. its below the NordVPN and doesnt that mean
yes when NordVPN service is working it does that rule.. but if the NordVPN is offline it would skip that rule right ..or does it still keep that rule... as thats the reason i put that block below nordvpn incase the service would shut off then the rule gets skipped and goes to allow it..
because the last line is your Default Lan so when the NordVPN goes down.. i still can use the internet im just not behind it anymore...
so thats how i thought it worked
NordVPN up -----> all computers are behind vpn
NordVPN goes down -----> blocks the 1 computer... ---->runs last rule that allows rest of the computers to access the internet...
thought thats how those rules worked i have set....
as for the block of the tunnell here is the image but im sure i did it wrong.. but im trying and ill google the info you mentioned thanks so far
This fixed my speed issues.
In your open vpn client settings I added this to my custom options.
My speeds went from 40Mbps, to 90Mbps.
My ping times also went from 27ms to 20ms
This was recommended from this thread. https://forum.netgate.com/topic/114212/aes-ni-cryptodev-openvpn-help-a-n00b-understand/23
fast-io
sndbuf 524288
rcvbuf 524288
What are addresses VPN net and VPN address If you assigned an interface to the OpenVPN instance then set addresses and gateways on that interface you did it wrong.
Why port forward at all? Why not just directly route to 192.168.0.5?
If you have only a "private" RFC 1918 address, then you're out of luck. To set up a VPN, you need an address that you can reach from elsewhere. Those private address won't work for that.
Assign an interface to the OpenVPN instance in Interfaces > Assign.
Then edit all you LAN firewall rules which allow upstream traffic, open the advanced options, go down to Gateway and select the gateway of the corresponding OpenVPN instance.
Consider that rules with stated gateway only allow traffic passing that gateway. So if you also need access to other destinations like DNS on pfSense itself you have to add additional rules to permit that and put them to the top of the rule set.
Hi,
LAN rules aren't important, as initial traffic goes out the LAN, not coming in.
"VPN"(or, if absent, "OpenVPN" tab rules) rules are important :
do you see the state counters going up ?
And, as you didn't mention : some other little details, like the local LAN from where you run your Mac with Viscosity must be different as the remote LAN on pfSense with OpenVPN.
