• 0 Votes
    11 Posts
    2k Views
    G

    @viragomann said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no rooting... same settings:

    @gsp said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no rooting... same settings:

    So in any case CSO is mandatory?

    If you want to access a network behind the client, it is, as mentioned.

    The CSO sets the iroute inside the OpenVPN server. This is needed to route the traffic to the proper client.
    These routes will not show up in the routing table of pfSense. There you will only see the network which you stated in the server settings.

    Thank you for your help! I have some sites interconnected with the shared key option... Should I go to IPSec or ovpn p2p SSL, which do you think is better? Because for many sites IPSec is now much easier to set up... :)

  • OpenVPN Site-to-Site issue

    3
    0 Votes
    3 Posts
    545 Views
    mohkhalifaM

    Any help?

  • Addressing CVE-2023-46850 in pfSense V2.7.0

    6
    0 Votes
    6 Posts
    855 Views
    S

    @luquinhasdainfra yes you cannot upgrade packages for a later version. See my sig.

  • Unifi best site-site alternative

    11
    0 Votes
    11 Posts
    3k Views
    B

    @SteveITS Since posting that I tried it and got it working, then came back here and noticed your reply. I didn't forward a port since my pfsense is static, but good to know that it can be done.

    However it seems to go offline a couple of times sometimes and needed "coaxing" to get it back connected (but in all fairness I was messing around with it lots)... I found changing a setting like tunnel name on the UniFi S2S VPN page would make it work again (the reset button in the status column didn't do anything when in this state, nor did pausing/unpausing). Using a hostname instead of an IP does not appear to work even though it is a new feature, and unifi does not show any status that it is connected like OpenVPN, but those are support issues for UniFi, I suppose, not here.

  • OPENVPN-ROUTE-STRANGE-BEHAVIOUR

    4
    0 Votes
    4 Posts
    423 Views
    J

    @viragomann

    No, my firewall rule only accepts a specific vpn network to a specific local subnet.

    The linux behaviour was exactly a test on any/any.
    Therefore I found this issue where windows obeys and linux does not give a shit

    :)

  • OpenVPN standalone migration to pfSense+ OpenVPN

    7
    0 Votes
    7 Posts
    692 Views
    D

    @viragomann
    Yes, the users are already created on the current server.

  • 0 Votes
    1 Posts
    312 Views
    No one has replied
  • VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?

    51
    0 Votes
    51 Posts
    19k Views
    Y

    @talaverde said in VPN DNS (i.e. PIA or NordVPN) and/or DNS over TLS - Which way to go?:

    o DNSSEC/TLS enabled DNS servers. No issues of leakage that I'm aware of. DNS requests are much quicker than using the VPN

    This is 4 and a half years too late, but can you please share the instructions on how you route your VPN DNS queries through your local DNS?

  • Routing

    2
    0 Votes
    2 Posts
    322 Views
    V

    @tbgu87
    Hi,
    this is the international section. Posts here should be written in English. There is a separate section for German.

    The end devices get the routes pushed correctly.

    Did you check that in the routing table on the client?

    Often the route on the remote networks to the Access Server tunnel network is forgotten. So depending on how you set up the site-to-site connections, the client tunnel network has to be entered somewhere there as a "Remote network".

  • Security alert on OpenVPN 2.6.5 (PfSense+ 23.09) CVE-2023-46850

    13
    1 Votes
    13 Posts
    2k Views
    M

    @jimp
    Hi,

    thanks for the answers!

    Regarding the fact that the pfsense 2.6.0 CE version is impacted, for my part I was able to confirm last week that on one of my firewalls on 2.6.0, not up to date, I had the 2.5.4 package of openvpn available, while today I have version 2.6.4.
    What is strange is that as https://cve.mitre.org/ indicates, only versions 2.6.0 to 2.6.6 are impacted...


    To conclude, you must upgrade to pfsense CE version 2.7.1

  • pfsense openvpn won't connect from certain cable providers ?

    72
    0 Votes
    72 Posts
    13k Views
    johnpozJ

    @pfchangs77 said in pfsense openvpn won't connect from certain cable providers ?:

    supervisors/managers

    Yeah they not going to know squat, you need to talk to one of their upper level tech/engineers ;)

  • openvpn tap tunnel goes offline

    1
    0 Votes
    1 Posts
    361 Views
    No one has replied
  • OpenVPN Slow IPerf

    1
    0 Votes
    1 Posts
    289 Views
    No one has replied
  • OpenVPN Client disconnects every few seconds - ExpressVPN

    9
    0 Votes
    9 Posts
    5k Views
    A

    @dimangelid it also worked for me, thank you very much have a good day.

  • OpenVPN doesn’t connect over external WiFi

    9
    0 Votes
    9 Posts
    793 Views
    U

    @greenlight
    I don’t use pfblockerng

  • 0 Votes
    2 Posts
    593 Views
    G

    Some more info...

    I am trying now to reconfigure my system by getting rid of all the VPN configuration and redoing it..

    However as one last thing, I was going to try was removing my VPN Gateway and recreating it and subsequently assigning a VPN interface to it.

    However when I did that, my Internet access stopped working. i.e. the WAN_PPPeO gateway was removed under the covers!

    I wonder if this is the problem I am experiencing above:

    There is something weird in that the Gateway link on my rule shows that correct VPN gateway, including a red status when I hover over it, but when I click the link it opens to the WAN_PPPOE Gateway definition, not the VPN one.

    Which leads me to believe there may be something that happened during the upgrade? I even recreated the rule from scratch, with the VPN gateway selected, but it still clicks through to the WAN_PPPOE gateway?

    For clarity, on the Rules/LAN page where I have my rule to direct certain hosts to the VPN Gateway. it shows that I have my VPNgateway selected for the traffic. If I hover over the VPN link for the rule, It shows the VPN gateway state.

    But when I click on the VPN gateway link, it opens to the WAN_PPPoE gateway definition, not the VPN gateway definition? If I inspect the link, the URL points to the actual WAN_PPPeE gateway with id=3 whereas the VPN gateway is actually id=2?

    I wonder if the backup/restore of my configuration is just screwed and I need to start over?

    Any ideas here?

  • pfSense 2.7.1 OpenVPN SHA1 hash clarification

    2
    0 Votes
    2 Posts
    594 Views
    jimpJ

    @dneuhaeuser said in pfSense 2.7.1 OpenVPN SHA1 hash clarification:

    I understand that with pfSense 2.7.1 SHA1 certificates are no longer supported for OpenVPN.

    However the list of "Hash algorithms removed from OpenVPN" does NOT include SHA1.

    So does this mean SHA1 is still usable as auth digest algorithm for the time being?

    That is correct. It is still OK (though not great) to use as an auth digest algorithm for now, that's a bit different context than when it gets used on a certificate.

  • Prevent User from exporting/reimporting OVPN Configuration File

    2
    0 Votes
    2 Posts
    188 Views
    jimpJ

    No, that kind of control would have to be implemented in the Client OS and support for those sorts of restrictions varies widely. Especially if it's a device owned by a user and not controlled by the company there wouldn't be a way to enforce anything on there.

  • How to call my Random OpenVPN Client Remote IP in a rule?

    9
    0 Votes
    9 Posts
    833 Views
    H

    @SteveITS
    I'm trying to avoid the logs full of "recursive routing".
    Doing a packet capture, I discovered that one of my LAN devices that sends traffic over the OpenVPN client ( I have a NAT rule for that ) is trying to connect to the public IP address of my client.
    I created a block rule that blocks traffic to the public IP, and it is working great.
    With that rule there is no more "recursive routing" on the OpenVPN client logs.

    On my Client config, I have a FQDN, not a static IP, and that FQDN calls a list of IPs, and uses 1 public IP from that list to connect to.
    That's why the Remote IP always changes, and that's why I'm looking for a way to automate via an Alias or Virtual IP that IP, so that the "blocking" rule continues doing its job.

  • Openvpn client and device routing

    Moved
    2
    0 Votes
    2 Posts
    342 Views
    A

    Just realised I made a mistake. I wanted to reply to a thread and I’ve ended up creating a new one. Seems like I can’t delete this either.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.