• PfSense 22.05: Openvpn site to site shared key to SSL/TLS wrong gw ?

    0 Votes
    8 Posts
    899 Views

    @jimp Sorry, you were right, it was my config error, now it works correctly (peer to peer SSL / TLS) no bugs.

    Thanks

  • Problem with Virtual Address

    0 Votes
    11 Posts
    958 Views

    @nogbadthebad said in Problem with Virtual Address:

    I'm at a loss why Surfshark said talk to Netgate ...

    Because that’s an easy way for the first level support to get rid of an onerous customer.

  • Sudden poor OpenVPN Performance

    0 Votes
    2 Posts
    491 Views

    Attributed this to Windows Update KB5013887. Once removed, OpenVPN performance is back to normal.

  • Multi-Hop OpenVPN

    0 Votes
    3 Posts
    633 Views

    @rolster said in Multi-Hop OpenVPN:

    I have an OpenVPN installation running between my head office for Business "A" and the Head Office for Business "B".
    It works really well and does what I want it to do.

    In both businesses, I have multiple sites that also need to connect across the OVPN tunnel, but we don't have the necessary L3 routing in place to get their traffic to each of the head offices.

    In my head, I believe that this should be possible, by installing a PFS OVPN client at each site.
    The local traffic can be forwarded into the LAN interface without issue.
    I want the traffic to travel via the WAN interface to the LAN interface of the successfully connected installation, then travel through the working inter-site tunnel to the partner business.

    I think it should be "do-able", but haven't got it working yet.

    Any tips or advice?

    So you have a site to site tunnel between A and B?
    How are the "multiple sites" connected? Just to A, just to B, between both?
    I don't know what PFS is, do you mean pfSense? If so, yes, that would work, but not necessary. Any OpenVPN client would work.

    What JKnott means is you just need the correct static routes between sites. The OpenVPN config will add them if done right.

  • is there a way to download .ovpn file from terminal?

    0 Votes
    1 Posts
    328 Views
    No one has replied
  • Export utility - custom bundle name?

    0 Votes
    9 Posts
    848 Views

    @viragomann I was able to open the .exe as an archive in 7-zip and just rename the .ovpn, as you don't even need to run it as a command - rename is an option when right-clicking on the file whilst having it open as an archive.

    Thanks again for pointing me in the right direction!

  • Can't Get The Gateway up for a Site-To-Site OpenVPN Connection.

    0 Votes
    11 Posts
    874 Views
    neogrid

    @viragomann actually I use an alias with my various subnets, including the tunnel subnets, so I believe it is covered. I also use an interface for my OpenVPN servers and don't use the "general" OpenVPN tab as such. That way I have some idea what is going on by doing things manually.

    I need to do a bit more digging into this.

  • OpenVPN performance

    0 Votes
    4 Posts
    663 Views

    @postuser49
    Try to use the AES-256-GCM cipher. CBC is known as less performant.

    You can find further tuning hints on Netgate's VPN Scaling page.

  • 0 Votes
    2 Posts
    1k Views

    @whitefed0ra are you still having connection problems with PIA? I'm asking because my PIA also stopped on PFsense 2.60...
    After reading several posts, I was told that using TLS keys is going to be removed in PFsense v2.70. If this is true, I don't know yet and first must be determined. Until then, my VPN is offline.

  • Routing specific traffic from LAN through OpenVPN client (from server)

    0 Votes
    3 Posts
    601 Views

    @viragomann
    Thanks, I see now the part of Remote Networks that I didn't see before.

    After some more testing, I decided to try using WireGuard as an alternative. Problem fixed in 10 minutes.

  • Unstable OpenVPN Connection.

    0 Votes
    1 Posts
    500 Views
    No one has replied
  • 0 Votes
    20 Posts
    4k Views
    Bob.Dig

    I agree, pfSense could be much easier. But it is not a consumer product, it is for the enterprise and those are the ones who are willing to pay the money its cost.

  • DNS traffic not always using tunnel

    0 Votes
    1 Posts
    290 Views
    No one has replied
  • OpenVPN connection between GliNet GL-XE300C4 and pfSense

    0 Votes
    2 Posts
    557 Views

    @powerextreme Probably best to troubleshoot from the pfSense side.

    Is the OpenVPN firewall rules tab showing that you're passing all data?

    Are there any blocked events in the Firewall log related to your OpenVPN connection?

  • Openvpn site to site traffic issue

    0 Votes
    17 Posts
    2k Views

    @betahelix Nothing really sticks out as a problem but you can try turning off hardware crypto.

    The other thing is viragomann's suggestion.
    You have:
    ifconfig 192.168.72.1 192.168.72.2
    route 192.168.10.0 255.255.255.0 192.168.72.1

    Should be on the client side:
    ifconfig 192.168.72.2 192.168.72.1
    route 192.168.10.0 255.255.255.0

    Other than that, my guess is something on the Asus which I know nothing about. Might check if they have some kind of support forum too.

  • OpenVPN routing to multiple networks

    0 Votes
    4 Posts
    616 Views

    @viragomann Confirmed you were correct!

    Adding a 2nd Phase 2 rule at both ends tells it where to send the traffic and it works perfectly.

    Thanks for the tip!

  • OpenVPN Bidirectional tun not pinging both ways

    0 Votes
    2 Posts
    582 Views

    @dimitri21 nevermind it was the windows firewall.

    Powershell

    New-NetFirewallRule -DisplayName "Allow inbound ICMPv4 from Patch Svr" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress 192.168.71.110 -Action Allow

    I solved it by having a constant ping to my client and noticed the openVPN traffic spiked on the client but no reply. So I assumed it was the client. Then I turned off the firewall and had ping. I then noticed the scope ip range for a private network is only the local subnet, not the patching server. I then added the patching server ip address in and turned on the firewall and I didn't lose ping. I then decided rather than figuring out which profile it's in, rather to add specific firewall rules just for the patching server only.

    Hope this helps someone.

  • OpenVpn Site-to-Site Dns resolver

    0 Votes
    7 Posts
    832 Views

    @viragomann Hi, I solved! Your advice got me reasoning. I send you the configuration done: 10.10.2.254_services_dnsmasq.php.png

  • 1100 Standalone VPN without router?

    0 Votes
    5 Posts
    661 Views

    @johnpoz thanks and understood. The double nat suggestion sounds familiar and I assume it's safe to say that the pfSense features are a superset of whatever the freebie ISP router has (I don't have access to the mfr/model info at the moment) so we shouldn't be losing anything by moving the network to the pfSense unit.

    Many thanks!

  • 0 Votes
    8 Posts
    713 Views
    johnpoz

    @erlandghd well let us know how it works.. If you run into trouble, happy to help. But this weekend I prob not going to be around - My youngest son is getting married this weekend ;)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.