• 0 Votes
    4 Posts
    1k Views
    E

    In case this will help anyone else, I've figured this out....

    Here is a link on how to find the logs for NPS...

    https://social.technet.microsoft.com/Forums/windows/en-US/45aa3000-c32b-483b-8d6e-565b56b163fc/how-to-check-the-nps-logs-in-the-event-viewer?forum=winserverNAP

    Basically there are text file logs in c:\Windows\System32\LogFiles\In* , or you can check in Event Viewer under Diagnostics -> Event Viewer -> Custom Views -> Server Roles -> Network Policy.

    In my case, the problem users were set to "Deny Access" under the "Dial In" tab of the user properties in AD Users & Computers. Setting to Allow Access fixed it up.

    If you don't see the "Dial In" tab, this may be of help:

    https://support.microsoft.com/en-ca/help/975448/the-dial-in-tab-is-not-available-in-the-active-directory-users-and-com

    For me, I had to be on the server to get that tab, not accessing Active Directory Users and Computers on another PC.

    Hope this will help someone else.

    Thanks, Derelict, for pointing me in the right direction!

  • Want to route 5060 port traffic through openvpn

    0 Votes
    5 Posts
    1k Views
    A

    I've just successfully troubleshot a 2nd extension today:

    Depending on your OpenVPN connection (all traffic, DNS etc) you may want to change your PBX hostname in the SIP client from FQDN to LAN IP, and make sure that all Local networks are listed in the appropriate sip.conf file.

  • Openvpn to two lan networks.

    0 Votes
    11 Posts
    4k Views
    JKnottJ

    @pnunn

    The default route is simply the way out of the network. It's just like driving somewhere. The first thing you have to do is get out of your driveway. On more complex networks there may be other, more specific routes that might be used first, but eventually you'll need a default route. The only exception is at the top level, between ISPs, carriers, etc., where every possible route must be known and the packet gets dropped if there isn't a route.

    You could route through an interface, but only on point to point links. On Ethernet, there's always the possibility of more than one other NIC out there, so you can't rely on using just the interface.

  • 2 Different OpenVPN instances w/ unique users?

    0 Votes
    3 Posts
    595 Views
    B

    @viragomann maybe I screwed up then. I had a root CA, and under that I had two intermediate CAs, one for each OVPN. They were both able to log in. I'll try making two root CAs.

  • Openvpn server one way audio

    0 Votes
    5 Posts
    1k Views
    S

    @andrewz I did that already.

  • OpenVPN and CARP address. Problem to reconnect.

    0 Votes
    7 Posts
    785 Views
    DerelictD

    That is automatic if the OpenVPN server is bound to the CARP VIP. If it is not doing that you have something wrong. What that something is could be anything based on the information given.

    What would probably be telling are the OpenVPN logs from both nodes during a failover and failback. Maybe the system logs.

  • Client not able to connect - loop forever

    0 Votes
    6 Posts
    5k Views
    R

    @nikkon How do I disable suricata?

  • OpenVPN and Dynamic IP

    0 Votes
    10 Posts
    3k Views
    S

    Thanks a lot for the replies.

    Is there a way to make it shorter than 60-sec?
    Any setting to adjust?

  • pfsense as OpenVPN server only

    0 Votes
    2 Posts
    816 Views
    jimpJ

    Yes. The modem/edge router will need a static route pointing the VPN client subnet back to pfSense.

    When there is only one interface, it is WAN.

    That's a bit vague, but in general you'll still need a few things. pfSense will have to use the modem for its default gateway, you'll need firewall rules on pfSense to pass the VPN traffic in WAN and OpenVPN tab rules to pass VPN traffic in there.

  • OpenVPN Client dropping every second state

    0 Votes
    19 Posts
    2k Views
    O

    @jimp said in OpenVPN Client dropping every second state:

    Also "OpenVPN" is an interface group not an interface, so using it as a NAT destination may not always do what you expect, especially for outbound NAT since it would effectively round-robin in that way for outbound.

    Yeah I didn't realise it would round robin like that but now I do.

    @derelict said in OpenVPN Client dropping every second state:

    10.1.70.0/24 still looks wrong.

    I removed that em0.70 interface and configured the server properly. Now that route isn't there, which is good.

  • Problem with OpenVPN Client Export

    0 Votes
    12 Posts
    2k Views
    A

    @derelict said in Problem with OpenVPN Client Export:

    That's not correct. Use your own PKI.

    Thank you for your reply.

    No no, I am using my own keys. The problem was the COMODO keys, actually.

    Everything works perfectly now. Thank you for all your support.

  • Can't connect to VPN from certain networks

    0 Votes
    2 Posts
    398 Views
    DerelictD

    Nothing there would prevent access from one client over the other.

    The rules on WAN only allow connections to the VPN server itself. (Not sure why you have two there. It looks like the second one is superfluous).

    The OpenVPN rule passes all traffic from OpenVPN endpoints into the firewall.

    I would look at the client for the problem.

  • Double OpenVPN config on single network WAN>LAN>WAN2>LAN2

    0 Votes
    2 Posts
    420 Views
    DerelictD

    Honestly, in that case I would probably use IPsec.

    There really isn't enough information provided to make any recommendations. Need to know how the subnets are defined, etc.

    Zero idea what you are doing with that eth1 - eth2 loop at Site B, for instance.

  • HowTo: Route part of your LAN via TorGuard or PIA.

    0 Votes
    45 Posts
    29k Views
    GertjanG

    @poisonvodka said in HowTo: Route part of your LAN via TorGuard or PIA.:

    Did a lot of the screenshots disappear when forums migrated to netgate? :(

    Yep.

    But never mind, screenshots from 2 years back aren't very useful anyway - as is probably most info in this thread.

  • Subdomain for VPN Access

    0 Votes
    5 Posts
    3k Views
    M

    As flynjets already stated, for your subdomain, change your DNS record type to an A record pointed at your IP instead of a CNAME.

    If you want your clients to connect using your vpn.mydomain.com subdomain instead of an IP, that change is made during client export. I.e. change the Host Name Resolution option to "Other" and enter vpn.mydomain.com in the Hostname box.

  • Aggregating OpenVPN connections for higher speeds

    0 Votes
    3 Posts
    500 Views
    M

    @derelict Thanks for the response. Much appreciated.

  • IP based VPN connection

    0 Votes
    4 Posts
    621 Views
    B

    Sasansgh, if I were in your place, I would have contacted PIA's customer support team and asked them for the resolution of my query, because they would be in a better position to resolve your query.

  • I can ping through VPN-tunnel but not browse host

    0 Votes
    2 Posts
    510 Views
    G

    I would start by checking MTU sizes with the ping command.
    Why not use IPSEC for your site-to-site tunnel?

  • OpenVPN Bridging not passing data LAN/VPN

    0 Votes
    3 Posts
    608 Views
    M

    @johnpoz
    Any chance you have an idea here?

  • OpenVPN & XBox One Strict question

    0 Votes
    13 Posts
    2k Views
    johnpozJ

    You gave 2 examples where vpn makes sense - circumvention is the key... If what you are looking to protect yourself is your isp saying hey you can not do that p2p because you shared xyz whatever. Ok then sure vpn works..

    If you want to circumvent some geographic restriction, again sure vpn can make it look like you're coming from region A while you're really in B..

    But let's be clear here - you're not protecting yourself ;) You're hiding shit you could get in trouble for or trying to break someone's policy on where you can come from.

    So you policy route this traffic, and this traffic only. If your son wants to p2p.. then policy route his p2p traffic out the vpn. If you want your media player to stream something from region B, then policy route that connection out vpn in region B..

    Let's be honest here, you're not "protecting" yourself from big bad isp here ;) To be honest if you want to download p2p stuff you'd be much better off getting a seedbox somewhere in a country that has laxer laws and doing it all there, and then just use secure channels to that box to move what you want to and from it, https, sftp, etc.

    Routing all your traffic through a vpn is just nuts.. Paying some company X$ to protect you is nuts - better off just getting a box somewhere else and routing/doing what you want to do that is ?able there..

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.