@viragomann said in OpenVPN client computer names:

So you will have to request the responsible admin to do this.
Can't think of any you can do on the OpenVPN server, since the clients use equal user accounts on the terminal server.

Maybe you got me wrong. Both our employees and subcontractors have their own individual OpenVPN accounts. However, they have one user account for the customer's system (another company). We connect to this client's network (another company) through the IPsec tunnel. When our employee tries to log into this system and the subcontractor is already logged in, a message appears that this user is already logged in to the computer (and the computer name appears here). If I could link an OpenVPN account with an unknown computer name of the subcontractor, I would know who to turn to, e.g. to log out.
Currently, subcontractors get static IP addresses from OpenVPN. So I am able to bind the user - ip account, but I am not able to bind the ip address - computer name.

@viragomann Makes sense - I put that into the Local Networks box and now it's all set. I kept the CSO setup because it makes for easier export of the installers or config files with the certificates embedded for the specific 'user' or cert - but since this was my use case - it's working perfectly now.

Thank you for all your help today - I learned a lot.

@viragomann Thanks this was very helpful. I looked again at the certs and found that the Peer Certificate Authority for the one in Question was actually a server cert instead. Changed it back to the Intermediate CA it should have been and the list is populating.

That is more of a question for OpenVPN than pfSense. If OpenVPN supported it, pfSense could use it.

IIRC it had something to do with the HMAC being a part of the shared key in that mode, and AEAD ciphers like AES-GCM and CHACHA20-POLY1305 want to do hashing themselves. I could be misremembering that, though.

I'm not sure what will change here but something is going to have to change in OpenVPN since 3.0 hardcodes the ciphers and only uses AES-GCM and CHACHA20-POLY1305. Maybe they find a way to make it work, or maybe they drop shared key mode.

Update :
Look like it's the latency which impact the TCP VPN.
Wel, I cannot do to much things about it, so I will keep 2 VPN and when UDP is blocked, I will use the TCP.

@bob-dig Thank for your reply.

Currently my OpenVPN settings is here
45e6a85a-52bd-4dd6-a4f1-bd1e35d3a009-image.png
In the above photo, 192.168.160.0/24 IPv4 Local network which OpenVPN Client can access.
With this setting, I can connect to Nextcloud using nextcloud.mydomain now

@jimp I spent about 5 hours today trying to figure this one out. It's a shame the default setting is incorrect - no tutorial has mentioned this. Thanks.

I've set :

1b1768a4-d299-443e-9504-4bca4411a3ad-image.png

So, no surprise, I see in the logs the same thing :

2021-07-15 12:44:55.799700+02:00 openvpn 48505 GertjanHome/92.184.123.121:55566 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

I also saw the same thing on the client side - in the logs of my Phone..

Found. There was old certificates generated using easy-rsa before pfsense installation. And it was added to crl. New certificate was created with same serial and became revoked. I created new one and all works.

There is a bug in pfsense - it should check crl and show "revoked" for certs with revoked serial.

@ryu945 said in DNS Redirect over OpenVPN:

Why did I have to use subnet IPs instead?

I have not idea what you actually did.. You can for sure use specific IPs in the rules for source and destination..

Maybe you had the wrong IPs in source or destination, maybe there was a state already if you were trying to to block something..

Order of rules matter! Top down, first rule to trigger wins, no other rules are evaluated, etc.

@milliput said in Local printer, OpenVPN, remote server:

the server tech told me i need a bidirectional tunnel

What?? Sorry but that has zero to do with printing through rdp..

For the "server" to print to some printer on the clients network - yes you would need a site to site vpn setup where the server network knows how to get to the client network.. Never in 30 years in biz heard any one call such a thing a bidirectional tunnel ;) hehehe

But that is not what your doing.. Your printing to a local resource from your rdp client... There could be some issues with drivers on the server your rdping too.. But thought they fixed that in like windows server 2008, maybe r2 with easy print driver or something.. Been years and years since had to deal with such stuff.

But its not your "vpn" setup that is causing the problem that is for damn sure ;)

is this printer usb printer on the rdp client or a network printer on the clients network. Its possible vpn setup send all traffic down tunnel and not allow split tunnel. But didn't think openvpn did that out of the box even when using default gateway through the tunnel..

What exactly is the client using for the rdp client? Are they set to use the local printer resource like my pic?

site-to-site

So you have a site to setup setup with pfsense to this remote site where the server you rdp is?

@viragomann

The cisco router has a fixed "vpn" connection the corporate "intranet" (194.82.54.70), thats why I can only access it within the LAN through the gw 10.132.37.1.

I missed that about the outbound rule.
I have added it as an extra outbound rule with dest.194.82.54.70/32 .
I can now ping it from my vpn user.

Awesome.
Thank you for your great help, I really appreciate it.

@3lmar It turned out it was a totally different problem.
The solution is somehow related to pfsense, because I would not have found it without pfsense's package capture.
My windows 10 notebook on the OpenVPN was trying to connect via port 80, which seemed strange. I learned it did that, because the share wasn't on the same subnet.
The solution was to disable NetBIOS over TCP/IP: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/direct-hosting-of-smb-over-tcpip

Sorry for having disturbed you.
Maybe this helps anybody else, who like me wouldn't expect a problem with windows pcs connecting to windows pcs.
I should have stayed with linux.

@johnpoz said in Strange VPN Kill Switch Problem:

https://forum.netgate.com/topic/67692/openvpn-kill-switch/6

That would be the other solution but is more prone to user error and I had to much open states with it if I recall correctly.

You can also combine both to be really secure. 😉

@bcruze said in PIA server changes:

@cobrahead said in PIA server changes:

@bcruze said in PIA server changes:

There is also that super helpful ping command

How can find PIA servers using the ping command? I am not trying to figure out which server I am using, I was looking for the entire list of servers, which used to be posted on their website.

i misread. i thought you meant by IP address
I apologize

It's all good. 😁

@dmallia said in VPN Speed:

@ryu945 said in VPN Speed:

What is your RAM usage?

I have 3GB assigned to pfsense and it stays at 2.45GB used (approx 82%). no changes when I test vpn speed.

The fact that such a slow speed has you use so much RAM makes me wonder if it is a RAM capacity issue. I know higher speeds need more RAM. That said, that does seem like a lot of RAM being used for that much speed. You can try giving it more RAM. I wonder if this is the issue because I have literally seen old wireless routers completely cut out when they try to pull bandwidth to fast. I assumed it was a lack of RAM to run the connection.

Also, what is your RAM speed?

For some reason, it is working now.