• Need to log OVPN user activity to syslog server. How ?

    4
    0 Votes
    4 Posts
    795 Views
    DaddyGoD

    @bingo600 said in Need to log OVPN user activity to syslog server. How ?:

    Btw: Who would prefer Bridging to Routing ??

    Hmmm, Hi 😉

    don't declare this like this, just think of branch to branch (VPN)

    TUN and TAP are not in vain (developers are not stupid)

    +++edit:

    yeah and nowadays the log files are the ones that take up the least space in a logged environment...

    we store a lot more nonsense stuff, like your FaceBoo... ksit stuff, just kidding.... you don't have FB 😉

  • HELP routing VLAN devices through OpenVPN client connection

    4
    0 Votes
    4 Posts
    737 Views
    JKnottJ

    @marvosa said in HELP routing VLAN devices through OpenVPN client connection:

    Also, I'd dump that TP-Link asap... it'll only cause issues ;)

    I forgot to mention that, even though I thought about it when I read that message. I ditched my TP-Link AP a couple of weeks ago, for that reason.

  • 0 Votes
    12 Posts
    3k Views
    D

    I deleted the post with the link to the screenshots since the topic/discussion has gone stale.

  • pfSense blocking outgoing OpenVPN traffic

    11
    0 Votes
    11 Posts
    1k Views
    M

    @warnerthuis So, the issue lies in the tunnel between work and the hosting site. Post the server1.conf from the server and client1.conf from the client.

  • VPN working but client doest use wan ip

    3
    0 Votes
    3 Posts
    406 Views
    N

    @viragomann

    Thanks for help :)

    " Go into the server settings and check "Redirect gateway IPv4" and also ~IPv6 if needed."

    that was missing, now it's working =)

  • Routing issues with Split Tunnel OpenVPN+FreeRAdius

    3
    0 Votes
    3 Posts
    482 Views
    M

    @jacksonp Post your server1.conf (/var/etc/openvpn).

  • OpenVPN Communication Problem

    7
    0 Votes
    7 Posts
    790 Views
    S

    @mcury Well, after the last several days going at this, I decided to do another reboot of my pfsense. I had a strange crash code once I restarted, so I rebooted again to see if it was just a one time thing.

    After rebooting I tested the VPN and everything is now working. Looks like my hardware just didn't want to cooperate with me.

    Thanks for the troubleshooting! I still have no idea why it was giving me problems.

  • OpenVPN Server & IPv6 Gateway

    2
    1 Votes
    2 Posts
    500 Views
    lanratL

    @aewhitlock Did you ever resolve this?

    I'm having the exact same issue as well where the auto-generated OpenVPN IPv6 gateway uses a different IPv6 IP than the VPN's IPv6 address when the IPv4 address and gateway are the same.

    In my setup the IPv6 gateway is auto-generated as *:103::2, but the actual address on the interface is *:103::1.

    For IPv4 they are both 192.168.3.1 as expected.

    I can't figure out why pfsense thinks the gateway should be *:103::2 and not *:103::1.

  • openvpn redirect all traffic through the server

    4
    0 Votes
    4 Posts
    426 Views
    bingo600B

    @canernecocaner

    This setting is on the server

    I don't know if you have to export new files for the clients, in order to activate it there.

    /Bingo

  • 0 Votes
    13 Posts
    1k Views
    T

    You should probably somehow mark this thread as "solved".

  • Openvpn extracted configuration not working on client

    5
    0 Votes
    5 Posts
    2k Views
    H

    I found out the issue:
    checking in system logs openvpn there was this error:
    Options error: --server directive when used with --dev tun must define a subnet of 255.255.255.248 (/29) or lower
    corrected in vpn--openvpn--server--edit
    now I have other errors but at least they are not unknown.

  • Openvpn Peer to Peer Server Instance Statistics Help

    3
    0 Votes
    3 Posts
    285 Views
    H

    it seems to work, at least now I am getting intelligible errors.

  • OpenVPN Client Export Error

    4
    0 Votes
    4 Posts
    2k Views
    A

    @viktor_g
    I looked over the release notes. You are 💯correct. (For now) only the beta release of Tunnelblick supports OpenVPN 2.5.0.

    Today I downloaded Tunnelblick 3.8.5beta01. I unchecked the "Legacy Client" setting (within the PFSense WebGUI). I then clicked the "Save as Default" button. Next, I downloaded the "Viscosity Inline Config" file. When I double-clicked on the .ovpn file I was presented with the same-exact installation alert.

    For now, I will reenable the legacy client setting. But I'm still curious to know when the client export file will "play nicely" with Tunnelblick.

    -Michael-

  • How to import credentials to activate OpenVPN Client

    5
    0 Votes
    5 Posts
    593 Views
    W

    @viragomann
    Now it works and I have my Static IP, but another problem arises for which, however, I open a separate topic.
    In the meantime, thanks for the help.

  • TLS keydir direction

    6
    0 Votes
    6 Posts
    2k Views
    V

    I had this feeling and thanks for confirming it. I'll remove the direction.

  • OpenVPN performance tests don't match up

    19
    0 Votes
    19 Posts
    2k Views
    D

    doing more and more testing. two systems now. both 1151 based. both setups have the same memory, 32GB (16GB x2 of DDR4-2666Mhz ECC UDIMM)

    pfSense Hardware

    Supermicro 1019C-FHTN8 with Intel Xeon E-2278G (8c/16t, 3.4Ghz, 5.0Ghz turbo), idles at ~26w
    Supermicro 505-203B / X11SCL-IF with Intel Pentium Gold G5400 (2c/4t, 3.7Ghz, no turbo), idles at ~16w

    Both systems have Intel I210 NICs, but I also tested an Intel X710-DA2 10g dual port SFP+ NIC (on the LAN side only). The 1019C-FHTN8 is fun because it has 8 i210 NICs!

    OpenVPN Clients

    i9-9900KF running Ubuntu 20.04
    i7-7800X running Ubuntu 20.04

    Both clients are AIO water-cooled and slightly overclocked, so there should be no client-side bottlenecks with 1 Gbps links.

    Testing Matrix

    pfSense 2.4.5-p1 vs pfSense 2.5.0-nightly
    VM vs Bare metal installs
    PCIe pass-through of NICs vs VirtIO

    Again, in all cases, this OpenVPN test is totally bogus and is wildly off from real world numbers.

    openvpn --genkey --secret /tmp/secret
    time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-gcm

    Observations

    Proxmox KVM adds about 10-20% overhead
    VirtIO NIC perform nearly identical for 1 Gbps vs PCI pass-through (probably due to both CPUs being fairly powerful)
    pfSense 2.5 is about 4% faster than pfSense 2.4 in iperf3 tests
    OpenSSL could be used to compare
        openssl speed -elapsed -evp aes-256-gcm
        the results of this test matched nearly the differences in each iperf3 test, percentage-wise
    X710-DA2 NIC adds about 4-5 watts to each system's total idle power

    Bare Metal Results

    Intel Xeon E-2278G through using OpenVPN with AES-256-GCM was ~810-850 Mbps
    Intel Pentium Gold G5400 using OpenVPN with AES-256-GCM was ~760-800 Mbps

    Before I sent back my Supermicro A2SDi-4C-HLN4F, Intel Atom C3558, I managed to do some quick testing

    Observations

    Idles at 22w, but maxed out at 26w, whereas the 1151 systems maxed at 40w and 110w when CPUs are loaded with stress-ng --matrix 0
    Under Proxmox as a guest, OpenVPN performed at nearly 50% loss in total throughput using a simple iperf3 test

    C3558 was just not great under Hypervisor/Guest situation, even though pfSense was the only guest on an otherwise idle system. I have no explanation, other than it was repeatable and what I observed.

    Conclusions

    If you are using some embedded CPU like Intel Atom, then bare metal setup is the way to go. If you are using a fairly fast CPU, even the Pentium Gold series, it seems like for gigabit speeds on firewall, CPU is not the bottleneck. For OpenVPN itself, I was unable to achieve 1 Gbps AES-256-GCM even with the E-2278G @ 5Ghz.

    The convenience of VM, being able to easily snapshot VM before a major upgrade, etc, probably outweighs the OpenVPN performance hit, plus the power savings if you are already running a Proxmox setup. I would love for pfSense with ZFS to support taking a snapshot of itself before an upgrade so you can easily rollback if it goes south. If you needed real serious OpenVPN performance, you probably wouldn't be doing it on your router anyway and using a VPN appliance.

    I did not test any VLAN performance, which is all done on the CPU with pfSense, but I would imagine the VM overhead would exist there as well.

    I have CenturyLink Fiber, so it uses PPPoE and the FreeBSD bug (although pfSense won't call it a bug for some odd reason, which does not exist in Linux), basically only uses 1 of the WAN NIC's queues, so when testing outside of my lab and actually hooking this up to the internet, my overall speeds were even worse, given it's basically single-threaded now inside the kernel. Documented here, here, and here.

    Thoughts

    FreeBSD has become a toy compared to Linux over the past decade. The Linux device drivers, kernel, applications, etc all have eclipsed BSDs at this point and with nftables replacing iptables on Linux, I would love to see pfSense router based on Linux instead of FreeBSD :)

    I also tested Wireguard on Debian 10.6 and Ubuntu 20.04, behind pfSense, and in each case, Wireguard was easily able to achieve 1 Gbps. Wireguard is probably the future of VPNs at this point :)

  • Programmatic way to download OpenVPN profiles?

    1
    0 Votes
    1 Posts
    198 Views
    No one has replied
  • Unprivileged users can export other user profiles

    Locked
    6
    0 Votes
    6 Posts
    632 Views
    jimpJ

    What you are attempting is to lock users into downloading their own profiles only, which is not supported. Demonstrably. Or you wouldn't be posting.

    You can make your own patch, sure, but it won't be secure. It's an awful practice. Your VPN is only as secure as your weakest link, and allowing users to download the VPN config using only their username/password nullifies any other security factors you have configured (TLS keys, certificates, etc).

  • 0 Votes
    3 Posts
    643 Views
    N

    @viragomann thank you for the suggestion, I am gonna give it a try, we should fix the issue by having the remote endpoint add a phase 2 for the openvpn subnet but in the meantime this should fix it as well.

  • Tutorial: Configure PIA (Private Internet Access) VPN on pfSense 2.4

    16
    1 Votes
    16 Posts
    18k Views
    T

    The config in this article fixed my slow pfsense sg-3100 pia openvpn. The official documentation isn't accurate and I also had to piece together the setup, which matched this thread. I only got 30MiB out of 400MiB. I switched to AES 256 Strong Auth and the speed immediately jumped to 300. Thanks.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.