  • DCO unable to connect (unsolvable)

    12
    0 Votes
    12 Posts
    1k Views
    V

    @McMurphy said in DCO unable to connect (unsolvable):

    data-ciphers AES-256-GCM
    data-ciphers-fallback AES-256-GCM

    This is not really meaningful, and apart from this it differs from the Windows settings, where AES-256-CBC is used.

  • OpenVPN questions (DNS, Speed, Reliability etc)

    5
    0 Votes
    5 Posts
    287 Views
    LaxarusL

    @Gertjan said in OpenVPN questions (DNS, Speed, Reliability etc):

    I'll say it upfront: not sure if it's wise to have identical domain names on two different locations.

    It is definitely not wise and the logic says I should switch to another domain name for one of the sites but it is just too troublesome. The only way I can think of to have a unified DNS is to manually set up the DNS entries on both sites which is too ugly and clearly not a standard approach.

  • Openvpn portforwarding

    1
    0 Votes
    1 Posts
    112 Views
    No one has replied
  • 0 Votes
    2 Posts
    149 Views
    L

    @lsw793237040

  • push DNS on openvpn not work

    1
    0 Votes
    1 Posts
    148 Views
    No one has replied
  • Openvpn connection timeout from certain external ip address

    7
    0 Votes
    7 Posts
    730 Views
    GertjanG

    @sbob990

    I showed you my OpenVPN firewall rule, the one that accepts 'UDP, port 1194' from 'everybody'.
    Such a rule accepts OpenVPN traffic from everybody.
    No 'blacklisting' is happening on pfSense. That is, you didn't tell us about that.

    If you don't see the traffic counter in front of the rule going up when you connect, the traffic never arrives at the pfSense WAN NIC.

    You have an upstream router? Did you NAT that router?

  • Multiple OpenVPN Servers

    11
    0 Votes
    11 Posts
    4k Views
    G

    @johnpoz

    Thank you! And, I really should have seen that, ... doh!

  • Connection to pfSense openVPN - Routing through IPSec Tunnel

    3
    0 Votes
    3 Posts
    176 Views
    M

    @viragomann
    Thank you so much.

    I think I'm already too used to the simplicity of openVPN.... thanks, I added the networks and it works.

    many greets markus

  • LDAP Auth Servers - AD bind problem with

    5
    0 Votes
    5 Posts
    518 Views
    A

    thank you, that seems the only way, since pfSense isn't supporting SASL.

    tried yesterday also with Apache Directory Studio
    connection is accepted with StartTLS (no SASL), which doesn't work in pfSense.
    this is getting me really confused.

    anyway
    i will try to export the CA and do it your way,
    (was unsuccessful today, to find out how/where to extract it from the synology. the only thing i got was the certificate, no CA 🙈)
    thank you for your help, i will report back how it went (in about two weeks, have to pause this project).

  • OpenVPN - ECC with Secp256k elliptic curve does not work anymore

    3
    0 Votes
    3 Posts
    206 Views
    M

    Hi, I have updated the VPN CA and TLS certificates, if that is what you meant? Sorry I am a beginner with VPN related stuff, still learning how it all works, thanks!

  • OpenVPN only and IP address WAN-LAN

    2
    0 Votes
    2 Posts
    158 Views
    V

    @rnolin said in OpenVPN only and IP address WAN-LAN:

    If the customer keeps his router, what are the network architecture options?
    Can we use only the WAN or the LAN of Netgate 1100 ?

    If you insert pfSense as shown in the diagram you need both.

    I know that the WAN can't be in the same domain as the LAN, and if we absolutely have to use both the WAN and the LAN, does that mean we have to change all the IPs on the customer's workstations?

    Change the router's LAN network and connect pfSense to it. On pfSense configure the LAN network as it was on the router before.

    Other options are:

    Configure a transit network on the router and connect pfSense to it. You only need a single port connected to the existing LAN then, say LAN.
    Then you would need to add routes on the custom router for the VPN tunnel network and point it to pfSense, and on pfSense for the LAN and point it to the router. Do masquerading on pfSense. This works as well with a single port.
    The drawback is that, when accessing the LAN devices over VPN, they will see only the pfSense IP, not the real VPN client IP.
  • How to use same local network for IPSEC tunnel and OpenVPN server

    2
    0 Votes
    2 Posts
    157 Views
    V

    @aredondo said in How to use same local network for IPSEC tunnel and OpenVPN server:

    Hi, I currently have in the pfsense configured an OpenVPN server with access to a specific local IP.
    But I also need to set up an IPSec tunnel where the local network is this same IP.

    From the same remote IPs?

    Which type of VPNs, road warrior or peer to peer?

  • OpenVPN client specific override DNS is not applied

    3
    0 Votes
    3 Posts
    233 Views
    lifeboyL

    I have found a workaround. In Windows PowerShell I can do this:

    netsh dnsclient delete dnsserver "OpenVPN TAP-Windows6" all
    netsh dnsclient add dnsserver "OpenVPN TAP-Windows6" 192.168.131.191

    This sets the correct DNS server so that I can join the AD domain, which is the goal I was trying to achieve.

    It seems that the CSO adds the DNS records to the existing one, and doesn't replace it. Is that by design or can it be fixed/changed?

  • 0 Votes
    1 Posts
    63 Views
    No one has replied
  • iOS clients "connection refused" error

    4
    0 Votes
    4 Posts
    198 Views
    chudakC

    After all, it was a problem unrelated to OpenVPN.

    Thx all!

  • 0 Votes
    4 Posts
    595 Views
    A

    Hi,

    there is an option in the configuration of your OpenVPN Server:

    VPN / OpenVPN / Servers

    Duplicate Connection: Check!

    Exactly what I was looking for, thank you very much! and happy 4th tomorrow!

  • OpenVPN error pfSense Version 24

    1
    0 Votes
    1 Posts
    103 Views
    No one has replied
  • Site to Site OpenVPN Setup with a Debian System (as VPN Gateway)

    12
    0 Votes
    12 Posts
    918 Views
    V

    @Bambos
    The first hit:
    Masquerading Made Simple HOWTO

    Something like this should do the job.

  • Netgate Box Acting as OpenVPN Client

    1
    0 Votes
    1 Posts
    84 Views
    No one has replied
  • Remotely Accessing Resources on OpenVPN Client

    3
    0 Votes
    3 Posts
    202 Views
    B

    @viragomann Thank you for your response.

    While I was waiting for a response, I did try one more approach and I did manage to get it to work.

    Thanks for your time.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.