• Multiple OpenVPN Servers

    11
    0 Votes
    11 Posts
    4k Views
    @johnpoz Thank you! And, I really should have seen that, ... doh!
  • Connection to pfSense openVPN - Routing through IPSec Tunnel

    3
    0 Votes
    3 Posts
    204 Views
    @viragomann Thank you so much. I think I'm already too used to the simplicity of openVPN.... thanks, I added the networks and it works. many greets markus
  • LDAP Auth Servers - AD bind problem with

    5
    0 Votes
    5 Posts
    4k Views
    thank you, that seems the only way, since pfsense isn't supporting SASL. tried yesterday also with Apache Directory Studio connection is accepted with StartTLS (no SASL), which doesn't work in pfsense. [image] and [image] this is getting me really confused. anyway i will try to export the CA and do it your way, (was unsuccessful today, to find out how/where to extract it from the synology. the only thing i got was the certificate, no CA ) thank you for your help, i will report back how it went (in about two weeks, have to pause this project).
  • OpenVPN - ECC with Secp256k elliptic curve does not work anymore

    3
    0 Votes
    3 Posts
    275 Views
    Hi, I have updated the VPN CA and TLS certificates, if that is what you meant? Sorry I am a beginner with VPN related stuff, still learning how it all works, thanks!
  • OpenVPN only and IP address WAN-LAN

    2
    0 Votes
    2 Posts
    204 Views
    @rnolin said in OpenVPN only and IP address WAN-LAN: If the customer keeps his router, what are the network architecture options? Can we use only the WAN or the LAN of Netgate 1100 ? If you insert pfSense as shown in the diagram you need both. I know that the WAN can't be in the same domain as the LAN, and if we absolutely have to use both the WAN and the LAN, does that mean we have to change all the IPs on the customer's workstations? Change the router's LAN network and connect pfSense to it. On pfSense configure the LAN network as it was on the router before. Other options are: Configure a transit network on the router and connect pfSense to it. You only need a single port connected to the existing LAN then, say LAN. Then you would need to add routes on the custom router for the VPN tunnel network and point it to pfSense, and on pfSense for the LAN and point it to the router. Do masquerading on pfSense. This works as well with a single port. The drawback is that, when accessing the LAN devices over VPN, they will see only the pfSense IP, not the real VPN client IP.
  • How to use same local network for IPSEC tunnel and OpenVPN server

    2
    0 Votes
    2 Posts
    180 Views
    @aredondo said in How to use same local network for IPSEC tunnel and OpenVPN server: Hi, I currently have in the pfsense configured an OpenVPN server with access to a specific local IP. But I also need to set up an IPSec tunnel where the local network is this same IP. From the same remote IPs? Which type of VPNs, road warrior or peer to peer?
  • OpenVPN client specific override DNS is not applied

    3
    0 Votes
    3 Posts
    298 Views
    lifeboy
    I have found a workaround. In Windows PowerShell I can do this:
        netsh dnsclient delete dnsserver "OpenVPN TAP-Windows6" all
        netsh dnsclient add dnsserver "OpenVPN TAP-Windows6" 192.168.131.191
    This sets the correct DNS server so that I can join the AD domain, which is the goal I was trying to achieve. It seems that the CSO adds the DNS records to the existing one, and doesn't replace it. Is that by design or can it be fixed/changed?
  • 0 Votes
    1 Posts
    74 Views
    No one has replied
  • iOS clients "connection refused" error

    4
    0 Votes
    4 Posts
    232 Views
    chudak
    After all it was unrelated to OpenVPN problem. Thx all!
  • 0 Votes
    4 Posts
    770 Views
    Hi, there is an option in the configuration of your OpenVPN Server: VPN / OpenVPN / Servers Duplicate Connection: Check! Exactly what I was looking for, thank you very much! and happy 4th tomorrow!
  • OpenVPN error pfSense Version 24

    1
    0 Votes
    1 Posts
    109 Views
    No one has replied
  • Site to Site OpenVPN Setup with a Debian System (as VPN Gateway)

    12
    0 Votes
    12 Posts
    1k Views
    @Bambos The first hit: Masquerading Made Simple HOWTO Something like this should do the job.
  • Netgate Box Acting as OpenVPN Client

    1
    0 Votes
    1 Posts
    96 Views
    No one has replied
  • Remotely Accessing Resources on OpenVPN Client

    3
    0 Votes
    3 Posts
    236 Views
    @viragomann Thank you for your response. While I was waiting for a response, I did try one more approach and I did manage to get it to work. Thanks for your time.
  • How to change MTU/MSSFIX values for OpenVPN in pfsense?

    8
    1
    0 Votes
    8 Posts
    16k Views
    JonathanLee
    https://redmine.pfsense.org/issues/15585 Shouldn't this export creation file include an option to customize the MTU and MSS? I opened a feature request for this, as I was wondering this today and referenced this thread. Please let me know if this is something you would like to see.
  • LDAPS authentication issue with Active Directory

    7
    0 Votes
    7 Posts
    5k Views
    @Leva We're seeing the exact problem here. Running pfsense+ 24.03. Did some research on the net in the meantime - there's a related post on Reddit (https://www.reddit.com/r/PFSENSE/comments/dc5mv8/pfsense_active_directory_authentication_using/). I've also opened a support ticket with Netgate (#2887255105) and hope we'll get this up and running finally.
  • 0 Votes
    3 Posts
    194 Views
    @viragomann Man, you ever look at something so long you miss the obvious? Thanks for pointing it out, I hate when I overlook something so simple!
  • Painfully slow site-to-site OVPN

    2
    1 Votes
    2 Posts
    170 Views
    I understand I need to calculate MTU and MSS values then set them in pfSense. From the test above I have identified the packets fragment above 1472. This would make the WAN MTU value 1500 (1472 + 28). If the correct MTU value is 1500 for the WAN link, is this the same MTU I should be using for OpenVPN?
  • Failover (two internet links) and point-to-point VPN

    8
    0 Votes
    8 Posts
    491 Views
    @jucelio_rosa said in Failover (two internet links) and point-to-point VPN: On the client's screen (graphic screen) I put in the custom options field: remote 192.168.1.15 (server ip) 1197 udp;! A private IP? I'd assume, that the client has to access a public IP to reach the server.
  • Remote access openvpn server can't access peer to peer openvpn servers

    11
    1
    0 Votes
    11 Posts
    754 Views
    @Shuldyk-Andrii Ah ya, also your client doesn't have proper routes. Did you enter the local networks of C - G into the "Local Networks" box of the access server settings? You can combine all your subnets by entering 10.35.32.0/20. So the server will push the route for 10.35.32.0 - 10.35.47.255, which includes the local network of A as well.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.