@viragomann said in Create an Outbound route - Client to Site:

Add 192.168.20.15/32 to the "local networks" in the OpenVPN server settings.

How does the right side network know how to reach that user? This is a perfect example of why using the same subnet for 2 networks is a bad idea.

BTW, several years ago I used to do a lot of travelling with my work. I'd find myself in a hotel somewhere, unable to reach my home network, as it was the same subnet as the hotel. After running into that a couple of times, I decided to move my home network to 172.16.0.0 /24, as I had only once seen anything in 172.16 used elsewhere.

@viragomann Again, thanks a lot! If those issues were at least mentioned in the documentation - which appears to be a cookbook - one would have to ask fewer questions.

@sig1980 said in After Update to 23.09 Performance and stabillity issues:

something wrong with AES-NI Acceleration

Hi,

Thanks for the info, just upgraded and it is indeed better...
I still think it's less, ..... my usual speed (600-650), but this may be time interval dependent, I'll measure at other times.

9ea05dcf-083d-47ff-8899-743060e9a460-image.png

CDN77 gives the transit network to us, and it's darn well loadable, with no typical fluctuations.

What I find funny is that this hasn't been a problem for anyone but us?
There was a dead silence on this 🙃

PS:
long ago here on the forum, if there was such a VPN performance problem, - the thread would have spun up...
Thanks again for pointing this out to me (23.09.01), now I'm about to revert to CE everywhere in our deployments, but I'm already testing OPNsense as well.

@mzaknoen
You have to add the access server tunnel network (192.168.1.0/24) to the "remote networks" on the remote peer to peer endpoint to add the route for it back to the office.

@Ehughes-0 After some other issues have come to the forefront it appears this is more of an issue with Azure VPN than an issue with OpenVPN. I will update once I have a solution but I am engaging Azure for assistance with this.

@bchan you could review kernel initialization by running...

sysctl -a

...if you want to review what might not have 'come up' properly. a subsequent reboot could then affirm or disaffirm any findings.

@jimp Thanks for the clarification. We have not upgraded to 2.7.1 and we will attempt to get that changed over seamlessly for the user.

@Gertjan

that make sense!

My servers/clients certs are long time ago ecdsa-with-SHA512 but I see this drop down and it look like the default has changed.

ExportVPN 2023-12-01_15-40.png

Maybe some of my VPN exports in 2022 was still in the old legacy version and thats the problem now.

@viragomann thanks for the long reply, I appreciate your help and your patience ;-) (btw. it seems we could "talk" in german as far as I understand ... would have to happen in the "German" section of this Forum, I assume)

No, I don't want to bridge 60 client subnets. I wondered if a bridge would help in the shops where the openvpn client appliances run. Right now in my test shop the specific PCs run behind the SG1100 and are in a separated LAN there.

I should draw a new diagram ...

Right now the customer is testing things and sounds happy so far. I expect him to plug more PCs into that subnet today ... maybe the current setup already is good enough (while not yet perfect maybe).

It's very likely that I mix up concepts. You list NAT and routing as 2 ways of doing that, I maybe still don't fully see the lines between. As far as I understand right now, I currently have NAT and routing in place ...

Let me come up with another diagram, this time maybe more beautiful and with more details. I'd really like to get this as clean as possible before I have to scale it up to N vpn clients.

good morning from my side ...

Even if you get past that encryption error it will reject the certificates since Yealink's firmware only supports SHA1 certificates, and SHA1 certificates are not valid on OpenSSL 3.x

@ndemarco
You have to use different CAs on each server. So only users, who owns a client certificate from a certain server, can connect.

@viragomann Thank you for these explanations, everything is clear now :)

Ok, so I suggest to review the description of the input field from:

The virtual IPv4 network or network type alias with a single entry used for private communications between this client and the server expressed using CIDR (e.g. 10.0.8.5/24). With subnet topology, enter the client IP address and the subnet mask must match the IPv4 Tunnel Network on the server. With net30 topology, the first network address of the /30 is assumed to be the server address and the second network address will be assigned to the client.

to:

The virtual IPv4 network (or, just for net30 topology, a network type alias with a single entry) used for private communications between this client and the server expressed using CIDR (e.g. 10.0.8.5/24). ...

@dimnovotny

thank you for your howto. Did you find a way to detect id-changes and automate the configuration generation für pkcs11-id?

It shouldn't be a problem either way if you use a current version of pfSense with the current version of the export package. It properly sets the encryption on the PKCS#12 archive to be "high" by default which is compatible with OpenSSL 3.x. If you need to export for macOS/iOS (which don't support "high" level encryption on PKCS#12) you can set it to "low" which uses an older algorithm that is supported by both OpenSSL 3.x and macOS/iOS.

@dave-opc I had the workstation as my work computer for a while and it had no updates, it's an old Fujitsu Celsius M740. I will check again, have to switch to the 2nd machine and put back the windows disk.

@viragomann said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no rooting... same settings:

@gsp said in Tried to change ovpn p2p from shared key to SSL/TLS... Connection done but no rooting... same settings:

So in any case CSO is mandatory?

If you want to access a network behind the client, it is, as mentioned.

The CSO sets the iroute inside the OpenVPN server. This is needed to route the traffic to the proper client.
This routes will not shown up in the routing table of pfSense. There you will only see the network, which you stated in the server settings.

Thank you for your help! I have some sites interconnected with shared key option... Should I go to IPSec or ovpn p2p ssl , what do you think better? Because for many sites IPSec is now much easier setup... :)