• DNS server push for OpenVPN split tunnelling

    0 Votes
    9 Posts
    1k Views

    @mstanding said in DNS server push for OpenVPN split tunnelling:

    I mean we add the company DNS server address into the DNS server settings for the split tunnelling

    You have to provide it in the OpenVPN server settings:
    e0d58fb2-0691-40b3-a548-8ef82d4e429d-grafik.png

    it doesn't get advertised to the clients.

    And on the client:
    65ade91a-acaa-432d-b526-1d6cbe239dff-grafik.png

    If this doesn't work, check the client's OpenVPN log for hints on what's wrong.

  • Set own DNS Server for VPN

    0 Votes
    2 Posts
    240 Views
    JKnottJ

    @unique24

    Yes, you configure that in the server settings under Advanced Client Settings.

  • Ovpn Remote Access Openvpncpnnect Android

    0 Votes
    18 Posts
    1k Views

    @Gertjan said in Ovpn Remote Access Openvpncpnnect Android:

    So you use the DNS of pfSense, the one you've set up in the OpenVPN server ?

    Yes

    @Gertjan said in Ovpn Remote Access Openvpncpnnect Android:

    You use a browser that doesn't override your DNS ?

    It seems that is not happening, as the same behavior can be replicated with a Windows 10 client.

    I've tried a layer 2 tunnel and it works fine for Windows; now I need to understand what's happening inside Layer 3, as some services work and others will not work.

  • OpenVPN Site to Site VPN broken TCP Sync issue.

    0 Votes
    17 Posts
    1k Views

    @Bohodir Hi,

    Ok, I will try it on another pfSense.
    Now, I downgrade to 2.6 to avoid any problems with this update..., waiting for Netgate to take action to correct it...

    I use User Auth + TLS/SSL on my configuration
    Thanks

  • 0 Votes
    9 Posts
    2k Views
    johnpozJ

    @BFost said in Looking for ideas on troubleshooting an OpenVPN file transfer speed problem.:

    is getting 60-70ms latency which seems totally fine to me

    You understand with that latency, your 8mbps is right in the ballpark for a window size of 64k.. So you really need to look at what is going on.

    math.jpg

    I take it they are downloading, and not uploading - because upload they have a max of 10 per their isp anyway..

    Are they on wifi.. We have lots of users report bad vpn performance - they were just on a shit wifi connection. If they plugged in a wire, no issue with their performance.

  • no ping between LANs via OpenVPN

    0 Votes
    2 Posts
    228 Views
    No one has replied
  • OPENVPN CLIENT TCP CONNECTION

    0 Votes
    2 Posts
    826 Views

    @gui-teixeira101 said in OPENVPN CLIENT TCP CONNECTION:

    Thanks,

    Hi,

    When I search the forum for the same topics, I think there is a real problem with the last update...
    It is so complicated to work with the last version...

    Does someone from the Netgate team have an answer for it, please?

  • Problems with OpenVPN routing with hub and spoke configuration

    0 Votes
    3 Posts
    424 Views

    @bp81

    I believe I solved my own problem. Posting the solution here for anyone else who may encounter a similar problem in the future.

    It occurred to me that each VPN server at HQ defined a separate tunnel network. Upon further examination, there were no routing table entries on the router at HQ to move traffic from the tunnel network for branch 1 to the tunnel network for branch 2, and vice versa.

    Tunnel network for branch 1 is 172.31.4.0/24. For branch 2 it's 172.31.8.0/24.

    For both servers defined at HQ, in IPv4 local networks, I put in an additional entry: 172.31.0.0/16. This subnet covers all possible tunnel networks I might define that start with 172.31.X.X.

    This resolved the issue. Traffic can now move from branch 1, to HQ, to branch 2 and vice versa without issue. I do not know for sure if this solution is "proper", but I do know that it works and it does this by creating the needed routing table entries to move traffic from one tunnel network to another.

    This was never an issue when I had a single server with many clients, because all clients existed in a single tunnel network, but when you have one client to one server, they all have separate tunnel networks, making the extra routing entries a necessity.

    The only reason I bothered with this is to use DCO, and it does make a big difference for our offsite backups, so it was worth the trouble.

  • Restarting all openvpn interfaces when one of the wan goes down

    0 Votes
    1 Posts
    227 Views
    No one has replied
  • OpenVPN to NPS ad authentication with Microsoft Authenticator

    0 Votes
    1 Posts
    248 Views
    No one has replied
  • Cannot Ping or connect network drive via VPN

    0 Votes
    5 Posts
    572 Views

    @viragomann Thanks for your help ... it works! The problem was that Kaspersky blocked it. After disabling Kaspersky it also blocked it... I had to go to the firewall port settings and allow it manually. Only deactivating Kaspersky is not working!

  • Check Antivirus presence

    0 Votes
    3 Posts
    258 Views

    ok thanks

  • VPN/OpenVPN/Servers/Peer to Peer (SSL/TLS) [site to site] wrong route?

    0 Votes
    8 Posts
    762 Views

    @viragomann it's working without advanced options.
    thank you!

  • VPN/OpenVPN/Servers/Peer to Peer (SSL/TLS) wrong route?

    0 Votes
    1 Posts
    317 Views
    No one has replied
  • 0 Votes
    7 Posts
    647 Views

    @johnpoz I had a trip to Iran and there everything in my laptop was messed up and my program hung.

  • vpn gateways randomly go offline, also randomly turn on

    0 Votes
    2 Posts
    277 Views

    An update. I have no idea why it looks like this recently.
    Screenshot 2023-08-18 at 10.51.15 PM.png

  • Set quota limit traffic per Openvpn user problem

    0 Votes
    1 Posts
    161 Views
    No one has replied
  • Connecting but not routing through OpenVPN

    0 Votes
    5 Posts
    741 Views

    @viragomann Yes - I had done that originally (and it was working for 6 years with the TLS key), but after the first OpenVPN server just stopped working altogether and I created the new one, all of the Mac/iPhone clients would connect properly with the new ovpn file, but the EdgeRouter would not. I know that it can use the TLS key, but for some reason when I include the TLS key now it fails. Something to take up with Ubiquiti I think! In any event, the pfSense is working as intended, so it's the EdgeRouter now that needs the attention!

    Thanks.

    Danita

  • OpenVPN 2.5.0 Certificate Verification Fails

    Locked
    0 Votes
    31 Posts
    19k Views
    jimpJ

    @Summer Start your own thread, this one is over two years old and highly unlikely to be the same issue.

  • Can't reach client-side LAN from OpenVPN TLS peer-to-peer

    0 Votes
    6 Posts
    593 Views

    @viragomann I am just trying to configure a single client now with the intention of adding more later. That said, the primary purpose is to be able to access client-side LAN devices from the server.

    In order to isolate the issue, I've removed that route from the local networks and am still seeing the exact same results.

    To confirm that I am able to ping from another subnet, I just set up a new shared key tunnel between the pfSense devices, and I was in fact able to ping 172.16.2.90 across the tunnel, from a different subnet.

    UPDATE: I seem to have connection now. Still testing to make sure everything is working as expected, but setting the client IPv4 Tunnel network to match the server's IPv4 tunnel network seems to have resolved it. Will try adding another client pfSense to see how this works with multiple clients.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.