Netgate Discussion Forum

    OpenVPN Site to Site VPN broken TCP Sync issue.

    17 Posts 3 Posters 1.4k Views
    bingo600 @Bohodir (last edited by bingo600)

      @Bohodir
      I'm using a VPN Server & Port per site for my S2S setup.
      It's set up with a /30 "connect net" ... "Makes magic happen", as pfSense then knows it can't be a multi-site, i.e. you can specify local & remote nets on the server (same for the remote client).


      Initially the multi VPN Server was chosen for better performance, as I was hoping that the servers would then be able to utilize more CPUs (as in multiple tasks).
      But I got the "/30 magic for free" too.

      My Roadwarrior (dial-in) VPN is a single Server with a /24, same topology.

      Do NOT use the "NET /30 Topology" in the drop-down box, it will be obsolete soon.

      I have "Adjusted VPN MTU" to 1450 on S2S connections, and to 1400 on my (Dial-in Server), as I was bitten by the Citrix ICA Client not working without that.

      The MTU adjust settings have to be equal on both ends, ALSO on the roadwarrior (dial-in clients) ... That was no fun, changing all the settings for the "dial-in clients".

      You can put the matching roadwarrior (dial-in client) settings in the client export settings.

      NB:
      If changing/adjusting on a S2S OVPN tunnel that is also used to manage the remote box:
      Change the settings on the remote box first (you'll lose VPN), and then change them on the local (HQ) box after that (VPN will connect again).

      FW OVPN Rules

      My "OpenVPN" Firewall Rule tab is empty (the one shown is disabled)

      I have added my "Servers" on the interface assignment tab, and they're now treated as normal interfaces, where I can apply the rules.

      /Bingo

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

      Bohodir @bingo600

        @bingo600 Hey, I appreciate the settings information and insights you provided. I'm really having a hard time after upgrading to 2.7. I'll test your way of setting it up; I liked your approach.
        Are you assigning the OpenVPN interface only on the Client side, or did you assign it on the OpenVPN server side also?
        The original OpenVPN interface rules have to be empty, right?

        Thanks man

        bingo600 @Bohodir (last edited by bingo600)

          @Bohodir
          Yes - the OVPN rules must be empty, else they override the interface settings.

          I'm assigning OVPN interfaces on both client & server side.
          IMHO it makes rules much easier to understand, as they are per instance, instead of one big "mess" ...

          Edit:
          Btw. I'm still running 2.6 on most sites, but did upgrade my "Test Fwall - Client" to 2.7, and saw no issues with the S2S VPN.
          The central (HQ) server is still running 2.6.

          Edit2:
          I'm using SSL/TLS certs + TLS key for all my VPNs.
          I generate all certs on the "HQ" box.
          I have chosen one (the same) CA for all S2S, but separate (per site) Server/Client certs.

          For Roadwarriors (dial-in), I have 3 Servers (different accesses, as in "adm", "trusted", "untrusted"), each with its own CA + own Srv + Client certs.
          My dial-ins have def-gw through the pfSense VPN tunnel, the S2S don't (they do local Inet exit).

          I use CSO on some of the dial-ins to assign a specific IP; that IP can then be allowed/denied in the FW interface rules.
          I.e. I can allow RDP to selected users, or other stuff.

          /Bingo


          Bohodir @bingo600

            @bingo600 Yeah, be cautious upgrading to 2.7 on both Server and Client, because my settings had been working without any issues since I started using pfSense 5 years ago.
            I'll need your update if you decide to upgrade all your nodes to 2.7. Hope it will not break things.
            Let me know how well it went when you upgrade all your nodes.

            Thanks,

            Bohodir @bingo600

              @bingo600 Hey, you're the man. I have resolved the issue with your settings for MTU and MSS; it appears these default values changed somehow in the newer version of OpenVPN. After exactly specifying the MTU/MSS values as you defined them, it is working like a charm. My old setup works only after changing these values.

              As an appreciation for your help, I wanna send you a Starbucks gift card for coffee; send me your email, man.

              bingo600 @Bohodir

                @Bohodir
                I'm glad it worked for you 👍
                What "mss/fragment values" did you have to use???

                Thank you for the Starbucks offer, but we don't have many of these here in DK.
                You could give my useful posts a "Thumbs up" instead.

                /Bingo


                Bohodir @bingo600

                  @bingo600 Hey, sorry, I was a little busy over the weekend. So your settings in the custom options section fixed the issue:

                  fragment 1450;
                  mssfix 1450;

                  After putting this in, it started working normally.

                  banzai30 @Bohodir

                    @Bohodir Hi,

                    It seems that I have a similar problem with my OpenVPN server.
                    I have a Client-to-Server OpenVPN active to allow my users to connect to it and go outside through the VPN.

                    But since the update to 2.7, it doesn't work.
                    I'm able to ping any services in the internal networks through the VPN, but no TCP traffic is OK, just the ACK.
                    I can make searches on Google but am unable to enter any site.

                    I tried to set fragment and mss to 1400 or 1450, but it doesn't work.
                    Do you only need to set it in the server configuration, or in the customer export configuration too?

                    Thanks a lot!

                    Bohodir @banzai30

                      @banzai30

                      I have to put these settings on both ends. In my situation I have been using the TLS/SSL method of server/client.

                      You have to put these in the custom field on both sides:

                      fragment 1450;
                      mssfix 1450;

                      Thank you.

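A check for the rule this thread converges on (bingo600's "MTU adjust settings have to be equal in both ends" and the fragment/mssfix custom options Bohodir posted), as an added example that is not part of the thread or of pfSense: it parses two pfSense "Custom options" blobs and reports where the server and client disagree. The option strings are constructed samples.

```python
import re
from typing import Dict, List

# Directives that the posts above say must be equal on both tunnel ends.
MTU_DIRECTIVES = ("tun-mtu", "fragment", "mssfix")


def parse_custom_options(text: str) -> Dict[str, List[str]]:
    """Parse a pfSense 'Custom options' blob (directives separated by ';'
    and/or newlines, as pasted in the thread) into {directive: args}."""
    opts: Dict[str, List[str]] = {}
    for raw in re.split(r"[;\n]", text):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts


def check_tunnel_pair(server_opts: str, client_opts: str) -> List[str]:
    """Return findings for a server/client pair; an empty list means agreement."""
    srv, cli = parse_custom_options(server_opts), parse_custom_options(client_opts)
    findings: List[str] = []
    for d in MTU_DIRECTIVES:
        s, c = srv.get(d), cli.get(d)
        if s is None and c is None:
            continue
        if s is None or c is None:
            findings.append(f"{d}: set on {'server' if s is not None else 'client'} only")
        elif s != c:
            findings.append(f"{d}: server={' '.join(s)} client={' '.join(c)}")
    # An mssfix above the fragment size leaves TCP segments to be fragmented in the tunnel.
    for side, o in (("server", srv), ("client", cli)):
        if "fragment" in o and "mssfix" in o:
            try:
                if int(o["mssfix"][0]) > int(o["fragment"][0]):
                    findings.append(f"{side}: mssfix larger than fragment")
            except (IndexError, ValueError):
                findings.append(f"{side}: fragment/mssfix needs a numeric size")
    return findings


# Constructed samples: the working pair from the thread and a mismatched client.
WORKING_SERVER = "fragment 1450;\nmssfix 1450;"
WORKING_CLIENT = "fragment 1450; mssfix 1450"
BROKEN_CLIENT = "fragment 1450;\nmssfix 1500;"  # client clamp above the fragment size

if __name__ == "__main__":
    print("working pair:", check_tunnel_pair(WORKING_SERVER, WORKING_CLIENT) or "OK")
    for f in check_tunnel_pair(WORKING_SERVER, BROKEN_CLIENT):
        print("MISMATCH:", f)
```

Paste the server's and the exported client's custom options into the two strings to confirm both sides carry the same values before changing the remote end first, as bingo600's NB advises.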
                      banzai30 @Bohodir

                        @Bohodir Hi,

                        Ok, I will try it on another pfSense.
                        For now, I downgraded to 2.6 to avoid any problems with this update..., waiting for Netgate to take action to correct it...

                        I use User Auth + TLS/SSL in my configuration.
                        Thanks

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.