OpenVPN questions (DNS, Speed, Reliability etc)
-
Hey,
I just need a little bit of direction and assistance. I need a smart way to fix the DNS issue on my site-to-site setup.
I set up the site-to-site VPN. Everything works correctly. I can ping and access everything by IP.
However, I would also like to utilize DNS on both sites. Manually updating every DNS entry for every site seems too ugly and tedious. Both sites use the same internal domain, and clients are registered in the DNS Resolver of each site.
OVPN Settings:
DH Parameter Length 4096 bits
AES-256-GCM
SHA-512
Peer-to-Peer (SSL/TLS)
UDP
TLS Auth
Site A (Server)
Xeon(R) D-2123IT Bare metal pfSense Plus
DNS Resolver
mydomain.org (internal domain)
Site B (Client)
Celeron(R) N5105 Bare metal pfSense CE
DNS Resolver
mydomain.org (internal domain)
What would be the best way to achieve a unified DNS in this case for Site A and Site B?
The other question: Site A has a broadband connection, but Site B is using an unreliable 5G connection (speeds vary depending on the rush hours; it varies greatly between 1 Mbps and 120 Mbps). How do I make sure that the connection is more reliable? I noticed using TCP is slower but more reliable and UDP is faster but shaky.
Will lowering the crypto settings help speed things up? I am not short of CPU horsepower though.
The last question is about the Client Specific Overrides and related IP settings, which are very confusing to me.
According to the docs (https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html), for IPv4 Local Network(s) it says "Enter the LAN subnets for all sites including the server:". However, in the UI, it says:
"IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges or host/network type aliases. This may be left blank if not adding a route to the local network through this tunnel on the remote machine. This is generally set to the LAN network."
This seems conflicting to me; as the remote endpoint can already access its subnets, why do I need to redefine them here?
And if I leave the server-side IP settings blank, other than the tunnel network, and define them per client in the "client override", will it work?
I would very much appreciate it if anyone can help me out with these questions.
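As an added illustration (not from the original post or the Netgate docs; the LAN and tunnel addresses, the hostname and the client CN are constructed), the relevant OpenVPN directives that the pfSense UI fields turn into, for a Peer-to-Peer (SSL/TLS) server with one client site. It also shows the Client Specific Override case, which goes beyond the quoted doc text.

```conf
# Site A = server, Site B = client. Assumed addresses (constructed):
#   Site A LAN 192.168.10.0/24, Site B LAN 192.168.20.0/24, tunnel 10.8.0.0/24
# Only the routing-related directives are shown, not a complete config.

# --- Server (Site A) ---
server 10.8.0.0 255.255.255.0
# "IPv4 Local Network(s)" on the server page: pushed to every connecting client,
# so the client learns to send traffic for these networks into the tunnel.
# This is why the docs say "all sites": with several client sites, listing the
# other clients' LANs here is what lets Site B reach Site C through the server.
push "route 192.168.10.0 255.255.255.0"
# "IPv4 Remote Network(s)" on the server page: a kernel route on the server
# pointing Site B's LAN at the tunnel interface.
route 192.168.20.0 255.255.255.0

# --- Client Specific Override for Site B (matched by its certificate CN) ---
# "IPv4 Remote Network(s)" in the override becomes an iroute, which tells the
# OpenVPN process which client owns that LAN. The kernel route above alone is
# not enough: without the iroute, packets for 192.168.20.0/24 are dropped.
#   iroute 192.168.20.0 255.255.255.0
# "IPv4 Local Network(s)" in the override pushes a route to this client only,
# which is how the server-side field can be left blank and set per client:
#   push "route 192.168.10.0 255.255.255.0"

# --- Client (Site B) ---
client
remote vpn.site-a.example 1194 udp   # placeholder hostname
# "IPv4 Remote Network(s)" on the client page: static route to Site A's LAN.
# Redundant when the server pushes the same route, but needed if it pushes nothing.
route 192.168.10.0 255.255.255.0
```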
-
@Laxarus said in OpenVPN questions (DNS, Speed, Reliability etc):
What would be the best way to achieve a unified DNS in this case for Site A and Site B?
You mean this: pfSense and VPN Tunnel (site to site) sharing DNS?
@Laxarus said in OpenVPN questions (DNS, Speed, Reliability etc):
I noticed using TCP is slower but more reliable and UDP is faster but shaky.
Well, congratulations!
That's a pretty good way to explain the difference between UDP and TCP.
@Laxarus said in OpenVPN questions (DNS, Speed, Reliability etc):
Will lowering the crypto settings help speed things up?
Noop.
Lowering the crypto will only expose you to more risks. It won't make the connection more reliable.
That said: when you send fewer bits, the chance that something fails during transport is also lower.
I'll finish up with: it isn't worth it.
@Laxarus said in OpenVPN questions (DNS, Speed, Reliability etc):
Site B is using an unreliable 5G connection (speeds vary depending on the rush hours; it varies greatly between 1 Mbps and 120 Mbps). How do I make sure that the connection is more reliable?
Even if you go outside, knock on every door in the neighborhood, and ask if everybody can switch off their 5G device so your connection will get better, you still have to deal with the erratic way radio waves behave. Even sunspots have an effect!
Basically: you can't do anything.
-
Hey @Gertjan, first, thank you very much for your detailed reply. I really appreciate it.
@Gertjan said in OpenVPN questions (DNS, Speed, Reliability etc):
You mean this: pfSense and VPN Tunnel (site to site) sharing DNS?
I checked this Reddit thread, but it is not exactly applicable in my case, since both Site A and Site B are using the same internal domain name. So, domain overrides will not work. You might ask "why not change the domain name of one of the sites?" The reason is that changing the domain name on one of the sites is too complicated. (Need to change local certificates, reverse proxies, and a bunch of other things, etc.)
@Gertjan said in OpenVPN questions (DNS, Speed, Reliability etc):
Noop.
Lowering the crypto will only expose you to more risks. It won't make the connection more reliable.
So, correct me if I am wrong: if I switch to AES-GCM-128 from GCM-256 and from SHA512 to SHA256, will it not make any noticeable speed difference?
@Gertjan said in OpenVPN questions (DNS, Speed, Reliability etc):
Even if you go outside, knock on every door in the neighborhood, and ask if everybody can switch off their 5G device so your connection will get better, you still have to deal with the erratic way radio waves behave. Even sunspots have an effect!
I thought long and hard about this but could not come to a conclusion. I was thinking of increasing the buffer and playing with the MTU, but could not come to a solid conclusion.
-
@Laxarus said in OpenVPN questions (DNS, Speed, Reliability etc):
I checked this Reddit thread, but it is not exactly applicable in my case, since both Site A and Site B are using the same internal domain name. So, domain overrides will not work. You might ask "why not change the domain name of one of the sites?" The reason is that changing the domain name on one of the sites is too complicated. (Need to change local certificates, reverse proxies, and a bunch of other things, etc.)
I'll say it upfront: not sure if it's wise to have identical domain names in two different locations.
If these two networks are isolated and don't contact each other, then why not.
But you changed the rules: you've interconnected them.
And something in my brain says: no two sites can have the same name.
Btw: I'm not saying it isn't possible, but keeping the domain names the same seems to be the hard way.
@Laxarus said in OpenVPN questions (DNS, Speed, Reliability etc):
If I switch to AES-GCM-128 from GCM-256 and from SHA512 to SHA256, will it not make any noticeable speed difference?
Noop.
Encryption cracking is built into the processor these days. You'll win some microseconds, for sure.
-
@Gertjan said in OpenVPN questions (DNS, Speed, Reliability etc):
I'll say it upfront: not sure if it's wise to have identical domain names in two different locations.
It is definitely not wise, and logic says I should switch to another domain name for one of the sites, but it is just too troublesome. The only way I can think of to have a unified DNS is to manually set up the DNS entries on both sites, which is too ugly and clearly not a standard approach.