Connect to OpenVPN Access Server?

damir

So is it working now?

yes, its working, 2 devices are now going over openvpn, thanks to you.

not sure how to check dns thing, but, when i played a movie on netflix, i monitored the traffic on vps and it was definitely going over openvpn.

[root@my ~]# vnstat -l
Monitoring eth0… (press CTRL-C to stop)

rx: 1.53 Mbit/s 138 p/s tx: 1.66 Mbit/s 217 p/s^C

eth0 / traffic statistics

rx | tx
--------------------------------------+------------------
bytes 496.06 MiB | 531.18 MiB
--------------------------------------+------------------
max 49.60 Mbit/s | 53.08 Mbit/s

damir

When you get a chance, if you please can tell me if i need this checked or leave it unchecked:

I promise after this, i will stop bothering you :-X

I appreciate your help.

johnpoz

What is your client using for dns?? The one you want to go over the vpn, you said you set a static on it.. Smart TVs and such and with apps like netflix, etc. could be hard coded to use say googledns.. If so you would want that going down the tunnel because you would want it doing a dns query from the location of the vpn exit point.

Just change your rule on your policy route to be ANY vs tcp for the protocol and your good any traffic that is from that IP that is not too your lan would go down the tunnel. Only issue would be if the client was using your local dns.. So you might want to change it to use some public dns that goes down the tunnel or you could get geo returned IPs that could cause problems.. Lets say for example your in the the EU, and your vpn exit point is in the US.. If your using your local dns, you could get told to go to site in EU based upon where you source dns query came from.. So now your traffic goes down the tunnel to US just to go back to some IP in the EU.

As to blocking rfc1918 and bogon - no on your vpn interface there would be no need or want to block those.. So leave them unchecked is fine.

damir

In my pfSense i have Static DHCP enabled (my MAC) for all devices i have @ Home.
Each device gets a static IP.

Devices / PC's , etc are set to AUTO for IP's / DNS.

pfSense is set to use Google DNS.
8.8.8.8
8.8.4.4

VPS with OpenVPN on it is also set to Google DNS:

[root@my ~]# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4

so, i believe this looks good?

What i don't understand is, on one of the PC's that is connected to my kid's TV (which is also used for Netflix) , when i do tracert to any IP, it the output / path is not going over openvpn's network, its going through my ISPs.
When i go to "whats my IP on google / and check multiple websites " it shows / reports IP of the openvpn.

I used to have OpenVPN's client installed on that Windows, and tracert's output / path was going over the OpenVPN.
Why is this?

(And still, Netflix, downloads, etc, go through openvpn's network, as i am still monitoring the eth0 with vnstat)

Thanks

damir

Actually, nevermind about that tracert part, after i changed to ANY from TCP, its going over OpenVPN's network :o

damir

Also, i am like 99% sure Netflix is showing US stuff

If i go to : http://api-global.netflix.com/apps/applefuji/config

And look for <geolocation></geolocation>it shows US for me;

There is still that 1%, but, not sure if there is any other way to check :)

damir

I just checked logs in pfSense for OpenVPN, and noticed this:

Nov 10 12:21:51 openvpn[21245]: write UDPv4: No buffer space available (code=55)
Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)
Nov 10 12:21:52 openvpn[21245]: write UDPv4: No buffer space available (code=55)

Also, when i SSH to VPS, it doesn't show my WAN IP any more, but, Local IP from OpenVPN;

root pts/0 172.27.232.2 12:24 0.00s 0.00s 0.00s w

When i do tracert to IP of VPS, it outputs like this:

1 <1 ms <1 ms <1 ms pfSense.home.network [192.168.1.1]
2 26 ms 25 ms 25 ms 168.** (Full IP of VPS)

Also, i am unable to connect to TeamSpeak 3 server hosted on the same VPS.

This is done from my PC, and for this PC there are no rules (firewall) in pfSense.

Googling my IP shows my WAN (ISP's) IP.

Probably i messed up something else?:)

Thanks

johnpoz

your buffers error prob could be a routing issue.. See this pfsense forum

https://forum.pfsense.org/index.php?topic=40405.msg208614#msg208614

https://airvpn.org/topic/11486-error-in-openvpn-logs-on-pfsense/

If you want me to help you really need to show the FULL logs, not just the piece that you think matters.. There is most likely something else in the log that will point to why the error happens.. Like for example with your compression setting in the previous posting..

If your pulling the routes from the vpn client connection its going to cause problems if it hands pfsense a default route down the tunnel, etc..

damir

sorry :'(

i just cleared logs of opevpn, and reboot-ed pfSense

current logs show this:

at this time, still (for about 10 minutes now, there are no buffer errors logs)

As soon as they show (if) i will post another log image (full logs this time :) )

anything that can be done to "fix" the routing issues, so, my VPS doesn't see this PC in "local" (if i saying this correctly), so, i can still use it as i used it for other services before connecting pfSense to OpenVPN-AS hosted on that VPS.

Thanks

damir

um, that "routing" thing is "fixed" i believe.

what i did is setting public IP in Gateway for Monitoring, after i removed it, tracert to VPS is going normally, from my ISP to VPS, regular Path.

When i SSH to VPS, it shows my ISP's (public IP) :o

anyway, good thing? lol

There is also no more buffer errors under OpenVPN (System Logs).

Will keep monitoring - and update the thread of something else comes up.

also, i am able to connect to TS now :D

Not sure if anything should be looked after from the log (image) i posted above this post, please advise.

Big thanks

damir

Definitely everything looks as it should (as i was expecting at least) (not 100% sure about my SysLogs for OpenVPN - but, probably somebody will let me know about this) :)

SysLogs (OpenVPN) still looks almost the same as in previous posts.

Most importantly no Buffer Errors :)

johnpoz - thank you very much for everything - and i apologize for bothering you so much.

Learned a lot from you.

johnpoz

What I am here for to help those that want to help yourself.. And you have been what would hope every user could be that comes here for questions, post info when asked.. Does some playing on their own - not just randomly pushing shit that has nothing to do with the problem at hand.

Hope you got everything working like you want..

To get rid of that mitm error about not checking the server, put this in advanced section of the client config
ns-cert-type server

That should clear that error up. Those option errors are given because your blocking routes from the server..

damir

Understood :) Big thanks!

I will add this now to advanced section and reboot.

damir

After adding that to advanced, reboot, SysLog (OpenVPN) looks like this:

Still no Buffer errors, get around 130-200mbit over OpenVPN-AS, i am happy :)

Big thanks!

damir

I just noticed 2 new lines in SysLog (OpenVPN)

Nov 11 21:26:33 openvpn[22448]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1131750 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov 11 22:15:56 openvpn[22448]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #85096 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

above these 2 lines, everything is still the same as in the image above this post.

Anything i should worry about?

Thanks