Traffic Blocked, Expect Pass
-
Yep, you're right - easy setup, I went ahead and set it up … now to get it working ... LMAO.
A couple questions,
- why is HW acceleration disabled? Would be nice to make use of that.
- trying to use the "Client Export Utility" to get the info for the remote ... but I don't see a Next / Save type button. Likely me, but how to get the output? ... ;)
Thanks!
-
What hardware are you running on? Does it support AES-NI?
Not sure what you mean about next/save on the export. Just pick your instance at the top, what address to use, etc. Then other options you might want to pick, and then scroll to the bottom and you will see the different users that you have created in the user manager. Click what you want to export: either just file, inline, even installer.
-
Thanks! That's what I was missing - I was creating a User Certificate, but it seems you need to do this by adding as a user. Much appreciated! The other secret is that I needed to add a Firewall Rule, to pass the OpenVPN port … correct? I assumed this would happen as part of the server setup, seems I was wrong.
OK, I'm connected - but can't get to any machines on the LAN, or even to the OpenVPN server (ping even fails). Suggestions?
As for the HW acceleration - it's not giving me an option, but does show this on the dashboard,
CPU Type ... Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz
Current: 2500 MHz, Max: 2501 MHz
4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads
AES-NI CPU Crypto: Yes (active)
Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
-
OK, got it up and running - thanks for all the help! Just a few minor things left - please let me know if you have any thoughts,
- the trick was to add a firewall rule for the OpenVPN interface, allow all traffic there … is that the right answer though? ... :).
- actually, to the point above ... I added 2 rules => 1 to allow OpenVPN traffic through, the other to open the WAN to the OpenVPN port ... correct? Any other rules needed?
- DNS back to the pfSense box (from the OpenVPN client) is being rejected (not failing, actually rejected). Do I need to do anything to allow the DNS server to reply? Still digging on this one.
- HW accel is still not working, which is very odd. Any suggestions appreciated.
Thanks again!!!
-
What crypto did you set..
AES-CBC,AES-XTS,AES-GCM,AES-ICM
Did you run through the wizard for the server? It would have auto-added the firewall rules you need. Yes, you need a WAN rule to allow the connection in. And yes, you would need a rule on the OpenVPN interface.. Already went over that - when I blocked ping.
If your dns is being rejected, is your tunnel network in your ACL for unbound?
-
Hi,
A few thoughts / answers - thanks for all the pointers!
What crypto did you set..
AES-CBC,AES-XTS,AES-GCM,AES-ICM
Correct - I left the default that pfSense set up … AES-256-GCM, AES-128-GCM. Perhaps a logic error in the check (with the number in the middle)?
Did you run through the wizard for the server? It would have auto-added the firewall rules you need. Yes, you need a WAN rule to allow the connection in. And yes, you would need a rule on the OpenVPN interface.. Already went over that - when I blocked ping.
Yep, sorry - long and winding path, I got sidetracked … ;). But that said, nope - no auto-created rules (from the Wizard ... yes, used that).
If your dns is being rejected, is your tunnel network in your ACL for unbound?
Yep, added that. After a reboot though, it's happy.
And one more now it seems … :(. When I try to connect from an Android client (using the Client Export, to OpenVPN Connect), I get the error,
Unknown OpenVPN event occurred: Transport error on 'mydomain.com: NETWORK_EOF_ERROR
Seen this one before?
Thanks again!
-
OpenVPN Connect for Android and iOS does not support the new option TLS encryption and auth; you need to set it to just TLS auth. I ran into that myself; it took me a bit to figure out what was different between 2 different instances I had running - one worked, the other didn't ;)
As to the rules for WAN - yeah, they are created by the wizard. I have them on my own setup; the comment says created by wizard. If I bring up a new instance, it adds a rule.
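The three things this thread trips over (which WAN rule the server needs, whether the exported profile uses tls-crypt rather than tls-auth, and the Unbound ACL entry for the tunnel network) can all be checked mechanically from the exported client profile. The script below is an added example, not code from the forum posts or from pfSense: it parses a constructed `.ovpn` profile (the host `vpn.example.com`, the inline key material and the tunnel network `10.8.0.0/24` are placeholders) and reports each item. The tls-crypt check encodes what the reply above states about the OpenVPN Connect app versions of that time; later app versions may differ.

```python
"""Audit an exported OpenVPN client profile for the points raised in the thread:
the WAN pass rule the server needs, tls-crypt vs tls-auth (the reply above says
OpenVPN Connect for Android/iOS needed tls-auth), and the Unbound ACL line for
the tunnel network. Added example, not pfSense or forum code; the profile and
all addresses below are constructed placeholders."""
import ipaddress
import re

# Constructed sample profile in the inline format the Client Export utility produces.
SAMPLE_PROFILE = """\
client
dev tun
proto udp4
remote vpn.example.com 1194 udp4
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-crypt>
"""


def parse_profile(text):
    """Return (directives, inline_blocks).

    directives maps an option name to a list of argument lists (an option such
    as 'remote' may repeat); inline_blocks is the set of <tag>...</tag> sections
    present. Key and certificate material inside a block is skipped."""
    directives = {}
    inline = set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tag = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if tag:
            if tag.group(1):            # closing tag
                current = None
            else:                       # opening tag
                current = tag.group(2)
                inline.add(current)
            continue
        if current is not None:
            continue                    # inside a key/cert block
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, inline


def wan_rules_needed(directives):
    """(proto, port) pairs the WAN must pass to the firewall's own address.
    'remote host [port] [proto]' overrides the global 'proto' / 'port'."""
    default_proto = directives.get("proto", [["udp"]])[0][0]
    default_port = directives.get("port", [["1194"]])[0][0]
    rules = []
    for args in directives.get("remote", []):
        port = args[1] if len(args) > 1 else default_port
        proto = args[2] if len(args) > 2 else default_proto
        # OpenVPN spells these udp4/udp6/tcp4-client etc.; a pf rule only needs udp or tcp.
        proto = "tcp" if proto.startswith("tcp") else "udp"
        rules.append((proto, int(port)))
    return rules


def tls_wrapping(directives, inline):
    """'tls-crypt', 'tls-auth' or None, whichever the profile uses (file reference or inline block)."""
    for name in ("tls-crypt", "tls-auth"):
        if name in directives or name in inline:
            return name
    return None


def connect_app_compatible(directives, inline):
    """True unless the profile uses tls-crypt, which the reply above reports the
    Connect app of that time could not handle (tls-auth and no wrapping are fine)."""
    return tls_wrapping(directives, inline) != "tls-crypt"


def unbound_acl_line(tunnel_network):
    """Unbound access-control entry for the tunnel network, so replies to VPN
    clients are not refused. Raises ValueError on a malformed network."""
    net = ipaddress.ip_network(tunnel_network, strict=True)
    return f"access-control: {net} allow"


if __name__ == "__main__":
    d, inl = parse_profile(SAMPLE_PROFILE)
    for proto, port in wan_rules_needed(d):
        print(f"WAN rule needed: pass in {proto} to WAN address port {port}")
    print("TLS wrapping:", tls_wrapping(d, inl),
          "| Connect app compatible:", connect_app_compatible(d, inl))
    print(unbound_acl_line("10.8.0.0/24"))   # placeholder tunnel network
```

Run against a real export, the first line tells you the exact WAN rule the wizard should have created; a `tls-crypt` result on a profile destined for the Connect app means the server's TLS key usage mode has to be switched to TLS auth and the profile re-exported; the last line is the entry the tunnel network needs under the Unbound access lists.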
-
Thanks for the info on TLS - much appreciated! Sorry you ran into it (can be painful), but sort of glad you did … ;).
Odd on the wizard, no rules here - just the ones I created manually. That said, I may have done something wrong in the wizard (i.e. I'm guessing it's an operator error, not the tool).
Still a bit confused about the lack of HW accel - would like to offload the CPU if possible. Do you know if there is a way to check it from the command line? And I guess either way - is it worth posting as a potential bug? Just thinking I can try to help others, but don't want to cause grief either.
Thanks!
-
You might want to post another thread about the HW thing. I run my home pfSense on a VM, so no hardware for crypto.
I have an SG-2440 at work; I could look into the hardware accel for crypto on Monday.
-
Cool, sounds good - thanks again for all your help. Really appreciated!
Yep, posted another question about that. If it's a bug, I want to be helpful and let folks know.
Have a nice weekend!