Netgate Discussion Forum
    • N

      Is it possible to NAT all the OpenVPN clients to LAN addresses?

      OpenVPN openvpn nat routing
      3
      0 Votes
      3 Posts
      634 Views
      N

      @viragomann thank you for the suggestion, I am gonna give it a try, we should fix the issue by having the remote endpoint add a phase 2 for the openvpn subnet but in the meantime this should fix it as well.

    • N

      OpenVPN Clients reach only some remote MPLS addresses, LAN client reach them all

      Routing and Multi WAN openvpn mpls routing
      1
      0 Votes
      1 Posts
      295 Views
      No one has replied
    • W

      Combining Remote Access VPN with Site-to-Site VPN

      OpenVPN openvpn routing pfsense site-to-site remote-access
      4
      0 Votes
      4 Posts
      1k Views
      W

      Thank you very much! Your solution fixed my problem! I missed adding the tunnel network to the remote networks on site B.

    • P

      OpenVPN Tunnel network metric

      OpenVPN openvpn openvpn routing openvpn client
      3
      0 Votes
      3 Posts
      800 Views
      P

      IMO it's impossible to tell an Active Directory domain member not to look for the DNS record of the domain name.

    • N

      OpenVPN Can not reach devices in LAN other than the LAN-Gateway

      OpenVPN openvpn lan unreachable
      4
      0 Votes
      4 Posts
      896 Views
      N

      Hey there,
      I think the problem is not within the Router but in the testserver.

      Even though I did a reinstall recently and never installed anything else than apache2 and openssh-server, a tcpdump confirmed that the packets arrive at my testserver but my testserver does not respond to them for whatever reason. So most probably my fault.

      Anyway

      Thank you @Rico !

    • W

      OpenVPN configuration: site-to-site and roadwarrior

      Français openvpn openvpn routage site-to-site roadwarrior
      11
      0 Votes
      11 Posts
      2k Views
      J

      It is not pleasant to reply and be credited with an attitude that is not one's own ... So this is better.

      VPN_ADMIN is the roadwarrior VPN (which works very well with OpenVPN).
      The config you give looks correct to me this time.
      It is logical, since Local is the set of networks of each site!
      Usually, and the pfSense docs use it, the Tunnel is 10.0.x.0/24 (which allows 63 clients to connect).
      If there are several sites, each with an OpenVPN server, you vary the x: 8, 9, 10, ...

      VPN_SITES should move to IPsec, ideally as a mesh.
      So each site must have the following definitions
      for site 1:
      phase 1: to site 2 / phase 2: lan1 <-> lan2 / 2 IPsec rules: lan1 -> lan2 + lan2 -> lan1
      same for site 3
      same for site 4
      and repeat site by site

    • A

      Can't access server

      OpenVPN openvpn openvpn problem pfsense nat pfsense firewal pfsense lan wan
      6
      0 Votes
      6 Posts
      1k Views
      RicoR

      So your on-prem Webserver is also running as OpenVPN client which is connected to your gcloud pfSense? You are only running this one pfSense? What is your OpenVPN mode?

      -Rico

    • Y

      Multi OpenVPN client + Random OpenVPN Connection + Customize Sticky Connection

      Routing and Multi WAN routing openvpn gatewaygroup firewall rules
      2
      0 Votes
      2 Posts
      1k Views
      Y

      Does anyone have any idea on the implementation of this please?^

    • A

      OpenVPN SSL Site to Site - I am unable to push DNS to Site B and access a routed network in Site A from Site B

      OpenVPN openvpn
      4
      0 Votes
      4 Posts
      442 Views
      V

      @azmodeuz said in OpenVPN SSL Site to Site - I am unable to push DNS to Site B and access a routed network in Site A from Site B:

      I set pfSense3 as OpenVPN Server so remote users are connected locally to communicate with our Local Net. Would this still be possible if I use pfSense2 as the OpenVPN Server?

      You will need a static route on pfSense3 for the OpenVPN tunnel network 192.168.121.0/24 pointing to pfSense2.

      @azmodeuz said in OpenVPN SSL Site to Site - I am unable to push DNS to Site B and access a routed network in Site A from Site B:

      Re: NAT, how should I do NAT to get responses back to pfSense3?

      You can add an outbound NAT rule on pfSense3 (S-NAT, also known as masquerading) which translates the source IP in packets from the remote site of the VPN into the DMZ interface address. So responses are sent back to pfSense3.
      However, that's a dirty solution and is not recommended if there are multiple clients connecting through the VPN.

    • M

      server.cert file gets corrupted every time I start openvpn service?

      OpenVPN openvpn server.cert corrupt
      3
      0 Votes
      3 Posts
      404 Views
      GertjanG

      Hi,

      View /etc/inc/openvpn.inc.

      Locate the several function calls and definition at the bottom of the function called: openvpn_add_keyfile

      This function takes the directory, the extension, the PEM base64 encoded data and writes out the file.
      File rights are set to 0600 and that's it.
      It's line 760 in the openvpn.inc file.

      If something goes wrong at that place, I guess the $data that gets base64 decoded isn't 'ok'?
      Is your cert ok?
      Many cert type files are created using that function. When only "server1.cert" goes wrong, I guess its input (= $data) is 'wrong'.

      An old 2.4.4-p3 bug that got resolved (?) ^^
      edit: no. The OpenVPN server was working just fine for me when I was using 2.4.4-p3.

    • G

      CRL's not found, revoked cert still able to log in

      OpenVPN openvpn certificate crl
      3
      0 Votes
      3 Posts
      1k Views
      G

      OK, I see the logic. Thanks.

    • K

      Traffic shaping with CoDel and OpenVPN

      Traffic Shaping bufferbloat latency frame drop openvpn vpn tunnel
      5
      0 Votes
      5 Posts
      2k Views
      K

      Actually what happens is that I have packet drops/high latency when transfers over VPN are getting very slow, not fast. Then VPN server can easily reach half of the speed of my download DSL link (i.e. 300Mbit/2=150Mbit) and then everything is OK. There are no issues when VPN is not used at all either. Problem is when the remote end behind VPN (=torrent sources) isn't that fast and download speed drops to say 10Mbit. Then torrent transfers are causing high latency/high packet drop on my link.
      This is very similar case to this one (unresolved issue): https://forum.netgate.com/topic/125639/lots-of-packet-loss-and-high-ping-when-torrenting-through-pia-vpn
      But it's not PIA VPN that I'm using (it's NordVPN).

      What is surprising to me is that, as said before, I had no such issues when Asus RT-AC68U was my router.

    • S

      OpenVPN interface assignment

      OpenVPN openvpn interface clients
      2
      0 Votes
      2 Posts
      827 Views
      RicoR

      The interface used by the firewall to originate this OpenVPN client connection
      so typically this would be WAN.
      In my case for some Sites it is not directly WAN but some Gateway Group containing different WANs.
      I've never thought about switching it to any internal Interface like LAN or OPT...why did you do that? Just leave it as default.

      -Rico

    • S

      PFSense doesn't route more than one OpenVPN user

      OpenVPN openvpn pfsense routing firewall rules
      21
      0 Votes
      21 Posts
      2k Views
      S

      @Rico sadly doesn't seem to solve the issue.

      I deployed the OpenVPN on ubuntu behind the firewall and forwarded the port, now I got it working.
      I am not sure why it's not working, to be honest, but the fact that it worked for a while and that it's very slow without using any resources makes me believe something is unstable there, possibly with how my hosting solution manages VMs.

      Anyway thank you for all the help.

    • V

      OpenVPN client specific override Error?

      OpenVPN pfsense clientspecific override openvpn
      13
      0 Votes
      13 Posts
      2k Views
      noplanN

      @Rico
      Word! I do not need to understand why I would do this ;)
      CSO local networks but here in Austria a lot of things are possible ;)

    • T

      Gateway offline after adding Client Specific Overrides for OpenVPN

      OpenVPN pfsense openvpn gateway
      5
      0 Votes
      5 Posts
      954 Views
      T

      Yes, the netmasks are all /24. For now it is 1 peer for testing. But in the future I would like to have the possibility to add more clients. The following is what I'm trying to accomplish:

      test.png

    • R

      OpenVPN Status from Console.

      General pfSense Questions openvpn status console
      3
      0 Votes
      3 Posts
      749 Views
      R

      @Derelict, thanks so much for your answer.

      I have seen the information at the link and I don't see it clearly. I am not an expert programmer.

      I only want to show via console, or via SSH, in text mode, the same information that appears in the OpenVPN Status GUI page and be able to capture the output text.

      Do you know where I can find examples to do something similar to this?

      Regards,

      Ramsés

    • Y

      OpenVPN: Only one VPN IP has access to my internal network

      Español openvpn
      30
      0 Votes
      30 Posts
      4k Views
      L

      I read your whole case, and how great that you solved it.

    • A

      Use the OpenVPN server as a DNS server?

      Russian openvpn dns forwarder overlapping
      3
      0 Votes
      3 Posts
      668 Views
      werterW

      @Aba

      Never use 192.168.(0|1).x networks in production. Change the addressing to 10.10.10.0, for example. This is the first thing that speaks to the admin's "level".

      Do not use DNS Forwarder on pfSense. The developers disabled it by default, enabling DNS Resolver instead. But no, there are still people who do not look for easy ways.

      You can hand out DNS over OpenVPN right in the OpenVPN settings. The settings may appear when the OpenVPN type is changed.

      P.S. I see that, because of #youknowwhat, demand for pfSense and similar products has grown (remote access etc).

    • E

      access public SIP via remote with openvpn

      OpenVPN sip openvpn
      7
      0 Votes
      7 Posts
      1k Views
      JKnottJ

      @mohkhalifa said in access public SIP via remote with openvpn:

      VPN and SIP both must be configured with the same protocol.

      ????

      While the VPN normally uses UDP, but can use TCP, SIP is usually TCP and RTP uses UDP. The VPN should be passing both UDP and TCP, as would any other IP path.