Hey there,
I think the problem is not within the Router but in the testserver.

Even though I did a reinstall recently and never installed anything else than apache2 and openssh-server, a tcpdump confirmed that the packets arrive at my testserver but my testserver does not respond to them for whatever reason. So most probably my fault.

Anyway

Thank you @Rico !

Ce n'est pas agréable de répondre et de se voir attribuer une attitude qui n'est pas la sienne ... C'est donc mieux.

Le VPN_ADMIN est le VPN roadwarrior (qui est très bien avec OpenVPN).
La config que vous indiquez me semble correcte cette fois ci.
Elle est logique puisque le Local est l'ensemble des réseaux de chaque site !
Usuellement, et la doc pfSense l'utilise, le Tunnel est 10.0.x.0/24 (ce qui permet à 63 clients de se connecter).
Si on a plusieurs sites, avec chacun un serveur OpenVPN, on fait varier le x : 8,9,10, ...

Le VPN_SITES devrait passer à IPsec et idéalement en maillé.
Donc chaque site doit avoir des définitions suivantes
pour le site 1 :
phase1 : vers site 2 / phase 2 : lan1 <-> lan2 / 2 rules ipsec : lan1 -> lan2 + lan2 -> lan1
idem pour site 3
idem pour site 4
et on recommence site par site

So your on-prem Webserver is also running as OpenVPN client which is connected to your gcloud pfSense? You are only running this one pfSense? What is your OpenVPN mode?

-Rico

Does anyone have any idea on the implementation of this please?^

@azmodeuz said in OpenVPN SSL Site to Site - I am unable to push DNS to Site B and access a routed network in Site A from Site B:

I set pfSense3 as OpenVPN Server so remote users are connected locally to communicate with our Local Net. Would this still be possible if I use pfSense2 as the OpenVPN Server?

You will need a static route on pfSense3 for the OpenVPN tunnel network 192.168.121.0/24 pointing to pfSense2.

@azmodeuz said in OpenVPN SSL Site to Site - I am unable to push DNS to Site B and access a routed network in Site A from Site B:

Re: NAT, how should I do NAT to get responses back to pfSense3?

You can add an outbound NAT rule on pfSense3 (S-NAT, also known as masquerading) which translates the source IP in packets from the remote site of the VPN into the DMZ interface address. So responses are sent back to pfSense3.
However, that's a dirty solution and is not recommended if there are multiple clients connecting through the VPN.

Hi,

View /etc/inc/openvpn.inc.

Locate the several function calls and definition at the bottom of the function called : openvpn_add_keyfile

This function takes the directory, the extension, the PEM based64 encoded data and writes out the file.
File rights are set to 0600 and that's it.
It's line 760 in the openvpn.inc file.

If something goes wrong at that place, I guess the $data that gets base64 decodes isn't 'ok' ?
Is your cert ok ?
Many cert type files are created using that function. When only "server1.cert" goes wrong, I gues it's input (= $data) is 'wrong'.

An old 2.4.4-p3 bug that got resolved (?) ^^
edit : non. openvpn server was working just for for my when I was using 2.4.4-p3.

OK, I see the logic. Thanks.

Actually what happens is that I have packed drops/high latency when transfers over VPN are getting very slow, not fast. Then VPN server can easily reach half of the speed of my download DSL link (i.e 300Mbit/2=150Mbit) and then everything is OK. There are no issues when VPN is not used at all either. Problem is when the remote end behind VPN (=torrent sources) isn't that fast and download speed drops to say 10Mbit. Then torrent transfers are causing high latency/high packet drop on my link.
This is very similar case to this one (unresolved issue): https://forum.netgate.com/topic/125639/lots-of-packet-loss-and-high-ping-when-torrenting-through-pia-vpn
But it's not PIA VPN that I'm using (it's NordVPN).

What is surprising to me that, as said before, I had no such issues when Asus RT-AC68U was my router.

The interface used by the firewall to originate this OpenVPN client connection
so typically this would be WAN.
In my case for some Sites it is not directly WAN but some Gateway Group containing different WANs.
I've never thought about switching it to any internal Interface like LAN or OPT...why did you do that? Just leave it as default.

-Rico

@Rico sadly doesn't seem to solve the issue.

I deployed the OpenVPN on ubuntu behind the firewall and forwarded the port, now I got it working.
I am not sure why it's not working, to be honest, but the fact that it worked for a while and that its very slow without using any resources makes me believe something is unstable there, possibly with how my hosting solution manages VM's.

Anyway thank you for all the help.

@Rico
word! i do not need to unserstand why i would do this ;)
CSO local networks but here in ausrtia a lot of things are possible ;)

Yes the netmasks are all /24. For now it is 1 peer for testing. But in the future i would like to have the possibility to add more clients. The following is what I'm trying to accomplish:

test.png

@Derelict, thanks so much by your answer.

I have saw the information of link and I don't see it clearly. I am not a expert programmer.

I only want show by Console, or via SSH, in text mode, the same information thar appears in the OpenVPN Status GUI page and be able to capture the output text.

Do you know where can I found examples to do something similar to this?

Regards,

Ramsés

Leí todo tu caso y que genial que lo has resuelto.

@Aba

Никогда не использовать сети 192.168.(0|1).x в продакшене. Меняйте адресацию на 10.10.10.0, например. Это первое, что говорит об "уровне" админа.

Не пользовать DNS Forwarder на пф. Разрабы по умолчанию его откл., задействовав DNS Resolver. Но нет, все еще есть люди, не ищущие легких путей.

Выдавать DNS по ОВПН можно прямо в настройках ОВПН. Возможно, настройки появляются при смене типа овпн.

Зы. Смотрю в связи с #самизнаетечем на пф и аналогичные продукты спрос вырос (удаленный доступ etc).

@mohkhalifa said in access public SIP via remote with openvpn:

VPN and SIP both must be configured with the same protocol.

????

While the VPN normally uses UDP, but can use TCP, SIP is usually TCP and RTP uses UDP. The VPN should be passing both UDP and TCP, as would any other IP path.

@kiokoman thanks for the tip, I have configured a bridge with linux tools (brctl) and I'm using virt-io and I thought that would be enough but it is in fact very reasonable that it would actually introduce limitations and weird behaviors like what I'm seeing, I will dig further the issue

The OpenVPN option text should probably be renamed. The engine command in OpenVPN isn't required. When it's unset then it automatically selects a device which supports accelerating whatever cipher it's trying to use.

When it's set to a specific engine, it's supposed to prefer that engine but I don't believe it's restricted to only using that engine. Since most things only have 0-1 available usable engine types, that's not so easy to test.

So really the No Hardware Crypto Acceleration line should be Use any available cryptographic hardware device or something along those lines.

Ok, if you only have a firewall rule with the OpenVPN gateway set it will force all traffic out that way which will break connectivity to the LAN.
Add a rule on the new interface above any rules with a gateway set to pass ping traffic to the LAN.

Otherwise check the firewall logs. Check the state table while you're pinging.

Steve

@Bob-Dig
thanks for the interesting hint, tagging looks like a great feature!
So basically I am tagging all (!) my current rules in the LAN section where I define which traffic is allowed and that it goes through the OpenVPN gateway.
And the I setup a rule which rejects all traffic which is tagged and goes to WAN, correct?

How do I make sure that the only connection the pfsense can do itself will be to VPN Providers DNS and OpenVPN Servers?

As far as I understand this can also be done via "floating rules":

Floating Rules can:
Filter traffic from the firewall itself
Filter traffic in the outbound direction (all other tabs are Inbound processing only)
https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html
[...]

-Tom