Traffic Blocked, Expect Pass
-
Hi,
A few thoughts / answers - thanks for all the pointers!
What crypto did you set.. AES-CBC, AES-XTS, AES-GCM, AES-ICM
Correct - I left the default that pfSense set up … AES-256-GCM, AES-128-GCM. Perhaps a logic error in the check (with the number in the middle)?
Did you run through the wizard for the server? It would have auto-added the firewall rules you need. Yes, you need a WAN rule to allow the connection in. And yes, you would need a rule on the OpenVPN interface..
Already went over that - when I blocked ping.
Yep, sorry - long and winding path, I got sidetracked … ;). But that said, nope - no auto-created rules (from the Wizard ... yes, used that).
If your dns is being rejected, is your tunnel network in your ACL for unbound?
Yep, added that. After a reboot though, it's happy.
And one more now it seems … :(. When I try to connect from an Android client (using the Client Export, to OpenVPN Connect), I get the error,
Unknown OpenVPN event occurred: Transport error on 'mydomain.com: NETWORK_EOF_ERROR
Seen this one before?
Thanks again!
-
OpenVPN Connect for Android and iOS does not support the new option TLS Encryption and Authentication; you need to set it to just TLS Auth.. I ran into that myself; took me a bit to figure out what was different between 2 different instances I had running: one worked, the other didn't ;)
As to the rules for WAN – yeah, they are created by the wizard.. I have them on my own setup; the comment says created by wizard. If I bring up a new instance, it adds a rule.
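The compatibility point above (pfSense's "TLS Encryption and Authentication" setting emits a tls-crypt block, which the poster's OpenVPN Connect build rejected, while "TLS Authentication" emits tls-auth) is easy to confirm from the exported profile itself. The following is an added example, not code from the thread or from pfSense: it parses an .ovpn file, classifies how the control channel is protected, lists the data-channel ciphers, and reports anything a reviewer would want to know before handing the profile to a client. The sample profile and the hostname vpn.example.invalid are constructed; the `client_supports` parameter is a hypothetical way to express which control-channel modes a given client accepts.

```python
"""Review an exported OpenVPN client profile before deploying it to a client.

Added example (not from the forum thread or pfSense). Demonstrates how to tell
tls-crypt from tls-auth in a profile and how to flag settings worth a second look.
"""
import re
import shlex

# Constructed sample, modelled on a pfSense Client Export with
# "TLS Encryption and Authentication" (tls-crypt) enabled. Key material is a placeholder.
SAMPLE_PROFILE = """\
client
dev tun
remote vpn.example.invalid 1194 udp4
remote-cert-tls server
verify-x509-name "vpn-server-cert" name
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholderCA
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00112233placeholderkey
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

# Legacy data-channel ciphers that should not appear in a new deployment.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "none"}


def parse_profile(text):
    """Return (directives, inline_blocks).

    directives: {name: [args-per-occurrence]}, since e.g. `remote` may repeat.
    inline_blocks: names of <ca>/<cert>/<tls-crypt>/... blocks; their bodies are skipped.
    """
    directives, inline, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if current is not None:          # inside an inline block: look only for its end tag
            if line == f"</{current}>":
                current = None
            continue
        m = re.fullmatch(r"<([A-Za-z0-9-]+)>", line)
        if m:
            current = m.group(1)
            inline.add(current)
            continue
        parts = shlex.split(line)        # handles quoted args such as verify-x509-name
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, inline


def control_channel_mode(directives, inline):
    """Classify control-channel protection: the key may be a file argument or an inline block."""
    for mode in ("tls-crypt-v2", "tls-crypt", "tls-auth"):
        if mode in directives or mode in inline:
            return mode
    return "none"


def data_ciphers(directives):
    """Negotiable data-channel ciphers, falling back to the legacy single `cipher` line."""
    if "data-ciphers" in directives:
        return directives["data-ciphers"][0][0].split(":")
    if "cipher" in directives:
        return [directives["cipher"][0][0]]
    return []


def check_profile(text, client_supports=frozenset({"tls-auth", "tls-crypt", "tls-crypt-v2"})):
    """Summarise the profile and list findings. client_supports is hypothetical: the
    control-channel modes the target client is known to accept."""
    directives, inline = parse_profile(text)
    mode = control_channel_mode(directives, inline)
    ciphers = data_ciphers(directives)
    findings = []
    if mode == "none":
        findings.append("no tls-auth/tls-crypt: control-channel packets are not authenticated")
    elif mode not in client_supports:
        findings.append(f"{mode} is not supported by the target client; switch the server to tls-auth")
    if "remote-cert-tls" not in directives:
        findings.append("remote-cert-tls server missing: client will not insist on a server-role certificate")
    weak = [c for c in ciphers if c in WEAK_CIPHERS]
    if weak:
        findings.append(f"weak data-channel cipher(s) offered: {', '.join(weak)}")
    return {"control_channel": mode, "data_ciphers": ciphers, "findings": findings}


if __name__ == "__main__":
    # Same profile checked against a client that only understands tls-auth.
    print(check_profile(SAMPLE_PROFILE))
    print(check_profile(SAMPLE_PROFILE, client_supports=frozenset({"tls-auth"})))
```

Run against the sample with the default `client_supports`, the profile is clean; run with `client_supports={"tls-auth"}` it reports the tls-crypt mismatch, which is the situation in the thread. The same parser also catches a profile with no control-channel key at all, or one still offering a legacy cipher, which are the cases a defender actually cares about once the connection works.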
-
Thanks for the info on TLS - much appreciated! Sorry you ran into it (can be painful), but sort of glad you did … ;).
Odd on the wizard, no rules here - just the ones I created manually. That said, I may have done something wrong in the wizard (i.e. I'm guessing it's an operator error, not the tool).
Still a bit confused about the lack of HW accel - would like to offload the CPU if possible. Do you know if there is a way to check it from the command line? And I guess either way - is it worth posting as a potential bug? Just thinking I can try to help others, but don't want to cause grief either.
Thanks!
-
You might want to post another thread about the HW thing. I run my home pfSense on a VM, so no hardware for crypto.
I have an SG-2440 at work; I could look into the hardware accel for crypto on Monday.
-
Cool, sounds good - thanks again for all your help. Really appreciated!
Yep, posted another question about that. If it's a bug, want to be helpful, let folks know.
Have a nice weekend!