Re: [pfSense] OpenVPN connects fine, no internet
On Fri 12 Dec 2014 06:19:37 NZDT +1300, Karl Fife wrote:

>> The VPN should protect from all MITM attacks and snooping between the VPN client and server.
>
> This is a great idea, but I find that routing all traffic through VPN causes problems in marginal (lossy or congested) networks. I'm curious to know if others have also had this pain point, and whether you've had any success by simply sending VPN over TCP.

What you are seeing is the additional overhead of the VPN, both in encapsulation and in delay. There is no way around that. I expect tcp to be even worse (but able to detect missing packets). That's the price you pay.

Ideally I'd like to have flexible and user-friendly control over what data goes over the VPN and which DNS is used. It happens that one has to look up some hosts of the provider and can't tunnel the DNS, which is always annoying.

It is possible that other VPNs, in particular IPsec, have lower overheads.

Volker

--
Volker Kuhlmann
http://volker.top.geek.nz/
Please do not CC list postings to me.

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] OpenVPN connects fine, no internet
> did you configure tunnelblick to send *all* traffic to the vpn? if so, you have to add allow rules to the openvpn interface to permit that traffic, and probably set up a NAT on there as well.

If the network the client is connecting from (e.g. while travelling) is in any way not totally trustworthy it would be prudent to at least route the DNS traffic through the tunnel, if not all traffic. The VPN should protect from all MITM attacks and snooping between the VPN client and server.

Volker

--
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/
Please do not CC list postings to me.
Re: [pfSense] OpenVPN connects fine, no internet
Agreed. That is the reason that I do not need it. What I need is to find out why connected clients to vpn do not have Internet access. Is it an issue with the tunnelblick client in OS X or do I need to fix something in the pfSense box?

Best regards
Kostas

Sent from my iPhone

On 11 Dec 2014, at 12:11, Volker Kuhlmann hid...@paradise.net.nz wrote:

>> did you configure tunnelblick to send *all* traffic to the vpn? if so, you have to add allow rules to the openvpn interface to permit that traffic, and probably set up a NAT on there as well.
>
> If the network the client is connecting from (e.g. while travelling) is in any way not totally trustworthy it would be prudent to at least route the DNS traffic through the tunnel, if not all traffic. The VPN should protect from all MITM attacks and snooping between the VPN client and server.
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/
> Please do not CC list postings to me.
Re: [pfSense] OpenVPN connects fine, no internet
On Thu, Dec 11, 2014 at 5:37 AM, Kostas Backas kos...@i-system.gr wrote:

> Is it an issue with the tunnelblick client in os x or do I need to fix something in the Pfsense box?

We don't know what you did, still, so we have no clue. Did you or did you not tell tunnelblick to send all traffic to the VPN tunnel?

In either case, you need to allow traffic you want on the OpenVPN tab of the firewall rules. This should only affect traffic destined to the inside of your tunnel not all internet traffic.
Re: [pfSense] OpenVPN connects fine, no internet
Thank you,

I don't want to route all traffic. I just want to find out why connected clients cannot access the internet.

Best regards
Kostas

Sent from my iPad

On 11 Dec 2014, at 7:19 PM, Karl Fife karlf...@gmail.com wrote:

>> The VPN should protect from all MITM attacks and snooping between the VPN client and server.
>
> This is a great idea, but I find that routing all traffic through VPN causes problems in marginal (lossy or congested) networks. I'm curious to know if others have also had this pain point, and whether you've had any success by simply sending VPN over TCP.
Re: [pfSense] OpenVPN connects fine, no internet
On Thu, Dec 11, 2014 at 1:30 PM, Kostas Backas kos...@i-system.gr wrote:

> I don't want to route all traffic.

Ok we now know you don't want to do this. We still don't know if you actually did it on your client config.

Try this... On your mac, with the vpn on, run traceroute -n www.google.com and see where the traffic goes. You could even show us if you would like help interpreting it. If you can't get the DNS to resolve, then traceroute -n 8.8.8.8.

If you're not going to actually answer technical requests for details, then nobody can help you no matter how much they may want to.
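
A complement to the traceroute check suggested above, added here as an example and not written by anyone in the thread: it reads the client's IPv4 routing table (`netstat -rn -f inet` on OS X) and reports whether Internet-bound traffic is being sent into the tunnel. The interface names, addresses and sample tables are constructed, and it assumes the tunnel interface is named tunN or utunN.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `netstat -rn -f inet` text on stdin
# and reports whether Internet-bound traffic is routed into the VPN.
# Assumption: the tunnel interface is named tunN or utunN.
classify_routes() {
    awk '
    {
        via_tun = 0
        for (i = 2; i <= NF; i++) if ($i ~ /^u?tun[0-9]+$/) via_tun = 1
        if (!via_tun) next
        tunnel_routes++
        if ($1 == "default") replaced = 1   # default route itself points into the tunnel
        if ($1 == "0/1")     low = 1        # the two half-default routes that
        if ($1 == "128.0/1") high = 1       # redirect-gateway def1 installs
    }
    END {
        if (replaced || (low && high)) print "full-tunnel"
        else if (tunnel_routes > 0)    print "split-tunnel"
        else                           print "no-tunnel"
    }'
}

# Constructed sample: only the office subnet (192.168.50) goes through tun0.
SPLIT_SAMPLE='Destination        Gateway         Flags   Refs  Use  Netif Expire
default            192.168.1.1     UGSc      12    0    en0
10.8.0.5           10.8.0.6        UH         2    0   tun0
192.168.50         10.8.0.5        UGSc       0    0   tun0
192.168.1          link#4          UCS        1    0    en0'

# Constructed sample: def1 routes cover all of IPv4 and win over "default".
FULL_SAMPLE='Destination        Gateway         Flags   Refs  Use  Netif Expire
0/1                10.8.0.5        UGSc       3    0   tun0
default            192.168.1.1     UGSc      12    0    en0
10.8.0.5           10.8.0.6        UH         2    0   tun0
128.0/1            10.8.0.5        UGSc       1    0   tun0
192.168.1          link#4          UCS        1    0    en0'

# full-tunnel: the pfSense side needs pass rules on the OpenVPN tab and NAT.
# split-tunnel: Internet traffic stays on the local gateway, so look at the
# client side (for example DNS) rather than the firewall.
printf 'split sample: %s\n' "$(printf '%s\n' "$SPLIT_SAMPLE" | classify_routes)"
printf 'full sample:  %s\n' "$(printf '%s\n' "$FULL_SAMPLE" | classify_routes)"
```

On a live client, pipe the real table in: `netstat -rn -f inet | classify_routes`.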
[pfSense] OpenVPN connects fine, no internet
Hello,

We are using openvpn with tunnelblick and viscosity clients in OS X. Our main issue is that when the users are connected to the vpn, they cannot access the Internet. I have tried to forward traffic through vpn, add DNS servers etc, but nothing worked. How can I determine what keeps it from working?

Best regards
Kostas

Sent from my iPhone
Re: [pfSense] OpenVPN connects fine, no internet
Agreed - usually means there’s no route on the VPN server to handle outside traffic to the world.

On Dec 10, 2014, at 1:26 PM, Vick Khera vi...@khera.org wrote:

> did you configure tunnelblick to send *all* traffic to the vpn? if so, you have to add allow rules to the openvpn interface to permit that traffic, and probably set up a NAT on there as well.
>
> it is easiest to not send all traffic there unless that is your goal to mask your origin. my goal is to access internal resources to my office network, so i do not configure tunnelblick that way.
>
> On Wed, Dec 10, 2014 at 2:11 PM, Kostas Backas kos...@i-system.gr wrote:
>
>> Hello,
>>
>> We are using openvpn with tunnelblick and viscosity clients in OS X. Our main issue is that when the users are connected to the vpn, they cannot access the Internet. I have tried to forward traffic through vpn, add DNS servers etc, but nothing worked. How can I determine what keeps it from working?
>>
>> Best regards
>> Kostas
>>
>> Sent from my iPhone
Re: [pfSense] OpenVPN connects fine, no internet
On 12/10/2014 11:38 PM, Kostas Backas wrote:

> Thank you
>
>> my goal is to access internal resources to my office network, so i do not configure tunnelblick that way.
>
> Mine too. I just need to have internet access while connected. I do not need to pass all traffic through the tunnel, I just tested if it works. What other firewall rules are needed for this to work?
>
> Best regards
> Kostas
>
> Sent from my iPad
>
> On 10 Dec 2014, at 9:26 PM, Vick Khera vi...@khera.org wrote

perhaps this?

https://code.google.com/p/tunnelblick/wiki/cMountainLionDnsIssue

additionally, i seem to remember that this was a bug in some version of tunnelblick, but that was a while back ...

cheers,