Messages - minime

#1
Actually, no, I take it back. Doesn't work. I had, how embarrassing, the blocklist functionality unchecked...and hence it worked...so, no, still no joy.
#2
Thank you for your response.

I was able to solve it. I had to enter:

*.giphy.com
giphy.com

The first entry was needed as giphy is using subdomains for the content delivery.
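As an added illustration of the point above (example code, not from the forum or from OPNsense), the small matcher below shows why a bare `giphy.com` entry does not cover hosts such as `media1.giphy.com`, so a second `*.giphy.com` entry is needed. It assumes glob-style semantics (a bare name matches only that exact host, a leading `*.` matches any subdomain); the exact list syntax of the OPNsense proxy is not described in the thread, and the hostnames are constructed, not captured from a real page load.

```python
"""Added example (not from the forum post or OPNsense): a per-hostname matcher
that shows why a domain list needs both 'giphy.com' and '*.giphy.com' when a
site serves its content from subdomains.

Assumed semantics (not taken from the thread): a bare entry matches only that
exact host; an entry starting with '*.' matches any host that ends in
'.<name>', but not the bare domain itself.
"""

from typing import Dict, Iterable


def entry_matches(entry: str, host: str) -> bool:
    """Return True if a single list entry covers the given hostname."""
    entry = entry.strip().lower()
    host = host.strip().lower().rstrip(".")
    if entry.startswith("*."):
        # Wildcard: any subdomain of the suffix, e.g. 'media1.giphy.com'
        # for '*.giphy.com'. The bare domain 'giphy.com' is NOT covered.
        suffix = entry[1:]  # '.giphy.com'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def covered_by(entries: Iterable[str], host: str) -> bool:
    """True if any entry in the list covers the host."""
    return any(entry_matches(e, host) for e in entries)


def check_hosts(entries: Iterable[str], hosts: Iterable[str]) -> Dict[str, bool]:
    """Map each hostname to whether the given list would allow it."""
    entries = list(entries)
    return {h: covered_by(entries, h) for h in hosts}


# Constructed sample hostnames (assumed, not captured from a real session):
# the bare site, two content-delivery subdomains, and a look-alike that a
# sloppy suffix match would wrongly accept.
SAMPLE_HOSTS = ["giphy.com", "media1.giphy.com", "api.giphy.com", "notgiphy.com"]

if __name__ == "__main__":
    for entries in (["giphy.com"], ["*.giphy.com"], ["giphy.com", "*.giphy.com"]):
        print(entries, check_hosts(entries, SAMPLE_HOSTS))
```

Running it shows that only the combined list allows both the bare domain and its subdomains, while `notgiphy.com` stays blocked in every case because the wildcard requires a literal `.giphy.com` suffix rather than a plain substring match.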
#3
Thank you for your response.

That's the first thing I tried and it didn't work...it partially loads the website, but no gifs.

#4
I have the same on OPNsense 23.1.9

Maybe I am doing it wrongly?

#5
Many thanks, this helps. However, may I invite knowledgeable people to chip in? I am hoping that we could create a howto for my described use case. The further we lower the bar for people to have a safe environment, the better.
#6
Hmmm...not sure, but I think this is not what I mean.

I would like to establish an OpenVPN connection first and then use my squid/proxy to improve performance and also to filter unwanted sites. I am using the OpenVPN server on port 443. Squid is only listening on port 80 (no SSL certificate).

Can I provide further information? What would you need?
#7
No, and I start to think that it is not possible as it would break the secure connection...  :-/
#8
Anyone? I tried it with Port Forwarding with no effect.
#9
Just for the record, I solved the problem by NOT using "keepalive". Now I have a stable connection.
#10
Hi guys,

Might be a simple question for you, but I can't quite figure this out. I have a working squid for my LAN, but now I would also like to make use of it when connected through an OpenVPN connection. How can I achieve this?

Many thanks,
Minime
#11
Hi,

Interesting information. Would that also be true for SSL? The reason I'm asking is that this would more or less affect everything, as more and more websites are delivered with SSL end-to-end encryption....

I think I'm going to ignore this potential requirement of getting an import license, defeats a bit the whole purpose of privacy if you announce in a not-so-safe country that you want to keep your privacy, right?
#12
Just donated €100, thanks for this project and the great support we are getting!
#13
Hi,

Soon I will relocate to a not-so-safe country. I already have an OPNsense box up and running at the moment, incl. OpenVPN. However, at the moment it is not that important whether I made a configuration mistake or not, but soon I have at least the perceived feeling that it is critical to get it right. Hence I am asking the experts on this forum for guidance, advice and tips. Any help is much appreciated!

Scenario: Living in a not so safe country and getting a secured connection into a safe country
Goal: Routing ALL internet traffic securely from Country B through Country A, while making sure the OPNsense boxes themselves are secured as well

Country A (safe)

  • Modem (1gbit symmetric)
  • Dedicated OPNsense box
  • NAS connected to the OPNsense box

Country B (not so safe)

  • Modem (1gbit symmetric)
  • Dedicated OPNsense box
  • Wireless Router connected to a Switch that is connected to the OPNsense box

Line of thinking

  • Creating a site-2-site OpenVPN connection on the two OPNsense boxes
  • Attaching the Wireless Router to Switch that is connected to the OPNsense box in Country B
  • Mobile devices directly connect to the OPNsense box in Country A

Questions

  • Without an OpenVPN connection I can saturate my 1gbit line (achieving ~950mbit); with an OpenVPN connection I achieve ~350mbit on my current OPNsense box (i5-6200u). Is that to be expected? What system would allow me to saturate the line with an OpenVPN connection? Any experience?
  • Inline Intrusion Prevention System is currently deactivated, as the performance impact is already quite high without an OpenVPN connection (down to 500-700mbit depending on the activated options). From a security point of view, do you recommend having this feature activated? If yes, in combination with my previous question, what system would allow me to saturate my line, and do you have experience with this?
  • As the configuration options in OPNsense exceed my full understanding and I can't make a mistake here, is there any configuration guidance/recipe for a scenario like mine? No frills, just having a secured connection and secured OPNsense boxes (like login/management, certificates/keys, making sure the system can't get manipulated => read-only system, etc.)?

Many thanks for your support!
#14
Not stable with:

Remote Access (SSL/TLS + User Auth)
Local Database
tun UDP 443
TLS authentication with static key
Local CA
DH 4096
AES-256-CBC
SHA512
Intel RDRAND engine - RAND
cert depth one (client+server)
Strict User/CN Matching deactivated
Redirect Gateway activated
Concurrent connections empty
Compression: No Preference (if I deactivate it I can't get a connection established)
Inter-Client communication activated
Duplicate Connections activated
IPv6 is disabled
Dynamic IP activated
Address Pool activated
Topology activated
DNS Default Domain deactivated
DNS Servers defined
Force DNS cache update activated
NTP Servers deactivated
NetBIOS Options deactivated
Client Management Port deactivated
Use common name deactivated
Advanced Configuration: keepalive 150 450
Verbosity level 1
Renegotiate time empty


Client:
OpenVPN for Android 0.6.63 (Arne Schwabe)
#15
Interesting, I was just heading to this forum as I'm at a loss as to what else I could do to get a properly working OpenVPN connection.

I am using an i5-6200U, which is usually not at its limit at all (it can saturate 350mbps over OpenVPN), but I can't get my system to keep the connection up. I have to reconnect to get it working again (it often seems that I am still connected, but in fact it has lost the connection already), which is not a deal breaker, but I wonder why I can't get it to work properly.

I tried a lot of "keepalive" variations and followed a lot of different advice you can find with Google, now I am wondering, am I the only one or not. It seems I am not...

Who gets a stable connection working and with what settings?