OpenVPN

OpenVPN client IPs see each other

sgw — Wed, 10 Jun 2026 12:27:42 GMT

@MalagaFirewall8 said in OpenVPN client IPs see each other: I would solve this on the OpenVPN firewall rules, not with the CSO "local network" field. That field only decides what routes get pushed/installed; it is not an ACL. It would be a great feature if an ACL would be created out of these CSO-configs. Very helpful: I'd have every client plus its target-VM-IP in one place. For production I would make it explicit: pass rules first for each client tunnel IP/alias to only its allowed VM and port(s), for example 172.31.0.16 -> 172.31.110.60 TCP/3389 plus ICMP if you need it. Then add a reject/block rule below for source 172.31.0.0/23 to destination 172.31.0.0/23 and to the local server subnets you do not want reachable. The rule order matters, so test with one client before copying it to the rest. I will test this out with a test user asap. Thanks. I have to come up with a rather compact ruleset, as I have to create rules for all the already existing clients.

2.6.20 Upgrade Issues with OpenVPN & pfBlockerNG

SuperTechie — Mon, 01 Jun 2026 16:01:31 GMT

Troubleshooting & Workarounds so far: Main Workaround: Turn off pfBlocker. Suricata on/off made no difference. pfBlocker IP blocks on but DNSBL off worked. pfBlocker IP blocks on and DNSBL with malware & other filters on but porn filter off works, but connections are slower to establish. Note the porn filter is the single biggest filter list. Of course testing the different DNSBL options takes a lot of time as after each change pfBlocker must be reloaded, which with a lot of lists can take 30 min to an hour each time. I'll do more testing as time allows, but hopefully this may help someone else. What is odd to me is that it only affects the Tun VPN's as Tap VPN's are so much more complicated. If anyone has any other ideas they would like me to test/try let me know!

OpenVPN client certificate issue

7up — Mon, 25 May 2026 14:12:55 GMT

issue resolved. please ignore

OpenVPN Log

Unoptanio — Sun, 24 May 2026 16:48:58 GMT

@Gertjan ok thanks

OpenVPN - make Client Specific Overrides persistent after reboot

Gertjan — Wed, 20 May 2026 12:34:42 GMT

@eegclbugs said in OpenVPN - make Client Specific Overrides persistent after reboot: with a script and not with the GUI for each user individually. You're already close to the answer ^^ If you found this : [image: 1779291236149-99d2d10a-8edf-4b54-9294-543f6218e683-image.png] you actually use this : [image: 1779291275273-b52bf3f7-9b15-456a-b197-75f3670153cd-image.png] That file can be found here : /usr/local/www/vpn_openvpn_csc.php Read that file (it's a script, world's most known : php) The bottom part is what your browser shows you. The top part is where the user's input (the pfSense admin), is validated, stored in the "one and unique pfSense config file" and you also find where the scs file are created etc. So ... if your script can use this script as a source, model (etc) you'll have the best of both worlds : Your script adds/edit/whateber the scs file. The - your - info is stored into the "one and unique pfSense config file" so when pfSense restarts, everything is setup according to its "one and unique pfSense config file" info. And you can still use the GUI to look/edit/delete things. Btw : this is a 'how I would do it solution'. Commanding pfSense from the command line without doing it the 'pfSense' way is generally a bad idea.

ifconfig option in OpenVPN server config for Peer to Peer necessary?

slu — Mon, 18 May 2026 10:55:02 GMT

@Gertjan said in ifconfig option in OpenVPN server config for Peer to Peer necessary?: Then restart the openvpn server (client) and see what happens. That's one idea I had, but since the traffic is routed to the remote side via IP 10.0.0.2 this will break my connection. It's a router to router connection, but this must also possible with the "Remote Access" mode? So whats the exactly benefit of the peer to peer Mode?

OpenVPN CVE-2026-40215 | will CE 2.8.1 also received the update to 2.6.20?

slu — Mon, 11 May 2026 20:54:52 GMT

It's now fixed in Plus and CE: https://forum.netgate.com/post/1242673

openvpn-client-export remove persist-key from regular export (deprecated)

jimp — Thu, 07 May 2026 13:43:16 GMT

It's only ignored, not a fatal error, so it's not critical to remove yet. They do not have a timeline for its removal, so there's no hurry to change it at the moment. We usually drop options to "legacy" when they cause a failure or otherwise have a negative impact. Leaving them in place as they are now increases the compatibility of the generated configuration files with a wider range of OpenVPN client versions.

OpenVPN issue when unautorized login attempt

Gertjan — Mon, 04 May 2026 09:08:37 GMT

@Autourdupc said in OpenVPN issue when unautorized login attempt: One side, external : LAN2 with NAS2 -> Freebox (router) -> WAN Other side, office : LAN1 with NAS1 -> pfsense (router) -> Freebox (router) -> WAN Purpose : NAS1 sends backup to NAS2 Replace 'Freebox' with 'Livebox' and you have exactly my same setup. I backup my work Synology diskstation to my home Syno diskstation, using Hyper Backup on one side (work) and the counterpart 'The Vault' at the home side. Since I have fiber at home and at work, this has became a usable option. Renting 10 Tera somewhere was way more expensive. Previous upload speeds (VDSL) made this nearly impossible anyway. I used OpenVPN in the beginning ... but then I started to think : the communication channel is 'ssh' and the distance isn't that far. SSH means : traffic is TLS encrypted. The data copied are already encrypted Macrium Reflect backup files. Do I really need an encrypted VPN channel over an encrypted channel with data already encrypted ? Btw : the data is company related (a hotel) and we don't store private client info, maybe just their name, and their bills and so on. Since I stopped using VPN, my backups always terminate every night, and it takes some 60 minute s or so to transfer something like 250 Gbytes. I do use OpenVPN for remote admin access. Just UDP. Never had any issues with that. The only 'VPN' "errors" I see are these : [image: 1778046306704-e46a8a08-5bbd-4e60-8c34-9876e6a2fd1e-image.png] and these are, imho, just packets from scanners trying. The OpenVPN isn't restarted.

Renegotiation Time with MFA

SanDwest — Sat, 02 May 2026 03:42:37 GMT

We recently deployed Entra ID MFA with our OpenVPN setup. It’s working well overall, but we’ve run into one issue.

We currently have reneg-sec set to 36000 on both the server and client. However, we’re finding that clients that remain connected for the full duration are only staying connected for about 9 hours, rather than the expected 10 hours.

Aside from increasing the renegotiation time to compensate, has anyone seen these settings fail to honor the full timeout value?

Configure pfSense with Microsoft MFA for VPN

rperez79 — Mon, 20 Apr 2026 09:12:28 GMT

Is it possible to configure Entra ID users from a Microsoft tenant for validation with Microsoft Authenticator MFA for VPN access validation? Would it be possible to integrate this validation through SAML? Is an intermediate server or any specific CPU hardware requirement needed for this purpose?

We have been searching for information but haven't found exactly what I'm referring to.

If it's not possible through SAML, would it be feasible to set up this MFA Authenticator for 2FA using an intermediate RADIUS server?

Thank you in advance for your help.

pfSense OpenVPN multiple servers crash

slonpro — Thu, 16 Apr 2026 20:10:05 GMT

I am running pfSense with multiple OpenVPN servers configured (several instances on different interfaces).

Total number of connected users is around ~200.

Authentication is done via:

RADIUS (FreeRADIUS)
2FA (OTP / push-based)

When the main WAN link briefly goes down (even for a few seconds), all VPN clients disconnect.
After the link is restored, all clients attempt to reconnect simultaneously (reconnect storm).
At that moment pfSense becomes unstable and starts behaving incorrectly:
OpenVPN clients fail to reconnect properly
OpenVPN see "Unable to contact daemon
Service not running?"

What is the correct way to handle mass OpenVPN reconnect storms on pfSense?

OpenVPN Crash after update

PJHaan — Thu, 16 Apr 2026 11:58:04 GMT

@Gertjan Are there by any chance any other logs I can check?

OPEN VPN MULTISITE ON HIRING PFSENSE CLOUD

netblues — Fri, 10 Apr 2026 07:23:37 GMT

@Manhbkas270495 Read the documentation https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/index.html And read about iroute. This is what you need

OpenVPN clients sometimes receive a DHCP address instead of the address assigned by FreeRADIUS

itnl — Wed, 08 Apr 2026 07:35:39 GMT

After the adjustment, it has been working well for some time now, and the issue appears to be resolved.

OpenVPN Gateway Issues

kevin bradt — Sun, 29 Mar 2026 19:50:02 GMT

i have the exact same problem as you do and pfsense has set it to dynamic and grayed out the option to change it to static and netgate support wont help at all

VPN access for specific user only

osnaabay — Tue, 24 Mar 2026 11:36:34 GMT

@Gertjan Ah haha Noted. And thank you so much for the help.

OpenVPN Connectivity Issue from Public Network | Pfsense VM

stephenw10 — Mon, 16 Mar 2026 13:16:07 GMT

And it still fails the same way? Check the states in pfSense when you're trying to connect. Do you see the incoming state on WAN? If you don't see a state do you see blocked traffic in the firewall log?

ExpressVPN CA Certificate Expiration

weavers — Sat, 14 Mar 2026 09:44:45 GMT

@Gertjan Previously, swapping locations would sometimes still get TLS errors, but that was due to not separating the CA authorities, like you did in your photo. Thanks for capturing that. Now, as of 11 April at least one .ovpn file (chosen at random) downloaded without the second CA. Fortunately, by offering just the CA 3 that matches your photo, it all works again. The authority now expires in 2124, and certificate 2066 as you documented. With that, reviewed all settings, and that finally resolved the TLS errors/cert expirations/or connection failures. ExpressVPN / pfSense immediately connect. Everything is looking great. ***While at it, another major company has Certs expiring this summer too (related to secure UEFI keys for booting). So, ensure auto update / latest updates are on for systems/devices before the expiration this summer. Auto update seems to be the preferred route.

Cannot connect to LAN servers apart from the pfSense LAN Interface IP address

the other — Mon, 09 Mar 2026 09:01:37 GMT

okay, thought it might be just a typo... Is your openVPN server running on pfsense itself? What are your rules for the openVPN Interface? Your openVPN tunnel IP range is 10.8.0.0/24 (?)), so your vpn client gets some out of there... As @Gertjan said: make sure your openVPN inteface has the rules needed to ping and reach your LAN (192.168.4.0/24)... Also as @johnpoz said...do you have your vms and servers and other stuff behind another firewall? VMs i.E with proxmox server and there firewall active? NAS running with its own firewall active? Then go there and allow either your VPN tunnel net or (better imho) give your VPN client a static IP (iE 10.8.0.2/24) and allow just that one...(and others, if needed). :)

Disconnect inactive clients after 2 hours

KOM — Thu, 05 Mar 2026 16:31:22 GMT

@shaunmccloud You've tried the inactive switch on their client .ovpn configs?

OpenVPN server error | MULTI: new incoming connection would exceed maximum number of clients (1)

vegard — Thu, 05 Mar 2026 12:54:57 GMT

I have issues with my setup regarding a OpenVPN server running on my pfSense instance. I have one client connected to it, which is a Synology NAS. For some reason the NAS tries to reconnect, but the server seems to see the NAS as a new client and not a reconnect of existing client. Any ideas on what the issue could be? The config have worked for several weeks and suddenly this became a problem, nothing have been changed in the config or update of any software in this period.

Sorry in advance for any missing information in helping me solve this, I will try to provide whatever is needed.

Log:
MULTI: new incoming connection would exceed maximum number of clients (1)

Differentiating between OpenVPN servers with RADIUS auth

frozenmsp — Thu, 26 Feb 2026 12:18:35 GMT

@Gertjan My assumption is #3686 was not implemented as outlined, and that functionality was implemented as "nas-port" - which unfortunately isn't recognized by Windows Server NPS as far as I can see.

Rewrite OpenVPN client subnet

sgw — Fri, 20 Feb 2026 13:22:39 GMT

Hm, that doesn't work fully ... now that I try to deploy that. Do I need a second rule to also rewrite the reply packets? I 1:1 even the correct method here? Shouldn't I do Outbound NAT maybe? I had assumed to be able to access IPs in the LAN of the ovpn-client via their mapped counterpart: LAN-IP: 192.168.0.12 accessable from the OpenVPN-server side via 172.16.1.12 AND: I assume I would have to edit "Remote IPv4 networks" for that CSO to 172.16.1.0/24. In a packet capture on the client I see (ping-test) ICMP packages, but they don't get back through the tunnel somehow. I try to ping 172.16.1.12 from the ovpn-server pfSense.

OpenVPN peer-to-peer DNS question

jhg — Wed, 18 Feb 2026 17:07:22 GMT

I have configured a peer-to-peer OpenVPN connection between two pfSense instances.

The issue is that I don't get DNS resolution at the client for server-side LAN DNS (which is hosted on the pfSense server) unless I configure a specific "Domain Override" on the client under Services/DNS Resolver/General Settings

Client-side Domain Override

On the server I have configured a Client Specific Override:

And on the client I have set "Pull DNS"

I expected that those two settings would eliminate the need for a Domain Override in the client's DNS resolver configuration. Without this Domain Override, the client resolver never attempts to send DNS queries to the server.

Did I misunderstand this? Is a Domain Override always necessary?