• 10 Votes
    24 Posts
    35k Views
    V
    What is up with OpenVPN on 2.8.1 CE?
    Symptom: Remote access does not work as previously after upgrading the client from: OpenVPN-2.5.10-I601-amd64 (This is the latest stable version that works pretty well.)
    Server:
    Mode: Remote Access ( SSL/TLS + User Auth )
    Data Ciphers: AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305, AES-256-CBC
    Digest: SHA256
    D-H Params: 2048 bits
    Client:
    Mode: Peer to Peer ( SSL/TLS )
    Data Ciphers: AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305, AES-256-CBC
    Digest: SHA256
    At the client export the latest version is: OpenVPN-2.6.17-I001-amd64
    Everything has the same settings as previously and connects smoothly, but SMB does not work, first of all. I do not think every setting should have to be rebuilt because of a new client version. I have read that Data Channel Offload is working on the Plus version.
  • Scaling OpenVPN (and VPNs in general)

    Pinned
    12
    5 Votes
    12 Posts
    20k Views
    M
    I have discovered that the OpenVPN implementation in pfSense is slow even without ciphering data; look at my post: link text
  • OpenVPN Documentation

    Pinned Locked
    1
    0 Votes
    1 Posts
    39k Views
    No one has replied
  • 0 Votes
    8 Posts
    47 Views
    the other
    Okay, thought it might be just a typo... Is your OpenVPN server running on pfSense itself? What are your rules for the OpenVPN interface? Your OpenVPN tunnel IP range is 10.8.0.0/24 (?), so your VPN client gets some out of there... As @Gertjan said: make sure your OpenVPN interface has the rules needed to ping and reach your LAN (192.168.4.0/24)... Also, as @johnpoz said... do you have your VMs and servers and other stuff behind another firewall? VMs, e.g. with a Proxmox server and their firewall active? NAS running with its own firewall active? Then go there and allow either your VPN tunnel net or (better imho) give your VPN client a static IP (e.g. 10.8.0.2/24) and allow just that one... (and others, if needed). :)
  • Differentiating between OpenVPN servers with RADIUS auth

    5
    0 Votes
    5 Posts
    85 Views
    F
    @Gertjan My assumption is #3686 was not implemented as outlined, and that functionality was implemented as "nas-port" - which unfortunately isn't recognized by Windows Server NPS as far as I can see.
  • Disconnect inactive clients after 2 hours

    2
    0 Votes
    2 Posts
    34 Views
    KOM
    @shaunmccloud You've tried the inactive switch on their client .ovpn configs?
  • 0 Votes
    1 Posts
    18 Views
    No one has replied
  • Rewrite OpenVPN client subnet

    5
    0 Votes
    5 Posts
    92 Views
    S
    Hm, that doesn't work fully ... now that I try to deploy that. Do I need a second rule to also rewrite the reply packets? Is 1:1 even the correct method here? Shouldn't I do Outbound NAT maybe? I had assumed to be able to access IPs in the LAN of the ovpn-client via their mapped counterpart: LAN-IP: 192.168.0.12 accessible from the OpenVPN-server side via 172.16.1.12 AND: I assume I would have to edit "Remote IPv4 networks" for that CSO to 172.16.1.0/24. In a packet capture on the client I see (ping-test) ICMP packages, but they don't get back through the tunnel somehow. I try to ping 172.16.1.12 from the ovpn-server pfSense.
  • OpenVPN server feature proposal

    3
    0 Votes
    3 Posts
    116 Views
    I
    @Gertjan done. Thanks. Hope there will be improvement in 2FA on OpenVPN.
  • Server keeps disconnecting clients every 5 minutes

    keepalive inactive
    6
    0 Votes
    6 Posts
    121 Views
    Gertjan
    @NickJH said in Server keeps disconnecting clients every 5 minutes: "DCO mode" Nice catch. DCO mode makes "Inactivity Timeout" go away. That explains the difference. That said, I'm not sure at all that this setting (which I don't have) is your issue. Set it to some huge value, and you'll be sure it won't interrupt your connection.
  • OpenVPN peer-to-peer DNS question

    1
    3
    0 Votes
    1 Posts
    25 Views
    No one has replied
  • OpenVPN peer-to-peer: server side DNS resolution stopped working

    1
    0 Votes
    1 Posts
    25 Views
    No one has replied
  • Adding a cipher on linux

    2
    0 Votes
    2 Posts
    69 Views
    patient0
    @Fugazi1978 Is the OpenVPN server running on pfSense? If yes, what version of pfSense are you using? If no, then a Linux or Linux Mint forum is the right place to ask that question.
  • IPv6 tunnel track not seeing PD?

    10
    0 Votes
    10 Posts
    285 Views
    M
    I took a closer look at the code and the feature only supports WAN interfaces configured as 6rd Tunnel. I did see that the prefix ID calculation doesn't work on the OpenVPN Server settings page. I've pushed a fix for that and updated the GUI text to clarify the 6rd support. A redmine issue has been created here: https://redmine.pfsense.org/issues/16706
  • Can OpenVPN send "Calling-Station-ID" attribute to RADIUS as client IP?

    3
    0 Votes
    3 Posts
    389 Views
    M
    @bitscrubber someone posted a patch to fix this at https://redmine.pfsense.org/issues/8087#note-9.
  • Grant a User Permission to ONLY Start/Stop (OpenVPN) service

    1
    0 Votes
    1 Posts
    39 Views
    No one has replied
  • Client - Server Disconnection

    2
    0 Votes
    2 Posts
    95 Views
    JKnott
    @affanghazali You're still using GSM? That's ancient 2G tech from 30 years ago. We're up to 5G now.
  • 0 Votes
    3 Posts
    128 Views
    S
    @patient0 Thank you so much for pointing me in the right direction. Created a tag and blocked the traffic based on the tag.
  • DCO unable to connect (unsolvable)

    13
    0 Votes
    13 Posts
    3k Views
    yon 0
    2026-02-01 01:28:40 PUSH: Received control message: 'PUSH_REPLY,cipher AES-256-GCM,tun-mtu 1500'
    2026-02-01 01:28:40 OPTIONS IMPORT: Server did not request DATA_V2 packet format required for data channel offload
    2026-02-01 01:28:40 OPTIONS ERROR: pushed options are incompatible with data channel offload. Use --disable-dco to connect to this server
    2026-02-01 01:28:40 ERROR: Failed to apply push options
    2026-02-01 01:28:40 Failed to open tun/tap interface
    2026-02-01 01:28:40 SIGUSR1[soft,process-push-msg-failed] received, process restarting
    2026-02-01 01:28:40 Restart pause, 128 second(s)
  • 0 Votes
    6 Posts
    1k Views
    M
    Actually got it all working, thanks guys!
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.