• Lost VPN connection between a couple of our sites

    2
    0 Votes
    2 Posts
    139 Views

    So additionally I've disabled the OpenVPN and recreated the tunnel using IPSec and it's still having the same issue..

  • Multiple NordVPN profiles problems

    5
    0 Votes
    5 Posts
    749 Views

    @The-Party-of-Hell-No - thanks for your input
    This is what I have :
    [image]
    Servers are set up but the problem is that both servers 'PUSH' the same ifconfig and route-gateway numbers, so they clash when both are on simultaneously.
    I can filter and redefine them to be on separate subnets but I don't get web as the server for each one is still on 10.100.0.1 and not on the subnets (10.1.10.1 and 10.1.11.1)

    Have you split your multiple simultaneous profile connections over separate subnets?

    I think I'm missing either a key openvpn client command I'm not aware of to redirect the gateway to be a specified ip, or another different way of doing this completely.
    Again - thanks for any advice or pointers you can give!

  • 0 Votes
    1 Posts
    117 Views
    No one has replied
  • 2.7.2 unable to create TAP without tunnel address

    2
    1 Votes
    2 Posts
    257 Views

    Interestingly, the OpenVPN Client end is quite happy to have no tunnel specified.

    So, as an experiment I commented out the line of code that was producing the error (line 612 in /usr/local/www/vpn_openvpn_server.php) and then configured the OpenVPN Server with no tunnel address.

    Everything appears to work perfectly. I have an OpenVPN tap mode tunnel, connect it to a bridge and it works as expected.

    So how am I supposed to do this without messing with the code?

    Tim

  • OpenVPN CA expiring, impacts of renewing it?

    5
    0 Votes
    5 Posts
    410 Views

    @jimp said in OpenVPN CA expiring, impacts of renewing it?:

    If the CA is not yet expired, then renewing the CA and reusing the serial number will allow existing clients to work until the CA expires, while new clients you roll out can also connect to the same server.

    Okay so I think I understand.

    1> Renew CA with same serial #, certs will be recognized by existing clients but only until original CA expiration date.
    2> Roll out new configs with new CA cert and those will work now until the new CA expiration.

    I really appreciate the help

    Thanks
    -S

  • Using 2.7.2 with OpenVPN/PIA

    2
    0 Votes
    2 Posts
    363 Views

    @Shack Take a look similar, protonvpn or mullvadvpn have updated guides to set up openvpn or wireguard. All the same)))

  • Open ports through OPEN VPN

    16
    0 Votes
    16 Posts
    1k Views

    @viragomann That actually sounds like a proper idea. not happy with this vpn service at all..

    thanks for your help, I think I'll go that route this has not got me very far, just have to find a good VPS and go with that

    thanks

  • Hostnames not working with OpenVPN & Pi-Hole

    5
    0 Votes
    5 Posts
    257 Views

    @johnpoz It definitely shouldn't. I never configured it to. It looks like I can select any option in "Potentially Dangerous" without it no longer working. But once I select "Allow only local requests" I can no longer reach the internet. Just my local resources.

  • Site-to-Site OpenVPN not routing

    5
    0 Votes
    5 Posts
    1k Views

    @viragomann
    A) Sorry for not providing enough information.
    B) Your last suggestion made me make a few changes to confirm whether or not the CSOs were being applied and I stumbled upon the fact I had a REMOTE network defined in both the CSO as well as the remote end's VPN Client config.
    Removing the client config and leaving only the CSO remote network (ironically, exactly how the docs say to do it!) and changed tunnel net back to a /24 and everything is working.

    Thank you for the assist.

  • Adding another Factor to OpenVPN

    4
    0 Votes
    4 Posts
    245 Views
    johnpoz

    @Gamienator-0 yes the openvpn client can handle password on cert.

    As to the cert being saved - you could put it on thumbdrive if you wanted. But the device be it a phone or a laptop or a tablet is the thing they have.. with the cert on it. Which again they most likely need to auth to access this saved cert, etc.

    If this is work laptop the drive is most likely encrypted, if lost. And if you put a password on the cert, not only would they have to break the encryption of the drive, but also know or break the encryption for the password on the cert.

    So have to have the laptop, have to auth to the device's OS. Which could also need 2nd factor different than the vpn. Have to then know the password to the cert, then have to know the username+password to auth to the vpn. Also need the OTP. Which you could have to auth to the OTP application as well.. I use authy for my otp, which can be set to have to auth to even run. Not sure about google and MS apps if they can also be set to have to auth to even run, etc. And this most likely be on a different device if a work laptop for example which will also have to auth to use.

    Is that enough factors for you? ;)

    Device (laptop)
    Device password
    Possible Device 2FA
    VPN Cert
    Cert Password
    VPN username+password
    OTP Device (phone)
    OTP device password
    OTP software password

    Pretty sure that should be enough.. Now they are ready to launch the nukes ;)

    Even if you roll up the laptop to 1 device since it has the cert on it, you need to auth to it to access the cert, and you have to have this device so that is 2FA right there. So cert password is 3FA, then username and password is 4FA, then the OTP device even without password on app you're at 6FA..

    You could add restrictions on what IPs they can come from, either ASN, or isp or region of the world so now you're at 7FA. With a password on the OTP app you're at 8FA.

  • Pfsense for openvpn server only

    2
    0 Votes
    2 Posts
    168 Views

    @pinguimdocerrado said in Pfsense for openvpn server only:

    Note: pfsense is not the gateway for my network.

    So you either have to configure the routing accordingly or do masquerading on pfSense.
    Did you do any of these?

    The latter is the simplest way if the only goal is to access the server site's devices for maintenance.

  • Can it be used to change regions?

    15
    0 Votes
    15 Posts
    1k Views
    johnpoz

    @eiger3970-0 said in Can it be used to change regions?:

    free Opera browser VPN is enough

    Then use that..

  • I want to force the client to use its own internet gateway.

    4
    0 Votes
    4 Posts
    281 Views

    @selcuk_ks Do you mean force general internet traffic out the client's local gateway, and only all VPN for services you host?
    If so, this is standard split tunnel, so un-select the "Force all traffic through tunnel" option

    [image]

  • Issues with OpenVPN and ncp-disable

    1
    0 Votes
    1 Posts
    312 Views
    No one has replied
  • pfsense openvpn setup in azure cloud

    6
    0 Votes
    6 Posts
    430 Views

    @sourish
    So you have to recheck your WAN NSG configuration in Azure.

    Can you even reach pfSense with a different protocol, e.g. ping? Ensure to allow it in the NSG and on pfSense.

  • Data Encryption Algorithms

    2
    0 Votes
    2 Posts
    172 Views

    @Antibiotic Given DCO and IIMB both AES and ChaCha will be accelerated. AES will still be slightly faster, just because it's a faster algorithm.

  • Update to 24.03 - OpenVPN traffic from clients fails

    1
    0 Votes
    1 Posts
    101 Views
    No one has replied
  • Trying to understand net30 topology in the tunnel network specification

    3
    0 Votes
    3 Posts
    500 Views

    @Gertjan: Thanks very much for pointing that out! As you can see from my latest topic in this forum, I changed the tunnel network to a /24 address.

  • What’s wrong with this peer to peer routing table?

    1
    0 Votes
    1 Posts
    100 Views
    No one has replied
  • 0 Votes
    5 Posts
    264 Views

    @Gertjan
    right. certs are not "old", they are obsolete. sha1

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.