Although SSL certificate was valid I still was unable to connect using ldapsearch client or openvpn. May be CA certificate is expired on LetsEncrypt end or it is because of free cert. Not sure. But again in pfsense under user management -> ldap configuration were not issues after certificate was renewed on ldap server.

Anyway

Was able to solve the issue by adding.
TLS_REQCERT allow

to

/usr/local/etc/openldap/ldap.conf

Now openvpn connects fine as well as ldap cmd client

Well it's working now.
It had been assigning .3 to the second client (the client had .3)
But the server's route table was showing it's subnet routed to .2
Not sure why.
And not sure how it got fixed.

The ipsec internal routing is a bit confusing as well.
I'm not used to that yet.
Seems like it has it's own routes and not what you see out at the routing table.
Are there tools to much better see what's going on with it.
To make matters even more fun in packet capture you can choose the ipsec "interface".
But capture does not work when you click start. (1.7dev)
Anyhow I have a working single server instance and two site-site remote clients.
I have a lot more to learn.. and not a super pro yet here :)

Ok, so apparently it just wanted me to create this topic in order to start working. 😉

I had previously come across this link: https://forums.openvpn.net/viewtopic.php?t=33561 where the person had to go to http(s)://pfsense.router.ip.address/status_filter_reload.php to get things working again. Well I had tried that at the very beginning, but not again since reconfiguring the server settings on the one upgraded to pfSense 2.6.0. After writing the opening for the thread, I went back over my steps, and figured it couldn't hurt to run the filter reload again, even though I had been applying changes to the firewall filters during troubleshooting. As soon as I reloaded the filter, I began receiving pings from a LAN address on the internal network through OpenVPN that was a separate address from the pfSense box. The only other thing I additionally did was to add outbound NAT rules, specifically for my OpenVPN ranges to LAN, although automatic created the same rule plus more. I suspect this was the answer as typically you need some sort of a NAT to route through a firewall. However, there wasn't one setup in the previous config (pfSense 2.4.5-RELEASE-p1), so... 🤷 Hopefully writing up this response will help someone (possibly even myself in the future) if they experience the same problem.

@richie1985

Easy : and I'll excuse upfront for the answer : set an alarm on whenever is "during night" and then do whatever you need to do.
There is no such thing as "pre set" a setting, and have it taken in account at a pre determined (date) time.

A openvpn server restart will disconnect all the connected users, I get it.

If you 'really' need this possibility, there is only one solution :
As the GUI handles everything that is 'settings' and 'functionality start' and 'functionality start' the good old "script it yourself" will work just fine ( open source means also IMHO : do what you want with your copy 😊 ).
The good news or the bad news - whatever applies to you : it's just PHP.

If not : go here - or here.

NetSetMan let you change fast the IP of your PC to swap fast over into another subnet or network. Perhaps it will be supporting one or more of the other given tips and hints related to that problem.

I have now tried stopping both OpenVPN tunnels and restarted them one after another and they are now both up again. Not sure what the issue is but at least I now have a way to get the link up.
I will see if the die again in a couple of hours...

@michmoor said in Remove OpenVPN access admin:

@jimp Curious is there a way to use certs if you have an internal PKI? It would be more scalable using that then the firewall itself to manage all my users and certs.

Sure, you just import the CA cert (not the key) and the server cert on the firewall, then pick those in OpenVPN. The other certs never need to touch the firewall, they only need to validate against the chosen CA.

@hope-it-works said in Having problems connecting two OpenVPN-Servers:

That's what I had configured before. There I couldn't use the same subnet for both VPN servers.

That's correct. But is there any reason for needing both to be within the same layer 2?
For accessing services that's not a requirement at all.

I should mention that we currently don't have a LAN Interface. Is a LAN interface required for this setup?

You only need access to the pfSense GUI to configure it. If you have open the WAN for this purpose, you don't need a LAN interface.

Dear @jimp
Thank you very much for your suggestion,
the problem was resolved by just removing the tunnel network!

07e6c93d-99c8-473a-abea-932b70ace8bb-image.png

@dlogan
Basically OpenVPN is designed to connect multiple clients to a server. But this is only possible if the mask is larger than /30. Consequently that gateway is not unique and you need another method to tell pfSense the correct gateway to route traffic to.
You can enable routing in such setup a adding client specific overrides for each client on the server, where you define the remote networks.

However, if you don't want to create CSO (which makes no sense in your case as you have a separate server for each client), you can set the tunnel to /30, so the gateway is unique.

But I can't tell you, why this is not an issue with a pre-shared key setup.

@tjrjcj You can do what I (and others) do and have your VPN connection be dedicated to a single network and then change which network you use... on my iMac I can do that one of two ways: Service Order in the Mac or switch port at my desk. But it depends on your employer's VPN on if this is possible.

@rcoleman-netgate That makes sense if I were hitting the 10 year mark but it'll be awhile until that happens. My concern is from upgrading pfSense. My first 2.6.0 upgrade that had OpenVPN fell apart so I've been holding back until now when I can devote a large amount of time to both the upgrades and supporting the influx of calls. Now that I've upgraded a second unit and it didn't have the issues I'm trying to determine what to expect on the next 30 or so upgrades. Until now I thought that the upgrade necessitated a change in OpenVPN that would cause issues with remote users until a new cert was put in place but it appears not.

@michmoor Cool, thanks for clarifying that 👍

@gertjan
I agree, I have the same rules.
I'll try to return the default settings and configure a different vpn server for each interface. thank you for your help.

If you changed nothing then perhaps the ISP changed something to allow IPv6 to work.

The 'correct' settings here are very much dependent on what your ISP provides.

Steve

Finally had a chance to look at this again after many days... I noticed my webConfigurator certificate was about to expire, even though I was pretty certain I had renewed everything. After renewing, I couldn't reach the server at all from my phone/client. Restarted the OpenVPN service on my Netgate, then phone/client connected but went back to "Authentication Error".

In a fit of desperation, I tried resetting my user password once more and everything started working again. Even after I changed it back to something secure, it has continued working.

Therefore, I guess I screwed up resetting my password before...Very embarrassing lol

@steveits

/facepalm - Again, I am new to this and I see what I needed to do! I installed the patches package and applied all, did the reboot, and bingo! Back in business! Thank you so much!