1. Home
  2. pfSense® Software
  3. OpenVPN
Log in to post
Load new posts
  • jimpJ

    HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection

    Pinned
    23
    10 Votes
    23 Posts
    25k Views
    GertjanG
    @Bambos said in HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection: for the remote access VPN, if is SSL/TLS + User auth, does this working with freeradius as well ? I'm using FreeRadius myself for the captive portal. Never tried to do this ... You probably want also see this one also : FreeRadius on pfSense software for Two Factor Authentication although I presume that article was written for those who wanted to "why do things the easy way if much harder is so much better ?" @Bambos said in HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection: i have many 2.6 versions clients to upgrade Keep in mind that 2.6.0 uses the "old" (now completly ditched because of security) OpenVPN (and now also old OpenSSL !!) libaries. The recent pfSense uses the more modern OpenVPN and OpenSSL. All this means that some options won't work anymore. Some more options will work, but will be depreciated soon (as usual). I Use OpenVPN myself, so I always have a look at the "source" : web pages like this and the classic openvpn support forum. The OpenVPN client also changed to support the newer OpenVPN server. And yes, I agree, syncing the entire openvpn user fleet can be a hassle.
  • jimpJ

    Scaling OpenVPN (and VPNs in general)

    Pinned
    12
    6 Votes
    12 Posts
    14k Views
    M
    I have discovered that OpenVPN implementation in PFsense is slow even without ciphering data, look at my post: link text
  • C

    OpenVPN Documentation

    Pinned Locked
    1
    0 Votes
    1 Posts
    36k Views
    No one has replied
  • I

    I need BF-CBC

    4
    0 Votes
    4 Posts
    107 Views
    GertjanG
    @ipguy said in I need BF-CBC: https://forums.openvpn.net/viewtopic.php?t=35809#p111709 These openvpn options : providers legacy default data-ciphers-fallback BF-CBC compat-mode 2.3.18 check if they still exist in the version used by pfSense. First : check the Openvpn version used by pfSense. Then, with that version number, look them up in the openvpn user manual. If it's the case, then use them here : [image: 1754303064757-c6da93cf-9502-4171-b791-b119919f5e6f-image.png] for example, I use the option status /var/log/openvpn.status; status-version 1; for my own needs. When yous aved tehse option, check how OpenVPN sarts up (the logs) and see if it doesn't scream with errors. Also check the openvpn config file (the one created with the GUI parameters) for consistency. You can find the file here : /var/etc/openvpn/server1/ and look for the file "config.ovpn". It's an ordinary text file. Don't (bother) edit(ing) this file as it is auto generated by the GUI.
  • A

    I'm just missing a bit, can you help?

    3
    0 Votes
    3 Posts
    76 Views
    A
    Thanks but I'mafraid to say I've had a conversation with chatgpt about it and it didn't take long to find the solution, firstly as you suggested I binded to any interface, then created a dedicated firewall rule in the LAN interface. Then got Connection Attempt write UDPv4: No route to host (fd=6,code=65) in OpenVPN logs Which again chatgpt advised creating a default gateway route back to the UDM in System/Routing Hope this helps someone else in the future.
  • A

    Streaming through VPN and randomly stops

    1
    0 Votes
    1 Posts
    34 Views
    No one has replied
  • J

    Client connects - get route add error and unable to route to internal network

    2
    0 Votes
    2 Posts
    46 Views
    J
    I made a mistake in my config, for the local network in the VPN config I enter 192.168.0.1/24 and should have been 192.168.0.0/24
  • S

    OVPN & Google search results showing wrong location

    1
    0 Votes
    1 Posts
    81 Views
    No one has replied
  • M

    VPN Site to Site + OpenVPN

    5
    0 Votes
    5 Posts
    99 Views
    M
    @chpalmer Segue Rotas da Matriz [image: 1753697447474-rota_eft_matriz.png] Obrigado pela ajuda.
  • L

    How to NAT a WAN port to a SIteToSite Lan Address

    2
    0 Votes
    2 Posts
    59 Views
    V
    @labu73 The sentence in bold letters is still the essential message to get this work.
  • mav3rickM

    OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances

    12
    0 Votes
    12 Posts
    461 Views
    M
    @mav3rick said in OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances: So setting openvpn to bind only to the CARP VIP works fine for me Multi-WAN with HA there? If so, it would be a better idea to run openVPN server on localhost instead. This would allow it to receive connections from all WANs. No need to select a VIP, just forward packets from the WANs VIPs to localhost. You can use DNS, thus the client would connect to the WAN that is UP. Or You can use two remote entries in the .ovpn, with timeout lets say, 2 seconds. Then, just create the NAT rule to access the firewall-2, using the SYNC address as previously mentioned.
  • S

    route everything through openvpn connection: issues with interface active

    11
    0 Votes
    11 Posts
    231 Views
    S
    @viragomann I lost oversight. The customer edited stuff on his own ... and wrote he succeeded by adding fw rules and policy-based-routing. Sounds like overkill a bit, but ok if he's happy. I have to accept that this box is out of my control somehow now ;-) thanks for your help. I might report back if I get access again and see things.
  • P

    SG-1100 as VPN client only (no dhcp) adding to existing network

    6
    0 Votes
    6 Posts
    147 Views
    V
    @phthatcher said in SG-1100 as VPN client only (no dhcp) adding to existing network: just assure that when the server reaches out to the web it is behind the vpn So all you need is to configure pfSense as default gateway on the server. The pfSense only needs a single interface (LAN, router-on-a-stick), connected to your LAN. On the VPN interface you have to add an outbound NAT rule, as mentioned in the ExpressVPN tutorial.
  • M

    site to site no ping server to client

    1
    0 Votes
    1 Posts
    41 Views
    No one has replied
  • M

    error connection openvpn site to site

    12
    0 Votes
    12 Posts
    263 Views
    M
    @viragomann banally ho quest problem, per riassumere If you download your pc from the lan dove and install the pfsense with opnvpn site to site client, pingo i server windows o i pc della lan pfsense server, invece dalla parte server non pingo nessun pc, nemmeno il pfsense client. Invece dal ping di pfsense pinggo calmly. What can you control that the server does not function?
  • JeGrJ

    OpenVPN Config Export (and other) permission won't show VPN menu

    2
    0 Votes
    2 Posts
    145 Views
    H
    Hi Jens, I would suggest the following: Set the ‘WebCfg – OpenVPN: Client Export Utility’ permission as the user's first permission (i.e. so that it appears at the top of the list). This will allow the user to access the Client Export Utility via the pfSense logo, as the first permission effectively sets the ‘homepage’. Best regards, Hagen
  • T

    OpenVPN generates error "Private Key Password"

    7
    0 Votes
    7 Posts
    428 Views
    N
    Just in case anyone else is losing hair over this for me with pfsense + 24.11 OpenSUSE 15.6 (I'm sure other distros are similar) and OpenVPN client 2.6.8 though NetworkManager. No edit of /etc/ss/openssl.conf was needed No hacking of OpenVPN conf files was needed. No exporting user certs from System-Certificates was needed. In VPN-OpenVPN Client Export Microsoft Certificate Storate - Untick (We are using Linux) Password Protect Certificate - Tick Certificate Password - Add something meaningful. Download from Bundled Configuration - Archive (Inline did not work) Extract somewhere sensible In NetworkManager: Client on "+" Add New Connection in bottom left Scroll down to bottom Import VPN Connection & choose the .ovpn from the extracted archive zip. Optional but sensible: fill in the certificate password Change to save password for user only (not system-wide) Make sure you fill in the username (required) and password (optional) or client login fails Change to save password for user only (not system-wide) Really could have used this in the pfsense documentation!
  • N

    best way to access home network from anywhere ?

    9
    0 Votes
    9 Posts
    370 Views
    N
    @johnpoz ...good point on the lease time, I would have not thought of that, and wondered why things were not working... Cheers!!
  • JonathanLeeJ

    NAS use have you tried push "route ????

    open vpn vpn nas nas on ap smart phone
    1
    0 Votes
    1 Posts
    70 Views
    No one has replied
  • F

    Intermittent packet loss - pfsense 2.8

    2
    0 Votes
    2 Posts
    103 Views
    F
    Well Comcast was the fault - WAN_DCHP gateway ping automatically set to ip address but no response gateway down - only it wasn’t and the straight to isp was working Reset to 8.8.8.8 VPN vlan came back
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.