@Gil said in Removing a CA key: That does appear to be a bit of a bug. I'll manually edit the xml. Thanks. Fix: https://redmine.pfsense.org/issues/10509

Point taken. As I said, I can always include that within the CN for each P2P router.

Ahhh I see....meant if you really care about security I suggest you not to install any custom/unofficial pfSense packages via the commandline. Only use the official repository. -Rico

I want to solve my own issue. After hours and hours of testing things out, the problem was rather simple. I just had to go to the OpenVPN Server settings -> Tunnel Settings -> IPv4 Local network(s) and just add my WAN network to the list. I guess that's why it never showed up in the logs. Because it wasn't ever blocked by the firewall. The VPN-users just never had any access to it I still can't login via my LAN-net IP. Not sure why that doesn't work, still. but it works via HAproxy. So maybe it's an http/https issue

OK, so there is no way. Thanks again!

Interestingly, when I went to upgrade the openvpn-client-export, the upgrade hung on, "Please wait while the update system initializes." I gave it some time and then clicked back to Installed Packages tab and it looked like it installed. As a test, I removed the openvpn-client-export and the same hang occurred, "Please wait while the update system initializes." I gave it some time and then clicked back to the Installed Packages tab and it looks like it was removed. I then went to the Available Packages tab and installed the openvpn-client-export and the Package Installer tab showed the installation process all the way to "Success." Odd...I remember when an upgrade or removal showed the process, not just the install.

@viragomann Got it working. Thank you!

I "solved" the problem as follows: The operating system on my remote computer is Windows10 and my installed version of the TAP Windows adaptor is 9.25. In desperation, I also installed an older verson 9.21 which I found on the Internet. Suddenly the 9.25 adaptor started working and I have had no problems ever since. I can disable the 9.25 version, and the 9.21 version works. I can disable the 9.21 version and the 9.25 version works. Obviously I don't understand this but my VPN is working now and I can successfully communicate with the office from my remote computer. I am not an operating system or networking expert and I don't understand all of the fine details of a VPN. But my simple VPN is working and I am happy. Thanks to everybody who tried to help me.

Glad you have it working now. -Rico

I would go a road like that Write information useded in that email into a text file Send this file via cron to another machine Doin the reporting stuff there Sounds like a nice project

Many thanks to all who provided assistance. Here is the finished script for anyone who may want to use/adapt it. If anyone wants to review/ provide suggestions or sees that I've done anything that could cause issues, please feel free to do so. #!/bin/sh # # restartvpn: Restart the OpenVPN client if it is down. The restart is supressed # if the WAN is down. # # -f / -F : Force: Force reset even if VPN is not down # -q / -Q : Quiet: Supress printed output # WAN_ID='WAN_DHCP' # WAN Gateway ID String VPN_IDs='XXXXX_VPNV4' # VPN Gateway ID Strings (Separate with a space) VPN_GWs='1' # VPN Client ID of gateway GW_DOWN='down' # Gateway down status string # -q / -Q : Quiet: Supress printed output silent=$(echo $@- | awk '{print (/-[qQ]/ ? 1 : 0)}') # -f / -F : Force: Force reset even if VPN is not down force=$(echo $@ | awk '{print (/-[fF]/ ? 1 : 0)}') restartvpn(){ # # Restart VPN client $VPN_GW # WD=$([ "$WAN_STAT" = "$GW_DOWN" ] && echo "WAN DOWN:" || echo "") FC=$([ $force -eq 1 ] && echo "FORCED:" || echo "") msg=$(echo $(date +%y/%m/%d-%H:%M:%S-)${ID}-${WD}${FC}$(/usr/local/sbin/pfSsh.php playback svc restart openvpn client $VPN_GW)) [ $silent -eq 0 ] && echo $msg logger "***** ${msg}" } gwstat=$(pfSsh.php playback gatewaystatus) WAN_STAT=$(echo "$gwstat" | awk '/'$WAN_ID'/{print $NF}') PUBLIC_IP=$(echo "$gwstat" | awk '/'$WAN_ID'/{print $3}') if [ $silent -eq 0 ];then echo -e "$(basename $0) - Public IP: $PUBLIC_IP - $(date)\n\n$gwstat\n" fi if [ "$WAN_STAT" = "$GW_DOWN" -a $force -eq 0 ];then msg=$(echo "$(date +%y/%m/%d-%H:%M:%S-)WAN is down-VPN restart not attempted.") [ $silent -eq 0 ] && echo $msg logger "***** ${msg}" return 1 fi gw=1 for ID in $VPN_IDs;do VPN_STAT=$(echo "$gwstat" | awk '/'$ID'/{print $NF}') VPN_GW=$(echo $VPN_GWs|cut -w -f $gw) if [ -n "$VPN_STAT" ];then [ $silent -eq 0 ] && echo VPN Gateway: $ID - $([ "$VPN_STAT" = "$GW_DOWN" ] && echo "DOWN" || echo "UP") if [ "$VPN_STAT" = "$GW_DOWN" -o $force -eq 1 ];then restartvpn return 1 fi else [ $silent -eq 0 ] && echo No active gateway $ID fi gw=gw+1 done

That NAT must be done on the client side, as others have stated, but since you are using OpenVPN there is a chance you can pull it off. I have not tried this but OpenVPN also has built-in NAT: --client-nat snat|dnat network netmask alias This pushable client option sets up a stateless one-to-one NAT rule on packet addresses (not ports), and is useful in cases where routes or ifconfig settings pushed to the client would create an IP numbering conflict. network/netmask (for example 192.168.0.0/255.255.0.0) defines the local view of a resource from the client perspective, while alias/netmask (for example 10.64.0.0/255.255.0.0) defines the remote view from the server perspective. Use snat (source NAT) for resources owned by the client and dnat (destination NAT) for remote resources. So you could try this in the client config: client-nat dnat 10.100.0.0/255.255.255.0 192.168.0.0/255.255.255.0 That could be pushed in a client-specific override as well.

@JKnott The pfsense is used as only a VPN box, it is not used as a gateway by any other equipment. I think i should have mentioned this in the beginning. The pfsense only has an interface on that subnet with an IP. Like i mentioned, right now what i set up is working. But this does not get to the question i was asking, which is if i can change the server virtual ip address which the openvpn raises on the interface, disregarding on what i am trying to implement or not.

Hi, I had this working but changed the OpenVPN Settings recently to not route all traffic through the vpn and it has stopped working. Once I resolve the VPN Issue I will confirm the full configuration to help others out. Regards,