@cotton "Great success"...if you know what i mean.

@Bridger yeah if you put pfsense behind the isp "router" then no need for pppoe - mystery solved.

If you use SHA1 in clients. Temporary add "tls-cert-profile insecure" in "Advanced Configuration -> Custom options" on your Server.

@br8bruno Gateways seem to get created for both openvpn server and client instances. Whilst I believe it is not absolutely necessary, that is how it is done in pfsense and you are then able to policy route (select a non-default gateway) in your firewall rules. EDIT: You can turn off the gateway creation in the openvpn server|client config.

@Draco By any chance you upgraded the pfsense (and or openvpn package) recently ? I got 'similar issue' that left me baffled till this day see here , maybe it is similar with what you experiencing.

@Stefano-Coccia I created an networks alias: [image: 1730326497463-cf232d43-b3ac-44d1-86f5-f2d45c837db7-grafik.png] Then I use this in the firewall rules to allow internet access: [image: 1730326609280-b9b952ec-707f-4674-9296-b40cfedb19b0-grafik.png] The alias includes all RFC 1918 (private) network ranges. Note that in the rule "invert. match" is checked. So the pass rule is only applied to traffic with other destinations then the alias. To allow access to internal services like DNS, you need to add additional rules then. E.g. [image: 1730326826680-74728306-3bf6-47bf-9450-6bb6b783013d-grafik.png]

@davek79 I’d try to kill all states and let Pfsense rebuild the state table. I believe a restart would do the same thing. If that doesn’t resolve it then you’re going to have to start posting info. Your OpenVPN rules and OpenVPN settings.

The same thing happens to me too. With the previous version of PFSENSE it did not happen, and now with version 2.7.2 when I click on client export it takes a long time to load. It must be some error on the part of the package or the 2.7.2 update. Yes, it is true that I have many certificates created, but before it did not happen and now it does. Can Netgate fix this?

@Gertjan Yeah it been rock solid on 2.6.0, I think it has a year plus uptime before it finally gave away (the disk). I did see the post you linked, but I can't see how it apply to my config. I have not used shared keys, compression for my setup in 2.6.0 The same config 'migrated' to 2.7.2 as you can see the config in above post. Is the config version 22.2 (from 2.6.0) incompatible with version 23.3? When installing 2.7.2, it gladly accept it via config.xml. I did read a post that 2.6.0 was forgiving for 'bad config', but I can't pin point what was wrong in 2.6.0 that 2.7.2 is now enforcing and create the problem. I guess I'm now experiencing it, sometime works sometime it doesn't. This baffled me Anyone can help point out what could be the reasons for this inconsistent behavior ? Thanks in advance

@netgate_user_2024 FYI There seems to be no way to accomplish this. At least according to this thread from 2019. Not sure if there was ever a feature request submitted for it or not: https://forums.openvpn.net/viewtopic.php?t=27876

@SteveStone Not me. I have several OpenVPN servers on multiple PfSense boxes, and the logs are correct on all of them.

@dlogan I had a similar problem. I set the force logoff after x amount of time of no activity. Here is a pretty good post on the matter. https://serverfault.com/questions/748890/openvpn-force-maximum-session-length Another option is to set a variable in the Config files on each workstation - sorry there is no Server setting for this one. I set my users as follows. reneg-sec 21600 This equates to every 6 hours

@ariban99 You need a separate route line for each remote subnet. Also you need a client file for each client, which you want to access a network behind.

Up

A Reboot is needed, yes you need a maintenance Window.

@Snailkhan Sure. Just grab the .msi installer and deploy it with GPO, or like I do with a Powershell script that calls msiexec /qn $StartTime = Get-Date ############################################################################################# ## Variables ############################################################################################# $PackageName = "OpenVPN Connect" [version]$CurrentVersion = "3.5.0" $InstallerFileName = "openvpn-connect-3.5.0.3818_signed.msi" $MSIPackage = "$PSScriptRoot\$InstallerFileName" $LogDir = "C:\Admin\Logs" $MyDate = Get-Date -Format "MM-dd-yyyy_HHmm" $LogName = $PackageName + "_Install_" + $MyDate + ".txt" $UpdateLogName = $PackageName + "_Update_" + $MyDate + ".txt" $Log = "$LogDir\$LogName" ############################################################################################# ## Function to get software version - just pass it the package name found in registry ############################################################################################# function Get-InstalledSoftwareVersion { Param ( [Parameter(Position=0, Mandatory=$true)] [string]$PackageName ) $InstalledSoftware = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object {$_.DisplayName -ne $null} | Select-Object DisplayName,Displayversion | Sort-Object -Property DisplayName [version]$PackageInstalledVersion = ($InstalledSoftware | Where-Object {$_.DisplayName -eq "$PackageName"}).DisplayVersion return $PackageInstalledVersion } ############################################################################################# ## Function to install MSI base package ############################################################################################# function Install-MSIPackage { $MSIArguments = @( "/i `"$MSIPackage`"" "/qn" "/L*V `"$Log`"" ) Write-Host "Starting msiexec installation." Write-Host "Start-Process msiexec -ArgumentList $MSIArguments -Wait" Start-Process msiexec -ArgumentList $MSIArguments -Wait } ############################################################################################# ## Main ############################################################################################# #Check if agent is installed and current Write-Host "Checking if $PackageName is installed." [version]$PackageInstalledVersion = Get-InstalledSoftwareVersion -PackageName $PackageName if ($PackageInstalledVersion -eq $null){ Write-Host "$PackageName not found. Running installer." -ForeGroundColor Yellow Install-MSIPackage } elseif ($PackageInstalledVersion -lt $CurrentVersion) { Write-Host "$PackageName $PackageInstalledVersion found but is out of date. Current version is $CurrentVersion" Write-Host "Running installer." Install-MSIPackage } else { Write-Host "Package is up to date, checked against version:$CurrentVersion" -ForegroundColor Green } $EndTime = Get-Date $RunTime = $EndTime - $StartTime Write-Host "Script run time:" $RunTime | Select Hours,Minutes,Seconds,Milliseconds

@johnpoz This is the way