• 2.7.2 unable to create TAP without tunnel address

    1 Votes
    2 Posts
    284 Views
    Interestingly, the OpenVPN Client end is quite happy to have no tunnel specified. So, as an experiment I commented out the line of code that was producing the error (line 612 in /usr/local/www/vpn_openvpn_server.php) and then configured the OpenVPN Server with no tunnel address. Everything appears to work perfectly. I have an OpenVPN tap mode tunnel, connect it to a bridge and it works as expected. So how am I supposed to do this without messing with the code?
    Tim
  • OpenVPN CA expiring, impacts of renewing it?

    0 Votes
    5 Posts
    474 Views
    @jimp said in OpenVPN CA expiring, impacts of renewing it?:
    "If the CA is not yet expired, then renewing the CA and reusing the serial number will allow existing clients to work until the CA expires, while new clients you roll out can also connect to the same server."
    Okay, so I think I understand.
    1. Renew the CA with the same serial #; certs will be recognized by existing clients, but only until the original CA expiration date.
    2. Roll out new configs with the new CA cert, and those will work now until the new CA expiration.
    I really appreciate the help. Thanks, -S
  • Using 2.7.2 with OpenVPN/PIA

    0 Votes
    2 Posts
    392 Views
    @Shack Take a look at similar ones; protonvpn or mullvadvpn have updated guides to set up OpenVPN or WireGuard. All the same)))
  • Open ports through OPEN VPN

    0 Votes
    16 Posts
    2k Views
    @viragomann That actually sounds like a proper idea. Not happy with this VPN service at all. Thanks for your help; I think I'll go that route. This has not got me very far, so I just have to find a good VPS and go with that. Thanks.
  • Hostnames not working with OpenVPN & Pi-Hole

    0 Votes
    5 Posts
    290 Views
    @johnpoz It definitely shouldn't. I never configured it to. It looks like I can select any option in "Potentially Dangerous" without it breaking. But once I select "Allow only local requests" I can no longer reach the internet, just my local resources.
  • Site-to-Site OpenVPN not routing

    0 Votes
    5 Posts
    2k Views
    @viragomann A) Sorry for not providing enough information. B) Your last suggestion made me make a few changes to confirm whether or not the CSOs were being applied, and I stumbled upon the fact that I had a REMOTE network defined in both the CSO as well as the remote end's VPN Client config. I removed it from the client config, left only the CSO remote network (ironically, exactly how the docs say to do it!), changed the tunnel net back to a /24, and everything is working. Thank you for the assist.
  • Adding another Factor to OpenVPN

    0 Votes
    4 Posts
    262 Views
    johnpoz
    @Gamienator-0 Yes, the OpenVPN client can handle a password on the cert. As to the cert being saved - you could put it on a thumbdrive if you wanted. But the device, be it a phone or a laptop or a tablet, is the thing they have, with the cert on it. Which again they most likely need to auth to in order to access this saved cert, etc. If this is a work laptop the drive is most likely encrypted, if lost. And if you put a password on the cert, not only would they have to break the encryption of the drive, but also know or break the encryption for the password on the cert.
    So they have to have the laptop, and have to auth to the device's OS, which could also need a 2nd factor different than the VPN. They then have to know the password to the cert, then have to know the username+password to auth to the VPN. They also need the OTP, and you could have to auth to the OTP application as well. I use Authy for my OTP, which can be set to require auth to even run. Not sure about the Google and MS apps, if they can also be set to require auth to even run, etc. And this would most likely be on a different device if it's a work laptop, for example, which will also require auth to use.
    Is that enough factors for you? ;)
    Device (laptop)
    Device password
    Possible device 2FA
    VPN cert
    Cert password
    VPN username+password
    OTP device (phone)
    OTP device password
    OTP software password
    Pretty sure that should be enough.. Now they are ready to launch the nukes ;)
    Even if you roll up the laptop to 1 device since it has the cert on it, you need to auth to it to access the cert, and you have to have this device, so that is 2FA right there. So the cert password is 3FA, then username and password is 4FA, then with the OTP device, even without a password on the app, you're at 6FA. You could add restrictions on what IPs they can come from, either ASN, or ISP, or region of the world, so now you're at 7FA. With a password on the OTP app you're at 8FA.
  • Pfsense for openvpn server only

    0 Votes
    2 Posts
    177 Views
    @pinguimdocerrado said in Pfsense for openvpn server only:
    "Note: pfsense is not the gateway for my network."
    So you either have to configure the routing accordingly or do masquerading on pfSense. Did you do either of these? The latter is the simplest way if the only goal is to access the server site's devices for maintenance.
  • Can it be used to change regions?

    0 Votes
    15 Posts
    1k Views
    johnpoz
    @eiger3970-0 said in Can it be used to change regions?:
    "free Opera browser VPN is enough"
    Then use that..
  • I want to force the client to use its own internet gateway.

    0 Votes
    4 Posts
    311 Views
    @selcuk_ks Do you mean force general internet traffic out the client's local gateway, and only allow VPN for services you host? If so, this is a standard split tunnel, so un-select the "Force all traffic through tunnel" option.
  • Issues with OpenVPN and ncp-disable

    0 Votes
    1 Posts
    323 Views
    No one has replied
  • pfsense openvpn setup in azure cloud

    0 Votes
    6 Posts
    454 Views
    @sourish So you have to recheck your WAN NSG configuration in Azure. Can you even reach pfSense with a different protocol, e.g. ping? Make sure to allow it in the NSG and on pfSense.
  • Data Encryption Algorithms

    0 Votes
    2 Posts
    182 Views
    @Antibiotic Given DCO and IIMB, both AES and ChaCha will be accelerated. AES will still be slightly faster, just because it's a faster algorithm.
  • Update to 24.03 - OpenVPN traffic from clients fails

    0 Votes
    1 Posts
    108 Views
    No one has replied
  • Trying to understand net30 topology in the tunnel network specification

    0 Votes
    3 Posts
    576 Views
    @Gertjan: Thanks very much for pointing that out! As you can see from my latest topic in this forum, I changed the tunnel network to a /24 address.
  • What’s wrong with this peer to peer routing table?

    0 Votes
    1 Posts
    108 Views
    No one has replied
  • 0 Votes
    5 Posts
    276 Views
    @Gertjan Right. Certs are not "old", they are obsolete. SHA1.
  • Is this a problem: “Bad encapsulated packet length from peer…”?

    0 Votes
    1 Posts
    273 Views
    No one has replied
  • Peer to peer intermittent: Still not getting site-to-site right

    0 Votes
    1 Posts
    86 Views
    No one has replied
  • OpenVPN with Netgate connected directly to Starlink dish.

    0 Votes
    5 Posts
    523 Views
    johnpoz
    @DominikHoffmann said in OpenVPN with Netgate connected directly to Starlink dish.:
    "The only way to get around that would be to subscribe to a static IP address. How much does Starlink charge for that?"
    I don't think it's even an option at any price. But you can get a dynamic public IP: https://support.starlink.com/topic?category=10&category=46
    How do I set my IP address to Public? The ability to update the IP policy to a Public IP is only available with a Priority or Mobile Priority service plan:
    1. Login to your account www.starlink.com/account
    2. Select "Manage" in the Your Starlinks section
    3. Select the "pencil" icon next to "IP Policy"
    4. Select "Public IP" from the drop down menu
    5. Save
    6. Reboot your Starlink
    But you would need a priority plan.. They are supposed to be rolling out IPv6 - if you have that, you could use it for an unsolicited inbound connection for your VPN. Or there are other ways to work around the CGNAT issue, by creating the outbound connection. Something like tailscale or wireguard could work. https://www.starlink.com/service-plans/all
    Wonder if public inbound data is metered.. That can get pretty expensive. Not exactly sure how those priority tiers work.. But $20 more a month isn't horrible for a public IP. But 250 a month for 1TB seems a bit high!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.