@richie1985 Easy : and I'll excuse upfront for the answer : set an alarm on whenever is "during night" and then do whatever you need to do. There is no such thing as "pre set" a setting, and have it taken in account at a pre determined (date) time. A openvpn server restart will disconnect all the connected users, I get it. If you 'really' need this possibility, there is only one solution : As the GUI handles everything that is 'settings' and 'functionality start' and 'functionality start' the good old "script it yourself" will work just fine ( open source means also IMHO : do what you want with your copy ). The good news or the bad news - whatever applies to you : it's just PHP. If not : go here - or here.

NetSetMan let you change fast the IP of your PC to swap fast over into another subnet or network. Perhaps it will be supporting one or more of the other given tips and hints related to that problem.

I have now tried stopping both OpenVPN tunnels and restarted them one after another and they are now both up again. Not sure what the issue is but at least I now have a way to get the link up. I will see if the die again in a couple of hours...

@michmoor said in Remove OpenVPN access admin: @jimp Curious is there a way to use certs if you have an internal PKI? It would be more scalable using that then the firewall itself to manage all my users and certs. Sure, you just import the CA cert (not the key) and the server cert on the firewall, then pick those in OpenVPN. The other certs never need to touch the firewall, they only need to validate against the chosen CA.

@hope-it-works said in Having problems connecting two OpenVPN-Servers: That's what I had configured before. There I couldn't use the same subnet for both VPN servers. That's correct. But is there any reason for needing both to be within the same layer 2? For accessing services that's not a requirement at all. I should mention that we currently don't have a LAN Interface. Is a LAN interface required for this setup? You only need access to the pfSense GUI to configure it. If you have open the WAN for this purpose, you don't need a LAN interface.

Dear @jimp Thank you very much for your suggestion, the problem was resolved by just removing the tunnel network! [image: 1682069814913-07e6c93d-99c8-473a-abea-932b70ace8bb-image.png]

@dlogan Basically OpenVPN is designed to connect multiple clients to a server. But this is only possible if the mask is larger than /30. Consequently that gateway is not unique and you need another method to tell pfSense the correct gateway to route traffic to. You can enable routing in such setup a adding client specific overrides for each client on the server, where you define the remote networks. However, if you don't want to create CSO (which makes no sense in your case as you have a separate server for each client), you can set the tunnel to /30, so the gateway is unique. But I can't tell you, why this is not an issue with a pre-shared key setup.

@tjrjcj You can do what I (and others) do and have your VPN connection be dedicated to a single network and then change which network you use... on my iMac I can do that one of two ways: Service Order in the Mac or switch port at my desk. But it depends on your employer's VPN on if this is possible.

@rcoleman-netgate That makes sense if I were hitting the 10 year mark but it'll be awhile until that happens. My concern is from upgrading pfSense. My first 2.6.0 upgrade that had OpenVPN fell apart so I've been holding back until now when I can devote a large amount of time to both the upgrades and supporting the influx of calls. Now that I've upgraded a second unit and it didn't have the issues I'm trying to determine what to expect on the next 30 or so upgrades. Until now I thought that the upgrade necessitated a change in OpenVPN that would cause issues with remote users until a new cert was put in place but it appears not.

@michmoor Cool, thanks for clarifying that

@gertjan I agree, I have the same rules. I'll try to return the default settings and configure a different vpn server for each interface. thank you for your help.

If you changed nothing then perhaps the ISP changed something to allow IPv6 to work. The 'correct' settings here are very much dependent on what your ISP provides. Steve

Finally had a chance to look at this again after many days... I noticed my webConfigurator certificate was about to expire, even though I was pretty certain I had renewed everything. After renewing, I couldn't reach the server at all from my phone/client. Restarted the OpenVPN service on my Netgate, then phone/client connected but went back to "Authentication Error". In a fit of desperation, I tried resetting my user password once more and everything started working again. Even after I changed it back to something secure, it has continued working. Therefore, I guess I screwed up resetting my password before...Very embarrassing lol

@steveits /facepalm - Again, I am new to this and I see what I needed to do! I installed the patches package and applied all, did the reboot, and bingo! Back in business! Thank you so much!

I just upgraded to pfSense + (free version, this is for home use) and the local DNS started working.

@chiefsfan The remote side needs to have PIM enabled as well. You could have it point to your switch or maybe firewall as the RP (up to you). The main thing is that if the firewall is the RP, then all network points need to know who the RP is. That means your switch, firewalls, remote switches.

@viragomann Thank you, that is the response we were looking for. We will put the OpenVPN segment on a new vlan, it's a /24 subnet with lots of devices, so impractical to do a static route for them all. What you are saying makes complete sense. Thank you!

@travis-fleming No, pfSense also nat outbound traffic on WAN if there is a gateway stated in the interface settings. So go to Interface > LAN and check if there is a gateway stated in the IP configuration. If so and there is no reason to have it, remove it and pfSense will not nat outgoing traffic.