Netgate Discussion Forum

    Iroute and multiple OpenVPN servers

    seidler2547

      Hi,

      we're migrating to a new OpenVPN server instance on the same host because our certificates expire soon (10 years already, wow). I set up a second OpenVPN server with new certificates, everything looks good connection-wise.

      We are doing star topology routing with remote offices connecting to the central hub. The remote pfSenses have their client-specific overrides containing "iroute mysubnet" statements so that the IPs in these offices are reachable from everywhere.

      However, when a client connects to the new OpenVPN server instance, the routing is not adjusted, so netstat -nr on the central pfSense still shows those subnets routed through the old server (which doesn't work because the client is not connected to this one anymore). I changed the route manually on the SSH shell and things work, but I don't know what will happen when I restart the OpenVPN server instance.

      Is the routing not updated when a client connects? When is it updated?

      I found someone with a similar problem (I think) but there doesn't seem to be a solution: https://forum.pfsense.org/index.php?topic=62728.

      Stefan

      viragomann

        @seidler2547:

        we're migrating to a new OpenVPN server instance on the same host because our certificates expire soon (10 years already, wow). I set up a second OpenVPN server with new certificates, everything looks good connection-wise.

        Why haven't you issued new certificates from the old CA?

        @seidler2547:

        However, when a client connects to the new OpenVPN server instance, the routing is not adjusted, so netstat -nr on the central pfSense still shows those subnets routed through the old server (which doesn't work because the client is not connected to this one anymore). I changed the route manually on the SSH shell and things work, but I don't know what will happen when I restart the OpenVPN server instance.

        Have you assigned a particular interface to each OpenVPN server?

        trekkiebr

          Hi,
          I would try disabling the old instance and restarting the service to see what happens. Maybe there is a conflict because you are using the same subnet in both instances? I think it was not supposed to happen, but…

          jimp (Rebel Alliance Developer, Netgate)

            The OS routes in the routing table are not from iroutes, they are from the "remote network" definition or "route" statements in the OpenVPN server.

            If you want to move a site-to-site client from one VPN to another you have to change the override to the other server (if it was set to use just the old server anyhow) and you have to change the route/remote networks on the old and new server.

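As an added illustration of the distinction jimp draws (this is not code from the thread, from pfSense or from OpenVPN): a small POSIX shell check that reads the iroute lines of a server's client-specific override and compares each subnet against a netstat -nr style routing table, reporting subnets whose kernel route is missing or still points at another server's interface. The interface names ovpns1/ovpns2, the override text and the routing table below are constructed sample data.

```shell
#!/bin/sh
# Constructed routing table in FreeBSD "netstat -nr" layout: 10.20.0.0/24 is
# still routed via the old server interface ovpns1, 10.40.0.0/24 has no route.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
10.8.0.0/24        10.8.0.2           UGS       ovpns2
10.20.0.0/24       10.8.0.2           UGS       ovpns1
10.30.0.0/24       10.8.0.2           UGS       ovpns2'

# Constructed client-specific override (ccd) contents for the new server.
SAMPLE_CCD='iroute 10.20.0.0 255.255.255.0
iroute 10.30.0.0 255.255.255.0
iroute 10.40.0.0 255.255.255.0'

# mask_to_prefix: dotted netmask -> prefix length (255.255.255.0 -> 24)
mask_to_prefix() {
  echo "$1" | awk -F. '{ n = 0
    for (i = 1; i <= 4; i++) { o = $i; while (o > 0) { n += o % 2; o = int(o / 2) } }
    print n }'
}

# check_iroutes ROUTES CCD NETIF
# Prints one line per iroute subnet:
#   "<subnet> ok"            kernel route exists and points at NETIF
#   "<subnet> missing"       no kernel route at all (no "route"/Remote network entry)
#   "<subnet> wrong:<iface>" kernel route points at another interface (old server)
check_iroutes() {
  routes=$1; ccd=$2; netif=$3
  echo "$ccd" | awk '$1 == "iroute" { print $2, $3 }' | while read -r net mask; do
    subnet="$net/$(mask_to_prefix "$mask")"
    # Locate the Netif column from the header line, then look up the subnet.
    actual=$(echo "$routes" | awk -v s="$subnet" '
      $1 == "Destination" { for (i = 1; i <= NF; i++) if ($i == "Netif") c = i; next }
      c && $1 == s { print $c; exit }')
    if [ -z "$actual" ]; then echo "$subnet missing"
    elif [ "$actual" = "$netif" ]; then echo "$subnet ok"
    else echo "$subnet wrong:$actual"; fi
  done
}

check_iroutes "$SAMPLE_ROUTES" "$SAMPLE_CCD" ovpns2
```

On a live pfSense you would feed it the output of `netstat -nr` and the override file of the server in question; every line not reporting "ok" is a subnet that needs a matching "Remote network"/route entry on the new server (and removal from the old one).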
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.