Best method to update pfSense OpenVPN Clients

mtstollen · Nov 18, 2020, 8:37 PM

With the release of Openvpn-client-export v2.5.0 and pfSense-pkg-openvpn-client-export v1.5_2 packages, do we need to use the OpenVPNClient Export Utility and recreate each users' account or is there a simple upgrade file we can send to all remote users?

Gertjan · Nov 19, 2020, 7:38 AM

@mtstollen said in Best method to update pfSense OpenVPN Clients:

pfSense-pkg-openvpn-client-export v1.5_2 packages

1.5_4 now ...

It is possible to set up a VPN server side and a client side without using the client-export utility.
With some thinking you could find the correct settings by hand. After all, the OpenVPN server and client is very well documented.
But it would be a real pain, and it's an error prone process.

If the client binaries didn't change, you export for each user the config file(s).
Keep a copy of them, and compare the old and new version : if nothing changed, no need to bother the end user.
If the config changed, send it over with details where and how to put the file(s) in place.

jimp · Nov 19, 2020, 6:17 PM

You could just send the new OpenVPN 2.5.0 community installer to them (not from the export package) and they can install that directly. The old configuration will still work, it's compatible.

The export package will happily export you a new config that uses directives preferred by OpenVPN 2.5.0, but it isn't a hard requirement as the OpenVPN client still knows and respects the old directives (for this version at least).

mtstollen · Nov 23, 2020, 4:57 PM

Very easy to update from OpenVPN Community Downloads.

Downloaded and installed Windows 64-bit MSI installer from: https://openvpn.net/community-downloads-2/
No reboot was necessary.

I have gone through the manual several times and I could not find anything about updating remote clients.
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/index.html

Also, I can't easily tell what version the client has unless I export the Status/System Logs/OpenVPN log and do a filter. I thought Status/OpenVPN would display this info.

johnpoz · Nov 23, 2020, 5:55 PM

So you want to show say this info from the log..

IV_GUI_VER=net.openvpn.connect.ios_3.2.2-3507

here

jimp · Nov 23, 2020, 6:04 PM

It can't be shown on the status because that isn't something OpenVPN puts in its status output. The status is queried directly from OpenVPN through the management interface, logs are not (and will not) be scraped to build that data.

Managing client versions isn't a typical server role, that's up to the remote client system administrator, not the firewall.

johnpoz · Nov 23, 2020, 7:07 PM

@jimp said in Best method to update pfSense OpenVPN Clients:

that's up to the remote client system administrator, not the firewall.

Could not agree more! What software, and upgrades to said software of users systems would and should be managed by that system.. If your trying to pull that info from your firewall - your doing it wrong ;)

How are you making sure their antivirus is up to date? What about their os and patches? Software xyz they use to do their jobs, etc. Same system you use to manage that would also be used to manage their vpn client software.

If your a small shop, maybe your the only IT guy - I would look how to best monitor your remote devices software and settings, and then leverage that to manage the version of vpn software on the box. Are you a MS shop? If so this is very common

https://en.wikipedia.org/wiki/Microsoft_System_Center_Configuration_Manager