Netgate Discussion Forum
    change local networks for all openvpn servers

    General pfSense Questions
    27 Posts 3 Posters 2.3k Views
    • stephenw10S Offline
      stephenw10 Netgate Administrator
      last edited by

      You have a server at each location? You connect to them individually?

      Why are you changing the local subnets? Is there a conflict?

      If each location was a client and connected to a central server you could potentially push new details to the clients. NAT to each location maybe.

      Steve

      • M Offline
        mercy_angel @stephenw10
        last edited by

        @stephenw10 said in change local networks for all openvpn servers:

        You have a server at each location? You connect to them individually?

        Why are you changing the local subnets? Is there a conflict?

        If each location was a client and connected to a central server you could potentially push new details to the clients. NAT to each location maybe.

        Steve

        I have routers at remote locations, and each location is a separate OpenVPN instance.
        So one pfSense holds those instances, and all of them are separate OpenVPN servers in pfSense.
        I have added a new subnet and want to add it to all of them so they can reach it.

        • stephenw10S Offline
          stephenw10 Netgate Administrator
          last edited by

          So pfSense is configured as a client for each of those remote servers?

          And you need the remote servers to access a new subnet at the pfSense end?

          There is no way to do that remotely; you will need to add the new subnet as a remote network on each server, if that's how they are configured.

          If they were SSL/TLS clients to pfSense as the server you could have just pushed out new values to them.

          Steve

          • M Offline
            mercy_angel @stephenw10
            last edited by

            @stephenw10
            Thanks, and just one question though.
            Is there an option to restart all OpenVPN services at once, or must I also do it in Status one by one?

            • stephenw10S Offline
              stephenw10 Netgate Administrator
              last edited by

              There is no GUI button to do that directly.
              If they're all on the same WAN you could resave that interface and it will restart all the services on it.

              So they really are clients at the pfSense end?
              If so those will restart when you make changes to the server end anyway.

              Steve

              • M Offline
                mercy_angel @stephenw10
                last edited by

                @stephenw10 said in change local networks for all openvpn servers:

                There is no GUI button to do that directly.
                If they're all on the same WAN you could resave that interface and it will restart all the services on it.

                So they really are clients at the pfSense end?
                If so those will restart when you make changes to the server end anyway.

                Steve

                I'm not looking for a GUI button; it can be from the shell as well. Yeah, they all use the same WAN IP (VRRP interface).
                [image: Screenshot_14.png]
                There are a couple of hundred more.
                And if I want to restart the OpenVPN service, what do you propose? I waited half a day for some to check whether the router would realize that it is disconnected, but it doesn't. Maybe some timer for that?

                • stephenw10S Offline
                  stephenw10 Netgate Administrator
                  last edited by

                  If the remote routers are the server end they won't do anything if the client disconnects.

                  Is pfSense the client end of the tunnels?

                  • M Offline
                    mercy_angel @stephenw10
                    last edited by

                    @stephenw10 On the router end we put a client cert, if that's your question?

                    • bingo600B Offline
                      bingo600
                      last edited by bingo600

                      EDIT: The below would only work if you are using SSL/TLS with /30 network topology

                      If the server(s) are on the "Central pfSense", and the remote shops are "Clients", you might be able to do some "scripted" changes to the servers on the central end.

                      I suppose you have added a new subnet that is available on/via the central end?
                      And want to add it as another IPv4 remote network to the central server, for the specific shop:

                      [image: 75da93ec-cb9c-491a-b92d-0e81f34c3b8e-image.png]

                      But messing with your pfSense config file, especially on the pfSense itself, could be a "heartbeat raising event".

                      If I had several hundred I might try to download the config as XML (make a working copy), and give a search/replace a go.

                      But you would need to upload it as a "new" config, and the pfSense would reboot (downtime).

                      If the change had to be done on anything but the central pfSense, I'd say manual work.

                      /Bingo

                      If you find my answer useful - Please give the post a 👍 - "thumbs up"

                      pfSense+ 23.05.1 (ZFS)

                      QOTOM-Q355G4 Quad Lan.
                      CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                      LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

                      • M Offline
                        mercy_angel @bingo600
                        last edited by

                        @bingo600 said in change local networks for all openvpn servers:

                        If the server(s) are on the "Central pfSense", and the remote shops are "Clients", you might be able to do some "scripted" changes to the servers on the central end.

                        I suppose you have added a new subnet that is available on/via the central end?
                        And want to add it as another IPv4 remote network to the central server, for the specific shop:

                        [image: 75da93ec-cb9c-491a-b92d-0e81f34c3b8e-image.png]

                        But messing with your pfSense config file, especially on the pfSense itself, could be a "heartbeat raising event".

                        If I had several hundred I might try to download the config as XML (make a working copy), and give a search/replace a go.

                        But you would need to upload it as a "new" config, and the pfSense would reboot (downtime).

                        If the change had to be done on anything but the central pfSense, I'd say manual work.

                        /Bingo

                        I want to add it into IPv4 Local network(s); the remote network is the subnet of the shop (every shop has its own subnet).

                        • stephenw10S Offline
                          stephenw10 Netgate Administrator
                          last edited by

                          Yes, if pfSense is the server end of these tunnels you might be able to push new routes IF the tunnels are SSL/TLS, which it sounds like they are if you used certs.

                          I would certainly not have used individual tunnels to each router though.

                          Steve

                          • M Offline
                            mercy_angel @stephenw10
                            last edited by

                            @stephenw10 I am not using IPsec. The router has OpenVPN with the pfSense server, from which I reach any subnet I want via routes from the switch. So the remote shop has access to the subnets via the OpenVPN instance.

                            • bingo600B Offline
                              bingo600 @mercy_angel
                              last edited by bingo600

                              @mercy_angel said in change local networks for all openvpn servers:

                              I want to add into IPv4 Local network(s), Remote network is subnet of the shop (all shop has their subnet)

                              EDIT: The below would only work if you are using SSL/TLS with /30 network topology

                              What I showed was my Central Server OpenVPN definition,
                              and the "remote networks" announced to the Client OpenVPN.

                              This would often be the same announced networks to all clients,
                              as it is the IP nets of the Central/Main site.

                              If you had to do it manually, would you have to make the change on the OpenVPN defined on the pfSense in all the shops?

                              Or would you have to make the changes on the same pfSense box, and change it in every instance of the OpenVPN servers defined for the shops?

                              All changes on the same box, or changes on all remote boxes?

                              This is the XML tag you would search for in the config file:

                              <remote_network>192.168.1.0/24, 10.1.0.0/16</remote_network>

                              But as mentioned earlier, it would only make sense if you have to change everything on the same box (config file).


                              • M Offline
                                mercy_angel @bingo600
                                last edited by

                                @bingo600 said in change local networks for all openvpn servers:

                                @mercy_angel said in change local networks for all openvpn servers:

                                I want to add into IPv4 Local network(s), Remote network is subnet of the shop (all shop has their subnet)

                                What I showed was my Central Server OpenVPN definition,
                                and the "remote networks" announced to the Client OpenVPN.

                                This would often be the same announced networks to all clients,
                                as it is the IP nets of the Central/Main site.

                                If you had to do it manually, would you have to make the change on the OpenVPN defined on the pfSense in all the shops?

                                Or would you have to make the changes on the same pfSense box, and change it in every instance of the OpenVPN servers defined for the shops?

                                All changes on the same box, or changes on all remote boxes?

                                This is the XML tag you would search for in the config file:

                                <remote_network>192.168.1.0/24, 10.1.0.0/16</remote_network>

                                But as mentioned earlier, it would only make sense if you have to change everything on the same box (config file).

                                I will enter each server in OpenVPN and add that subnet one by one.

                                • bingo600B Offline
                                  bingo600 @mercy_angel
                                  last edited by

                                  @mercy_angel said in change local networks for all openvpn servers:

                                  I will enter each server in OpenVPN and add that subnet one by one.

                                  And where would you do that?

                                  On the same pfSense box, or on each "shop box"?


                                  • stephenw10S Offline
                                    stephenw10 Netgate Administrator @mercy_angel
                                    last edited by stephenw10

                                    @mercy_angel said in change local networks for all openvpn servers:

                                    I am not using IPsec.

                                    I never suggested you were.

                                    OpenVPN can operate using pre-shared key or SSL/TLS with certificates.

                                    If you are using SSL/TLS and you have a subnet style topology (>/30) then the client will pull the routing and tunnel details from the server each time it connects. That means you can add new values at the server end without having to make changes at the remote client end.

                                    You could have all your clients connecting to a single server, or just a few servers, which would make this much easier.

                                    Steve

                                    • bingo600B Offline
                                      bingo600 @stephenw10
                                      last edited by

                                      @stephenw10 said in change local networks for all openvpn servers:

                                      If you are using SSL/TLS and you have a subnet style topology (>/30) then the client will pull the routing and tunnel details from the server each time it connects.

                                      Whoopzz
                                      I'm using SSL/TLS w. Certs & /30

                                      I thought all the setups pulled routes from the server end 🤕

                                      I could easily have led the OP on a wild goose chase.
                                      Once again. Assumptions are the ..... all FSCK'ups

                                      Sorry


                                      • stephenw10S Offline
                                        stephenw10 Netgate Administrator
                                        last edited by stephenw10

                                        Yup, I have fallen into that trap more than once! 😉

                                        The OP here looks to be using /29 though, so it should be pulling details. It might have been set up specifically to do this, since using /29 is otherwise just a waste of IP space.

                                        Makes things more complex though as you need iroutes etc.

                                        https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure.html#ipv4-ipv6-tunnel-network

                                        Steve

                                        • M Offline
                                          mercy_angel @stephenw10
                                          last edited by

                                          @stephenw10 MikroTik has some issue with a /30 mask, can't remember why.
                                          If someone knows, this is how we connect when applying the certificate:

                                          /interface ovpn-client
                                          add add-default-route=no  auth=sha1 certificate=remoteSHOP_cert.crt_0 cipher=aes128 connect-to=PFSENSE_IP disabled=no  max-mtu=1500 mode=ip name=ovpn-out1 password="" port=1671 profile=default user=any
                                          

                                          So it's a client based on MikroTik, and each remote shop has its own pfSense OVPN server and client certificate.

                                          • stephenw10S Offline
                                            stephenw10 Netgate Administrator
                                            last edited by

                                            Ok, so that is an SSL/TLS connection and you can see there is no tunnel IP or routing info at the client, it is pulled from the server each time it connects.

                                            So if you need the remote clients to be able to access a new subnet at the server end you just need to add it to the 'IPv4 Local Networks' field in the server.

                                            As long as the firewall rules at the server end allow it, they will be able to reach it the next time they reconnect. And they should reconnect automatically when you make that change, since it will restart the server.

                                            Steve

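Steve's point that only SSL/TLS servers with a subnet topology push "IPv4 Local Networks" to clients, combined with bingo600's idea of editing an exported config.xml, can be turned into a script that adds the new subnet only to the servers where the push will actually take effect and reports the rest for manual work. This is an added example, not code from the thread or from pfSense; it assumes an exported config.xml whose `<openvpn-server>` elements carry `<mode>`, `<topology>` and `<local_network>` children (a real export has many more tags), and the sample XML below is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the part of a pfSense config.xml this script cares
# about (an assumption about its layout: each <openvpn-server> carries
# <mode>, <topology> and <local_network>; a real export has many more tags).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <openvpn>
    <openvpn-server>
      <description>shop-01</description>
      <mode>server_tls</mode>
      <topology>subnet</topology>
      <local_network>192.168.1.0/24, 10.1.0.0/16</local_network>
      <remote_network>10.50.1.0/24</remote_network>
    </openvpn-server>
    <openvpn-server>
      <description>shop-02</description>
      <mode>server_tls</mode>
      <topology>net30</topology>
      <local_network>192.168.1.0/24</local_network>
    </openvpn-server>
    <openvpn-server>
      <description>legacy-psk</description>
      <mode>p2p_shared_key</mode>
      <local_network>192.168.1.0/24</local_network>
    </openvpn-server>
  </openvpn>
</pfsense>
"""

# Server modes that push routes to SSL/TLS clients (assumed pfSense mode names).
PUSHING_MODES = {"server_tls", "server_user", "server_tls_user"}


def add_local_network(xml_text, new_subnet):
    """Append new_subnet to <local_network> of every SSL/TLS server that uses
    the subnet topology. Returns (new_xml, changed, skipped); skipped lists the
    servers the push would not reach, so they can be handled by hand."""
    ipaddress.ip_network(new_subnet)  # raise ValueError on a typo before editing
    root = ET.fromstring(xml_text)
    changed, skipped = [], []
    for srv in root.iter("openvpn-server"):
        desc = srv.findtext("description", "?")
        mode = srv.findtext("mode", "")
        topo = srv.findtext("topology", "")
        if mode not in PUSHING_MODES or topo != "subnet":
            skipped.append((desc, mode, topo))
            continue
        node = srv.find("local_network")
        if node is None:
            node = ET.SubElement(srv, "local_network")
        nets = [n.strip() for n in (node.text or "").split(",") if n.strip()]
        if new_subnet not in nets:  # idempotent: re-running adds nothing
            nets.append(new_subnet)
            node.text = ", ".join(nets)
            changed.append(desc)
    # tostring drops the <?xml ...?> declaration; keep the original's when saving
    return ET.tostring(root, encoding="unicode"), changed, skipped
```

Run it against a working copy of the export, review the changed and skipped lists and diff the output before restoring it, since restoring a config reboots the box as bingo600 notes.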
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.