Netgate Discussion Forum

    change local networks for all openvpn servers

    General pfSense Questions
    27 Posts 3 Posters 2.3k Views
    • stephenw10 (Netgate Administrator) @mercy_angel

      @mercy_angel said in change local networks for all openvpn servers:

      I am not using ipsec.

      I never suggested you were.

      OpenVPN can operate using pre-shared key or SSL/TLS with certificates.

      If you are using SSL/TLS and you have a subnet style topology (>/30) then the client will pull the routing and tunnel details from the server each time it connects. That means you can add new values at the server end without having to make changes at the remote client end.

      You could have all your clients connecting to a single server, or just a few servers, which would make this much easier.

      Steve

      • bingo600 @stephenw10

        @stephenw10 said in change local networks for all openvpn servers:

        If you are using SSL/TLS and you have a subnet style topology (>/30) then the client will pull the routing and tunnel details from the server each time it connects.

        Whoopzz
        I'm using SSL/TLS w. Certs & /30

        I thought all the setups pulled routes from the server end 🤕

        I could easily have led the OP on a wild goose chase.
        Once again. Assumptions are the ..... all FSCK'ups

        Sorry


        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

        • stephenw10 (Netgate Administrator)

          Yup I have fallen into that trap more than once! 😉

          The OP here looks to be using /29 though so it should be pulling details. It might have been setup specifically to do this since using /29 is just a waste of IP space.

          Makes things more complex though as you need iroutes etc.

          https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure.html#ipv4-ipv6-tunnel-network

          Steve

          • mercy_angel @stephenw10

            @stephenw10 Mikrotik has some issue with a /30 mask, can't remember why.
            If someone knows, this is how we connect when applying the certificate:

            # RouterOS OpenVPN client: only server address, port, certificate and crypto are set locally; no tunnel IP or routes
            /interface ovpn-client
            add add-default-route=no auth=sha1 certificate=remoteSHOP_cert.crt_0 cipher=aes128 connect-to=PFSENSE_IP disabled=no max-mtu=1500 mode=ip name=ovpn-out1 password="" port=1671 profile=default user=any

            So it's a client based on Mikrotik, and one remote shop has its own pfSense OVPN server and client certificate.

            • stephenw10 (Netgate Administrator)

              Ok, so that is an SSL/TLS connection and you can see there is no tunnel IP or routing info at the client, it is pulled from the server each time it connects.

              So if you need the remote clients to be able to access a new subnet at the server end you just need to add it to the 'IPv4 Local Networks' field in the server.

              As long as the firewall rules at the server end allow it, they will be able to reach it the next time they reconnect. And they should reconnect automatically when you make that change since it will restart the server.

              Steve

              • mercy_angel @stephenw10

                @stephenw10 Yeah, I know that when I put in a new subnet it will take effect immediately. So I have two questions. First, is there no script or something to put in a new subnet, or is creating a new XML the only way? Second, is there a timer for the connection period? When I restart pfSense, not all servers come online; I must restart some services manually. Is there a wait time for that? Some locations I leave all night and they do not connect, so it is past a couple of hours.

                • stephenw10 (Netgate Administrator)

                  No there is nothing like that included in pfSense. The expected setup with a large number of remote sites connecting via OpenVPN is to use a single server and CSOs for each site. Thus changes can be made to all remote sites by changing that one server.
                  If you actually have hundreds of remote sites you might want to use several server instances to spread the load at the server end since OpenVPN is single threaded.

                  By default OpenVPN clients will use a keep-alive ping to the server and will restart if the server stops responding after 60s.

                  Steve

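The mechanism Steve describes in the two posts above (routes pushed from 'IPv4 Local Networks', one server with a Client Specific Override and iroute per site, and the keepalive timer) shown as the raw OpenVPN directives behind it. This is an added example, not pfSense code and not anything posted in the thread: it generates the server config and the per-client CCD files a hub serving many remote sites needs, refuses overlapping prefixes, and parses back what a client would pull on connect. The site names, subnets and the keepalive 10 60 values are assumptions for illustration.

```python
"""Hub-side OpenVPN directives for many remote sites (added example, not pfSense code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    common_name: str  # CN of the site's client certificate; OpenVPN reads ccd/<CN>
    lan: str          # subnet behind that site's router, e.g. "192.168.10.0/24"


def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=True rejects a prefix with host bits set, which catches typos early
    return ipaddress.ip_network(cidr, strict=True)


def check_no_overlap(tunnel: str, local_networks: list[str], sites: list[Site]) -> None:
    """Raise ValueError if any prefix overlaps another.

    An iroute for a LAN that overlaps another site's LAN, a local network or
    the tunnel itself is accepted by OpenVPN but sends traffic to the wrong
    peer, so refuse to generate such a config.
    """
    labelled = [("tunnel", _net(tunnel))]
    labelled += [("local", _net(n)) for n in local_networks]
    labelled += [(s.common_name, _net(s.lan)) for s in sites]
    for i, (a_name, a) in enumerate(labelled):
        for b_name, b in labelled[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a_name} {a} overlaps {b_name} {b}")


def server_config(tunnel: str, local_networks: list[str], sites: list[Site],
                  keepalive: tuple[int, int] = (10, 60)) -> str:
    """Directives the hub needs; names and subnets are whatever the caller supplies.

    The 'push "route"' lines are what 'IPv4 Local Networks' turns into:
    adding a subnet here is all that is needed, because the client pulls
    routes on every connect. The 'route' lines are the kernel routes for
    each remote LAN ('IPv4 Remote Networks'); the matching 'iroute' lives
    in that client's CCD file, see ccd_file().
    """
    check_no_overlap(tunnel, local_networks, sites)
    t = _net(tunnel)
    lines = [
        "topology subnet",
        f"server {t.network_address} {t.netmask}",
        "client-config-dir ccd",
        "ccd-exclusive",  # hardening choice: a valid cert with no CCD entry is refused
        f"keepalive {keepalive[0]} {keepalive[1]}",
    ]
    for n in map(_net, local_networks):
        lines.append(f'push "route {n.network_address} {n.netmask}"')
    for s in sites:
        n = _net(s.lan)
        lines.append(f"route {n.network_address} {n.netmask}")
    return "\n".join(lines) + "\n"


def ccd_file(site: Site) -> str:
    """Contents of ccd/<CN>: the iroute that pins this LAN to this client."""
    n = _net(site.lan)
    return f"iroute {n.network_address} {n.netmask}\n"


def pushed_routes(server_conf: str) -> list[str]:
    """The networks a client learns on connect: the pushed 'route' lines only."""
    prefix = 'push "route '
    found = []
    for line in server_conf.splitlines():
        if line.startswith(prefix):
            addr, mask = line[len(prefix):].rstrip('"').split()
            found.append(str(ipaddress.ip_network(f"{addr}/{mask}")))
    return found


if __name__ == "__main__":
    # constructed sample: two shops behind one hub (names and subnets are assumptions)
    shops = [Site("remoteSHOP-a", "192.168.10.0/24"), Site("remoteSHOP-b", "192.168.11.0/24")]
    conf = server_config("10.8.0.0/24", ["10.0.0.0/24", "10.0.20.0/24"], shops)
    print(conf)
    for s in shops:
        print(f"--- ccd/{s.common_name}\n{ccd_file(s)}")
    print("clients will pull:", pushed_routes(conf))
```

With keepalive 10 60 on the server, OpenVPN pushes ping 10 and ping-restart 60 to each client and uses a 120 s restart on its own side, which is the 60 s client restart mentioned above; a client that ignores pushed options will not behave that way, so the client log is still the place to look. The overlap check is there because OpenVPN accepts an iroute that overlaps another site's LAN and simply routes that traffic to the wrong peer, with no error at either end.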
                  • mercy_angel @stephenw10

                    @stephenw10 Then how come OpenVPN didn't connect until I manually restarted the service?

                    • stephenw10 (Netgate Administrator)

                      Impossible to say, you'd have to check the logs at the client end. What are the remote clients?

                      • mercy_angel @stephenw10

                        @stephenw10 I can't test it right now, because I would then have to restart all the servers, but next time I must do it I will test it. From the last time, though, the routers didn't connect by themselves. Only restarting the router, or the service on Status > OpenVPN, worked.
                        I can't figure out whether it has some timer, or what the default value for that is.

                        • stephenw10 (Netgate Administrator)

                          The client side can choose to reject everything the server sends including the timeout values.

                          What are those remote routers? How are they configured?

                          You should think about moving to a more rational setup with multiple clients connecting to a single (or few) server. Changes like this would be far easier.

                          Steve

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.