change local networks for all openvpn servers

stephenw10

@mercy_angel said in change local networks for all openvpn servers:

I am not using ipsec.

I never suggested you were.

OpenVPN can operate using pre-shared key or SSL/TLS with certificates.

If you are using SSL/TLS and you have a subnet style topology (>/30) then the client will pull the routing and tunnel details from the server each time it connects. That means you can add new values at the server end without having to make changes at the remote client end.

You could have all your clients connecting to a single server, or a just a few servers, which would make this much easier.

Steve

bingo600

@stephenw10 said in change local networks for all openvpn servers:

If you are using SSL/TLS and you have a subnet style topology (>/30) then the client will pull the routing and tunnel details from the server each time it connects.

Whoopzz
I'm using SSL/TLS w. Certs & /30

I thought all the setups pulled routes from the server end

I could easily have lead the OP on a wild goose chase.
Once again . Assumptions are the ..... all FSCK'ups

Sorry

stephenw10

Yup I have fallen into that trap more than once!

The OP here looks to be using /29 though so it should be pulling details. It might have been setup specifically to do this since using /29 is just a waste of IP space.

Makes things more complex though as you need iroutes etc.

https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure.html#ipv4-ipv6-tunnel-network

Steve

mercy_angel

@stephenw10 Mikrotik have some issue with /30 mask, cant remember why.
if someone know, this is how we connect when apply certificate

/interface ovpn-client
add add-default-route=no  auth=sha1 certificate=remoteSHOP_cert.crt_0 cipher=aes128 connect-to=PFSENSE_IP disabled=no  max-mtu=1500 mode=ip name=ovpn-out1 password="" port=1671 profile=default user=any

So its client based on mikrotik, and one remote shop have their own pfsense ovpn server and client certification.

stephenw10

Ok, so that is an SSL/TLS connection and you can see there is no tunnel IP or routing info at the client, it is pulled from the server each time it connects.

So if you need the remote clients to be able to access a new subnet at the server end you just need to add it to the 'IPv4 Local Networks' field in the server.

As long as the firewall rules are the server end allow it they will be able to reach it the next time they reconnect. And they should reconnect automatically when you make that change since it will restart the server.

Steve

mercy_angel

@stephenw10 Yeah, i know that when i put new subnet it will affect immediately. So i have a two questions. First, there is no script or something to put new subnet or create new xml is the only way? Second, is there a timer for connection period? So when I restart pfsense, not all servers come online, I must some restart service mannualy. Is there a wait time for that? Some locations i leave all night and they not connect, so it past a couple of hours.

stephenw10

No there is nothing like that included in pfSense. The expected setup with a large number of remote sites connecting via OpenVPN is to use a single server and CSOs for each site. Thus changes can be made to all remote sites by changing that one server.
If you actually have hundreds of remote sites you might want to use several server instances to spread the load at the server end since OpenVPN is single threaded.

By default OpenVPN clients will use a keep-alive ping to the server and will restart if the server stops responding after 60s.

Steve

mercy_angel

@stephenw10 than how openvpn didn't connect until I manually restart service?

stephenw10

Impossible to say, you'd have to check the logs at the client end. What are the remote clients?

mercy_angel

@stephenw10 I cant test it right now, because i must then restart all server, but next time when i must do it, i will test it, but from the last time, the routers didnt connect its self. Only restart router or service on status openvpn.
I cant figure out does it have some timer or what is default value for that.

stephenw10

The client side can choose to reject everything the server sends including the timeout values.

What are those remote routers? How are they configured?

You should think about moving to a more rational setup with multiple clients connecting to a single (or few) server. Changes like this would be far easier.

Steve