Iroute and multiple OpenVPN servers



  • Hi,

    we're migrating to a new OpenVPN server instance on the same host because our certificates expire soon (10 years already, wow). I set up a second OpenVPN server with new certificates, everything looks good connection-wise.

    We are doing star topology routing with remote offices connecting to the central hub. The remote pfSenses have their client-specific overrides containing "iroute mysubnet" statements so that the IPs in these offices are reachable from everywhere.

    However, when a client connects to the new OpenVPN server instance, the routing is not adjusted, so netstat -nr on the central pfSense still shows those subnets routed through the old server (which doesn't work because the client is not connected to this one anymore). I changed the route manually on the SSH shell and things work, but I don't know what will happen when I restart the OpenVPN server instance.

    Is the routing not updated when a client connects? When is it updated?

    I found someone with a similar problem (I think) but there doesn't seem to be a solution: https://forum.pfsense.org/index.php?topic=62728.

    Stefan



  • @seidler2547:

    we're migrating to a new OpenVPN server instance on the same host because our certificates expire soon (10 years already, wow). I set up a second OpenVPN server with new certificates, everything looks good connection-wise.

    Why haven't you issued new certificates from the old CA?

    @seidler2547:

    However, when a client connects to the new OpenVPN server instance, the routing is not adjusted, so netstat -nr on the central pfSense still shows those subnets routed through the old server (which doesn't work because the client is not connected to this one anymore). I changed the route manually on the SSH shell and things work, but I don't know what will happen when I restart the OpenVPN server instance.

    Have you assigned a particular interface to each OpenVPN server?



  • Hi,
    I would try disabling the old instance and restarting the service to see what happens, maybe a conflict because you are using the same subnet in both instances? I think it was not supposed to happen, but…


  • Rebel Alliance Developer Netgate

    The OS routes in the routing table are not from iroutes, they are from the "remote network" definition or "route" statements in the OpenVPN server.

    If you want to move a site-to-site client from one VPN to another you have to change the override to the other server (if it was set to use just the old server anyhow) and you have to change the route/remote networks on the old and new server.
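An added check, not code from the thread or from pfSense: given each instance's server config (pfSense's "remote network" field becomes `route` lines there) and its client-specific overrides (`iroute` lines), it reports the three mismatches the reply above describes, including a remote network still routed by both the old and the new server. The config texts below are constructed sample data.

```python
import ipaddress
from collections import defaultdict

def parse_networks(text, directive):
    """Networks of every 'DIRECTIVE NETWORK NETMASK' line ('#'/';' comments ignored)."""
    nets = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 3 and parts[0] == directive:
            nets.add(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets

def audit(servers):
    """servers: {instance: {"config": server config text, "ccd": {client: override text}}}.
    Returns (kind, instance(s), network) tuples for each mismatch found."""
    findings = []
    route_owners = defaultdict(list)            # kernel route -> instances that add it
    for name, srv in servers.items():
        routes = parse_networks(srv["config"], "route")   # what the OS routing table gets
        iroutes = set()
        for client, ccd in srv["ccd"].items():
            for net in parse_networks(ccd, "iroute"):      # OpenVPN-internal: which client owns it
                iroutes.add(net)
                if net not in routes:                      # OpenVPN knows the client, kernel never sends to tun
                    findings.append(("iroute-without-route", f"{name}/{client}", str(net)))
        for net in routes:
            route_owners[net].append(name)
            if net not in iroutes:                         # kernel sends to tun, server has no client to forward to
                findings.append(("route-without-iroute", name, str(net)))
    for net, names in route_owners.items():
        if len(names) > 1:                                 # the thread's case: old and new server both claim it
            findings.append(("route-on-multiple-servers", ",".join(names), str(net)))
    return findings

# Constructed sample mirroring the thread: office1's override was moved to the new
# instance, but its "remote network" (route) was left on the old instance as well.
OLD_SERVER = "route 192.168.10.0 255.255.255.0  # office1, left behind after migration\n"
NEW_SERVER = ("route 192.168.10.0 255.255.255.0\n"
              "route 192.168.20.0 255.255.255.0  # office2 has no override on this instance yet\n")
SERVERS = {"old": {"config": OLD_SERVER, "ccd": {}},
           "new": {"config": NEW_SERVER, "ccd": {"office1": "iroute 192.168.10.0 255.255.255.0\n"}}}

def run_sample():
    return audit(SERVERS)

if __name__ == "__main__":
    for kind, where, net in run_sample():
        print(f"{kind:26} {where:10} {net}")
```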