-
So I have job to upgrade from current 2.0 version to latest.
I've exported config and imported without errors. Almost everything works, but the IP routing of our openvpn clients.
Clients are able to connect and have traffic, I can also connect to them via the Virtual IPs. But we also have internal IPs needed which do not work.
Strange thing is that clients always get a different virtual IP despite the "client specific overrides".
Example of one "old" client; tunnel network is set to: 192.168.200.9/30 and then in advanced: iroute 192.168.4.0 255.255.255.0
Also, I noticed that there is an extra GW set on the openvpn interface and there is no way I can remove it. Is this normal? Should there be just this one and I remove the "old" one?
Please bear with me and thanks for all the help.
-
Trying to work on this, but due to its production state I only have a limited window of time.
found this topic: https://forum.netgate.com/topic/98069/after-upgrade-to-2-3-client-specific-overrides-wont-work/21
And followed these steps:
*Check the server, make sure it's on net30, check the client, make sure it's on net30 (if it's on 2.3, if it's on 2.2 there was no client option for that).
Check a CSO/CSC, make sure it's only got a value in the tunnel network, not ifconfig in the advanced options. Save on there to be certain it's fresh.
Check /var/openvpn-csc/server<id>/<name> and make sure the ifconfig looks OK there.
Edit and save the client to ensure its interface is rebuilt, maybe even try rebooting the client.*
I found a difference in my new and old csc even though the GUI config looks the same.
old:
ifconfig-push 192.168.201.165 192.168.201.166
iroute 192.168.119.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
new:
iroute 192.168.119.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
ifconfig-push 192.168.201.166 192.168.201.165
The local and remote IPs are swapped.
Is this normal due to the new version? I was unable to test the old csc on the new version as I had to revert to the old version soon after discovering this. So again, clients connect via VPN and traffic works, but the client override does not, so I think it's a good idea to start here, or shall I work on something else?
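The forum checklist quoted above says to look at the generated CSC file and "make sure the ifconfig looks OK there", but does not say what OK means for a net30 tunnel. The following is an added example (editor's code, not anything from the thread or from pfSense) that parses a CSC file and checks its ifconfig-push pair against OpenVPN's net30 allocation rule: the two endpoints must be the two usable hosts of one /30, and OpenVPN hands the client the higher address of the pair while the server keeps the lower one (the same ordering as the 10.8.0.6 / 10.8.0.5 pairs in the OpenVPN manual). The sample CSC contents are constructed from the two files quoted in the post; the function and variable names are the example's own.

```python
"""Sanity-check an OpenVPN client-specific config (CSC) file for net30 topology."""
import ipaddress
import shlex

# Constructed sample CSC contents, modelled on the "old" and "new" files quoted in the thread.
OLD_CSC = """\
ifconfig-push 192.168.201.165 192.168.201.166
iroute 192.168.119.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
"""
NEW_CSC = """\
iroute 192.168.119.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
ifconfig-push 192.168.201.166 192.168.201.165
"""


def parse_csc(text):
    """Parse the directives a pfSense CSC file normally carries.

    Returns a dict with the ifconfig-push pair (client_ip, server_ip), the
    iroute networks and the raw 'push' payloads. Unknown directives are ignored.
    """
    result = {"ifconfig_push": None, "iroutes": [], "pushes": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tokens = shlex.split(line)  # handles the quoting in push "route ..."
        directive, args = tokens[0], tokens[1:]
        if directive == "ifconfig-push" and len(args) >= 2:
            result["ifconfig_push"] = (args[0], args[1])
        elif directive == "iroute" and args:
            mask = args[1] if len(args) > 1 else "255.255.255.255"
            result["iroutes"].append(ipaddress.ip_network(f"{args[0]}/{mask}", strict=False))
        elif directive == "push":
            result["pushes"].append(args[0] if args else "")
    return result


def check_net30_pair(client_ip, server_ip):
    """Validate an ifconfig-push pair under net30 topology.

    Returns (ok, problems, net30). Both addresses must be the two usable hosts
    of a single /30, and in OpenVPN's net30 allocation the client gets the
    higher address while the server-side endpoint is the lower one.
    """
    problems = []
    c, s = ipaddress.ip_address(client_ip), ipaddress.ip_address(server_ip)
    net = ipaddress.ip_network(f"{c}/30", strict=False)
    if s not in net:
        problems.append(f"{s} is not in the same /30 ({net}) as {c}")
        return False, problems, net
    usable = {net.network_address + 1, net.network_address + 2}
    if {c, s} != usable:
        problems.append(f"pair must be the two usable hosts of {net}: "
                        f"{sorted(str(u) for u in usable)}")
    if c < s:
        problems.append("client end is the lower address; OpenVPN net30 gives the "
                        "client the higher address of the /30")
    return not problems, problems, net


def check_csc(text):
    """Parse a CSC file and report whether its ifconfig-push is a sane net30 pair."""
    parsed = parse_csc(text)
    report = {"ifconfig_ok": False, "problems": [], "net30": None,
              "iroutes": parsed["iroutes"], "pushes": parsed["pushes"]}
    if parsed["ifconfig_push"] is None:
        report["problems"].append("no ifconfig-push line: the client will get a "
                                  "pool address instead of its override")
        return report
    ok, problems, net = check_net30_pair(*parsed["ifconfig_push"])
    report.update(ifconfig_ok=ok, problems=problems, net30=net)
    return report


if __name__ == "__main__":
    for label, text in (("old", OLD_CSC), ("new", NEW_CSC)):
        rep = check_csc(text)
        print(f"{label}: {'OK' if rep['ifconfig_ok'] else 'PROBLEMS'} "
              f"net30={rep['net30']} iroutes={[str(n) for n in rep['iroutes']]}")
        for p in rep["problems"]:
            print("   -", p)
```

Run it against the files under /var/openvpn-csc/server<id>/ on the new box; a client whose override "does not take" while the pair is reported OK points at something other than the ifconfig-push line (for example the server not being on net30, or a stale interface on the client), which is what the rest of the checklist covers.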
-
True, OpenVPN syntax also changed over time.
Upgrading pfSense also upgrades OpenVPN, and everything that is related to it, like the VPN client. But for the OpenVPN server and client pair: use the new one that pfSense delivers -> use the client export package; it works.
Well tested since March 2020 ;) -
@Gertjan Thank you!
But I have ~100 clients to upgrade, which will be a little bit of a PIA.
Do you know up to what version of pfSense is the current configuration supposed to work?
-
@dare_v said in This gonna hurt, 2.0 to latest.:
Do you know up to what version of pfSense is the current configuration supposed to work?
Your question doesn't exist ;)
You can only download the latest - pfSense 2.4.5-p1 - version. And that includes OpenVPN 2.4.9.
Making some mixture will create a (PIA)^2 situation - more commonly known as mission impossible. Keep in mind that the real situation is (or was): not upgrading, as that steadily includes issues, not to mention security issues.
The users who use the OpenVPN access probably use older versions as well. One more reason to upgrade.
-
I get you, but 60% of those clients are linksys routers with dd-wrt firmware. Most likely I'd have to upgrade them too and on top of that all of them are in remote locations (some even 500 miles away). Can you feel my pain? :)
-
Hard to tell how this should end in a smooth transition... here is a very short list of how I'd deal with it:
- Install a new box with 2.4.5-p1 side by side with your old 2.0.
- Fire up a new OpenVPN instance with current options, like switching from the old net30 topology to subnet style, GCM algorithm and so on.
- Pick a close location and try to match your OpenVPN settings for the new instance. Maybe you need to open SSH temporarily as a parachute.
- Take care about the routing; you'll have to deal with static routes temporarily as long as you run the two pfSense instances side by side.
That is really generic because we don't know anything about your network... only that you run really old stuff there. ;-)
-Rico
-
Thanks Rico.
Even though you and Gertjan advised me not to do so, I installed the 2.3.4 version and everything works fine there.
So I am gonna take current config and import it into 2.4.5 and hopefully that will do the job.
-
FYI, it works.
I had to change to the GW which is made "automatically", so I guess there is no need to manually create it for openvpn local routing?
There was also an issue with older cname client names, which had to be addressed. Now back to the original task, connect openvpn to ipsec network :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.