Netgate Discussion Forum

    This gonna hurt, 2.0 to latest.

    9 Posts 3 Posters 860 Views
    dare_v

      So I have a job to upgrade from the current 2.0 version to the latest.

      I've exported the config and imported it without errors. Almost everything works, except the IP routing of our OpenVPN clients.

      Clients are able to connect and have traffic, I can also connect to them via the Virtual IPs. But we also have internal IPs needed which do not work.

      Strange thing is that clients always get a different virtual IP despite the "client specific overrides".

      Example of one "old" client; tunnel network is set to: 192.168.200.9/30 and then in advanced: iroute 192.168.4.0 255.255.255.0

      Also, what I noticed is that there is an extra GW set on the OpenVPN interface and there is no way I can remove it. Is this normal? Should there be just this one and I remove the "old" one?

      Please bear with me and thanks for all the help.

      dare_v

        Trying to work on this, but due to its production state I only have a limited window of time.

        I found this topic: https://forum.netgate.com/topic/98069/after-upgrade-to-2-3-client-specific-overrides-wont-work/21

        And followed these steps:

        *Check the server, make sure it's on net30, check the client, make sure it's on net30 (if it's on 2.3, if it's on 2.2 there was no client option for that).

        Check a CSO/CSC, make sure it's only got a value in the tunnel network, not ifconfig in the advanced options. Save on there to be certain it's fresh.

        Check /var/openvpn-csc/server<id>/<name> and make sure the ifconfig looks OK there

        Edit and save the client to ensure its interface is rebuilt, maybe even try rebooting the client.*

        I found a difference in my new and old csc even though the GUI config looks the same.

        old:
        ifconfig-push 192.168.201.165 192.168.201.166
        iroute 192.168.119.0 255.255.255.0
        push "route 192.168.100.0 255.255.255.0"

        new:
        iroute 192.168.119.0 255.255.255.0
        push "route 192.168.100.0 255.255.255.0"
        ifconfig-push 192.168.201.166 192.168.201.165

        The local and remote IPs are swapped.
        Is this normal due to the new version? Was unable to test old csc on the new version as I had to revert to old version soon after discovering this.

        So again, clients connect via VPN and traffic works, but the client override does not, so I think it's a good idea to start here, or shall I work on something else?

        Gertjan
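As an added example (not part of the thread), a small Python checker for the situation above: it parses the old and new CSC files quoted in the post, verifies that each `ifconfig-push` pair consists of two usable hosts of the same /30 (the net30 requirement), confirms both files assign the same pair regardless of order, and derives the pair pfSense would build from a "tunnel network" /30 such as the 192.168.200.9/30 mentioned in the first post. The sample CSC contents are constructed from the snippets in the thread.

```python
import ipaddress
import re

# Constructed sample CSC files, copied from the old/new snippets quoted in the thread.
OLD_CSC = """ifconfig-push 192.168.201.165 192.168.201.166
iroute 192.168.119.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
"""
NEW_CSC = """iroute 192.168.119.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
ifconfig-push 192.168.201.166 192.168.201.165
"""


def parse_csc(text):
    """Extract the ifconfig-push pair, iroute subnets and pushed routes from a CSC file."""
    cfg = {"ifconfig_push": None, "iroutes": [], "pushed_routes": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'ifconfig-push\s+(\S+)\s+(\S+)$', line)
        if m:
            cfg["ifconfig_push"] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
            continue
        m = re.match(r'iroute\s+(\S+)\s+(\S+)$', line)
        if m:  # "iroute NET MASK" -> ip_network accepts dotted netmasks
            cfg["iroutes"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
            continue
        m = re.match(r'push\s+"route\s+(\S+)\s+(\S+)"$', line)
        if m:
            cfg["pushed_routes"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
    return cfg


def net30_pair_ok(local, remote):
    """net30: local and remote must be the two usable hosts of one /30 (no net/broadcast)."""
    if local == remote:
        return False
    block = ipaddress.ip_network(f"{local}/30", strict=False)
    usable = set(block.hosts())
    return local in usable and remote in usable


def same_pair(a, b):
    """True when two parsed CSCs assign the same /30 pair, whichever order they list it in."""
    return set(a["ifconfig_push"]) == set(b["ifconfig_push"])


def expected_pair(tunnel_cidr):
    """Pair a /30 'tunnel network' CSO setting yields: the two usable hosts, lowest first."""
    net = ipaddress.ip_network(tunnel_cidr, strict=False)
    if net.prefixlen != 30:
        raise ValueError("net30 client overrides need a /30 tunnel network")
    return tuple(net.hosts())
```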

          True, OpenVPN syntax also changed over time.
          Upgrading pfSense also upgrades OpenVPN and everything related to it, like the VPN client.

          But for the OpenVPN server and client pair, use the new one that pfSense delivers -> use the client export package; it works.
          Well tested since March 2020 ;)

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            dare_v @Gertjan

            @Gertjan Thank you!

            But I have ~100 clients to upgrade, which will be a little bit of a PIA.

            Do you know up to what version of pfSense is the current configuration supposed to work?

              Gertjan @dare_v

              @dare_v said in This gonna hurt, 2.0 to latest.:

              Do you know up to what version of pfSense is the current configuration supposed to work?

              Your question doesn't exist ;)
              You can only download the latest - pfSense 2.4.5-p1 - version. And that includes OpenVPN 2.4.9.
              Making some mixture will create a (PIA)^2 situation - more commonly known as mission impossible.

              Keep in mind that the real situation is (or was): not upgrading, as that steadily includes issues, not to mention security issues.

              The users that use the OpenVPN access probably use older versions as well. One more reason to upgrade.

                dare_v

                I get you, but 60% of those clients are linksys routers with dd-wrt firmware. Most likely I'd have to upgrade them too and on top of that all of them are in remote locations (some even 500 miles away). Can you feel my pain? :)

                  Rico

                  Hard to tell how this should end in a smooth transition...here is a very short list of how I'd deal with it:

                  • Install a new box with 2.4.5-p1 side by side with your old 2.0.
                  • Fire up a new OpenVPN instance with current options, like switching from the old net30 topology to subnet style, GCM algorithm and so on.
                  • Pick a close location and try to match your OpenVPN settings for the new instance. Maybe you need to open SSH temporarily as a parachute.
                  • Take care of the routing; you'll have to deal with static routes temporarily as long as you run the two pfSense instances side by side.

                  That is really generic because we don't know anything about your network...only that you run really old stuff there. ;-)

                  -Rico

                    dare_v

                    Thanks Rico.

                    Even though you and Gertjan advised me not to do so, I installed the 2.3.4 version and everything works fine there.

                    So I am gonna take current config and import it into 2.4.5 and hopefully that will do the job.

                      dare_v

                      FYI, it works.

                      I had to change to the GW which is made "automatically", so I guess there is no need to manually create it for OpenVPN local routing?
                      There was also an issue with older cname client names, which had to be addressed.

                      Now back to the original task, connecting OpenVPN to the IPsec network :)

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.