Multiple clients to pfSense 2.0 OpenVPN

  • Hi,

    Ive setup OpenVPN with two PCs (Windows Vista), apparently successfully.  My problem is that I don't quite understand how I should be managing the certificates.

    Both of those clients are using different certificates, both created on the pfSense box with a common CA (internal).  I see both of them connected on the OpenVPN status.

    Let's say I fire one employee, and I now need to keep him out my network. Where do I do that? I've tried removing the certificate I created for him on the System -Cert Manager - Certificates tab, but the OpenVPN client still connects to pfSense.  I tried restarting pfSense, no go either.

    The OpenVPN settings allow me to choose only one server certificate, how could both connect to start with?

    What exactly am I not getting here?  I simply need to easily be able to add new OpenVPN clients and remove them, but it seems an all-or-nothing proposition right now.

  • For other people's sake, I succeeded in explicitly blocking a client by adding him to the Client override tab of OpenVPN and checking "block this user".

    Is that the only way?  It feels like the bad way, because this means if I remove a user he still can connect until I realize there is some unknown OpenVPN client still connecting and I explicitly block it.

    Shouldn't removing the user from the pfSense UI disable his common name's certificate from connecting? Or am I just a clueless OpenVPN newbie?

    I was sort of hoping that any undefined cert in pfSense would be rejected.


  • Certificate revocation isn't in place yet. If you're using user auth, disabling the account will disable their ability to log in. If you're strictly using keys, you can't revoke that other than manually (though that will be fixed before too long).

Log in to reply