Have multiple clients without CA issues in PF Sense?

EdgeSync
OpenVpn Newbie
Posts: 1
Joined: Thu May 11, 2023 7:40 am


Post by EdgeSync » Thu May 11, 2023 7:46 am

Hi all,

I have 4 Linux VPSes, each with OpenVPN-AS installed.

I have a single pfSense instance. I would like to add each VPS to pfSense, so that I could change the tunnel if needed.

The problem is, when I go to add an OpenVPN client on pfSense, I need to add the CA and Cert for my OpenVPN user account, but adding the different CAs seems to break existing clients.

So for example:
No clients set up
Get OpenVPN config file for VPS 1
Set up VPS 1 CA and Cert in pfSense
Set up VPS 1 as a client
Everything works fine

Get OpenVPN config file for VPS 2
Add VPS 2 CA and Cert to pfSense
VPS 1 Cert now shows that VPS 2 CA is its CA
TLS errors: invalid cert chain.

Not really sure, but is there a way to set all 4 VPSes to use the same CA?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Have multiple clients without CA issues in PF Sense?

Post by openvpn_inc » Tue May 16, 2023 10:54 am

Hello EdgeSync,

If what you say is true, it seems the OpenVPN client functionality is not very well implemented on pfSense, which quite honestly is surprising to hear. Each VPN client connection should be able to have its own CA and client key and certificate and not interfere with other VPN client connections.

It is technically possible to copy configuration from one Access Server to another so they have the same CA. But it is messy because it doesn't just stay that one CA. To ensure the lifetime of the certificate remains viable for a longer period, the CAs renew automatically once a year. So it is going to be a bit of a mess over time.

You may be better off contacting pfSense support to ask them how to configure multiple OpenVPN client connections simultaneously correctly. That is a use case that I believe should definitely be supported. And if pfSense can't do it in the GUI, perhaps you can get access to the command line and run the client connections there, for example by loading the 4 client connection profiles onto the filesystem of the pfSense device and running openvpn on the command line like: openvpn --config client1.ovpn

Alternatively you could consider running a Linux VM that handles the VPN connections; that definitely supports multiple connections simultaneously.

You should in any case take care that the subnets and routes used on the 4 VPSes running Access Server are unique and don't collide with one another.

There are also other options. You can for example connect the pfSense device to 1 Access Server, and have that Access Server establish 3 connections to the other 3 Access Servers. You can also for example use CloudConnexa and deploy connectors on the 4 Access Servers, so they connect to CloudConnexa, and you connect your pfSense device there too, so they can all communicate with one another. Just see whichever works best for your case.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
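Before loading several Access Server profiles onto one device as the reply suggests, it helps to confirm two things the thread turns on: that each .ovpn really carries its own CA (the reason pfSense's shared CA store re-parents the first client's certificate), and that the routes the profiles push do not overlap. The script below is an added example, not code from the forum, pfSense or Access Server; it assumes profiles with inline <ca> blocks and static route directives, and the sample profiles and PEM bodies are constructed placeholders rather than real certificates.

```python
import base64, hashlib, ipaddress, re

def parse_ovpn(text):
    """Split an .ovpn profile into directive tokens and inline <tag>...</tag> blocks."""
    blocks = dict(re.findall(r"<(\w+)>\n(.*?)</\1>", text, re.S))
    stripped = re.sub(r"<(\w+)>.*?</\1>", "", text, flags=re.S)
    directives = [ln.split() for ln in stripped.splitlines()
                  if ln.strip() and not ln.startswith(("#", ";"))]
    return directives, blocks

def ca_fingerprint(pem):
    """SHA-256 over the DER bytes of the first PEM object in the <ca> block."""
    body = re.search(r"-----BEGIN [^-]+-----(.*?)-----END", pem, re.S).group(1)
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()

def audit_profiles(profiles):
    """Return (number of distinct CAs, list of (name_a, name_b, net_a, net_b) route overlaps)."""
    fps, routes = {}, {}
    for name, text in profiles.items():
        directives, blocks = parse_ovpn(text)
        fps[name] = ca_fingerprint(blocks["ca"])
        # route <network> [netmask]; OpenVPN defaults a missing netmask to a host route
        routes[name] = [ipaddress.ip_network(
            f"{d[1]}/{d[2] if len(d) > 2 else '255.255.255.255'}", strict=False)
            for d in directives if d[0] == "route"]
    collisions, names = [], list(profiles)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            collisions += [(a, b, str(na), str(nb))
                           for na in routes[a] for nb in routes[b] if na.overlaps(nb)]
    return len(set(fps.values())), collisions

def fake_pem(label):
    """Constructed placeholder, not a real certificate: only its decoded bytes are hashed."""
    b64 = base64.b64encode(f"constructed CA for {label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample profiles: vps3 reuses vps1's CA, vps2's route sits inside vps1's /16.
SAMPLE = {
    "vps1": f"client\nremote vps1.example.invalid 1194\nroute 10.10.0.0 255.255.0.0\n<ca>\n{fake_pem('vps1')}</ca>\n",
    "vps2": f"client\nremote vps2.example.invalid 1194\nroute 10.10.5.0 255.255.255.0\n<ca>\n{fake_pem('vps2')}</ca>\n",
    "vps3": f"client\nremote vps3.example.invalid 1194\nroute 10.30.0.0 255.255.0.0\n<ca>\n{fake_pem('vps1')}</ca>\n",
}

if __name__ == "__main__":
    distinct, overlaps = audit_profiles(SAMPLE)
    print(f"distinct CAs: {distinct}, route overlaps: {overlaps}")
```

With four real Access Server profiles you would expect four distinct fingerprints, which is exactly the situation the pfSense GUI does not keep apart; any overlap reported is the subnet collision the reply warns about.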
