OpenVPN Support Forum

Community Support Forum
https://forums.openvpn.net/

Have multiple clients without CA issues in PF Sense?

https://forums.openvpn.net/viewtopic.php?t=35723

Page 1 of 1

Have multiple clients without CA issues in PF Sense?

Posted: Thu May 11, 2023 7:46 am
by EdgeSync
Hi all,

I have 4 Linux VPS's each with Openvpn-as installed.

I have a single PFSense instance. I would like to add each VPS to pfsense, so that I could change the tunnel if needed.

The problem is, when I go to add an OpenVPN client on PFSense, I need to add the CA and Cert for my OpenVPN user account, but adding the different CA's seems to break existing clients.

So for example:
No clients set up
Get OpenVPN config file for VPS 1
Set up VPS 1 CA and Cert in PFSense
Set up VPS 1 as a client
Everything works fine

Get OpenVPN Config File for VPS 2
Add VPS2 CA and Cert to PFsense
VPS 1 Cert now shows that VPS2 CA is it's CA
TLS Errors as invalid cert chain.

Not really sure - but is there a way set all 4 VPS's to use the same CA?

Re: Have multiple clients without CA issues in PF Sense?

Posted: Tue May 16, 2023 10:54 am
by openvpn_inc
Hello EdgeSync,

If what you say is true, it seems the OpenVPN client functionality is not very well implemented on pfsense, which quite honestly is surprising to hear. Each VPN client connection should be able to have its own CA and client key and certificate and not interfere with other VPN client connections.

It is technically possible to copy configuration from one Access Server to another so they have the same CA. But it is messy because it doesn't just stay that one CA. To ensure lifetime of the certificate remains viable for a longer period the CAs renew automatically once a year. So it is going to be a bit of a mess over time.

You may be better off to contact pfsense support to ask them how to configure multiple OpenVPN client connections simultaneously correctly. That is a use case that I believe should definitely be supported. And if pfsense can't do it in the GUI, perhaps you can get access to the command line and run the client connections there, for example by loading the 4 client connection profiles onto the filesystem of the pfsense device and running openvpn on the command line like; openvpn --config client1.ovpn

Alternatively you could consider running a linux VM that handles the VPN connections, that definitely supports multiple connections simultaneously.

You should in any case take care that the subnets and routes used on the 4 VPSes running Access Server are unique and don't collide with one another.

There are also other options. You can for example connect the pfsense device to 1 access server, and have that access server establish 3 connections to the other 3 access servers. You can also for example use cloudconnexa and deploy connectors on the 4 access servers, so they connect to cloudconnexa, and you connect your pfsense device there too, so they can all communicate with one another. Just see whichever works best for your case.

Kind regards,
Johan
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/