[25.7] Legacy OpenVPN client to new OpenVPN transition

Started by dracocephalum, July 26, 2025, 06:33:28 AM

Hi team, since the legacy OpenVPN module is being retired, I am in the process of converting my 2 OpenVPN clients to the new OpenVPN client "instances".

However, it seems the new OpenVPN client "instances" are not feature-compatible with the legacy OpenVPN.

The issues I have encountered so far:
1. It seems we cannot specify an "interface" for the VPN connection (I specified "WAN" as the interface for my legacy OpenVPN connection)
2. There is no "Don't add/remove routes" option - I believe this is the default behavior for the new OpenVPN client?
3. The "Compression" dropdown box is gone, and this is where I got stuck - I need to set it to "Partial" (e.g. --compress) for the connection to my VPN provider to work
4. I was also setting extra options like: `remote-cert-tls server`, `fast-io`, `sndbuf 524288`, `rcvbuf 524288` etc. but it doesn't seem like the new OpenVPN module allows me to do that

Any ideas how I can get the new OpenVPN clients up and running?

Thanks!

I asked similar questions in the VPN sub-forum. I never got a reply. But what I can see is that several options are missing and it's not possible to set them. Maybe there is a way in a config file, but I haven't found that yet.

But to answer point 2 of your list: under Miscellaneous -> Options -> set route-noexec

So I've been beating my head on a wall for days struggling to get this thing set up without completely taking out my network.


I just noticed that there is a plugin you can install for the legacy openvpn, so that may be the option.


Sadly, it doesn't look like anyone who has written any how-to's or anything like that has updated them since this new configuration page, so it's been a total guessing game.


Hopefully the plugin fixes it for both of us :)

A quick follow up, I installed that plugin and it does put the two legacy pages back for client and server.

Unfortunately it looks like the plugin will hit EOL as of 26.1, so hopefully they get this either MUCH better documented, or add in better wording for the sections of the current instance page.

EoL, yes, but won't be removed in 2026 for sure.


Cheers,
Franco

Quote from: p0s1tr0n on September 01, 2025, 03:36:39 AM
Hopefully the plugin fixes it for both of us :)

Well, I tried to use the new page to create an OpenVPN connection and it worked. I am just a bit concerned that I can't set certain options in the new interface. Will those missing options have a performance or security impact? I don't really know.

Thus I hope that the new interface will allow these options to be set in the future or that the documentation explains why they are not necessary anymore. Reading the OpenVPN documentation does not state that these options are deprecated or why they are irrelevant all of a sudden.

It depends on the options in question.

Some are missing because they have not been requested, locked away in users' custom configuration, some are deprecated or irrelevant in modern deployments, some don't make a difference on BSD.


Cheers,
Franco

Quote from: dracocephalum on July 26, 2025, 06:33:28 AM
3. The "Compression" dropdown box is gone, and this is where I got stuck - I need to set it to "Partial" (e.g. --compress) for the connection to my VPN provider to work

The general recommendation is to move away from using compression because it introduces unnecessary vulnerabilities. However, if you need to support OpenVPN clients that are requesting compression, then you can configure the OpenVPN server option "compress migrate". This option is also exposed in the new OPNsense OpenVPN instance configuration page if you select "advanced mode".

Ha, on second read I realised you're looking to configure the OpenVPN client, not the server. Feel free to ignore this. : o)

Quote from: franco on September 02, 2025, 12:06:10 PM
locked away in users' custom configuration

What does this mean exactly? I can still set them via creating a config file on the opnsense box? If so, how? I couldn't find any documentation on that.

Quote from: franco on September 02, 2025, 12:06:10 PM
some are deprecated or irrelevant in modern deployments

I think it is important to differentiate between client and server. If I create a server I am in control. All is good. But if I need to create a connection to an OpenVPN server, I have to follow their setup and connection properties. I don't have a choice but to set them or the connection will not succeed. (e.g. I only use the client setup, since I need parts of my network to use the VPN gateway.)

Quote from: franco on September 02, 2025, 12:06:10 PM
some don't make a difference on BSD.

Once again, I believe this is more geared towards the server component. But either way, is there a list of options that are irrelevant on BSD? Also what does that mean for connections (opnsense as a client)? If the VPN provider requires option X, but option X is irrelevant on BSD, what then?