Glad it helped

Great to hear!

Glad it was helpful!

Glad it helped!

Great to hear!

Glad it helped!

Yes, exactly

Thanks for the visit

Please, can you do site-to-multisites OpenVPN connection using SSL/TLS and how all the sites communicate with each other? Thanks 🙏

check Client Specific Overrides on Head Office side, check the OpenVPN rules etc.

This video is a continuation of “Part-1” of this video series, I would advise you to watch “Part 1” first closely. This Seems you have almost done it, make sure you don't miss and create an OpenVPN rule in > Firewall / Rules / OpenVPN.

Glad to hear this

You're welcome!

The procedure for renewing the certificates is the same as renewing public SSL certificates from the Certificate Authority (CA). In the same premises where CA is present, the certificate renewal is enough for the focal pfSense firewall. For branches where you have exported earlier, you have to renew it first from the same CA and follow the same procedure for export & then import it to the branch office.

@@itkb Please advise, how do you do it practically? For ex. you have 20 remote branches. You have to maintain list with certificates and their expire dates. So you have to setup some service which reminds you about date expiry (i know pfsense can send this notification by email for ex.). After that you have to get spare channel for update? Because if certificate update will fail at remote branch you will loose connection. When you have simple static key there is no any issue with expire. So what is the solution of update peer-to-peer SSL-TLS certificates in enterprise environment?

“Concerns about technology often find a resolution.” I would share my best-practice advice with you. I have numerous branches around the world. Just for a portrayal, Principally every certificate has an expiry date set and possibly we could extend its expiry for more than a year, some CAs are still required to renew their certificates with new private keys. However, it is deemed needed to renew all the certificates every 1 year this is because the CA/Browser Forum has made it compulsory for all CAs not to issue any SSL for a period of more than 1 year. In all the sites, I would recommend using “Self-Signed - CA and Certificates” generated in the “pfSense firewall” with maximum expiration for all the offices/sites (must be using strong key length), at least this gives you much longer leverage in certificate renewal, unlike public certificate compulsory renewal phase.

@@itkb So you every year manually login to every remote branch and manually update certificates?

Why should I wait for the end of the year 😊, comprehend the different approaches. To avoid managing certificates manually you could install the “acme” package and configure the API with your domain registrar to automate the renewal process. Watch this video for your assistance. kzbin.info/www/bejne/pnvWf3uGf6monas

sure, watch my pfSense OpenVPNs/IPSec related videos and you should be able to find the accurate answer.

I've tired. but for site-to-site VPN connection I can't use "Client Export" function. Thus, I'm not able to connect.@@itkb

Sorry to hear that, but if you follow along with the video step by step, all you need is to create a CA, Cert for your branches pfsense to add it there, sure S2S connection is established, and then check your firewall rules.

same for me, its says client and server is connected but i cannot access target remote subnet

@@itpugil After a few days of confusion another video sparked a thought. Change your Tunnel Network from /24 to /30. You will be able to pass traffic that way. If I work out how to pass traffic with it above /30, I will try and remember to update that here, since obviously /30 limits it somewhat.

@@calhta thank you. Will test it out tomorrow. I'll let you know what comes up. This is for those out there experiencing the same issues.

@@calhta tested it and set tunnel network to /30 still didn't work for me. I probably have something specific to my setup that is unlike yours. Thanks for the help! Edit: I am however able to ping at both pfsense servers, so a step up from the problem I had yesterday!