This is a guide on smoothly transitioning away from your OPNsense OpenVPN server legacy setup without forcing clients to change or update their configuration. This is not a guide on how to set up OpenVPN on OPNsense.

OPNsense is sunsetting the original OpenVPN configuration. If, like me, you are running OpenVPN on OPNsense to provide a tunnel for remote clients, this guide is for you.
- You are running OPNsense 24.7.9 or higher.
- Old OpenVPN server settings are under VPN → OpenVPN → Servers [legacy].
- You were running a tunnel configured using the `IPv4 Tunnel Network` setting.
- You had the `Redirect Gateway` option set: this forces all traffic on the client to go through the VPN.
I suggest you do not delete the legacy server setup but disable it until your new setup is working.

- Go to VPN → OpenVPN → Servers [legacy].
- Press the green ▶️ button to disable the server; the button turns grey.
You can skip this phase if you do not have TLS Authentication enabled in your legacy OpenVPN server.

- Go to VPN → OpenVPN → Servers [legacy].
- Copy the `TLS Shared Key` to the clipboard.
- Go to VPN → OpenVPN → Instances and select the `Static Keys` tab at the top of the page.
- Press the orange `+` icon near the right of the page to add a key.
- Set a `Description`, leave `Mode` at `crypt`.
- Paste the value you copied to the clipboard into the `Static Key` field.
- Go to VPN → OpenVPN → Instances and select the `Instances` tab at the top of the page.
- Press the orange `+` icon near the right of the page to add an OpenVPN instance.
- Enable `advanced mode` using the toggle near the top left of the page.
- Accept all defaults unless otherwise mentioned below.
- Set `Description` to whatever you like; I initially set it to `OpenVPN - New`.
- Set `Server (IPv4)` to `192.168.2.0/24` or some other IP range that does not overlap with local OPNsense clients.
- Set `Certificate` to the same value as the old `Server Certificate` value (under VPN → OpenVPN → Servers [legacy]).
- Only relevant if you had it set in your legacy server: under `TLS static key`, choose the key you added in Phase 1 above when you copied and pasted the TLS Static Key.
- Under `Options`, set `duplicate-cn` to allow multiple clients with the same certificate to connect simultaneously. Leave it unset if you want a new connection with the same certificate to disconnect the previously connected client, i.e. at most one connection per user.
- Under `Push Options`, select both `push block-outside-dns` and `push register-dns`.
- Under `Redirect Gateway`, select `default`.
- Press the `Save` button.
- Press the `Apply` button.
- Go to Firewall → Rules → OpenVPN.
- If you already had a rule for `10.0.8.0/24` (or something along those lines), duplicate it, edit it, and ensure it matches `192.168.2.0/24` or whatever IP range you configured above. Otherwise, add it. (The rule needs to allow `in` traffic for `192.168.2.0/24`.)
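Two of the steps above are easy to get subtly wrong: picking a `Server (IPv4)` range that collides with a local subnet, and carrying over a firewall rule that still matches the old tunnel network instead of the new one. The following script is an added example (not part of this guide and not OPNsense code) that checks both before you press `Apply`. The local subnets, the legacy tunnel and the rule sources are constructed sample values; replace them with your own.

```python
import ipaddress

# Constructed sample values; substitute the networks from your own OPNsense.
LOCAL_NETWORKS = ["192.168.1.0/24", "10.10.0.0/16"]  # LAN / VLAN subnets behind OPNsense
NEW_TUNNEL = "192.168.2.0/24"                        # Server (IPv4) on the new instance
OLD_TUNNEL = "10.0.8.0/24"                           # legacy IPv4 Tunnel Network (old rule)


def overlapping(candidate, networks):
    """Return the networks that overlap the candidate tunnel range."""
    cand = ipaddress.ip_network(candidate, strict=True)
    return [n for n in networks if cand.overlaps(ipaddress.ip_network(n, strict=True))]


def rule_covers(rule_source, tunnel):
    """True if a rule whose source is rule_source admits every address in tunnel."""
    return ipaddress.ip_network(tunnel).subnet_of(ipaddress.ip_network(rule_source))


def migration_problems(local_networks, new_tunnel, rule_sources):
    """Collect human-readable problems with the chosen tunnel range and firewall rules."""
    problems = []
    for n in overlapping(new_tunnel, local_networks):
        problems.append(f"new tunnel {new_tunnel} overlaps local network {n}")
    if not any(rule_covers(r, new_tunnel) for r in rule_sources):
        problems.append(f"no OpenVPN firewall rule covers {new_tunnel}")
    return problems


if __name__ == "__main__":
    # Before the rule is duplicated only the old tunnel is allowed in.
    for p in migration_problems(LOCAL_NETWORKS, NEW_TUNNEL, [OLD_TUNNEL]):
        print("problem:", p)
    # After duplicating the rule for the new range, the check comes back clean.
    print("ok" if not migration_problems(LOCAL_NETWORKS, NEW_TUNNEL, [OLD_TUNNEL, NEW_TUNNEL]) else "fix first")
```

Run it once with the rule list as it stands, and again after duplicating the rule for the new range; an empty problem list is the condition for moving on to the "Once you have confirmed all works" cleanup.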
Once you have confirmed all works...
- Remove the legacy server under VPN → OpenVPN → Servers [legacy].
- Remove the stale firewall rule under Firewall → Rules → OpenVPN.