My example of this "feature" is at http://forum.pfsense.org/index.php/topic,59464.0.html I have noticed it with both Peer-to-peer shared key and SSL/TLS links every now and then. I saw it just now and managed to gather some data.

figured it out by myself, NAT rules doesn't seem to be created by default, so i added the outbound NAT rules myself …  8)

For info heres my .ovpn config file persist-tun persist-key cipher BF-CBC tls-client client remote 88.77.66.55 443 tcp http-proxy 10.11.13.30 80 auth-user-pass Here's the iOS openvpn log: 2013-02-27 12:40:26 –--- OpenVPN Start ----- 2013-02-27 12:40:26 EVENT: RESOLVE 2013-02-27 12:40:26 EVENT: WAIT 2013-02-27 12:40:27 Transport Error: TCP connect error on '88.77.66.55' for TCP session: Connection refused 2013-02-27 12:40:27 Client terminated, restarting in 2...

haha… I cannot believe this. I feel like a right noob now  ;D Thanks a lot! it works in a real browser.

@phil.davis: NAT the incoming OpenVPN road warrior links/clients onto your LAN That's one of the solutions I have looked for but couldn't find how to do so. Another point is I wouldn't know which client connected because of the NAT but that would be acceptable if I would get it working

Thanks, but where did you put the command? Do you mean in the box "Additional configuration options" in the export client tab? Or should i download the files and edit the config?

If you use user auth on the server side, and you don't save the password on the client side, yes. If you are only doing certificate auth, probably not.

pfSense version? OS client version? OpenVPN client version? Do you have a LAN rule permitting all traffic to the whole tunneling network (policy routing)? Are you sure that clients aren't using your subnets for their local network? Have the affected clients more than a NIC? Are allways the same clients? Do you see any message at OpenVPN logs (server & affected clients)? Are you using tun or tap? Are you using tcp or udp? Do you see anything at your pfSense firewall log?

So the issue is this ##@(# DSL modem. Because in pfSense 1.2.3 only "WAN" interface could be PPPoE, the modem was configured for PPPoE. But in this mode the DSL modem assigns the IP as a /8 to pfSense! So since both IP address (everything is dynamic) happen to start with 198. there was a conflict. After configuring the PPPoE on pfSense the subnet mask is 255.255.255.255 and there's no more conflict. :'(

Finally it works! I had two errors: Incorrect manual NAT Outbound Incorrect policy routing at LAN, as you said. $ pfctl -s rules | grep VPNs pass in quick on em0 inet from <adm_pcs> to 192.168.XXX.0/22 flags S/SA keep state label "USER_RULE: Access from LAN to VPNs"</adm_pcs> em0 is my LAN adm_pcs is my alias for administrator's computers at the LAN side. 192.168.XXX.0/22 covers all my OpenVPN networks (I have many OpenVPN servers running). Version 2.0.1-RELEASE (i386) built on Mon Dec 12 19:00:03 EST 2011 FreeBSD 8.1-RELEASE-p6 Many thanks!

remote are incorrectly set to the same HQ subnet (192.168.1.x) I would be more convenient to change the remote, I try,.. thanks!

Thanks, that's clearer. I'll do the redirecting bit, so if I decide to change to UDP later (unlikely, but you never know) it won't bite me.

Problem solved: reinstalled both ESXi machines (promisc mode on) reinstalled both VM pfSense (2.1beta i386) configured OVPN bridge (tap) first > works ok configured OVPN tunnel (tun) all working smoothly I should've done this from the begging, not trying to fix anything was broke. This topic can be closed. Thanks again

I'm looking to do this same thing.  I want all traffic in the new VLAN to go over the OpenVPN connection.  Jimp:  You mentioned setting DNS servers so they go over the VPN.  How would you do that?  Setup a rule that any connection to a certain DNS IP address uses the OpenVPN gateway? What if I also wanted any queries to certain websites to go over the OpenVPN connection, regardless of VLAN membership?  Thanks! EDIT:  What if I also wanted to set pfSense as an OpenVPN server for a separate connection?  Would this pose serious issues?

OpenVPN on client: Feb 18 16:34:31 openvpn[13124]: TCPv4_CLIENT link local (bound): [AF_INET]xx.xx.xx.xx Feb 18 16:34:31 openvpn[13124]: TCPv4_CLIENT link remote: [AF_INET]xx.xx.xx.xx:1197 Feb 18 16:34:31 openvpn[13124]: Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1197 Feb 18 16:34:32 openvpn[13124]: Initialization Sequence Completed Ping results: Packets: Sent = 101, Received = 69, Lost = 32 (31% loss), Approximate round trip times in milli-seconds: Minimum = 22ms, Maximum = 126ms, Average = 37ms OpenVPN on server: Feb 18 16:34:28 openvpn[11737]: Inactivity timeout (–ping-restart), restarting Feb 18 16:34:28 openvpn[11737]: SIGUSR1[soft,ping-restart] received, process restarting Feb 18 16:34:29 openvpn[11737]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts Feb 18 16:34:29 openvpn[11737]: Re-using pre-shared static key Feb 18 16:34:29 openvpn[11737]: Preserving previous TUN/TAP instance: ovpns1 Feb 18 16:34:29 openvpn[11737]: Listening for incoming TCP connection on [AF_INET]xx.xx.xx.xx:1197 Feb 18 16:34:31 openvpn[11737]: TCP connection established with [AF_INET]xx.xx.xx.xx:1765 Feb 18 16:34:31 openvpn[11737]: TCPv4_SERVER link local (bound): [AF_INET]xx.xx.xx.xx:1197 Feb 18 16:34:31 openvpn[11737]: TCPv4_SERVER link remote: [AF_INET]xx.xx.xx.xx:1765 Feb 18 16:34:31 openvpn[11737]: Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1765 Feb 18 16:34:32 openvpn[11737]: Initialization Sequence Completed As you can see, these logs show the initial connection but there is nothing after that.

solved my problem, many thanks  ;) .

UPDATE: After re-watching the video, I decided to delete the user I had before and re-created it. Everything worked like a charm after that! Any admins may mark this as solved.