Eh. After having gone through a few working examples, the VPN is set up properly, the rulse are set up properly, the problem is just "somewhere else." So I'm just going to set up a couple of Linux VMs on either side and do OpenVPN that way until reinstall time rolls around for the pfSense boxen.

Nothing stopping you from having two servers running with the same certs+auth setup just one tcp and one udp
Using the port forward method you can forward in as many ports as you want to one server, too, so you can cover tcp, udp, and many ports without issue…

Hi ScOrian, did you find your problem, because I encounter almost exactly the same and I find no solution !

For me, like you, from pf all is ok but pcA cannot ping pcB and vice-versa !

Just wanted to add to this, in the latest snapshots when you set a gateway group and one of the gateways go down, it seems this bug appears

http://redmine.pfsense.org/issues/2582

The ovpn session is unable to assign the new address and the service exits. This completely destroys failover, as even when the original gateway comes back up the ovpn service is stopped.

Thanks.
Will configure  routing setup instead.

Hi All,

Just want to share how I configure my Samsung Galaxy Y to connect to my PFsense 2.0.1 Firewall

========================
OpenVPN Installer By: Fredricj Shauffelhut
OpenVPN Settings
Busy Box

I don't to install tun.ko since galaxy y has already built-in

Note: Tested using Galaxy Y (rooted)
Model: GT-S5360
Kernel: 2.6.35.7
Build number: Gingerbread.dxkl2

just create folder for config on sdcard/openvpn

1. First Install busybox if encounter error saying not compatible just select lower version from the list
2. install Openvpn Installer
when you see Binary not installed (make sure you busybox is installed succcessfully)

Click install

You will see "Binary Installed"

Just tap on exit

2. Install OpenVPn Settings App from google play same author
3. Create folder for config on sdcard/openvpn and copy your openvn config files in there.
4. now you will see the config you just save on the list.
5. Just put a check mark on the list of vpn connection you would like to connect wait for it to connect. it won't prompt for password I just have to click on the notifications area to display the user/password prompt.

That's it….

Regards,
Rocel

I don't really know why you had problems. I never really needed up/down scripts on a pfSense yet.
On linux i once had similar problems but they were actual bugs in OpenVPN itself which i solved by using a different version of OpenVPN.

My setup is similar to yours (TAP, etc) except I  needed to rely on pfsense's DHCP server running on the LAN to provide the ip whether the box was using openvpn to connect remotely or was plugged in locally.  As I needed all the traffic other than Openvpn related to pass through the tunnel (no security holes on the client going to the general lan) this was okay.

In either case the issue I had (and finally solved) was that the arp table on the client side was geting 00 00 00 00 00 (invalid) mac address for the gateway.  I had to manually put an 'up' script in the client to forcibly add the lan's MAC address to the client's arp table – and then it all worked.  Anyhow maybe you can get some hints from a known working setup TAP described here:

http://forum.pfsense.org/index.php/topic,54701.msg292497.html#msg292497

With openvpn server and client configs listed here:

http://community.openvpn.net/openvpn/ticket/233

End of the day, your gateway was "wrong"

Hi all,

Although this thread is slightly old, I still thought it would be worthwhile to post my solution. In summary, pfSense 2.x on ALIX hardware using OpenVPN with DuoSecurity PUSH authentication is working (for me) and hopefully the following notes will help :D

The following setup works for the three forms of authentication from DuoSecurity - PUSH, Call and SMS.

I used a server, separate from pfSense, to run the DuoSecurity RADIUS proxy, FreeRADIUS and authentication database (UNIX). Once you have identified the server, follow these instructions on DuoSecurity's website: http://www.duosecurity.com/docs/radius

During the DuoSecurity Generic RADIUS configuration, follow the instructions for RADIUS (not Active Directory) and add the IP address of pfSense (not hostname) as a RADIUS client

Test the RADIUS installation locally as suggested by DuoSecurity and be certain it is working before continuing

Add the RADIUS details in pfSense:

Go to System -> User Manager -> Servers

Add the RADIUS client with the RADIUS secret you set during DuoSecurity proxy configuration. Set Services offered: to Authentication.

Save

Test authentication via DuoSecurity SMS only (PUSH won't work yet) by going to Diagnostics -> Authentication. Password is in the format <password>,sms</password> and if you already have the SMS OTPs, the format is e.g. <password>,A123456</password>. Once this is working, you can continue with the final steps.

To set the RADIUS client timeout and retry limit to the values recommended by DuoSecurity, do the following:

In pfSense, select Diagnostics -> Edit File

Press Browse and select /etc/inc/radius.inc

|     | NOTE: If the editing window is grey and you can't edit the file, you will have to amend the file via SSH and making the file system writeable by typing |
|     | mount -u -w /dev/ufs/<pfsense_partition></pfsense_partition> |
|     | To make it read-only after the change type |
|     | mount -u -r /dev/ufs/<pfsense_partition></pfsense_partition> |

In the editor, find the lines: function addServer($servername = 'localhost', $port = 0, $sharedSecret = 'testing123', $timeout = 3, $maxtries = 3) function putServer($servername, $port = 0, $sharedsecret = 'testing123', $timeout = 3, $maxtries = 3) Change the timeout and maxtries values to the DuoSecurity recommended values e.g.: function addServer($servername = 'localhost', $port = 0, $sharedSecret = 'testing123', $timeout = 10, $maxtries = 10) function putServer($servername, $port = 0, $sharedsecret = 'testing123', $timeout = 10, $maxtries = 10)

Save the changes

Test authentication via DuoSecurity PUSH by going to Diagnostics -> Authentication. Password is in the format <password>,push</password>

Hopefully it works.

Phil, I just wanted to say thank you.  It was as simple as you suggested.  I've just now had the time/focus to configure and test this properly.  I just wish there was a way to get these darn iDevices to automatically reconnect to the IPsec VPN when turning back on.  I think that's out of the option because I'm using xauth with a pre-shared key, due to my inability to produce a certificate the iPad will accept.  Too bad Apple won't open the API for tunnel management so the OpenVPN project can use it.

Anyway, thank you Phil - you helped me implement something that makes my life a little easier :)

–
Dennis

Ok :)

The E-Mail notification does not report many events until now but If one of my WAN is going down I get an email notification. If the Gateway is up again I will get a notification again.
Of course it must be possible for pfsense to send the email to the email server you added on pfsense. (SYSTEM -> advanced -> notifications)

Jim:

Indeed you're correct about the docs, the guide here http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29#Setting_up_advanced_outbound_NAT

is clear about the step about choosing "advanced outbound NAT"  and changing to the carp translation address, which I haven't done.

Kindly notice the screen dedicated to configuring virtual IP's on PFSense does not do as you've noted: refer the reader to PF's FAQ on the matter, but instead openbsd's carp docs– where the term NAT appears not at all.  That's what I was referring to upstream as not catching that I ought to have been using AON as PF's automatic outbound nat settings don't pick up on the carp vip outbound automatically.

I suggest two cosmetic changes:

1:  Might PF consider removing the subtitle (AON - Advanced Outbound NAT) on the outbound NAT screen?  Generally 'automatic' is held to be more 'advanced' than something with a 'manual' (aka less advanced than automatic) component.   I wonder if others weren't foxed into thinking the reference AON meant 'automatic outbound nat' over against the 'advanced outbound nat with manually edited entries'.   Unfortunate that 'Advanced' and 'Automatic' both begin with 'A.'

2:  A link on the VIP screen to PF's own CARP faq, and moving the Openbsd link to PF's faq?

Also:  The outbound nat rule you suggested worked splendidly to provide openVPN client running on the master access to the backup pf box also running the openvpn server.

Is the proper approach to create an outbound nat destination network a one box '/32' specific link to the backup if on the master, and another like rule on the backup pointing to the master (while checking the box on each to not replicate the rule?)

@Nachtfalke:

Check the firewall on the systems behin pfsense if they allow traffic on UDP ports from the OpenVPN subnet - or disable it for testing

Pfsense is the only firewall and gateway on our local network involved.  The device serving both http (TCP) over port 80 and proprietary UDP over port 1876 has no firewall.  Also, as I mentioned, that computer when on the local network can access both resources just fine.  It's only when remote and connecting via OpenVPN that UDP/1876 traffic doesn't seem to get through.

Hi
thanks for the help
i have to say that now the client is getting the routes that i have added this morning
without any changes
just added this line
push "route 172.16.10.0 255.255.255.0";push "route 172.16.11.0 255.255.255.0"
up until know the route wont work for some reason
thanks for the help  Daniel :)

I am using Quagga and the dual vpn connection works fine initally. Its only when one of the connection drops, that error appears.
Its looks like a potential bug when the loopback interface is trying to use a route already in use by the other VPN instance?

Hi! It works, thank you.

What happened? I know that the server and client didn't match. Do you know by why?