Hi,
I just reboot my pfsense and my VPN works now….

Thanks for the help.

can be done on 1 appliance. in fact it would be more of a hassle to do the same on multiple appliances

I am trying this from at home behind my home router.

When I connect to the VPN server the connection will be established - the systray icon turns into green. But "netstat -rn" does not show me additional routes - just the route for the tunnel network.

When I run the OpenVPN client with admin rights the routes will be added.

But when I run it with admin rights I got a similar error message:

Wed Oct 03 21:17:58 2012 Successful ARP Flush on interface [50] {FBDB3111-D2E3-4899-A765-87EAFB843546} Wed Oct 03 21:18:03 2012 ROUTE: route addition failed using CreateIpForwardEntry: The object still exists.  [status=5010 if_index=50] Wed Oct 03 21:18:03 2012 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem Wed Oct 03 21:18:03 2012 Initialization Sequence Completed

But then I can connect to the pfsense server and to the LAN clients behind pfsense.

No need to create three OpenVPN server instances. Just connect all sites to one server.
The most difficult to do ist setup the correct routes on OpenVPN server and OpenVPN Client to connect to the LANs behind each pfsense.

I think this forum post will explain it:
http://forum.pfsense.org/index.php/topic,12888.0.html

You probably need these 3 commands as custom OpenVPN options:

push "route IP.IP.IP.IP SM.SM.SM.SM"; route IP.IP.IP.IP SM.SM.SM.SM; iroute IP.IP.IP.IP SM.SM.SM.SM;

Here's one issue:

Tunnel Settings_________________
tunnel 10.0.8.0/24
Bridge(none)
local 10.0.0.0/8
Compress tunnel packets using the LZO algorithm.

Your tunnel needs to be outside of your LAN.

Not by domain name, no. You'd have to somehow identify them base on IP address (or block of IP addresses)

Following cmb's remark: we put the vpn on the primary pfsense box (and upgrading its hardware a bit)

I know next to nothing about pfSense specifically, so don't take this as gospel: I think you need to set a floating rule at both b and c to use A as the gateway for matched traffic (either by port, classification, subnet or something else). Have you solved your issue yet?

–
Dennis

Windows won't do OSPF so that's not an option. You need a proper router to do failover, you'll really have to move the OpenVPN off the Windows server to do that properly.

@cmb:

You need manual outbound NAT and to NAT traffic leaving your OpenVPN connection. The StrongVPN guide here has that documented if I recall, it's the same process regardless of VPN provider.

Many thanks for your help. I tried that guide, several times actually, but it didn't work for me (same no web browsing after connecting). So I'm guessing maybe my pfSense version is different. (I have the latest x86 version).

@nadaron:

I looked around and found a strange thing in the ifconfig output (server and client):

Not strange, that's just how it works when using certificates. My guess is you're missing either a route or an iroute.
http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

Hello,

If I recreate the bridge or change the STP proto (stp/rstp) stp will be enabled on the openVPN interface. However, after a reboot stp is only enabled on the physical nic. For now this isn't a game changer for me as my network is working ok with each connected stack electing it self at the root when stp is disabled. When I have STP on the nic in pfSense the switches elect the pfSense nic as the root (I can change this by adjusting the priority though).

Thanks for your time,

Fred

Check the logs on the other side.

The 60 second timeout just means it failed to contact the server, so no connectivity. The other side would be more helpful.

Hello, I just set up the same config and had it working. The issue I ran into is that I needed some layer2 stuff to cross the network and pf was placing in layer 3, thus breaking my config.

Anyhow, I have Cisco switches that were connecting to my pf setup.

I have three Nics in my pf boxes (1 for LAN, 1 for WLAN and 1 for Internet)

I created openvpn tun sharedkey tunnels between my pf boxes, and assigned the openvpn clients to interfaces. In QuagaOSPF add the three interfaces to area 0.0.0.0.

On the switch side I added the pf LAN network to area 0 and my failover was good to go. Just play with the interface cost in quagga to determine when a failover should occur. I think my fail over was sub 2 minutes.

In pfsense you will want to set up some rules to handle traffic that ospf doesn't know about. I used the gateway groups to handle this so that in a failover my internet traffic would still go out. However, I route all my outgoing internet traffic through my data center so YMMV.

BTW if you need to trunk (802.1q) between your switches and they support ospf you can connect the wlan to the switch use pfsense to create a vpn backup there. At least that's what I am trying now….

Fred

That blog post is correct as well. No, not everyone who's ever written a site to site OpenVPN guide is conspiring against you. They really do work as illustrated.

My guess at this point is you have a general connectivity problem between client and server for some reason. Packet capture, check firewall states, for the outer 1194 or whatever port you picked.

The server's raw config would be in /var/etc/openvpn/

If the clients have routes, try doing a traceroute and see how far it gets.

See if you can ping/reach the pfSense firewall's LAN IP. If you can reach the LAN IP and no farther, it could be something on the target machine (local firewall/filter), or it may not be using pfSense as its default gateway.

If you can't reach the pfSense firewall's LAN IP, then I'd double check the routing, make sure the client is being run as Administrator on Vista/w7/w8/etc.

Oh my god, I feel like an idiot.

You guys were correct about the routes.  Unfortunately, I made an error while adding the route, to the VPN settings.

While I added the route under the Server settings, I forgot to add the 10.10.20.0/24 route under the Client Specific Overrides.  As soon as the route information was added there, communication worked bi-directionally.

Thanks so much for your help!  This was a great learning experience.

When you enter Tunnel Network, Local Network and Remote Network it uses these to make a route to Remote Network across Tunnel Network for you. So when there is just 1 LAN subnet at each end, the routing happens "automatically".
The extra things you have to do are;

open the port you are using at the server end, so the client incoming connect can get through. Add firewall rule/s on OpenVPN at each end to allow the traffic you want that comes from the other end of the tunnel.
Then it all just works in a simple site-to-site config.

Actually for a site-to-site openvpn just between two nodes, a shared key setup is much, much easier. No need to make or export certificates. Also that guide seems to have been written a long time ago against 2.0-RC1. The Guide for a multi-site PKI setup on our doc wiki may be more accurate: http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29

Actually one thing that guide doesn't mention is if you do SSL/TLS and it's still just between two sites, if you just use a /30 for the tunnel network, it does not require that you add the client-specific overrides or anything like that. You can't push settings to the client, so you do need to fill in the tunnel network on both sides, and you need to fill in the 'remote network' fields on both sides.

It's much simpler to do shared key though, as described here: http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_%28Shared_Key,_2.0%29

Though even that is a lot of detail, it really boils down to:

On the server:

Add the server entry, set to Peer to Peer (Shared Key) Set a tunnel network In remote network put the client side LAN network Add a wan rule to allow traffic to the wan address on the port (probably 1194) Add openvpn firewall rules to pass traffic inside the tunnel

On the client:

Add a client entry, Peer to Peer (Shared Key) Enter the server IP and port Uncheck "automatically generate" and copy the shared key from the server screen to here Set the same tunnel network as on the server Set the remote network to be the server's LAN network Add openvpn firewall rules to pass traffic inside the tunnel

The guide goes into much more detail than that, but I probably set up 6-10 of these things a week for people and it works every time…