• Two route added by openvpn

    Locked
    0 Votes
    3 Posts
    2k Views

    Look at the server configuration

  • Unable to setup OpenVPN client.

    Locked
    0 Votes
    5 Posts
    2k Views

    I'm still new to most network related issues, so maybe I'm using the wrong terminology when I search for how to set this up. But I have read every tutorial I could find with Google, I have read every tutorial I could find here on the forums, and I cannot find how to set up this VPN connection. Can anybody at least point me in the right direction?

  • Pfsense to dd-wrt openvpn tunnel

    Locked
    0 Votes
    3 Posts
    3k Views

    I use a P2P Shared Key tunnel… Not sure if this will help you but here is an example of my DD-WRT config.. And nothing is NAT from what I can tell. Straight routing..  pfsense site is 192.168.0.x, the other site is 192.168.50.x... 172.16.50.x is the tunnel.

    Startup commands

    # Config for Site-to-Site SiteA-SiteB
    echo "
    remote pfsense IP/Host
    proto udp
    port 1195
    dev tun0
    persist-tun
    persist-key
    resolv-retry infinite
    secret /tmp/static.key
    nobind
    mute-replay-warnings
    verb 3
    comp-lzo
    keepalive 15 60
    daemon
    " > SiteA-SiteB.conf

    # Config for Static Key
    echo "
    -----BEGIN OpenVPN Static key V1-----
    -----END OpenVPN Static key V1-----
    " > static.key

    # Create interfaces
    /tmp/myvpn --mktun --dev tun0
    ifconfig tun0 172.16.50.2 netmask 255.255.255.0 promisc up

    # Create routes
    route add -net 192.168.0.0 netmask 255.255.255.0 gw 172.16.50.1
    route add -net 192.168.1.0 netmask 255.255.255.0 gw 172.16.50.1
    route add -net 192.168.60.0 netmask 255.255.255.0 gw 172.16.50.1
    route add -net 192.168.100.0 netmask 255.255.255.0 gw 172.16.50.1
    route add -net 192.168.200.0 netmask 255.255.255.0 gw 172.16.50.1

    # Initiate the tunnel
    sleep 5
    /tmp/myvpn --config SiteA-SiteB.conf

    Firewall commands, I need to tweak these but they work… just can't ping the dd-wrt router but I can telnet/web into it

    # private subnets (anything FROM these subnets)
    iptables -A ALL_ACCEPT -s 192.168.0.0/16 -j ACCEPT
    iptables -A ALL_ACCEPT -s 172.16.50.0/24 -j ACCEPT
    iptables -A ALL_ACCEPT -s 172.16.60.0/24 -j ACCEPT

    # Open firewall holes
    iptables -I INPUT 2 -p udp --dport 1195 -j ACCEPT
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

  • Site-to-Site: Packet forwarding on client side

    Locked
    0 Votes
    3 Posts
    2k Views

    I ended up reinstalling pfSense on the client side and testing with all packet filtering disabled, everything then started working as expected.

  • OpenVPN Behind PfSense on Separate server how to - Help

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Unable to maintain an OpenVPN connection longer than 3 seconds.

    Locked
    0 Votes
    2 Posts
    2k Views

    The server log would probably be more telling than the client's log. That sounds like what happens when multiple clients are sharing a cert, one connects and knocks off another, then that one reconnects and knocks off the previous, over and over.

  • Security question.

    Locked
    0 Votes
    4 Posts
    2k Views

    The latter requires a specific certificate for each user, and the former doesn't.

  • Need Help with OpenVPN Site to Site PKI 2.0.1

    Locked
    0 Votes
    4 Posts
    2k Views

    Can you ping the tunnel endpoints (most likely 10.0.8.1 - 10.0.8.2) from the pfsense web interface? If not, and your firewall rules are good, then the tunnel is probably not working correctly.
    If yes, try checking if the openvpn routes for the local lan and client lan are ok (see remote network / local network in the openvpn configuration page).

    If it then still doesn't work you should provide some more details like screenshots of configuration/routing tables/traceroutes/…

    kind regards

  • VyprVPN - OpenVPN - external program exited with error status: 1

    Locked
    0 Votes
    7 Posts
    6k Views

    And:

    Jun 19 13:12:50 openvpn[41217]: TUN/TAP device /dev/tun2 opened
    Jun 19 13:12:50 openvpn[41217]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Jun 19 13:12:50 openvpn[41217]: /sbin/ifconfig ovpnc2 10.17.0.47 netmask 255.255.0.0 mtu 1500 up
    Jun 19 13:12:50 openvpn[41217]: /sbin/route add -net 10.17.0.0 10.17.0.47 255.255.0.0
    Jun 19 13:12:50 openvpn[41217]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Jun 19 13:12:50 openvpn[41217]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1542 10.17.0.47 255.255.0.0 init
    Jun 19 13:12:50 openvpn[41217]: /sbin/route add -net 138.199.67.149 86.28.104.1 255.255.255.255
    Jun 19 13:12:50 openvpn[41217]: /sbin/route add -net 0.0.0.0 10.17.0.1 128.0.0.0
    Jun 19 13:12:50 openvpn[41217]: /sbin/route add -net 128.0.0.0 10.17.0.1 128.0.0.0
    Jun 19 13:12:50 openvpn[41217]: Initialization Sequence Completed
    Jun 19 13:13:57 openvpn[41217]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jun 19 13:13:57 openvpn[41217]: MANAGEMENT: CMD 'state 1'
    Jun 19 13:13:57 openvpn[41217]: MANAGEMENT: CMD 'status 2'
    Jun 19 13:13:57 openvpn[41217]: MANAGEMENT: Client disconnected
    Jun 19 13:13:58 openvpn[41217]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jun 19 13:13:58 openvpn[41217]: MANAGEMENT: CMD 'state 1'
    Jun 19 13:13:58 openvpn[41217]: MANAGEMENT: CMD 'status 2'
    Jun 19 13:13:58 openvpn[41217]: MANAGEMENT: Client disconnected
    Jun 19 13:13:59 openvpn[41217]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jun 19 13:13:59 openvpn[41217]: MANAGEMENT: CMD 'state 1'
    Jun 19 13:13:59 openvpn[41217]: MANAGEMENT: CMD 'status 2'
    Jun 19 13:13:59 openvpn[41217]: MANAGEMENT: Client disconnected
    Jun 19 13:14:00 openvpn[41217]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jun 19 13:14:00 openvpn[41217]: MANAGEMENT: CMD 'state 1'
    Jun 19 13:14:00 openvpn[41217]: MANAGEMENT: CMD 'status 2'
    Jun 19 13:14:00 openvpn[41217]: MANAGEMENT: Client disconnected
    Jun 19 13:14:01 openvpn[41217]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jun 19 13:14:01 openvpn[41217]: MANAGEMENT: CMD 'state 1'
    Jun 19 13:14:01 openvpn[41217]: MANAGEMENT: CMD 'status 2'
    Jun 19 13:14:01 openvpn[41217]: MANAGEMENT: Client disconnected
    Jun 19 13:14:01 openvpn[41217]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jun 19 13:14:01 openvpn[41217]: MANAGEMENT: CMD 'state 1'
    Jun 19 13:14:01 openvpn[41217]: MANAGEMENT: CMD 'status 2'
    Jun 19 13:14:01 openvpn[41217]: MANAGEMENT: Client disconnected
    Jun 19 13:14:14 openvpn[41217]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jun 19 13:14:14 openvpn[41217]: MANAGEMENT: CMD 'state 1'
    Jun 19 13:14:14 openvpn[41217]: MANAGEMENT: CMD 'status 2'
    Jun 19 13:14:14 openvpn[41217]: MANAGEMENT: Client disconnected
    Jun 19 13:14:15 openvpn[41217]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jun 19 13:14:15 openvpn[41217]: MANAGEMENT: CMD 'state 1'
    Jun 19 13:14:15 openvpn[41217]: MANAGEMENT: CMD 'status 2'
    Jun 19 13:14:15 openvpn[41217]: MANAGEMENT: Client disconnected
    Jun 19 13:14:16 openvpn[41217]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jun 19 13:14:16 openvpn[41217]: MANAGEMENT: CMD 'state 1'
    Jun 19 13:14:16 openvpn[41217]: MANAGEMENT: CMD 'status 2'
    Jun 19 13:14:16 openvpn[41217]: MANAGEMENT: Client disconnected
    Jun 19 13:19:41 openvpn[41217]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
    Jun 19 13:19:41 openvpn[41217]: MANAGEMENT: CMD 'state 1'
    Jun 19 13:19:41 openvpn[41217]: MANAGEMENT: CMD 'status 2'
    Jun 19 13:19:41 openvpn[41217]: MANAGEMENT: Client disconnected

    I might just run OpenVPN on this specific server for the meantime

  • Have vpn traffic source from local subnet?

    Locked
    0 Votes
    3 Posts
    1k Views

    Hello CMB,

    Thank you for your response. Can you give me a little more detail on how to set this up? Basically, I want to come in from the internet thru my vpn. My source would be, 172.10.10.6. When I connect to a machine on my network, I would like the 172 ip to appear to be a 192.x ip.

    Thank you in advance!

  • OpenVPN Bridging between 1.2.3-RELEASE and 2.0.1-RELEASE

    Locked
    0 Votes
    1 Posts
    962 Views
    No one has replied
  • Firewall Rule routing over OpenVPN

    Locked
    0 Votes
    2 Posts
    2k Views

    afaik you shouldn't use static routes for openvpn!
    use the local/remote network fields and route/iroute/push route features of the openvpn server/client to get routing working over the vpn.

  • MOVED: openvpn and snort

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Openvpn client for wp 7.5 phone

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Openvpn site-to-site

    Locked
    0 Votes
    4 Posts
    2k Views

    Thanks to both of you for your answers. The trick was to allow traffic in the firewall section. In quagga I added only the openvpn interfaces. But in the firewall rules I refer to the opt interfaces, and there I saw denied traffic, and this is what I allowed. So it works fine now. Thanks. I am about to extend this config to other links.

  • OpenVPN client export not finding certificates

    Locked
    0 Votes
    2 Posts
    1k Views
    jimp

    What mode is your server set to? And what auth source (if any)?

    If it's SSL/TLS+User Auth and it's set for Local, then the certificates have to be assigned to Users that exist as well.

  • OpenVPN and DNS

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Site-to-Site VPN - can't ping from one side to the other

    Locked
    0 Votes
    5 Posts
    5k Views

    It's working fully now.

    For some odd reason, I am unable to ping devices behind a ZyXEL HD Powerline networking device from the 192.168.1.0/24 subnet, but I can ping everything else on 192.168.2.0/24 from 192.168.1.0/24. I can ping all devices behind the ZyXEL device on the same subnet just fine.

    I think I was trying to ping devices behind that ZyXEL and getting confused because it wouldn't ping.

    Thanks for your efforts!

  • Quick Shared Key site-to-site question

    Locked
    0 Votes
    3 Posts
    2k Views

    Thanks. That's what I figured. I was able to get all my sites VPN up using Shared Key. I just upgraded to 2.0.1 from 1.2.3 at my main site in dramatic fashion (I made some really dumb routes trying to captive portal on OPT1, made webGUI inaccessible, panicked, reinstalled pfsense 2.0.1 and rebuilt). I had SSL/TLS set up previously with 1.2.3 and it worked great. I've got to relearn and translate to the new version.

    thanks again.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.