• OpenVPN - performance issues under VMware

    I have been dealing with a similar problem.. and ip fast forwarding did not help much.

    Essentially, I have BGP setup, 6 pfSense boxes connected in a full mesh with some backend MPLS as the primary connectivity, but OpenVPN tunnels from everything to everything as a backup. 6 OpenVPN tunnels all TCP (BGP doesn't seem to want to play nice with UDP tunnels) and one of them, but only one, exhibits this problem. It is in fact a general problem with that pfSense box, as all OpenVPN tunnels out/in are slow, even though it is very new hardware. I have pored over it extensively, and I can't see anything that would alter its network behavior.

    I am on 2.0.1-release, and I am really not sure where to go from where I am now…

    I have done everything except look at frame sizes and packet traces. If anyone can give me a pointer in the right direction it would be sincerely appreciated!

    EDIT- This has included taking all encryption off the tunnel, so it is definitely not to do with encryption load. I am getting 140ms transit times and low bandwidth (4 +/- .5 MBps) when I am getting 94ms WAN to WAN

  • Only able to ping router/openvpn gateway

    Thanks for the replies. I'll try some of the suggestions out and let you know. For now…

    1.  Is the software firewall disabled on any hosts you're trying to ping?
    Yes
    2.  Are clients running openvpn as admin? (win 7 / vista)
    Is this an issue? They haven't been but they can
    3.  Can we see screen shots of your LAN and OPENVPN tabs?
    They're set to wildcard any, allow all from all
    4.  What is the IP of your AD server?
    192.168.6.2, LDAP auth is working fine
    5.  When you are pinging around, are you pinging by IP or hostname?
    IP
    6.

    Edit: After disabling windows FW (for the second time, likes to re-enable itself) and setting the gateway to the pfsense box I can pass traffic back and forth between pfSense and the OpenVPN client. Thanks a ton guys!

  • OpenVPN Clients can't route to IPSEC

    Don't post duplicate topics. Locking this; the other is here:
    http://forum.pfsense.org/index.php/topic,49632.0.html

  • Please HELP! I am near to go insane!

    No one has replied
  • How to make OpenVPN failover ?

    Check this post for info on OSPF:

    http://forum.pfsense.org/index.php/topic,37084.0.html

  • DonnyD
    If you have two different CA, one for site-to-site VPN and another CA for Road-Warrior VPN then the site-to-site clients can not connect to RoadWarrior VPN but only to site-to-site VPN. The Road-Warrior clients can only connect to Road-Warrior VPN but not to site-to-site VPN.

    Thank you, Nachtfalke.

    I am confused about this, because I have tested OpenVPN site-to-site and road warrior VPN with separate CAs. Road warrior clients can connect to site-to-site clients, and site-to-site clients can also connect to road warrior clients; I used the advanced configuration option in the tunnel and it is working.

    Example: OpenVPN server + road warrior site A, OpenVPN client site B and OpenVPN client site C

    "Road Warrior" on the server site, in the tunnel's Advanced configuration I use: push "route 10.66.76.0 255.255.255.0"; (OpenVPN Client site B LAN subnet)

    "OpenVPN Client site B", in the tunnel's Advanced configuration I use: route 172.31.23.0 255.255.255.0; (Road Warrior tunnel network on server site)

  • Problem tunneling all client traffic through openVPN

    @wm408:

    Try leaving concurrent connections blank.
    Remove your redirect gateway def1 entry in advanced options if it's still there; the checkbox in the GUI will suffice.

    Tried that, didn't fix it.

    @wm408:

    Are you sure all of the subnets in your firewall/NAT rules are correct to the client pool subnet for the warrior vpn?

    No, most of those NAT were made automatically.

    Come to think of it I will have to play with the WAN gateways, as one day (after setting up failover) some subnets stopped having internet. I had to change from gateway = * to gateway = WAN for them to get online. I will try the same for OpenVPN

    EDIT - SUCCESS :)

    I had to change the OpenVPN firewall rules to use the WAN2 gateway:

    10.0.8.0/24 * * * WAN2_312403 none

    Thanks for all the help!

  • Error On Open VPN Client

    If you have a new key and a new cert, then import these in SYSTEM -> Cert Manager.
    After that, modify your OpenVPN server to use the new certs. That's all. No reboot needed.

    ADVICE: Please update your old pfsense version to pfsense 2.0.1. It does not make sense to discuss problems with old versions.

  • OpenVPN site to site PKI partially up?

    Thanks for the suggestion.

    Just tried adding in the iroute command…
    The status under Status->OpenVPN changed to down and I could no longer ping from site B.
    I already have "route [site B subnet] [subnet mask]" command in server under the advanced options.

  • Clientless VPN?

    Thanks for your quick response!

    I figured as much.

    Cheers!

  • Need some help with openvpn client connections

    Yes, this can be done.

    You can realize that with the "Client Specific override". Enter the Certificate's Common Name of the RoadWarrior and set up a /30 subnet within the OpenVPN-Server tunnel network for that client. This will always assign the client the same IP address.

    Every OpenVPN connection has its own /30 subnet.
    10.10.10.8/30 has these IPs:
    10.10.10.4: Netaddress
    10.10.10.5: OpenVPN Server
    10.10.10.6: OpenVPN Client/RoadWarrior
    10.10.10.7: Broadcast address

    Okay, thanks. This is fine, but how do I do this? –Nevermind.

    Wow. This is humbling. There's a tab for that?! Never even saw it until you mentioned it.

    Ok, I'm going to try it out now, but I suspect I should delete the client config sub-directory I created and restart openvpn.

    Much Thanks for enlightening me, Jits.

  • Newbie Question

    No one has replied
  • Pfsense 2.01 + OpenVPN: How to add fixed IPs from Windows?

    No one has replied
  • Can't get it working after Squid

    I work in a call center, so I must wait until the agents stop work.
    After the change on 172.20.100.0/24 I can connect only one time and the client doesn't get any gateway address.
    I can't access servers on 172.20.x.x, and my external address is not the one from the OpenVPN server; my client keeps the address of the internet provider.

    Very strange?!?!

  • Clientes getting same ip even with Duplicate Connections checked

    You don't want tap either; that's only very, very rarely desirable, and pretty much never for site to site.

    Take out the hard coded tunnel network, add iroute as needed, and you're set.

  • Proper way to implement Split Tunneling

    No one has replied
  • Concurrent sessions won't work..

    Thank you, I'll try that :)

    It works! Thank you! :)

  • OpenVPN (SSL/TLS + UserAuth) + FreeRadius with OTP

    If I read this correctly, then you must configure this parameter on both sites. If you do not, the lowest value takes effect.
    But you can disable it on one site so that you can configure it individually on the other site (different clients with different times if disabled on server site).

    http://openvpn.net/archive/openvpn-users/2006-12/msg00189.html

    PS: Do you use freeradius2 package with mOTP ?

  • Attempt to setup site2site openvpn shared key

    From office 2 I can ping the LAN port on the office 1 pfSense LAN card, which has an IP of 10.1.2.43:

    C:\Users\Administrator>ping 10.1.2.43

    Pinging 10.1.2.43 with 32 bytes of data:
    Reply from 10.1.2.43: bytes=32 time<1ms TTL=63
    Reply from 10.1.2.43: bytes=32 time<1ms TTL=63
    Reply from 10.1.2.43: bytes=32 time<1ms TTL=63
    Reply from 10.1.2.43: bytes=32 time<1ms TTL=63

    Ping statistics for 10.1.2.43:
       Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
       Minimum = 0ms, Maximum = 0ms, Average = 0ms

    Ugh, so I can not reach anyone on that network.

    Note that the network on the LAN is connected to a whole office using a different router. The WAN is on its own static IP, separate net connection, so what I want to know is how to route traffic from office 2 through the OpenVPN to the 10.1.2.0 network. I don't even know where to start or what to read up on.

  • OpenVPN on carrier p2p connection

    jimp

    Though I must ask - if it's a point to point interface, why use openvpn? Just add some static routes for the networks reachable via the opposing router.

    Unless you don't trust the carrier of the p2p circuit, then encrypt all you want.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.