That option only adds an additional layer of protection on a .p12 certificate store file. I'm not sure that the Viscosity bundle even uses .p12 files, but the Windows Installer does. If you put in a password there, it requires a password to access the certificate inside the .p12 file.

It would not include a username or password in plain text in there anywhere regardless of whether or not you chose that option.

You can do that either way. There is documentation for setting it up on the doc wiki (check my sig).

@jimp:

or that the system you are trying to reach does not use the pfSense firewall as its default gateway

Thank you so much. Sometimes things are so simple that it is almost impossible to spot them. I was trying to connect to the LAN over my OpenVPN connection for hours and couldn't figure out what I did wrong as all routing tables where correct.
I am currently in the process of changing my firewalls to pfsense and also configure an new broadband connection. I completely forget that all my servers were still configured with the old gateway ip.

Thanks again.

Thanks to cmb this is now working. The trick was to change the mode from Automatic to Custom in VPN Tunneling->Client->Firewall, and add the following iptables rules under Administration->Scripts->Firewall:

# apply forwarding for OpenVPN Tunneling iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s 10.8.5.0/24 -j ACCEPT iptables -A FORWARD -s 10.0.0.0/16 -j ACCEPT iptables -A FORWARD -j REJECT # enable forwarding echo 1 > /proc/sys/net/ipv4/ip_forward

Thanks again.

Now I just have to figure out how to mark this thread as solved.

@broncoBrad:

There appears to be a 2048-bit OpenVPN static key in the server setup, which I assume is the shared key which leads me to believe this is pre-shared key authentication.

So why is this static key here if this is PKI?

Currently I create users for the VPN through the user manager. How is this different than using RADIUS? Which is more secure?

http://openvpn.net/index.php/open-source/documentation/howto.html#security

YES!
I've disabled gateway monitoring and the connection doesn't get cut anymore. I haven't taken care of setting up gateway monitoring because I thought it's simple monitoring (i.e. 'nice to know' information).

Thank you for your help!

@broncoBrad:

So just to double check. When I've established a VPN connection all initiations by my computer would be checked against rules on the VPN tab, yes?
Yes, if you checked "redirect all traffic through VPN" on OpenVPN server.

Now as far as communicating between my computer and other computers on the OPT network that the VPN is tunneled to do I have to create rules that allow for communication between the VPN interface and the OPT network Yes or does the pfSense treat the VPN'd computer as being on the OPT network? No

Does that make sense?

Thanks in advance!

You need a client specific override for each site, which is generally required for the iroutes anyway.

Well,
When proxy drops my connection I need to set openvpn client to disabile and then re-enable the openvpn client in pfsense.
Is it possible to automatize this task whenever the openvpn connection is lost?

No Snort, no blocking of any kind and I can't download from those urls. I believe you when you say the files are there but on the other hand we're not making this up either :D

Anyway, the problem seems to have solved itself because it's now downloading and installing properly. Thanks for lending us your brain :)

I was using OpenDNS by the way, perhaps it had a problem of some sort.

That commit didn't disable any checks, it just stops that line from logging

Thanks for your help.

And an an added bonus, I found that when compression was off on 1.2.3, it ended up turned on in 2.0, so I fixed that as well.

This one (for DNS) also affected NTP and WINS servers. I committed a fix to the upgrade code to split them out properly.

1.2.3 had no interface selection for OpenVPN, so it was equivalent to setting the interface to 'any' in the GUI.

I changed the upgrade code to assume 'any' for the interface on upgrade rather than 'wan' so it should be a non-issue on future upgrades of this type.

The installer thing is pretty cool.  I'll update the guide sometime today.

Thanks!

I think the best way is using ipsec or openvpn.

Both has specific source network/host and destination network/hosts