After some additional fiddling with outbound NAT it finally seems to work, in combination with the "just use the openvpn tab".
Thanks.

Had to reboot the machine before the messages went away though.

did you tried reading other topics or forum search?

like this one?
http://forum.pfsense.org/index.php/topic,7840.0.html

I did some research and it seems that the hotel's ISP (or their ISP's ISP) is Covad and that Covad has been known to block the UDP protocol in some markets. Luckily, OpenVPN is flexible enough that I can configure it to use the TCP protocol instead of UDP. I will configure an alternate server that uses TCP. Unfortunately, our user is leaving the hotel in a few minutes so she won't get a chance to test the new server.

Okay, seems is working a little better now with DNS. Hoping for more improvements soon.

For what it's worth, we figured out a way to do it with the Cisco ASA 5505.  I was able to issue to the VPN users the IP addresses in the same subnet as the 10.4.0.0/20 network.  Then I had to add some very strange looking acl's allowing 10.4.0.0/20 to talk to 10.4.0.0/20.  That seems very strange to me, but it works.

I'd still really like to know how to make this work with Pfsense, so if anyone has any ideas, or has questions about my setup please chime in.

Thanks.

this is solved - the config I got through the client exporter expected username + password even though I had configured SSL/TLS Remote Access w/o user auth. Works well now!

Hi,

thanks for your feedback. Please post your results (in a few days).

np, once in a while i share the same boat

Anyone,

any idea how to remove "server 0.0.0.0" parameter? I delete it from /var/etc/openvpn/server1.conf but it always come back after system restart. Where I can disable "server" parameter. I need only "mode server" parameter.

well the easiest thing to do would be outbound NAT on the LAN interface, source of the openvpn subnet, translated to the LAN IP of the box.

Yes, you'd have to switch to manual.

You could do 1:1 NAT on LAN from an OpenVPN IP to a VIP (non-CARP!) in the LAN subnet, but that would only work for one client with a static IP.

check if the routing is correct on both ends …

it can happen that one side is able to send traffic, but that the other side does not know how/where to return the replies

I've had similar issues like this in the past. Some things to look at:

as heper said, check your routing table. make sure there is a route in  site A's table that routes traffic to siteB_subnet via the openvpn interface (do the same check for site B) make sure you have the allow rules on the openvpn tab check your lan rules on A, see which rule get hits when your sending traffic from A to B and double check that its using the "default" gateway. if there is no such rule, add one that has source->lan_subnet dest-> siteb_subnet gateway->default Run a wireshark on the receiving end (the machine on site B that you're pinging), see if the ping requests are coming in (could be that the responses aren't going from B to A properly)

-E

@jimp:

coughcoughcough
:-)

OOOOHHH, I was looking in pfSense's FAQ in the OpenVPN sections…  :D Thanks for the link!