• Possible to have clients receive address from internal lan subnet

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    Cry Havok

    There is no tunnel network - when using TAP the client is effectively directly connected to the LAN. It gets a DHCP lease from the LAN DHCP server.

    I would recommend you read the OpenVPN documentation so you understand the basics of what you're dealing with.

  • Pfsense open vpn client site to site

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Cry Havok

    If it is just OpenVPN under the hood of Zerina, then yes. The sticky post at the top of this forum for site to site covers the process, the GUI on Smoothwall should be the only difference.

  • Single Client Package, Multiple Users

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    I

    Currently we have a bunch of 'satellite' systems that all serve the same purpose and don't have active users. It was looking to be a bit tedious (as we are constantly sending out new systems and such) to have to create a separate user in pfSense for our fluid usage of the network. However, as you have mentioned, if the certificate is compromised then anyone could have access to the network (which only allows access to one IP but that is beside the point) and we'd have to replace the certificate on all the systems.

    Is there an easier way to create a user/certificate combination without having to go through so many steps every time? On IPCop, for example, you type in the hostname and one or two other things and it created the user and certificate and everything.

  • OpenVPN - 2 clients with different access rules

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp

    That is in Client-Specific Overrides in the OpenVPN config. Make an entry for each user's certificate CN, give each of them a hardcoded tunnel network (a /30 inside of your larger tunnel network on the vpn), then set your firewall rules accordingly.

  • OpenVPN Site-to-Site dropped and only comes back after reboot

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C

    I set both the server and client to "any" and it still doesn't come back up until it gets rebooted.

    For example, the client machine was down for the weekend.  When I powered it back up the VPN would not come back up until I rebooted the server.

  • OpenVPN connection on unmapped port, UNDEF user, persistent respawning?

    Locked
    5
    0 Votes
    5 Posts
    9k Views
    jimp

    You may be seeing the client's randomized source port, not the server's listening port.

  • OpenVPN Status Page Error

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp

    Edit the advanced options of each OpenVPN instance and remove any "management xxx xxxx;" declarations you have there. It's handled differently in 2.0.

  • TLS Error: TLS key negotiation failed to occur within

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp

    Yes, it works fine.

    That error generally means that the openvpn traffic is not making it through the firewall. Make sure you are allowing the traffic into the OpenVPN port on the server.

  • OpenVPN <=> Yealink T26 IP Phone

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Openvpn up to 100 mbs throughput : what to buy ?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M

    Does your VPN provider limit bandwidth?

  • OpenVPN Push Route Trouble

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    T

    RESOLVED!

    Cryptography mis-configured

    Push route command is successful. Layer 3 communication now successful. Thank you everyone for helping.

  • Client Export on 2.0 Release creates corrupted Windows installers

    Locked
    15
    0 Votes
    15 Posts
    7k Views
    D

    Fixed by jimp in "trunk" version git within minutes after reporting it via pfsense's bugtracker redmine

  • Management Daemon Unreachable in OpenVPN status

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    I

    Removing the management option in advanced config worked for me.
    I had it set up to a different port in my old config and that didn't work with the GUI.

    So try and remove the option completely.

  • Openvpn route to different interfaces????

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P

    My mistake.
    Add all the routes in advanced configuration in openVPN, and add Outbound NAT to the specific interface from openvpn address to all others.

  • Hostname Resolution over OpenVPN

    Locked
    6
    0 Votes
    6 Posts
    14k Views
    johnpoz

    Well, if you're saying you're asking pfsense dns for fqdn of your servers, and it does not answer, that has nothing to do with openvpn.

    If you're not on the vpn, and you query your pfsense for your fqdn servers?  Example my pfsense box is 192.168.1.253

        ; <<>> DiG 9.8.1 <<>> @192.168.1.253 ubuntu.local.lan
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46521
        ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
        ;; QUESTION SECTION:
        ;ubuntu.local.lan.              IN      A
        ;; ANSWER SECTION:
        ubuntu.local.lan.       3600    IN      A       192.168.1.7
        ;; Query time: 3 msec
        ;; SERVER: 192.168.1.253#53(192.168.1.253)
        ;; WHEN: Thu Sep 22 08:05:11 2011
        ;; MSG SIZE  rcvd: 50

    If you cannot query your dns for your fqdn, then it's never going to work while over the vpn.  If it works local, then you prob have a firewall rule blocking access from your vpn to the pfsense dns.

    For example I run unbound, and had to allow for my openvpn segment to be able to query it. In the unbound ACLs, I had to allow for my 10.0.200.0/24 (openvpn ips) to query it.

  • Alert email when OpenVPN connection drops?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    N

    There are many ways, you can build a shell script that checks if openvpn service is on, or just ping the vpn ips, etc…

  • Pfsense 1.2.3 to 2.0 RC3 upgrade "breaks" OpenVPN

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    M

    That was it!  WOOT!  You are the MAN or WOMAN! LOL  Thanks a lot!

  • Allow Access to Single IP from VPN

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    I

    It is working fine now. I had put the rules in the Firewall tab and completely forgotten about the OpenVPN one. Thanks for the help!

  • Pfsense 2.0 site-to-site with multiple clients[SOLVED]

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    T

    The solution to this problem is to have multiple site-to-site VPNs. You can have a site-to-site between two nodes, but adding clients will cause issues. For inter-connectivity 2 VPN servers and 3 clients are required. This makes a mesh network.
    Below is a diagram that outlines the solution. Adding a fourth client to the equation makes this even more complicated if inter-connectivity is required.

    If anyone would like to comment on this solution please do so!

    VPN.png

  • OpenVPN per-user authentication method ?

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    T

    @jimp:

    Yep, the classic Security vs. Convenience trade off.

    Indeed.  In my case I need some convenience, so I'll try to give the "stored credentials" a try.

    Thanks a lot for your help!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.