Hi,

did you play around with the "keepalive x y" command on the client site ?

http://openvpn.net/index.php/open-source/documentation/howto.html

# The keepalive directive causes ping-like # messages to be sent back and forth over # the link so that each side knows when # the other side has gone down. # Ping every 10 seconds, assume that remote # peer is down if no ping received during # a 120 second time period. keepalive 10 120

@jimp:

No, that would be very insecure.

You'd want a page, on your firewall no less, open to the internet protected by only a username and password, that would let someone get a VPN client and full access to your network, using that very same username and password?

You, as the admin, download their clients for them, and distribute them to users via network/usb/cd/etc. Because you are dealing with certificates and sensitive data, a physical means of transfer is preferred. I would not recommend e-mailing them.

But then again I tend to be paranoid when it comes to those things.

Yes that's exactly what I'm looking for.  That's how the OpenVPN AS appliance works.  That's how the Juniper Network Connect full tunnel vpn solution works.  That's how Fortinet SSL VPN connect works, etc. etc.

This is standard practice.  In a corporate implementation, authentication is going to be two factor, ala domain credentials + rsa (which itself will use a static N-digit PIN + random token number).

Regarding the security, I completely understand your position.  But I respectfully request that you do not hold back function because you're concerned about the security of my implementation.  When done right, more convenience does not always necessitate less security.  I can do it right, I don't need a big brother holding my hand.

Troubleshooting is done in console, not in gui.

Take a time at console and you will find something.

Tcpdump is your friend.

Just upload a firmware update. Nothing mysterious about it. It should all work.

Being able to properly filter wasn't really possible until 2.0. You can do it in 1.2.3 but it's not ideal.

The NAT is not automatic in that way because most VPN traffic is supposed to pass untouched. In this case wanted need NAT, so the default automatic rules were not correct for your case.

At one point we had (accidentally) added those networks to automatic outbound NAT and had a number of problems/complaints from people who didn't want their VPN traffic to have NAT applied.

Yes you can do that.
However do this only if you want to allow clients from one server on the other server.

A use case is to have the same server from the same CA on UDP 1194 and on TCP 443.
UDP 1194 is for normal ussage-.
If you're in a very restricted environment and you need to tunnel through an http-proxy you simply can switch to TCP443.

well it would make sense that you would not resolve netbios via broadcast methods over a vpn.  Your traffic is routed, not bridged so broadcast traffic would never get from your remote network to your segment on the other side of the vpn.

Yes dns would be a way of resolving name, or a wins server or host/lmhost file on your clients, etc.

so example, connected currently to my home network via openvpn from work.  my popcorn box, I can not view it by netbios name pch.  53 = can not find.

If I use dns, then it works pch.local.lan and I get error 5 access denied.  So I auth and then I can view, etc..

D:\>net view \\pch System error 53 has occurred. The network path was not found. D:\>net view \\pch.local.lan System error 5 has occurred. Access is denied. D:\>net view \\192.168.1.99 System error 5 has occurred. Access is denied. D:\>net use \\pch.local.lan\ipc$ /u:pch\nmt 1234 The command completed successfully. D:\>net view \\pch.local.lan Shared resources at \\pch.local.lan SMP8634 Share Share name  Type  Used as  Comment ------------------------------------------------------ share      Disk The command completed successfully.

Is your hardware sufficient to have those speeds with vpn?

I've been meaning to try it out thru DD-WRT GUI interface since it supports OpenVPN Server and Client.. You may have to add routes to it if you use the GUI.

It was my only guess, sorry for not been able to help more

That's a good idea and I've messed with it a little bit. What setup in pfSense would be analogous to the roadwarrior setup in IPCop? I guess my issue is that the terminology is different in the two firewalls and so I can't just make an identical setup with my current knowledge.

I'm using 2.0. Thanks for the reply !

The config is written out in /var/etc/openvpn

Yes thanks, works perfectly!!

So nice to have VPN working again since an upgrade killed my PPTP connection

I think the old routing table is gone. If I figure it out I'll post back, if I remember.
Thanks for reply.

btw, excellent book.

Well it's rare that you need to use OpenVPN via an http/https proxy ^^"

For roadwarriors which have to go regularly into environments where security is very tight, i have a second instance of our normal openVPN server (UDP 1194) with the same keys/certs providing access on TCP 443.
This usually allows them to reach our main-office.
But this is more of a failover if the normal server isn't reachable.

You can do NAT and port forwards with it too, but you can't ever do port forwards on broadcast traffic, nor do you ever want to.

sorry, no offense.
but you should be asking it in mikrotik forum.