• OpenVPN server for dial-in clients…

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    jimpJ

    No, his later method is probably best - though when making the separate server setups, make sure they each use a unique CA, otherwise the clients could connect to either server and jump into another subnet.

    (Though I suppose having a unique TLS key alone would be enough, it never hurts to err on the side of caution)

  • Connect Client A to LAN Subnet A, Client B to OPT1 Subnet B?

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    B

    Thanks so much for the information.  I'm not sure where I was looking before, but now I've definitely seen how to have multiple servers.
    Your response led me in the right direction.
    Thanks again!

  • VPN and Remote Desktop

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    M

    Check openvpn faqs to create openvpn server, you may not need certificate authentication or anything that fancy.
    Create openvpn interface and allow traffic to lan or describe local network in openvpn server settings or push route.

  • OpenVPN Clients -> Captive Portal

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    F

    Thanks - I figured so I managed a bit of a work around -

    ovpn Client -> pfsense (load balance) -> debian ovpn instance -> pfsense captiva -> lan/internet

    This worked... and it's all on a single VM machine.

    Why the madness? We can do more flexible pre-authentication things w/ captiva than w/ radius.

  • PfSense VPN and Tokens

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Total nub openvpn server on pfsense access remotely

    Locked
    9
    0 Votes
    9 Posts
    3k Views
    M

    If you have no vpn connection yet, then I think that fileshares have to wait. Sorry, but I thought that you had done that already.

  • Pfsense Openvpn (Newbie)

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    N

    @LeoLeung:

    Hi,

    I am a newbie at establishing a VPN using OpenVPN and pfSense.  I use a CA cert.  The client can connect to the pfSense firewall.  However, the IP address cannot ping after the firewall.  I have tried using route X.X.X.X Y.Y.Y.Y or push "route X.X.X.X Y.Y.Y.Y".  It does not work.  Can anyone help?  Thx

    Ming

    Show us your network infrastructure
    Add an allow rule on the firewall tab for the OpenVPN interface

  • Openvpn with Avahi

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    jimpJ

    Last time I tried it, it "just worked" - though that was on a static/shared key tunnel and not a PKI setup.

    Also both LAN networks have to be on different subnets of course.

    Not sure what's up with tap, I'm not sure if it's even supposed to be working or not at the moment.

  • Error using ClientExport: certificate can't be found (solved)

    Locked
    5
    0 Votes
    5 Posts
    6k Views
    P

    I upgraded to latest snapshot and recreated certificates, now it works fine!
    So just an already fixed bug then.
    Thanks for your help!

  • OpenVPN peer-2-peer routing doesn't work

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    jimpJ

    I mentioned iroutes, and they're covered in the doc I referred to:

    http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29

    You add those in the GUI under client-specific overrides, you do not need to add them manually into files on the firewall.

  • How to configure OpenVPN client for XeroBank

    Locked
    8
    0 Votes
    8 Posts
    9k Views
    M

    I've managed to create an OpenVPN client on pfSense that connects to XeroBank.  I've also managed, at least partially, to secure the VPN connection.  However, I'd appreciate criticism and suggestions.

    To summarize, I'm using a pfSense 2.0-RC3 guest in VirtualBox 4.0.12 ("pfSense").  The WAN interface is NATed to the VirtualBox host, and the LAN interface is connected to a VirtualBox internal network ("pfSLAN").  Also connected to pfSLAN is an Ubuntu Maverick guest ("Ubuntu").

    With ovpnc1 up, I see new "def1 type" routes, and traceroute at pfSense shell on interface ovpnc1 to internet sites shows expected routing via XeroBank's exit node.  Enabling Outbound NAT for LAN to OpenVPN allows Ubuntu to access the internet via ovpnc1.  "Use OpenVPN to connect to vpntunnel.se (or similar)" and "Re: How to create an OpenVPN client to a public OpenVPN provider" offered key insights, BTW.

    In System: General Setup, I've specified a public DNS server (XYZ.com) and disabled "Allow DNS server list to be overridden by DHCP/PPP on WAN".  I've disabled DNS Forwarder, and specified XeroBank's internal DNS servers (10.244.1.1 and 10.244.2.1) in DHCP Server on LAN.  Just to be safe, I also created firewall rules to block LAN access to XYZ.com's DNS servers.

    With ovpnc1 down, Ubuntu can ping nothing except pfSense.  With ovpnc1 up, packet captures on WAN confirm that traffic from Ubuntu is restricted to ovpnc1.  That is, the only IP addresses that I see are pfSense (10.0.2.15), its VirtualBox gateway (10.0.2.2) and XeroBank's OpenVPN server.  Steve Gibson's DNS Nameserver Spoofability Test reveals that Ubuntu can access only XeroBank's internal DNS servers.

  • Problem configuring OpenVPN connection as a Gateway

    Locked
    14
    0 Votes
    14 Posts
    18k Views
    M

    I got the OpenVPN running as an Interface (WAN). All the trouble was on the OpenVPN server site. Although I wasn't setting up a site-to-site OpenVPN network, I was still required to route the pfSense box LAN subnet to the OpenVPN server. Thanks to http://forum.pfsense.org/index.php/topic,12888.0.html.

    Solution,

    OpenVPN Server configuration /etc/openvpn/server.conf
    1. Enable "client-config-dir ccd"
    2. Add "route 192.168.1.0 255.255.255.0" (my pfSense box IP was 192.168.1.1 and all other LAN PC IP was behind)
    3. Add "iroute 192.168.1.0 255.255.255.0" to /etc/openvpn/ccd/client8 (client8 was the Common Name of my client certificate)
    4. Restart OpenVPN.
    5. WAOLA…..Enjoy.

    It took me a week to do just a simple task. Hope this may help other people who are going to configure the same thing. And thanks to everyone who helped me out.

  • Host IP not appearing in Traffic Graph on VPN Tunnels

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimpJ

    Don't call people out by name - it doesn't help. We don't get notified that it happens, and asking for personal help is frowned upon (See my sig, which some people seem to just never read…)

    You probably need to install/use something like iftop on the console. The way the rate program that makes the table works I'm not sure it is (or can be) compatible with OpenVPN, and I doubt it would work as expected on IPsec.

  • 0 Votes
    7 Posts
    6k Views
    johnpozJ

    So here you go sometimes pictures are worth a 1,000 words.

    So I connected in from work to my home openvpn running on pfsense.

    I then did a remote desktop to a box on my home network at 192.168.1.100, And did quick sniff of the icmp traffic – as you can see when I ping it from my work openvpn connected box that got an IP address of 10.0.200.6

    The box you're pinging would need to know how to get back to that 10.0.200.6 address. In my case, since pfsense is the gateway for the 192.168.1.100 box, it sends the response back to the pfsense box (gateway) and pfsense routes it down the tunnel.

    But in your case it would send it to your cisco device.

    openvpnping.jpg

  • Pfsense 2 Site2Site PKI

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    perikoP

    During the day I will review the config, because I still don't know what he needs to build a custom config for the client on the server side. I think that is the tricky part; maybe someone with more experience in this field could clarify it for me.

    thanks probie  ;D.

  • 0 Votes
    2 Posts
    2k Views
    I

    Hi,
    I got the same problem.

    At first, I thought there was no connection, but PPTP is working.
    My firewall has the magic rule (pass all).
    When I generate all CAs from pfSense and export the client CA, then leave the "ns-cert-type server" field in the client config file,
    it gives an error that the server CA is not a server certificate type. That got me thinking: "there is some certificate negotiation".
    Can someone help me?

    sorry for my English. :)

  • TLS handshake error (pfsense 2.0)

    Locked
    10
    0 Votes
    10 Posts
    11k Views
    jimpJ

    Then start a new thread because your problem is unrelated to this thread.

  • FANTASTIC VIDEO for Road Warrior VPN with local user database pf2.0

    Locked
    10
  • Site To Site and Road warrior in 2.0RCX

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    M

    You could try out the inbuilt certmanager.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.