• OpenVPN works great, but can I add more security?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp

    on 2.0 you can also require a username+password to login as well as the certificates. That username and password can come from pfSense, or a defined RADIUS or LDAP server.

  • OpenVPN stops working on change?

    Locked
    8
    0 Votes
    8 Posts
    5k Views
    T

    That log is from my test box on my desk connected to the external line---interwebs---pfsense server in the closet next to me.  The pfsense server open vpn logs got cleared when I restarted it.  facepalm

  • Upgrades software and strong vpn doesnt work anymore

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • VoIP over VPN

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • OpenVPN clients with IP's in the same subnet as the internal lan?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    jimp

    No, that is not the same. Those are still separate subnets. Operating them in that way is no different than if you made them two completely different /24's, you've just restricted the IPs you have available for use by both sets of systems.

    If something on either side still has a /24 mask then it will never talk to things on the 'other' side of the tunnel. Or if by some miracle it gets traffic to it, it won't get it back.

    There are ways to get them into one flat subnet with tap/bridging, search the forums for details.

  • *Work in progress* Tutorial: Install Vypr VPN under Pfsense

    Locked
    8
    0 Votes
    8 Posts
    19k Views
    W

    Thanks. I got it to work by what was said here. First I added the OpenVPN service on VyprVpn (I had only standard vpn).

    Followed the info from the first post.
    Except that I added the 3 persists lines what was said about the advanced config. It now looks like this:

    verb 5;engine cryptodev;auth-user-pass /cf/conf/Vypr.pas;tls-remote us1.vpn.giganews.com
    persist-key
    persist-tun
    persist-remote-ip

    Then did section 2 from the other post.

    And now when I connect on the LAN side of pfSense, I come out on the VPN side. US IP so I can enjoy Netflix that they won't let Europeans enjoy :)

  • Problem with OpenVPN Client Export

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 2.0 RC1 Restrict OpenVPN Access

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • OpenVPN on pfsense 2.0

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    jimp

    It should be safe to update.

    From then you might have to do a console update by URL. I'm not sure if Auto Update was fixed yet then or not, and I think even the manual update in the GUI had a couple issues.

    After you upgrade, edit/save your gateway entries, and it should be OK at that point.

  • OpenVPN with pre-shared keys - problem when copy-pasting the key

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    jimp

    Why are you making the keys by hand? Check the box to have the system make one for you, and then copy/paste from the GUI to the other side.

    Even so, I've never had any problems copying and pasting keys made any which way into the GUI there. Are you sure you are copying whole shared key and only the shared key?

    It should be like this:

    ```
    : openvpn --genkey --secret /dev/stdout

    2048 bit OpenVPN static key

    -----BEGIN OpenVPN Static key V1-----
    6b5853bcafd3d4a87d8255c0fc14dbd1
    35a8095c15e17e09c239c75f68095d85
    0c2ec7794051de8c73daaffd00bbce12
    d88720a8d137c02cd6d0370889ab9932
    0f6bbf40efbe822cdcd2a601298023ec
    ae2f39049142227a876e22bb2cf00830
    7e9ea735748960fbb9a2b23c61894d69
    49332cd7f680fea17f2c356f1211d457
    b2e141027c2333bdf1a7c76ae405dd8b
    e9a8e5569d922388a12d97484f5b9dfd
    00a37ae3cdfe173c294a6b845521225a
    dbb366077046b0ed5bec860f5db67707
    d43d5a504de7db846bc524f045614771
    0db1f091aa42b50ca5f42b7b971c8617
    b85a21cb8ddbb399718c2c2dccba2b49
    f71bd2f7f51535ce9e959055eeb90e6b
    -----END OpenVPN Static key V1-----
    ```

    When I paste that in, what I get in the server<x>.secret file is exactly what I pasted in.
  • PfSense -> StrongVPN, don't push me!

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    A

    @geyser:

    First, I don't know jack about OpenVPN but I've learned a fair bit in the past few hours.

    Trying to setup pfSense with a connection to StrongVPN, found some nice guide here:

    http://forum.pfsense.org/index.php?topic=29944.0

    The guide works, I can get all traffic routing over the VPN.  But I don't want that :-(

    Any time I connect to StrongVPN two new routes are put in pfSense that direct all traffic over the VPN leaving my default gateway unused.

    The guide suggests to use this: redirect-gateway def1;

    That redirects all traffic over the VPN, however even with that not in the configuration the new routing is stuck in there, I think the setting is still being pushed from the StrongVPN server.

    Anyone know how to do selective routing and/or not have the default gateway bypassed?

    Can I ask, what openvpn setup are you using w/ StrongVPN - ie, what encryption levels etc.

    Thanks,
    Brian

  • Site-to-Site VPN

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    X

    Yes, there is a how to in the pfSense book that covers this.

  • 2.0 RC1 + OpenVPN + LDAP auth + group requirement?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    jimp

    This was the ticket I was thinking of:

    http://redmine.pfsense.org/issues/1009

    Though I don't recall the specific objections now. There were issues that caused it to be backed out.

  • OpenVPN, with vyprvpn

    Locked
    8
    0 Votes
    8 Posts
    6k Views
    T

    Still not much further forward, I am guessing I need rules to send traffic to the WAN rather than the VPN but as to the specifics of such rules I am not quite sure.

  • Site to Site VPN Release 2.0 Help

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli

    How does it not work?
    Config? Logs? Errors? Rules correct?

  • PfSense as client

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    6 Posts
    2k Views
    X

    So do I, less problems and more secure, but can be harder to setup.

  • OpenVPN connect multiple sites together.

    Locked
    3
    0 Votes
    3 Posts
    9k Views
    K

    Got it. Makes sense. Thanks again jimp!

  • Open VPN 2.0 site to site tunnel, strange config on client side

    Locked
    7
    0 Votes
    7 Posts
    6k Views
    jimp

    Try again with a new snapshot. If it still fails, odds are you had the Site-To-Site (SSL/TLS) connection configured improperly, it isn't addressed like a shared key setup, and there was a bug in the code earlier that wasn't correctly setting up the configuration.

  • Routing two/multiple subnets through tunnel

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    GruensFroeschli

    Do the devices in the 164 range have a default gateway other than the pfSense?
    Do you have the OpenVPN instance assigned as interface?
    If yes, might you have a rule not allowing access?

    The same on the remote side: Might you have a rule not allowing access?
    Do you see anything in the firewall log?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.