Then start a new thread because your problem is unrelated to this thread.

Use this link, there should be the first hit that defines everything for you

you could try out in build certmanager

You can put a hostname, but I'm not sure how OpenVPN might handle that if the IP resolves to multiple IPs. So the traffic isn't going over the tunnel at all? Or it's going over the tunnel and it just isn't going to the web site? Or can you tell the difference since that site is blocked by IP? You probably also need outbound NAT setup to cover the OpenVPN subnet. (It's done automatically on 2.0 but I always forget that it's not automatic on 1.2.3)

Hi, it is working now for me now as expected. I am using 2.0-RC3 (amd64) built on Thu Jul 28 05:40:09 EDT 2011 Thanks jimp!

That would be great idea

Jimp.  The iroute command worked in the client overide.  I left /30 in the tunnel network in the client overide.  Thank you so much.

I've seen that the AES-CBC 256 bit is working fine so it is cypher related.

Need a lot more info there about the OpenVPN and system config to guess at a cause. Typically that error is due to a route for a network involved already existing.

If the OpenVPN tunnel terminates to the CARP VIP of fw1/fw2, you don't need to do any kind of fancy failover. Furthermore, if the setup is the same on both connections (same CA/Cert/settings) you can just add another "remote x.x.x.x;" line in the custom options of the client and it will try that other IP if the first one is down.

Probably means to only route select networks across the VPN instead of routing everything. That is the default behavior of OpenVPN on pfSense though. You have to check the box to force client traffic through the VPN in order to not do that.

That automatically puts the management line in?  I ran out of time, but when the next window of opportunity arises to change the network around I'll give it a shot!

You can easily use URL tables in 2.0 to do that with a list of the CIDR blocks of US IPs. Or if you want to limit that to just Netflix and Hulu, go to ARIN and find all their IP blocks and create an alias with those.

thanks much

http://forum.pfsense.org/index.php/topic,36060.0.html http://forum.pfsense.org/index.php/topic,36156.0.html Edit: http://forum.pfsense.org/index.php/topic,38166.0.html

I'm using 1.2.3, it is clear now what I have to do.

solved, it was a routing problem on the windos server just added a route to the 192.168.9.0 network and now it works fine

Solved! But I think I found a bug in the pfsense software …..... ?? The clue was here: routing table client: default    10.138.20.68    UGS    0    40850    1500    sis0     10.138.20.0/24    link#1    U    0    31725    1500    sis0     10.138.20.67    link#1    UHS    0    0    16384    lo0     127.0.0.1    link#5    UH    0    47    16384    lo0     192.168.2.0/24    link#2    U    0    63824    1500    sis1     192.168.2.8    link#2    UHS    0    0    16384    lo0     192.168.4.0/24    192.168.12.2    UGS    0    489    1500    ovpns1   192.168.12.0/24    192.168.12.2    UGS    0    1233    1500    ovpns1     192.168.12.1    link#8    UHS    0    0    16384    lo0     192.168.12.2    link#8    UH    0    0    1500    ovpns1     192.168.18.1    link#9    UH    0    0    1500    ovpnc3     192.168.18.2    link#9    UHS    0    0    16384    lo0 Initially I wanted a tls site to site tunnel and I used this pfsense box as server, I put 192.168.4.0/24 as remote network. Afterwards I deleted it, set up a road warrior network with tls and conigured a shared key tunnel for the site to site connection. 192.168.4.0/24 was removed from the server configuration (at least when I looked at the interface). I wanted to at 192.168.4.0/24 as remote network to the client but it refused to add the route. When I looked at the routing table I noticed that 192.168.4.0 was still connected to the server interface ovpns1! I made a backup of the configuration and there I saw an item <remote_network>192.168.4.0/24</remote_network> in the server config. (Again, in the interface this was nowhere to be seen!). I removed <remote_network>192.168.4.0/24</remote_network> from the xml and restored the edited config file and…...... it works :).

@Metu69salemi: It would be better if you don't have another nat between your setup Clients need to know what external ip-address they're accessing. But because there is router's own lan-subnet, i don't know does this work. Maybe using portforwards from router will do it, but not sure Indeed why not connect you pfsense directly to your modem? incase if it's one box most boxes have the ability to go into just modem mode so you can get your public ip on your pfsense As for a range take 192.168.254.0/24 ? It doesn't really matter just take something that is clear to you