• OpenVPN across pfSense

    Locked, 0 Votes, 1 Posts, 2k Views
    No one has replied
  • PF 2 OpenVpn how to set client static ip (CSC)

    Locked, 0 Votes, 3 Posts, 4k Views

    @jimp:

    See attached. When you add a CSC/CSO (not sure why the tab name was changed, it's now Client Specific Overrides in the GUI) just put in the client's certificate/username and put a specific /30 net inside of the tunnel network you set up on the main OpenVPN page.

    For more info on how OpenVPN assigns IPs out of that /30 (Null route, server IP, client IP, broadcast IP) see here:
    http://openvpn.net/index.php/open-source/faq/77-server/273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode.html

    Thanks Jimp  :)

  • Limit specific client access

    Locked, 0 Votes, 4 Posts, 3k Views
    jimp

    Well that would be client-specific config parameters for their certificate (search the forum for that, it's often abbreviated as CSC).

    As for limiting their access, that is what the link was for. Once they're on a certain IP, you can filter their access with normal firewall rules.

  • OpenVPN/IPSec tunnel routing

    Locked, 0 Votes, 8 Posts, 6k Views
    jimp

    To do this in 1.2.x could get messy, it would be much easier in 2.0.

    Let's say you have your networks, 1, 2, HQ, and RW.

    RW's OpenVPN needs routes pushed for the networks at 1, 2, and HQ
    IPsec between 1 and 2 needs an IPsec phase 2 entry for 1<=>2 and RW<=>2
    IPsec between 1 and HQ needs an IPsec phase 2 entry for 1<=>HQ and RW<=>HQ

    You can use parallel IPsec tunnels in 1.2.x but some have had issues making that work. In 2.0 it's as easy as adding another Phase 2 entry to the IPsec tunnel.

    If these are all pfSense, it would be much easier to ditch IPsec in favor of site-to-site shared key OpenVPN tunnels for the VPNs between 1, 2, and HQ. Then it would be as easy as adding the right route statements on each leg and it would all just work.

  • OpenVPN site-to-site PSK requires multiple ports on client side?

    Locked, 0 Votes, 8 Posts, 3k Views
    jimp

    That's probably a feature of the newer openvpn version we're using in 2.0 then.

  • Routing & Load Balancing

    Locked, 0 Votes, 2 Posts, 2k Views

    I have spent the last 2 days on this forum and openvpn forums without any progress.  I can't believe this question hasn't come up.  All I can seem to dig up is people having issues with clients accessing the LAN.  Since all of our clients are linux machines I need to be able to hit the clients from our LAN.  This was no big deal with just one Openvpn server because we could route everything containing to "10.130.0.0" through the openvpn server using our proxy.  Now that we are going to use two servers there seems to be no easy way to do this.

    Does anyone know if pfSense is capable of performing this? I want to have two OpenVPN servers, each one connected to a different WAN, then use OpenVPN load balancing to randomly select which server to connect to. Since this is random we have no way to tell which client is connected to which server without getting on the OpenVPN server. I want to be able to ssh to the client's OpenVPN IP from our LAN. Any suggestions are greatly appreciated.

    Thanks,
    Adam

  • "Client-to-client" for dedicated clients only…

    Locked, 0 Votes, 4 Posts, 2k Views

    Yeah? Very sparse on details, I'll have to start guessing my way. At least, by your reply I know it's probably possible. Thank you.

  • OpenVPN on pfSense 1.2.3 stopped working suddenly.

    Locked, 0 Votes, 2 Posts, 2k Views
    jimp

    If it was working fine for a year and then stopped, I would suspect one of two things:

    ISP/upstream interference

    Hardware

    Neither of which would be rectified by resetting your OpenVPN settings.

    To remove OpenVPN settings, if you really must, download a backup of your configuration file from Diagnostics > Backup/Restore, edit out the OpenVPN sections, then restore that edited backup file.

  • Openvpn fails to start on pfsense firewall

    Locked, 0 Votes, 12 Posts, 15k Views

    Hi,

    Thanks for the tip. I had the same problem and effectively just changing the boundaries does not solve the issue.

    What you must do is convert your PEM key file into an old RSA format.

    Use the following command and specify the path to the key file you want to convert:

    openssl rsa -in /path/server_key.pem

    Then copy the output into your webGUI text box, including the boundaries "-----BEGIN RSA PRIVATE KEY-----" / "-----END RSA PRIVATE KEY-----"

  • 0 Votes
    1 Posts
    2k Views
    No one has replied
  • OpenVPN ping from remote to local vmware guest fails.

    Locked, 0 Votes, 1 Posts, 1k Views
    No one has replied
  • OpenVPN Ping from local subnet to remote client subnet.

    Locked, 0 Votes, 1 Posts, 2k Views
    No one has replied
  • Using 3rd Party CA for OpenVpn (e.g. GoDaddy)

    Locked, 0 Votes, 3 Posts, 4k Views

    Got it.. Thanks for clearing that up.  I finally got everything working with PKI.  PFSense rocks..

    Cheers

    EB

  • OpenVPN client to OPT1

    Locked, 0 Votes, 9 Posts, 3k Views
    GruensFroeschli

    http://doc.pfsense.org/index.php/OpenVPN_Bridging

  • Why client-to-client doesn't work using PSK or am I just assuming?

    Locked, 0 Votes, 8 Posts, 3k Views
    jimp

    Correct, no custom options are needed when going from pfSense to pfSense because on both sides the GUI has a field to list the remote side network.

    Then so long as the pfSense routers doing OpenVPN are the default gateway of the internal networks on both sides, everyone can talk back and forth.

  • Recovery from easy-rsa vm failed

    Locked, 0 Votes, 1 Posts, 2k Views
    No one has replied
  • Connect to an openvpn tunnel from another openvpn tunnel

    Locked, 0 Votes, 2 Posts, 1k Views
    Cry Havok

    That should be just a routing problem - ensure that you push the appropriate routes so that all nodes know how to reach all others (or at least their default gateways do).

  • Block access to a user

    Locked, 0 Votes, 4 Posts, 2k Views

    Finally I didn't try this solution because I used the 2.0 beta version and I am totally excited with the OpenVPN configuration!

    1. It has an OpenVPN firewall separate from the physical interfaces!
    2. You can create certificates inside pfSense easily without using easy-rsa!
    3. You can provide configuration to the client very easily by using an amazing package!

    There is nothing more for someone to ask!

    ;D ;D ;D ;D ;D ;D ;D

  • Can Juniper Networks VPN and OpenVPN coexist on the same machine?

    Locked, 0 Votes, 4 Posts, 4k Views

    Thanks for the real world information.  I knew that some VPN clients did not play nice at all and was hoping this was not the case with Juniper and OpenVPN.
    Mike

  • Openvpn firewall rule

    Locked, 0 Votes, 6 Posts, 15k Views

    Hi, I have read the guide in the book you have written, "pfSense: The Definitive Guide", and I have solved my issue because the process is explained very well.

    Thanks for all advice.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.