Question:
It seems as if I need to have OpenVPN in bridged mode to get my setup running. I followed this article (http://doc.pfsense.org/index.php/OpenVPN_Bridging) but again -> trapped.

In my OpenVPN custom options I added this:

dev tap0; float; server-bridge 192.168.0.1 255.255.255.0 192.168.0.160 192.168.0.199

Unfortunately this does not work, I get this error message:

openvpn[4446]: Options error: –server and --server-bridge cannot be used together

Are there any other ways to get this up and running? I read sth. about the ashahi package. Could this be my solution?

Regards,
Alexander

No specific settings for ubuntu, it should all just work as long as you have the settings match the server (proper keys, protocol, port, compression, cipher, etc)

Mine is for multiple sites so I am using PKI because it is much easier to manage after the initial setup of generating keys. I see you tried PKI but in your latest config you are back to Shared Key.

If you want to try PKI again I could try to help by comparing my config against yours but otherwise the configs are a little different already and I don't know where the problem could be.

You can also setup CSC entries for the CNs of the certificates being used to connect, force them to a specific IP addressed, and then firewall those addresses as normal. An alias containing all of the members of a given group would be helpful.

As shadowadepts said though, two separate instances would work as well. You might even want to make sure they use separate CAs if you do not use any other form of auth (e.g. TLS+Local User Auth)

@jimp:

Sorry I missed the IPsec bit first. You'd have to add the OpenVPN client subnet as an additional subnet in the IPsec config (or expand the subnet definition to include it) on both sides.

If it's pfSense at both sites you'd be better off making a shared key site-to-site tunnel instead of IPsec. Routing is much easier that way.

I never could get this to work so my setup is exactly like this one. The site-to-site tunnel never connected with OpenVPN, never opened a route to the remote site and no traffic moved site-to-site. My current setup uses an IPSec tunnel for site-to-site while my users use OpenVPN clients to connect to the internal network. As a workaround, I have OpenVPN servers in both locations and a user picks which site they wish to connect. I posted my problem here quite a while ago and never got an answer so I gave up and decided to wait for version 2. I will try adding the OpenVPN subnet to my IPSec config as you have suggested.

Hi,

I found a solution to correct my problem but it is a bit strange !

To connect to OpenVpn using the address 80.xx.xx.3, I have added a port forward NAT:
80.xx.xx.3:1194 -> 127.0.0.1:1194

What do you think about this solution ?
Could security problems happen ?

Thx

Check out this post. Haven't had the time to test it out but it looks promising.
It seems to have the thing that was missing on 1.2.3.

http://forum.pfsense.org/index.php/topic,24435.0.html

//Dan Lundqvist

iptables -I INPUT -s 10.x.x.x/16 -j ACCEPT
iptables -I FORWARD -s 10.x.x.x/16 -j ACCEPT

add this en firewall dd-wrt

@jimp:

Everything you need should be in the config.xml that you restore to the other system. Was the WAN IP address the same on the old and new unit? If it gets an IP by DHCP from upstream somewhere, it may have given a different system a different IP address.

If you need more detail in the OpenVPN log, just add "verb x;" in the custom options box, where x is a number. I think the default is either 2 or 3, you can go all the way up to 9, but you don't really want that much in most cases.

Yeah, same IP address (static from our ISP).  I will try the verb option.  Thanks.

The error about services failing is normal and doesn't mean there are problems.

I haven't heard of anyone getting this to work with a remote access client, but I have got it to work fine when using a pfSense box running Avahi on each end of an OpenVPN tunnel. I can see Bonjour users on both ends of the tunnel in Pidgin.

Yes.
With OpenVPN this just a tick in a checkbox.

Thanks a lot, you have been a great help!! I will test it and setup my Alix board as you said. I'll let you know about the outcome…

regards

rpf

thanks for all the info.
Just trying to make sure I understand how everything works and squeeze the most out of it.

@kpa:

DNS-servrar . . . . . . . . . . . : fec0:0:0:ffff::1%1

Looks like your client is using an IPv6 address for DNS, that's not going to get trough the VPN tunnel since pfSense by default drops IPv6 traffic.

I tried to turn it off without any difference. I did it by go to Start > Network > Interface (TAP-VPN) and properties then disable ipv6

Edit: I think that all ports works fine except 80. I can play games like Trackmania over internet. But i can't play it without vpn. Somthing wrong with port 80.

Your question is not very clear.  OpenVPN is not supported on Cisco gear.  Please try to restate your question.

What did you put for your address pool/tunnel network? (It should be a /24, not /30)

It's just basic routing. A router that is connected to two or more different networks has to be able to tell the networks apart somehow, it can not guess where to send the packets if two networks have ip address that overlap.

Our paid support offering isn't $2k - that is for the reseller subscription.

A 5-hour pack of commercial support is $600. For more details, see here: https://portal.pfsense.org/index.php/support-subscription

If you want to see if anyone is willing to help for money on the forum, please post in the bounty board instead.