  • Is this possible?

    Locked
    0 Votes
    2 Posts
    2k Views

    Ok, I figured this out.

    I needed to configure the DNS forwarder to be authoritative for the blah.com domain.

    Also, on the same setup screen, I needed to set the local IP for server.blah.com.

    Now, I can use the fqdn if I am at the home office or on the road.

    I LOVE pfsense!!!

  • Problem to run OpenVPN

    Locked
    0 Votes
    14 Posts
    5k Views

    Your config isn't fine until you've made sure that the tunnel network (what I recommended to be 10.x.y.0/24) and the two office networks are all separate subnets.

    After that you need to make sure you have proper routes in place. On the server (office1) the remote network should be set to the subnet of office2 (192.168.3.0). On the client (office2) the remote network should be set to the subnet of office1 (192.168.0.0/24).

    If you need additional routes on top of those, they should go to advanced options as "route subnet netmask" (e.g. "route 192.168.100.0 255.255.255"); push "route …" doesn't work in PSK mode, it's for PKI roadwarrior mode.

  • Can't edit Local Network field when creating OpenVPN Server config?

    Locked
    0 Votes
    2 Posts
    2k Views
    jimp

    The available options change depending on the other options chosen. You probably need to use PKI instead of Shared Key.

  • Use openvpn ip on nat - rdr rules

    Locked
    0 Votes
    2 Posts
    2k Views
    jimp

    Starting with pfSense 1.2.3 you can assign the OpenVPN interface and you can do NAT and such on it.

    http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3

  • Vista Client to pfSense OpenVPN [SOLVED]

    Locked
    0 Votes
    6 Posts
    4k Views

    I have had the same experience as jimp and Cry have said. The only time I've ever had to use route-delay is because ICS was configured on the machine. Is this perhaps the case for you?

  • I can't contact roadwarriors from the WAN interface

    Locked
    0 Votes
    6 Posts
    3k Views

    Thanks everyone.

    I tried again on a fresh install with a different scenario. It still does not function as I want. I also used the same configuration file generated by pfSense to the OpenVPN server on a machine with CentOS Linux and got the same result.

    I will spend time reading the documentation for OpenVPN again.

    Greetings and thanks again for responding.

  • 0 Votes
    3 Posts
    5k Views

    Thank you very much. That solved the problem with the script!
    I do not know why I thought that script-security was a server parameter.

  • OpenVPN Not Running?

    Locked
    0 Votes
    11 Posts
    9k Views

    Great!  That did the trick.

    Now to figure out my other issues, but I'll post another thread if I get really stuck.

    Thanks a bunch for your help.

  • 0 Votes
    5 Posts
    4k Views

    @jimp:

    That outbound NAT rule goes on WAN, not OPT2.

    Thank you; it's transferring data now!  I'll put on a packet sniffer so I can see with my own eyes that data and DNS are both encrypted, but at this juncture I'm quite pleased.

    I do appreciate your very quick and entirely correct response; I'm sorry I wasted your time.  Is there a wiki I can document this at, so others can find the right information more easily?

    For anyone else going through this, the final configuration:
    Current major setup:
    Client: Windows XP, OpenVPN 2.1.1 with OpenVPN GUI 1.0.3
    Netgate ALIX board with pfSense 1.2.3-RELEASE installed.
     LAN (192.168.1.13/27) ethernet goes nowhere, or to a computer for logging into the web interface.
     WAN (xxx.yyy.zzz.qqq/24) ethernet goes to the cablemodem (which is set for static IP use)
       WAN gateway xxx.yyy.zzz.nnn
     OPT1 (192.168.1.113/27) goes to wireless
       OPT1 is not bridged
       OPT1 gateway is blank
       OPT1 is set as an Access Point, WPA2 only, Pre-shared-key, Open System Auth, and works fine right now.
     OPT2 (192.168.2.1/24) goes to tun0, the OpenVPN
       OPT2 general config is Type Static
       OPT2 is not bridged
       OPT2 gateway is blank
     VPN OpenVPN is set up as "Server"
       VPN Protocol UDP
       VPN Dynamic IP unchecked
       VPN Local Port 1194
       VPN Address Pool 192.168.2.0/24
       VPN Use Static IPs is not checked
       VPN Local Network is blank
       VPN Authentication method is PKI
       VPN Custom Options:
         push "redirect-gateway def1"
     Firewall - based on a forum search here, I set:
       NAT - Outbound to Manual mode, and added
         NAT Outbound Interface WAN    Source 192.168.2.0/24 * * * * * NO
         NAT Outbound Interface WAN    Source 192.168.1.0/27 * * * * * NO  - Auto created rule for LAN (matches .13/27)
         *** nothing for 192.168.1.96/27, the OPT1 Wireless IP range, because I deliberately want to force all wireless to use VPN.
       Rules - OPT2
         Block TCP/UDP * * to destination (all firewall IPs, ports 80 and 443 - to prevent VPN clients from accessing WebGUI)
         ALLOW TCP from * * to destination * ports 80 and 443 gateway *

  • Openvpn with captive portal

    Locked
    0 Votes
    6 Posts
    9k Views

    Ok, I have fixed that up as well.  Thanks for all your help!

  • IPCOP to Pfsense OpenVPN

    Locked
    0 Votes
    16 Posts
    11k Views

    I was testing OpenVPN on pfSense yesterday and stumbled across your post….
    I had previously worked with OpenVPN using the OpenVPN how-to, which specifies using .crt, .key, and dh.pem files.

    Like you, I was not sure how to use certs generated by IPCOP on pfSense OpenVPN....

    It turned out that I was able to paste the IPCOP PEM files into the pfSense OpenVPN config (I had wondered if I needed to convert to a .crt file).
    Then I was able to use the downloaded IPCOP client package as it was.
    There was no need to convert pk12 to pem or crt.

  • Openvpn, lan and wan trouble

    Locked
    0 Votes
    14 Posts
    8k Views

    After some reading I turned off captive portal… and now it works :)

    Although captive portal is a nice feature, I'm wondering if it's supposed to behave this way or if it's a bug?
    Kinda want both OpenVPN > LAN and captive portal to work.

  • Generate Certificates and Keys Using Windows Server PKI

    Locked
    0 Votes
    10 Posts
    6k Views

    I realize that and I also have the pfSense book which I was following as well. The small set of instructions for my own organization that I was referring to will probably be taken from those with a little side commentary is all. I did not mean to infer that mine would somehow fill a need for the community at large; just my workplace.

  • OpenVPN for road warriors (=remote client) - unable to access LAN clients

    Locked
    0 Votes
    17 Posts
    11k Views

    Oh… it is not the best solution for me, btw. I will investigate a bit... and then will decide what to do.

    Thank you so much for your help, your support and your time!
    Stefano.

  • Connecting to pfSense OpenVPN from inside LAN

    Locked
    0 Votes
    7 Posts
    7k Views

    @Xefan:

    I can successfully connect to my pfSense 1.2.3 server through OpenVPN from a remote computer, but not from LAN the server belongs to.
    I get the following error in the logs: TCP/UDP: Incoming packet rejected from 192.168.10.1:1194[2], expected peer address: XX.XXX.XX.XXX:1194 (allow this incoming source address/port by removing --remote or adding --float)
    I don't have the --remote option in the client config.
    Please help!

    I had the same problem when I was using a UDP port. But if you use TCP, you can connect your OpenVPN client to your OpenVPN server from the LAN.
    I don't know the reason why I couldn't use UDP, but with the same settings, if I use TCP it works.
    Make sure your OpenVPN client config file has these lines…...

    float
    port 1194
    dev tun
    dev-node tap0
    proto tcp-client
    remote <your WAN IP> 1194
    ping 10
    persist-tun
    persist-key
    tls-client
    client
    ca ca.crt
    cert <your client name>.crt
    key <your client name>.key
    ns-cert-type server
    comp-lzo
    verb 4
    I hope it will help you....

  • Need Some Advice….

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Setup PKI VPN between pfsense and OSX (viscosity)

    Locked
    0 Votes
    3 Posts
    2k Views

    @kpa:

    Server:
    ca.crt
    server.crt
    server.key
    dh1024.pem

    Client:
    ca.crt
    client1.crt
    client1.key

    Worked like a champ thanks (PS - Client1 was actually "frodo" in my situation)

  • OpenVPN and OpenBGPD on pfSense 1.2.3

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Please Need Help for OpenVPN

    Locked
    0 Votes
    6 Posts
    6k Views

    Yes sir, I am running it without any problem, and yes, I open both TCP and UDP. Yes, I follow that tutorial and this tutorial also: "http://www.scribd.com/doc/8142908/pfSense-OpenVPN-Tutorial".

    My problem was, as I said, "server.crt". Actually I couldn't get the code correctly. That's why I couldn't put the correct code in the pfSense OpenVPN server.crt field.

    And now I know why I couldn't get the correct code. It was a typing mistake. Something like this: "build-key-server.bat"

    Actually it should be like this: "build-key-server.bat server"

    But I am very happy now. Thank you very much, sir.

    Take care and bye bye…..

  • OpenVPN Access Server

    Locked
    0 Votes
    7 Posts
    9k Views

    @cmb:

    2.0 already has the equivalent of OpenVPN Access Server for free, and better in some ways.

    I can't wait to put my hands on it.  :P

    Thanks

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.