• Little help for noob with OpenVPN and local network

    0 Votes
    5 Posts
    3k Views

    This is just a repost I have from another topic, but it may help you.

    To me it sounds like you are not pushing your routes from your remote site to your client when it connects. Look under the "Custom Options" section of your OpenVPN config. You can add in something like:
    push "route 10.10.10.0 255.255.255.0"

    This will let the remote OpenVPN server push the correct routes needed to talk over the VPN to your client. I believe you must also have the "pull" option specified in your custom options for your "client". Using the OpenVPN GUI client, my config lists "pull ; Pull route data/DNS from server."

    Let me know if this fixes it for you!

    @completetech:

    I have pfSense set up as the server. The client is, of course, my Windows XP laptop.

  • Can't connect to client network?

    0 Votes
    20 Posts
    9k Views

    For the record, I got the 3-site routed VPN working with this changed topology:
    Site1 <-> Site2 <-> Site3 <-> Site1

    The missing bit was to add routes for the Site2 FW before redirecting the default gw on the other two sites.

    FW1 (Site1): LAN1 192.168.1.0, WAN 10.10.1.2 --> intersite gw 10.10.1.1
    FW2 (Site2): LAN2 192.168.2.0, OPT1 10.10.2.2 --> intersite gw 10.10.2.1, WAN: Internet
    FW3 (Site3): LAN3 192.168.3.0, WAN 10.10.3.2 --> intersite gw 10.10.3.1

    Site1 as client:

    route 10.10.2.0 255.255.255.252 10.10.1.1; route 10.10.3.0 255.255.255.252 10.10.1.1; route 0.0.0.0 128.0.0.0; route 128.0.0.0 128.0.0.0; dev tun12;

    Site1 as server:

    route 192.168.3.0 255.255.255.0; dev tun13;

    Site2 as client:

    route 192.168.1.0 255.255.255.0; dev tun21;

    Site2 as server:

    route 192.168.3.0 255.255.255.0; dev tun23;

    Site3 as server:

    route 10.10.1.0 255.255.255.252 10.10.3.1; route 10.10.2.0 255.255.255.252 10.10.3.1; route 0.0.0.0 128.0.0.0; route 128.0.0.0 128.0.0.0; dev tun32;

    Site3 as client:

    route 192.168.1.0 255.255.255.0; dev tun31;

    Thanks a lot to GruensFroeschli for the tip about redirecting the default gw. Just out of curiosity, do the two routes for that trick do the same as "redirect-gateway def1"?

  • OpenVPN bridging

    0 Votes
    2 Posts
    2k Views
    GruensFroeschli

    I think this thread has all the current information about the problems with bridging and OpenVPN:
    http://forum.pfsense.org/index.php/topic,1990.0.html

    AFAIK the problem only appears if you use CARP and an OpenVPN bridge together.

  • Am I missing some files?

    0 Votes
    5 Posts
    2k Views
    GruensFroeschli

    yes

  • Pfsense as client will route itself but not others on network

    0 Votes
    10 Posts
    6k Views

    Fixed it. Turns out the encryption had nothing to do with it; that was set up fine all the time. I needed a little extra config on the server side.

    To allow clients on the LAN behind the pfSense client firewall (192.168.3.0/24) to access machines on the server-side LAN (192.168.4.0/24), I added this to the server config:

    client-config-dir ccd
    route 192.168.3.0 255.255.255.0

    Then, in a directory called ccd, I created a file with the same name as the client cert in use, and in it I put:

    iroute 192.168.3.0 255.255.255.0

    And everything started working.

    All this is probably obvious when you understand the inner workings properly but it took me a little while to understand so hopefully this will help anyone else in my position.

  • 0 Votes
    4 Posts
    3k Views

    Post both the client and server side configs, or screen shots of each. It will make it a lot easier to figure out. I'm assuming this is a shared key site-to-site tunnel?

  • OpenVPN + Yubico PAM

    0 Votes
    5 Posts
    6k Views

    OK, so I downloaded the development ISO of pfSense and downloaded ykclient (yubico-c-client), as required by the Yubico PAM module.

    While running ./configure it states it needs curl; I found a FreeBSD package for this. I installed it, and when running curl it states it needs libssl. I can't find this anywhere; package management in FreeBSD seems screwed or something.

    Isn't there ANYONE out there with a nice FreeBSD server up who can compile these things and put them up somewhere?

  • Openvpn udp multiple WAN

    0 Votes
    12 Posts
    5k Views

    Nice work! Thanks!

  • Enforcing an OpenVPN timeout

    0 Votes
    4 Posts
    14k Views

    You would only want that on the client I believe, it could otherwise cause the server to shut down. May be able to push that option, I'm not entirely sure offhand. Never tried that option before.

    Though I do question if it's really necessary. Unless you have a very large number of simultaneous clients, and very slow hardware (less than 500 MHz), the load if they aren't doing anything is inconsequential. The load with VPN is primarily when you're pushing traffic and it has to do crypto on that.

  • Multiple Internal Subnets with OpenVPN

    0 Votes
    10 Posts
    17k Views

    jimp/kpa,

    Thanks for the advice, the thing I was missing was the extra route statement in the server configuration. Just to close the loop on this thread, here's the final settings that worked.

    Public IP: YYY.YYY.YYY.YYY
    Net 1: 192.168.1.0/24
    Net 2: 192.168.2.0/24
    Net 3: 192.168.3.0/24
    OpenVPN Pool: 192.168.100.0/24
    Local Network: Left blank
    Custom Options:
    push "redirect-gateway def1";
    push "route 192.168.1.0 255.255.255.0";
    push "route 192.168.2.0 255.255.255.0";
    push "route 192.168.3.0 255.255.255.0";
    route 192.168.101.0 255.255.255.0;

    Client-Specific Configurations:

    Interface IP: 192.168.101.0/30
    Push Reset: Unchecked
    Custom Options: iroute 192.168.101.0 255.255.255.0

    Problem solved!

  • Custom Options of OpenVPN

    0 Votes
    4 Posts
    7k Views
    GruensFroeschli

    Amazing, isn't it?  :D

  • OpenVPN on Bridged WAN access LAN?

    0 Votes
    5 Posts
    3k Views

    ^ What he said.

    If you want a "backup" VPN server that's routed, it would have to assume the role of default gateway. With pfSense you can use CARP for multiple firewalls, but if your other firewall isn't pfSense, you probably can't do that.

    If you use bridged VPN, it shouldn't matter because the clients will get an address on your LAN, so no worries about routing.

  • Strange log. Did this user lose his key?

    0 Votes
    1 Post
    2k Views
    No one has replied

  • OpenVPN + pfSense not able to get to LAN

    0 Votes
    2 Posts
    2k Views
    GruensFroeschli

    You forgot to write any relevant information like:
    Layout of your setup, OpenVPN configuration client/server, firewall rules, routes, etc.

  • Server can't be client?

    0 Votes
    3 Posts
    2k Views

    @GruensFroeschli:

    Setting the checkbox "Dynamic sourceport" on the client allows the OpenVPN process to dynamically use a different port.

    Taking note…

  • OpenVPN ip question

    0 Votes
    1 Post
    1k Views
    No one has replied

  • Site to Site OpenVPN - 3 pfsense

    0 Votes
    4 Posts
    4k Views

    Thanks Havok,

    I've created a route on pfsense2 (OpenVPN server) to route all packets to the remote subnet using the tun0 interface IP as the gateway on pfsense3 (OpenVPN client).

    All traffic between the server and client is now encapsulated.

    Thanks for your advice

  • Security consideration (blocking internet access)

    0 Votes
    8 Posts
    5k Views

    Thanks for the directive.

    Of course a virus will get onto my enterprise network if the client is already infected.
    But if someone has remote control of the client, at least he couldn't use it while the client is connected to the VPN.

  • StrongVPN as part of OpenVPN WAN setup [(partly) SOLVED]

    0 Votes
    7 Posts
    7k Views

    Thanks very much for your reply.

    @GruensFroeschli:

    Sorry, I don't have the time to look at the forum as much as I used to anymore ;)
    I use something quite similar to what you want, to connect my workplace with my home.
    I use this to redirect certain traffic I don't want to go over my workplace's network to my home.
    (Private traffic from my iPhone, as an example.)

    How I did this:
    Basically the same as you describe, however with some minor differences.
    I don't use a PKI. For site-to-site connections I just prefer private shared key setups.

    I use a PKI since that's what I get from the provider (StrongVPN), there's no option to use shared keys. Some other providers have it the other way around though.

    I redirect traffic not with the "redirect def1" but with my policy routing.
    I don't think what you are after is even possible while using "redirect def1".

    That was my thought too and that's why I tried to manually (while testing) remove the entries from shell (worked) and then use policy routing, but it didn't work all the way.

    Also, you don't need two entries in the failover pool. A single entry is enough. (See screenshot.)

    Ok

    Just set on the OPT-config page the correct IP, like in the OpenVPN config, and the corresponding gateway. As monitor I use the other side of the VPN.
    This is just a workaround from a previous version; with 1.2.3 you can assign the VPN tunnel as an interface and thus select it as gateway directly.

    Hmm, yes, that's what I've done. The VPN is an interface and much seems to work; I have incoming NAT and FW rules working through the tunnel from the outside too, and verified. Pretty cool. Means I could place my web server or whatever in Hong Kong :) and since the IP is static I could add that as an A record in DNS too.

    This is actually another reason to use a PSK and not a PKI. With a PSK you can hardcode the IP you use in the config.
    With a PKI you can dynamically get a different IP when you have multiple clients. (Of course you can use a client-specific configuration.)

    I get the same IP etc every time from StrongVPN, in fact that's part of this service, a static IP for the duration of that specific account.

    In my "custom options" i forced the site-to-site connection to "dev tun10" to ensure i always have the same dev when assigning the interface.

    Ahh, that may be practical.

    In the example screenshot below I redirect my iPhone on wireless over the VPN to my home.
    The normal policy routing rules apply.

    What i would do in your case:

    Get rid of the PKI and set up a PSK. Get rid of the failover pool and use the gateway directly. Change the firewall rules to redirect traffic however you want.

    Thanks for your input, I will try and compare and do some testing. In this case (with this account) I will have to use the PKI though.

    There is the problem with dead peer detection though: if my tunnel stops working for some reason (has happened a few times; the tunnel appears up but no traffic goes through) I need to, like, disable/enable to get it back up, but until that is done the network would be effectively offline if I have entered the VPN gateway instead of 'default' in the FW rule.

    Maybe one could have a cron job running, pinging some VPN exit point IP and if no answer take down tunnel, bring back up and then remove those routing entries.

    I'm also a bit concerned about those problems with WAN-services, like OpenVPN, PPTP, they seem not to work while tunnel is up, even though port forwarded services work fine. I'll try to do some more testing on that too.

    Cheers,

  • Can only ping and see some clients?

    0 Votes
    3 Posts
    2k Views
    jimp

    The Road Warrior config should be fine. If you can talk to anything at all on the LAN, it should all work – unless those stations which you cannot reach have something such as:

    1. Local client firewalls on LAN systems which block ping or other services from outside your local subnet
    2. Incorrect/different gateway set on the LAN system.
    3. Some other routing or overlapping subnet issue on the OpenVPN client side.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.