• Site to site vpn and portforwarding

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    GruensFroeschliG

    I assume the site on which the camera is has its own internet connection?
    The requests TO the camera arrive correctly.
    The problem is that the answer goes directly to the camera's default gateway and not back over the VPN tunnel.

    What you can do is:

    Disable automatically generated rules for the VPN. Assign the VPN interface. Enable advanced outbound NAT and create a NAT rule for the VPN interface.
    --> Set as destination the IP of the camera.

    This way, as seen from the camera, the requests originate from the pfSense on the other side of the VPN tunnel
    --> The answer will go back over the VPN.

  • OpenVPN Question

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG

    I suggest you take another look at the OpenVPN config-page ;)

    Your OpenVPN clients get an IP out of the pool you defined in the "Address pool" field on the OpenVPN config page.
    It's not possible to assign an IP based on the MAC because the OpenVPN interfaces are virtual and not real.

    If you want to use static IPs you can use the option "Use static IPs".

  • OPENVPN TAP Interfaces + pfsense 2.0 + blocking dhcp broadcast traffic

    Locked
    9
    0 Votes
    9 Posts
    10k Views
    R

    Will TAP interfaces be supported in pfSense 2.0 ?

  • Some questions about OpenVPN components….

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    X

    @XZed:

    @jimp:

    You're probably better off following this for making keys/certs:

    http://doc.pfsense.org/index.php/Easyrsa_for_pfSense

    Well, I remember having used easy-rsa for pfsense, at its beginnings… but it was still in "beta"... but it seems to be right now  ;D

    So, I'll give it a try and will feedback here  ;D !

    Just a question :

    I suppose there isn't any package to backup folders (to backup easyrsa4pfsense folder) ? Well, winscp will be sufficient ^^ !

    Thanks

    I replied to this old post in order to give some feedback :

    Indeed, the easyrsa package is very nice ! But, pfSense 2.x brings many nice changes to OpenVPN management (CRL missing in 2.x ?? How to do ?? Perhaps will be corrected in final version ?)  ;D !

    Thank you

  • Viewing Currently Connected Clients

    Locked
    10
    0 Votes
    10 Posts
    5k Views
    jimpJ

    @mazzz86:

    I haven't the System > Packages menu.

    Maybe because I'm just testing it on a LiveCD…

    Packages are not available on LiveCD, so that would explain why you don't see it. You have to install to the HDD first and then you can install packages.

  • Problem accessing LAN from roadwarrior (SOLVED)

    Locked
    12
    0 Votes
    12 Posts
    6k Views
    M

    OK it works !!!!!  :)

    My last problem was an internal routing problem.

    So the solution seems to be :

    For clients running Vista or Seven, add those two lines at the end of your client configuration file :

    route-method exe
    route-delay 2

    Thank you for your help Jimp !!
    See you

  • Site-to-site to openwrt

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    M

    Here are the additional screen captures.

    pfsense3-tomato1.JPG
    pfsense3-tomato2.JPG

  • OpenVPN reconnect delays

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Client tunnel cannot be closed down!

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • I need Help For This Setup

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    C

    God bless and take care
                                –  ll_hellBoy_ll

    Wow. Does this forum support sigs? 'cause that brilliant and seemingly unintended use of irony needs to be remembered  8)

  • OpenVpn server on WAN and OPT1 (site-to-site only) [SOLVED]

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    J

    Hi,

    do this post and this one tell the same thing ?
    http://forum.pfsense.org/index.php/topic,21941.msg112804.html#msg112804

    GruensFroeschli, when you say in the other post:
    "With OpenVPN you have the ability to specify multiple servers and how to connect to them (balancing/failover)."
    is this achieved by
    "binding the OpenVPN server to both interfaces and do the failover in the OpenVPN client config"
    i.e. using the Custom options ?

    Thanks for your help

  • Pinging Certain Clients / Servers - (SOLVED)

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    G

    If you guys also have this problem and are running Captive Portal, remember that those clients you need to connect to need to be added to Allowed IP Addresses.

  • Bridging Issues custom option server–bridge not over riding server

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    C

    I've got exactly the same problem! "Options error: --server and --server-bridge cannot be used together"
    Could anyone shed some light on this?
    I triple checked every setting and my custom option will not override the settings :(

    my custom settings

    dev tap0;server-bridge 192.168.2.254 255.255.255.0 192.168.2.218 192.168.2.250;tls-auth /etc/openvpn1196.key 0;management 127.0.0.1 1196;
  • 0 Votes
    2 Posts
    2k Views
    J

    First place is both the server and client logs.  Is there anything in either that indicates anything remotely out of the ordinary?

  • Run OpenVPN client on pfsense, allow lan PCs to use it

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    D

    @jimp:

    You can setup OpenVPN on pfSense under VPN > OpenVPN, on the clients tab.

    You can't selectively route traffic based on firewall rules (easily, yet) but you can route whatever subnets you like down the tunnel.

    Unfortunately I don't want to be sending all my web traffic to the vpn from any specific machine, I could very easily flood my work's dedicated VPN line (a T1 iirc) that would be bad  :D. I am perfectly willing to set up a proxy or something that would forward any traffic it receives to the OpenVPN connection, this does not have to be on the pfsense machine.

  • 0 Votes
    4 Posts
    4k Views
    E

    @jimp:

    Without a WINS server your options are severely limited.

    I've been trying to come up with a way to proxy/relay NBNS traffic across subnets/openvpn to see if it would work, but I haven't had any luck so far.

    Browsing won't work at all without WINS. The only way you might get \\servername to work would be to add a DNS override entry for "servername" with its remote IP address in the DNS forwarder. Be sure to use your pfSense box's domain as the domain for this entry, then your clients should resolve it with "\\servername" – It's ugly, but it works.

    Thanks for your help,

    I have tried the method you mentioned; however, I cannot get it to work…

    I already ticked all three of the items under the Services:DNS forwards tab

    Added a Static Mapping under the Status:DHCP leases tab

    However, I have not added a DNS server under the System:General Setup tab and I have also not installed tinyDNS because I saw that the description mentions that tinyDNS is for failover purposes.

    Please let me know if I omitted some important step.

    Thanks,

    Kam

  • Creating Extra Client Keys… Problems

    Locked
    4
    0 Votes
    4 Posts
    7k Views
    L

    Yeah, I still have the original CA ;)

    I found the solution anyway, it was a strange problem, here's a post I left on another forum:

    When looking at the ca.crt file, I noticed that after "State or Province Name (full name) [LONDON]:" there was "\x09":

    Subject: C=UK, ST=LONDON\x09, L=LONDON, O=OpenVPN

    This was seen as just some spaces when trying to build a key, however \x09 is actually hex for the tab key. I must have pressed it by mistake when first creating the ca file, so basically now when building client keys, I just type LONDON then hit tab, then enter.

    What I don't understand is how I managed to create the first 16 keys without pressing the tab key!

    Anyway, thanks

  • Not Able to connect NETWORK 2

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Quickie fix - I Can access local network but I can't access internet.

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    AhnHELA

    Should look like this when you're done.

    ![Screen shot 2010-02-12 at 3.35.42 AM.png](/public/imported_attachments/1/Screen shot 2010-02-12 at 3.35.42 AM.png)

  • Setting up OpenVPN to connect from an external source

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    B

    To be clear, netrefer, this is a user forum, where we try to help each other out. This isn't a ticket system for technical support. Developers of the software do post here at times, but no one is obligated to resolve your issue. If you want help, you need to include relevant information and answer the questions people are asking.

    To answer one of yours, no you cannot use telnet to connect to a UDP port.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.