• Load balancing OpenVPN servers behind pfSense using DNAT

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    GruensFroeschliG

    what would be the point of such a setup?
    I mean the idea of having multiple remote declarations is, if one is down you can move to the next.
    Do you actually have multiple OpenVPN servers in the same location on the same internet-line?

  • Bridging Caveats?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    S

    Can anyone offer any further details on this issue?

    I'm hitting some bumps getting bridging configured and am wondering if this is the trouble. I bought the book in hopes of getting some more light on this - it pointed me back to the online community.

  • 1 pfsense different vpn ports and local nets

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    G

    I am sorry to bump this, but I really need some help here or maybe some directions I can check or fix. But I guess none have thought of this.

  • Failover VPN

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    S

    We attempted to set this up previously with 1.2.2 and had major issues where connectivity was failing until we disabled the VPN tunnels. The instructions we followed were from the OpenVPN site. Perhaps they must be modified on pfSense or we did something wrong? Single OpenVPN tunnels were fine.

  • 0 Votes
    8 Posts
    33k Views
    R

    @Cry:

    If you can ping from the OpenVPN client to the LAN then routing is working.  Anything else comes down to firewall rules, either on the clients or on the pfSense host.

    **Do you have rules on the LAN interface allowing communication to the OpenVPN subnet (remember, the default is block)?** Do the OpenVPN clients have any software firewalls?  Is the unspecified service you're trying to access bound to the OpenVPN interface on the client?

    I had to add the rules to the LAN interface to allow traffic from the LAN net to the OpenVPN subnet.  Now it works. Thanks!

    So to summarize, getting this to work required me to do the following:
      1. I followed the steps in the section "Including multiple machines on the client side when using a routed VPN (dev tun)" of http://openvpn.net/index.php/open-source/documentation/howto.html#scope
      2. Add a rule to the LAN interface to allow all traffic from the LAN net to the OpenVPN subnet.

  • CARP SYNC

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Routing from OpenVPN clients over OpenVPN tunnels behind the OpenVPN server

    Locked
    13
    0 Votes
    13 Posts
    6k Views
    W

    Thank you for your answer  ;)

    Did you assign the OpenVPN interfaces as OPTx interface?
    Then created appropriate firewall rules on the OpenVPN interface to allow different subnets?

    I read that it is only possible with pfSense 1.2.3, isn't it ?

    My two pfSense boxes are in version 1.2.2.

  • Multiple tun and which is which.

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    T

    @GruensFroeschli:

    You can set in the custom "custom option" field which tun will be assigned to which connection.
    See the OpenVPN man-pages on how to do that.

    @tester_02:

    2.  If I currently only want port 80 traffic through the vpn, all I would have to do is set a firewall rule to allow port 80 on the opt1 adapter from opt to lan? (if I remember right all traffic is blocked and the rules overwrite?).

    What exactly do you want?
    Allow what kind of traffic from where to where?
    Can you describe that and show a screenshot of the rule you already have?

    Thanks for support!
    I did figure out which vpn was which by assigning the opt and seeing which ip it was assigned.  So now I have both vpn's assigned.
    Opt1 is my site to site vpn, and Opt2 is my roadwarrior style.  The only setting I have on it is that I set the bridge to disabled, and I set the ip address to match my setup in the openvpn settings. 
    What I am a bit at a loss about is the firewall blocking.  What I want to do is just allow port 80 on my opt1.  So I just set up a rule to only allow tcp port 80, as I believe everything else is blocked by default in pfsense.  It does seem to block traffic from the other site to mine.
      The problem is that I can still connect directly to other ports on the remote site.  What I am guessing is that the NAT is causing my problems?  Would I have to override the automatic outbound nat, and set it for AON.  The problem there is I am not sure about the rules..
    Background info..  local net 192.168.4..  Site 2 192.168.1.

    I am still a bit at a loss with all this, as I would have assumed that opt1 would block all traffic unless I open it up.  That NAT portion makes a bit of sense, but I would have originally thought the rules would override it.

    Any help is appreciated.

  • Re: pfsense as a vpn client of swissvpn.net?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    GruensFroeschliG

    D'oh.
    Well, I never use PPTP…

    Another option would be to have a connection from each client to swissvpn...
    But if that is practical  ::)

  • Cannot allocate TUN/TAP dev dynamically

    Locked
    1
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • Error when using OpenVPN Client and Server at the same time [solved]

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    D

    I played around a bit with the OpenVPN options.

    On box 1: The Server uses port 1194 (UDP); the client uses port 10111 (UDP)
    On box 2: The Server uses port 10111 (UDP)

    When I check the "Dynamic sourceport" checkbox in the client configuration everything seems to work fine!

    openvpn[409]: Initialization Sequence Completed

    I will run a few tests later.

  • OPENVPN on PFSENSE Help….newbie

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    F

    I will second that it is covered quite extensively in the book. He's not only saying it because he helped write it  ;). I have not actually set up any openVPN on pfSense but after reading through those chapters I feel prepared to do it.

  • [Solved] Connections across VPN getting NATed

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    J

    Thanks folks, I got it. I feel silly for not figuring that out. Can't wait till my pfSense book gets here, hopefully that will cut down on the forum posts :)

    Thanks again.

  • 0 Votes
    19 Posts
    17k Views
    A

    Thanks for pointing this out. Manually adding pfSense address to the resolv.conf did the trick. As mentioned in the thread you posted a simple trick should be able to do that automatically.

    Thanks again.
    alphazo

  • [SOLVED] per user rules

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    A

    Nice.. thank you very much. When I put 192.168.100.8/30 in the client config, I was able to set filtering rules for the IP 192.168.100.9.

  • Need help to setup an OpenVPN tunnel

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    P

    IT WORKS !!!

    I don't know the WHY details, but it works.
    What I did?
        First, I upgraded to 1.2.3 release nanobsd on both sides.
        Since there were messages in the log saying there was an error trying to add the routes in my custom options, I tried first to remove all routes in custom options to see what happened! The result is that it works without any custom option anywhere!

    From both sides, I can take control of PC on other side (ultravnc) by using their respective IP addresses (192.168.0.* or 192.168.1.*)

    And now I have to do the bridging stuff, just waiting for the tutorial to be updated.

    PS:    By the way, I discovered that the firewall in Windows XP SP3 prevents the PC from responding to pings if activated. Silly thing :)

    Patrice

  • Road Warrior logs into tap VPN, can't access the Internet anymore?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    I

    @GruensFroeschli:

    I'm not sure if this works with a bridged setup.
    You could use the command:
    redirect-gateway def1

    Hmmm.
    Just read up a bit on the openVPN man-pages:
    http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html

    It seems redirect-gateway def1 really doesn't work with a bridge.
    But you have the option to use
    push "route-gateway x.x.x.x"

    Thanks,  I'll try the push "route-gateway x.x.x.x".  I should just add it to the "extra options" area on the OpenVPN page?

    I'll let you know if it works.

  • OpenVPN Server Stops Responding - TLS Error

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    P

    Got this resolved; apparently a FW rule was moved to a wrong position  ::)

  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • OpenVpn multiple public IP

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    GruensFroeschliG

    1.2.3 is based on FreeBSD 7.2
    Your OpenVPN is a port to FreeBSD 6.0.

    Either you're not really on 1.2.3 or something went terribly wrong when you updated.
