@ndelong:

Go to Interfaces > OPTx (you just created) and assign an IP. I typically use the IP address that OpenVPN defaults to when you first create your VPN (x.x.x.1). I've used both /24 and /32 as the subnet with success. I agree with jimp that you could probably put anything in here.

You should actually set this to "none" here instead. It's a shortcut that will just not assign an IP, instead of using an invalid one.

That's your problem then - if you search the forum you'll find how to make the disk writeable while you configure OpenVPN.  I don't remember the details myself.

I haven't done it with pfSense but I have setup SecurID with ASA/PIX numerours times. The SecurID Server has it's own RADIUS server. Then use the sticky post in this forum for configuring PAM to use RADIUS with OpenVPN and point to the RSA RADIUS server. Can't see why it won't work.

Can I strongly suggest you:

a) Read the documentation for OpenVPN, as found on the OpenVPN site
b) Stop making random assumptions based on nothing but guesswork

You add that setting (push redirect-gateway def1) to your OpenVPN server configuration (which is what you asked about).  That will then cause the default route for traffic to be through the VPN.  Assuming you've configured the rest of your network accordingly you can then browse the Internet.

can you vnc to 192.168.0.206 ? and ping back to 192.168.0.205, also what about windows firewall is it diabled on both computers , are the computers on the same switch or different switches

solved, :) I had to be more attentive to my index.txt and ca.crt content..

my old ca.crt has serial 00 (not sure why - historical) and .. of course it was treated as revoked by crl as far as there was client certificate with the same serial number, wich was revoked ages ago and ..there were no any crl checks (historical again)
unfortunatelly I have just two ways.. rebuild all certificates or make client certificate with serial 00 valid ( first is better )

@caigeliu:

Hi uz, I'm having a problem exactly as yours:

–-------------- your log -------------------------
Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 TLS Error: Auth Username/Password was not provided by peer
Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 TLS Error: TLS handshake failed
Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 Fatal TLS error (check_tls_errors_co), restarting
–----------------------------------------

Would you please let me know how you solve it. Thanks.

Also hope any one can give me some hint to solve it. Thanks.

Add this parameter in your client config file (client.ovpn): auth-user-pass
TIPS: The file /etc/radius.conf need to have an empty line after the 2 lines acct and auth

Hope it helps

In theory you'll find the routing configured on the OpenVPN server will handle that.

No, this is a regular client to server VPN. I've set up DNS server manually and all worked. Now I wonder how do I set up a default gateway for VPN connection…

@kmichal:

I have the same exact problem on TWO pfSense boxes, and I'm getting desperate.

The information is from three different setups. Anyway, the routes are all messed up and it will never work like that.

He had to delete the following directive to get it to work.

ok thanks you

@Briantist:

I'm not 100% clear on what you mean, but I think you're asking about filtering an OpenVPN interface. If so, this can only be done on 1.2.3 and it's kind of buggy. There have been several posts about it. If you want to try it, you need to disable auto created VPN rules in advanced options, and then add the openvpn interface as an opt. If you have other existing VPNs setup (of any kind) be careful here and don't forget to recreate rules for them.

You need to create the rule on the LAN interface - all pfSense rules apply to the interface the traffic arrives on, not the interface it leaves on.

I can confirm that it works fine with the 64bit Windows 7.

Note that questions about OpenVPN clients are probably best asked on the OpenVPN list ;)

See this thread:
http://forum.pfsense.org/index.php/topic,18801.msg97227.html

Also if you want to do bridging, you have to do more than add server-bridge to custom options (you actually leave server-bridge out if you want to use an existing DHCP server).

Seems like you would have to create a static route on every other machine for that to work. If a machine on your LAN gets an echo request from some IP (in this case let's a say a remote LAN IP of one of your clients), it will go to the default gateway, which will be pfSense. The traffic won't get to the openVPN server even though that's how it got into the network in the first place.

The problem with this is that if these are mobile clients (and it sounds like they are) you don't know what their remote subnets are going to be, so you can't add static routes for them, either on the clients or on the pfsense machine (not 100% on whether that would work anyway even if you knew the subnets).

I do exactly what you're doing with a few servers (openvpn server on a NAT'd IP) but it works for me because I only want the clients of those servers to have access to the IP of the server, so I haven't actually tried to solve the problem you're having.

Edit: maybe a bridged rather than routed setup would work better; it would also solve the problem of the possibility of overlapping subnets with your road warriors.

pfSense, as of at least 1.2.0, has OpenVPN server built in, and PPTP and IPsec.

Windows has PPTP built in, anything else will require a client to be installed.

Yes, you have to be able to connect to your server - if the network is blocking ports then you can't connect.

I dont think i'll have time to try anything today.. but i'll give that a shot over the weekend!

Thanks!