Yep…sorry  :(

I like your "backup" definition  :)

Thank you for all your answers !

I finally opted for manually setting up OpenVPN in a fresh Debian install  ;D !

It works like a charm  :) !

Could you explain how to do that? This is my first experience with setting up any kind of VPN.

Details of the error message (logs etc) and your configuration would be useful.  There are also forums for people who's primary language isn't English if you would find it easier working in your native language.

Ok this was a tricky one:

I was doing a migration from ipsec to openvpn (bc/ ipsec does not support site-to-site where B as has a dynamic IP) and i still had my ipsec config activated - so this somewhat confused pfsense.

I disabled the tunnels in question on the ipsec page and my openvpn started working!

Thanks got it working now.

Answering myself:

If you don't set a LAN rule as described in the following thread, it won't work:

http://forum.pfsense.org/index.php/topic,7840.0.html

After adding the LAN rule all is fine… I added only the WAN rule which was one to less!!

Greetz
Mircsicz

quick update : procedure doesn't work for me

during boot, I get an error regarding the tap0 device (about the fact that I cannot be added to the bridge)

I'm not sure how to set up the tap0 - can anyone give me some guidance ?

thanks

Hi folks!

Same problem again, I haven't done anything with the FW since my last post.
So my solution now is to remove one instance of OpenVPN and only use one.

I have another PfSense with OpenVPN at home that has been working with one instance since march this year.

So it could be a limit in OpenVPN, and hopefully it will be solved in 1.2.1 or 1.3.

Regards
Beach

Hi,
I was having similar issues at one potin. Where my problem was is that i was copying the ta.key (The TLS key) that is generated when you create your tunnel on the server (pfbox) just using standard copy/paste. For some reason odd formatting was being added into the file and it would not work and would throw the error like you are getting because of an incorrect tls.

I suggest enableing SSH access on your PFbox and using SCP to copy the "server1.tls-auth" key to your client or to another box where you can put it on a jumpdrive then move it to your client.

Also, i would make sure in your  "server mode" for your openVPN server that it is not set to "Remote Access (SSL/TLS + User Auth ) if you have not set up your client to use a username/password. Otherwise you will get this error as well.

If you do want to use the user auth.. Add this to the top of your client config and try it out. (It will pop-up a username/password box for you).

–auth-user-pass

If you are still having problems please post back with your config from your client and server and i will try to help you debug your settings.

What I meant by tap interface is the TAP-Win32 Adapter V8 listed in network connections on the Windows client. Both sides are using dev tun.

Yes it's a PKI setup.

The Openvpn subnet is 10.12.0.0/16 and isnt pushed as a route.

I have found a workaround to the problem. By using

the routes gets set permanently. The user has to wait 15 seconds when connecting to the VPN. But its an acceptable solution.

Im not sure if this will help you guys but i was having a similar problem.

Where i was getting issues is the TLS stuff. For some reason my system didn't like me just copying the TLS (ta.key) out of the web browser and dumping it to a standard text file. I had to ssh into the pf box and SCP the server1.tls-auth file to a server which i then used winSCP to download it to my windows client.

1. ssh into pf box
2. locate the serverX.tls-auth (replace X with the server number.. if you only have one OpenVPN server configured it would be 1, for 2 it would be 2, etc…)
    find / -name server1.tls-auth
3. Use scp or something similar to move the file Securely to another box.
4. Get the server1.tls-auth file to your client and configure it to use that file for TLS auth.

After this i was able to connect properly and no longer was getting these odd auth/decrypt errors.... If your still having problems please PM me or post back and i will attach copies of my working config files.

-E

Can i do the same with PPTP ?
Or PPTP enable connection only from the same natwork of WAN ?
Because i try it and i can connect to 192.168.1.2 only from WAN class..

Thanks !

@GruensFroeschli:

To be honest i'm surprised you can get it actually working with a Windows-xp machine doing routing…

To enable TCP/IP Forwarding in Windows XP, you just need to enable a setting in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter = 1

For more information on it, please check out the following links:

http://www.home-network-help.com/ip-forwarding.html
http://support.microsoft.com/kb/315236

Try setting the "Bypass firewall rules for traffic on the same interface" option under system–>advanced

Has definitely already been enabled, as it will not let me ping remote hosts at all without that option enabled.

But if you have 2 pfSense's on both side i would just stick to let the two do the routing.

I have one minor issue when using two pfsense devices for a direct site-to-site connection.  I will get a post ready for those items.

Thanks for checking in with your input.  It is much appreciated!

Try drawing a diagram of how you want it to be setup then we might understand it better but I'm no Linux/BSD hawk but still managed to set it up. with different user accounts, you don't need to create the .ca's in the pfsense box you can create them on a different one aslong as ALL of your .ca's are created on the same computer(no exception).

No problem, glad you got it sorted. Sometimes you have to go down to nearly bare metal!