• Management for OpenVPN

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG

    please use the search function:

    solution: --> http://forum.pfsense.org/index.php/topic,5282.0.html

  • Openvpn road warrior question

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    Cry HavokC

    I'll go with the large neon letters, flames and strobe lights….

    You will not get OpenVPN reliably working if the local and remote subnets are the same (or overlap)

    See the OpenVPN HowTo: http://openvpn.net/howto.html#numbering.  You will have to renumber one network or stop trying to use OpenVPN.

  • Authentication via LDAP for OpenVPN

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Windows File/Printer sharing on OpenVPN

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    A

    hmmm… nice suggestion... I think I will shrink the subnet on LAN from /16 to /24 or use a different IP block for OpenVPN.

  • How to use PKI to setup site to site openvpn?

    Locked
    8
    0 Votes
    8 Posts
    5k Views
    GruensFroeschliG

    quote from man

    Server Mode
    Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode is supported, and can be enabled with the --mode server option. In server mode, OpenVPN will listen on a single port for incoming client connections. All client connections will be routed through a single tun or tap interface. This mode is designed for scalability and should be able to support hundreds or even thousands of clients on sufficiently fast hardware. SSL/TLS authentication must be used in this mode.

    --server network netmask
        A helper directive designed to simplify the configuration of OpenVPN's server mode. This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the ".1" address of the given network for use as the server-side endpoint of the local TUN/TAP interface.

    For example, --server 10.8.0.0 255.255.255.0 expands as follows:

    mode server
    tls-server

    if dev tun:
        ifconfig 10.8.0.1 10.8.0.2
        ifconfig-pool 10.8.0.4 10.8.0.251
        route 10.8.0.0 255.255.255.0
        if client-to-client:
            push "route 10.8.0.0 255.255.255.0"
        else
            push "route 10.8.0.1"

    if dev tap:
        ifconfig 10.8.0.1 255.255.255.0
        ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
        push "route-gateway 10.8.0.1"

    TLS Mode Options:
    TLS mode is the most powerful crypto mode of OpenVPN in both security and flexibility. TLS mode works by establishing control and data channels which are multiplexed over a single TCP/UDP port. OpenVPN initiates a TLS session over the control channel and uses it to exchange cipher and HMAC keys to protect the data channel. TLS mode uses a robust reliability layer over the UDP connection for all control channel communication, while the data channel, over which encrypted tunnel data passes, is forwarded without any mediation. The result is the best of both worlds: a fast data channel that forwards over UDP with only the overhead of encrypt, decrypt, and HMAC functions, and a control channel that provides all of the security features of TLS, including certificate-based authentication and Diffie Hellman forward secrecy.

    To use TLS mode, each peer that runs OpenVPN should have its own local certificate/key pair (--cert and --key), signed by the root certificate which is specified in --ca.

    When two OpenVPN peers connect, each presents its local certificate to the other. Each peer will then check that its partner peer presented a certificate which was signed by the master root certificate as specified in --ca.

    If that check on both peers succeeds, then the TLS negotiation will succeed, both OpenVPN peers will exchange temporary session keys, and the tunnel will begin passing data.

    The OpenVPN distribution contains a set of scripts for managing RSA certificates & keys, located in the easy-rsa subdirectory.

    The easy-rsa package is also rendered in web form here: http://openvpn.net/easyrsa.html

    --tls-server
        Enable TLS and assume server role during TLS handshake. Note that OpenVPN is designed as a peer-to-peer application. The designation of client or server is only for the purpose of negotiating the TLS control channel.

    so theoretically it shouldn't make a difference if you write it manually.
    sorry, I don't know why your connection is not working :(

  • Little help needed understanding the "VPN Capability OpenVPN" wiki page

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Cry HavokC

    AFAIK OpenVPN listens on all interfaces, it's "just" a matter of routing ;)

    You add something to "Local Network" if you want OpenVPN to push a route to it to the client (in your case it would be 192.168.1.0/24).  If you simply want to have all traffic pushed through the VPN leave it blank and add the following to the "Custom Options":

    push "redirect-gateway"

    The rule - the external IP address(es) of the pfSense host you want OpenVPN to be visible on.

    On the last point, replace n.n.n.n with the external (213.94.182.) address and ensure the device(s) that has/have those IPs forward the relevant ports to pfSense host (if the pfSense host doesn't have them).

  • OpenVPN dual wan

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Alix & site to site VPN?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    S

    @naughtyusmaximus:

    Does anyone know if a 500MHz AMD Geode (LX800) will have enough processing power to handle being an OpenVPN client for three-five people?  I have a satellite office that I want to send an enclosed unit to, but don't want to buy it, configure it, ship it off, only to find out that it doesn't have enough processing power to do the job…

    I just set up my alix.2c3 (LX800) and I'm able to push about 15Mbit over an OpenVPN tunnel.

  • Multi-WAN oVPN Server, single WAN oVPN Client - Server can't ping client

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    N

    Hi,

    If you're interested in pinging across the link, I advise you change your rule to allow Protocol -> ANY, instead of TCP/UDP.  Pinging requires ICMP traffic.

  • [Solved] Dynamic IP client and reconnection problem

    Locked
    11
    0 Votes
    11 Posts
    33k Views
    R

    Wow, I've been struggling with this for a while and actually saw the persist-remote-ip option in the config but couldn't think how to remove it but still maintain float. Thanks!!!

    I'm trying to think though where this combination could be used if you want site-to-site. I presume the diff is that float allows diff machines to connect with diff IPs but persist-remote-ip only allows the same machine to connect with its previous address. So I think it's more suited to multiple remote clients where you wouldn't use the 'remote network' setting.

    But perhaps there should be a setting for this then, e.g. a checkbox for dynamic IP and a checkbox for site-to-site with dynamic client.

    Regards

    Robby

  • [1.2RC3] Site-to-site ping problem

    Locked
    10
    0 Votes
    10 Posts
    7k Views
    S

    @GruensFroeschli:

    http://forum.pfsense.org/index.php/topic,7001.msg39657.html#msg39657

    or do you want just "some" addresses and not all?

    Thanks but I just want some addresses and not all traffic to vpn tunnel ;)

  • Client LAN can ping server-side LAN, not the other way around

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    M

    Hi,

    the LAN rule did the trick!

    Many thanks.

  • Site to site VPN with Multicast forwarding

    Locked
    1
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • RoadWarrior OpenVPN

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    A

    Oh, I see… I missed that one.  :-[
    Thanks for your info.

  • Site to Site Question

    Locked
    15
    0 Votes
    15 Posts
    12k Views
    GruensFroeschliG

    yes.

  • Openvpn disable user.

    Locked
    5
    0 Votes
    5 Posts
    14k Views
    GruensFroeschliG

    http://openvpn.net/howto.html#revoke

    On pfSense, below the fields to set the server key and certificate, there is a field to put your CRL in.
    No need to mess around with copying files manually and modify the config files.
    Just use the field which is already in the GUI.

  • Point-to-Point wrong route in server PF 1.0.1

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • [Solved] Open VPN kinda, sorta, not really working

    Locked
    10
    0 Votes
    10 Posts
    5k Views
    H

    Got it.  LZO compression is on in the config file supplied with the how-to in the wiki, but I did not have it turned on at the pfSense side.  Removed the LZO line from the client config, and everything seems ok.

  • General Setup Question

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    S

    I want to have a LAN party with remote locations.  I would like to avoid lag (unless the lag only hits them and I can win easier!)  ;D.  We tried to use the Sony servers and could not get on… I guess they are selling a ton of PlayStations.

  • Site-to-Site no ping 1.2rc3

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    C

    @noitalever:

    I have on the client side: (which is the 192.168.250.1 Lan)

    Protocol  TCP
    Server address :70.xxx.xxx.xxx
    Server port :1193
    Interface IP  192.168.10.0/24
    Remote network  192.168.252.0/24

    and on the server side,

    Protocol  TCP
    Dynamic IP  is checked
    Local port  1193
    Address pool: 192.168.10.0/24
    Use static IPs  not checked
    Local network  blanked,
    Remote network  192.168.250.0/24

    I think that this could help: you should set a rule for a push route so the client side knows what is what on the server side (email servers, domain controllers?)

    push "dhcp-option DNS x.x.x.x";push "dhcp-option WINS x.x.x.x"

    That was the old-school way; now they have fill-in boxes for your needed servers' IPs.

    Also, shouldn't you fill in the local network in the upper box?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.