• 0 Votes
    5 Posts
    4k Views
    N
    @jimp: That outbound NAT rule goes on WAN, not OPT2.
    Thank you; it's transferring data now! I'll put on a packet sniffer so I can see with my own eyes that data and DNS are both encrypted, but at this juncture I'm quite pleased. I do appreciate your very quick and entirely correct response; I'm sorry I wasted your time. Is there a wiki I can document this at, so others can find the right information more easily?
    For anyone else going through this, the final configuration:
    Current major setup:
    Client: Windows XP, OpenVPN 2.1.1 with OpenVPN GUI 1.0.3
    Netgate ALIX board with pfSense 1.2.3-RELEASE installed.
    LAN (192.168.1.13/27) ethernet goes nowhere, or to a computer for logging into the web interface.
    WAN (xxx.yyy.zzz.qqq/24) ethernet goes to the cablemodem (which is set for static IP use)
      WAN gateway xxx.yyy.zzz.nnn
    OPT1 (192.168.1.113/27) goes to wireless
      OPT1 is not bridged
      OPT1 gateway is blank
      OPT1 is set as an Access Point, WPA2 only, Pre-shared-key, Open System Auth, and works fine right now.
    OPT2 (192.168.2.1/24) goes to tun0, the OpenVPN
      OPT2 general config is Type Static
      OPT2 is not bridged
      OPT2 gateway is blank
    VPN OpenVPN is set up as "Server"
      VPN Protocol UDP
      VPN Dynamic IP unchecked
      VPN Local Port 1194
      VPN Address Pool 192.168.2.0/24
      VPN Use Static IPs is not checked
      VPN Local Network is blank
      VPN Authentication method is PKI
      VPN Custom Options:
        push "redirect-gateway def1"
    Firewall - based on a forum search here, I set:
      NAT - Outbound to Manual mode, and added
        NAT Outbound Interface WAN    Source 192.168.2.0/24 * * * * * NO
        NAT Outbound Interface WAN    Source 192.168.1.0/27 * * * * * NO  - Auto created rule for LAN (matches .13/27)
        *** nothing for 192.168.1.96/27, the OPT1 Wireless IP range, because I deliberately want to force all wireless to use VPN.
      Rules - OPT2
        Block TCP/UDP * * to destination (all firewall IP's, ports 80 and 443 - to prevent VPN clients from accessing WebGUI)
        ALLOW TCP from * * to destination * ports 80 and 443 gateway *
  • Openvpn with captive portal

    Locked
    6
    0 Votes
    6 Posts
    9k Views
    C
    Ok, I have fixed that up as well.  Thanks for all your help!
  • IPCOP to Pfsense OpenVPN

    Locked
    16
    0 Votes
    16 Posts
    11k Views
    S
    I was testing OpenVPN on pfSense yesterday and stumbled across your post… I had previously worked with OpenVPN using the OpenVPN how-to, which specifies using .crt, .key, and dh.pem files. Like you, I was not sure how to use certs generated by IPCOP on pfSense OpenVPN... It turned out that I was able to paste the IPCOP PEM files into the pfSense OpenVPN config (I had wondered if I needed to convert to a .crt file). Then I was able to use the downloaded IPCOP client package as it was. There was no need to convert pk12 to pem or crt.
  • Openvpn, lan and wan trouble

    Locked
    14
    0 Votes
    14 Posts
    8k Views
    M
    After some reading I turned off captive portal… and now it works :) Although captive portal is a nice feature, I'm wondering if it's supposed to behave this way or if it's a bug? Kinda want both OpenVPN > LAN and captive portal to work.
  • Generate Certificates and Keys Using Windows Server PKI

    Locked
    10
    0 Votes
    10 Posts
    6k Views
    F
    I realize that and I also have the pfSense book which I was following as well. The small set of instructions for my own organization that I was referring to will probably be taken from those with a little side commentary is all. I did not mean to infer that mine would somehow fill a need for the community at large; just my workplace.
  • OpenVPN for road warriors (=remote client) - unable to access LAN clients

    Locked
    17
    0 Votes
    17 Posts
    11k Views
    S
    Oh… it is not the best solution for me; btw, I will investigate a bit... and then will decide what to do. Thank you so much for your help, your support and your time! Stefano.
  • Connecting to pfSense OpenVPN from inside LAN

    Locked
    7
    0 Votes
    7 Posts
    7k Views
    L
    @Xefan: I can successfully connect to my pfSense 1.2.3 server through OpenVPN from a remote computer, but not from LAN the server belongs to. I get the following error in the logs:
    TCP/UDP: Incoming packet rejected from 192.168.10.1:1194[2], expected peer address: XX.XXX.XX.XXX:1194 (allow this incoming source address/port by removing --remote or adding --float)
    I don't have the --remote option in the client config. Please help!
    Same problem I had also, when I was using UDP port. But if you use TCP, you can connect your OpenVPN client to your OpenVPN server from LAN. I don't know the reason why I couldn't use UDP. But with the same settings, if I use TCP it works. Make sure your OpenVPN client config file has these lines:
      float
      port 1194
      dev tun
      dev-node tap0
      proto tcp-client
      remote your wan ip 1194
      ping 10
      persist-tun
      persist-key
      tls-client
      client
      ca ca.crt
      cert whatever your client name.crt
      key whatever your client name.key
      ns-cert-type server
      comp-lzo
      verb 4
    I hope it will help you....
  • Need Some Advice….

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Setup PKI VPN between pfsense and OSX (viscosity)

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    R
    @kpa: Server: ca.crt server.crt server.key dh1024.pem Client: ca.crt client1.crt client1.key Worked like a champ thanks (PS - Client1 was actually "frodo" in my situation)
  • OpenVPN and OpenBGPD on pfSense 1.2.3

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Please Need Help for OpnVPN

    Locked
    6
    0 Votes
    6 Posts
    6k Views
    L
    Yes sir, I am running it without any problem, and yes, I open both TCP and UDP. Yes, I followed that tutorial and this tutorial also: "http://www.scribd.com/doc/8142908/pfSense-OpenVPN-Tutorial". My problem was, as I said, "server.crt". Actually I couldn't get the code correctly; that's why I couldn't put the correct code in the pfSense OpenVPN server.crt field. And now I know why I couldn't get the correct code: it was a typing mistake. Something like this: "build-key-server.bat". Actually it should be like this: "build-key-server.bat server". But I am very happy now. Thank you very much sir. Take care and ba bye…
  • OpenVPN Access Server

    Locked
    7
    0 Votes
    7 Posts
    9k Views
    K
    @cmb: 2.0 already has the equivalent of OpenVPN Access Server for free, and better in some ways. I can't wait to put my hands on it.  :P Thanks
  • Little help for noob with OpenVPN and local network

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    E
    This is just a repost I have from another topic but it may help you. To me it sounds like you are not pushing your routes from your remote site to your client when it connects. Look under the "Custom Options" section of your OpenVPN config. You can add in something like…
      push "route 10.10.10.0 255.255.255.0"
    This will let the remote OpenVPN server push the correct routes needed to talk over the VPN to your client. I believe you must also have the "pull" option specified in your custom options for your "client". Using the OpenVPN GUI client my config lists "pull ; Pull route data/DNS from server." Let me know if this fixes it for you!
    @completetech: I have pfSense set up as the server.  the client is of course my windows xp laptop.
  • Can't connect to client network?

    Locked
    20
    0 Votes
    20 Posts
    9k Views
    C
    For the record, got working the 3-site routed VPN with this changed topology:
    Site1 <-> Site2 <-> Site3 <-> Site1
    The missing bit was to add routes for the Site2 FW before redirecting the default gw on the other two sites.
    FW1 LAN1: 192.168.1.0 WAN: 10.10.1.2 --> intersite gw: 10.10.1.1
    LAN2: 192.168.2.0 OPT1: 10.10.2.2 --> intersite gw: 10.10.2.1 WAN: Internet
    LAN3: 192.168.3.0 WAN: 10.10.3.2 --> intersite gw: 10.10.3.1
    Site1 as client: route 10.10.2.0 255.255.255.252 10.10.1.1; route 10.10.3.0 255.255.255.252 10.10.1.1; route 0.0.0.0 128.0.0.0; route 128.0.0.0 128.0.0.0; dev tun12;
    Site1 as server: route 192.168.3.0 255.255.255.0; dev tun13;
    Site2 as client: route 192.168.1.0 255.255.255.0; dev tun21;
    Site2 as server: route 192.168.3.0 255.255.255.0; dev tun23;
    Site3 as server: route 10.10.1.0 255.255.255.252 10.10.3.1; route 10.10.2.0 255.255.255.252 10.10.3.1; route 0.0.0.0 128.0.0.0; route 128.0.0.0 128.0.0.0; dev tun32;
    Site3 as client: route 192.168.1.0 255.255.255.0; dev tun31;
    Thanks a lot to GruensFroeschli for the tip about redirecting default gw. Just out of curiosity, the two routes for that trick do the same as "redirect-gateway def1"?
  • OpenVPN bridging

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    I think this thread has all the current information about the problems with bridging and OpenVPN: http://forum.pfsense.org/index.php/topic,1990.0.html Afaik the problem only appears if you use CARP and an OpenVPN bridge together.
  • Am I missing some files?

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    GruensFroeschli
    yes
  • Pfsense as client will route itself but not others on network

    Locked
    10
    0 Votes
    10 Posts
    6k Views
    D
    Fixed it. Turns out the encryption had nothing to do with it; that was set up fine all the time. I needed a little extra config on the server side. To allow clients on the LAN behind the pfSense client firewall (192.168.3.0/24) to access machines on the server side LAN (192.168.4.0/24), I added this to the server config:
      client-config-dir ccd
      route 192.168.3.0 255.255.255.0
    Then in a directory called ccd I created a file with the same name as the client cert in use, and in it I put:
      iroute 192.168.3.0 255.255.255.0
    And everything started working. All this is probably obvious when you understand the inner workings properly, but it took me a little while to understand, so hopefully this will help anyone else in my position.
  • 0 Votes
    4 Posts
    3k Views
    B
    Post both the client and server side configs, or screen shots of each. It will make it a lot easier to figure out. I'm assuming this is a shared key site-to-site tunnel?
  • OpenVPN + Yubico PAM

    Locked
    5
    0 Votes
    5 Posts
    6k Views
    H
    OK, so I downloaded the development ISO of pfSense and downloaded ykclient (yubico-c-client) as required by Yubico PAM. While running ./configure it states it needs curl; I found a FreeBSD package of this. Installed it, and running curl it states it needs libssl. I can't find this anywhere; package management in FreeBSD seems screwed or something. Isn't there ANYONE out there with a nice FreeBSD server up who can compile these things and put them up somewhere?
  • Openvpn udp multiple WAN

    Locked
    12
    0 Votes
    12 Posts
    5k Views
    ?
    nice work! thanks!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.