• Can pfsense do this (newbie)?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    GruensFroeschliG
    Yes this is possible with the "Client-specific configuration" (client-specific pushes) and with OpenVPN firewall rules. (Although the firewalling of OpenVPN is currently quite a hack.) But you misunderstand that you get an IP out of your 3 subnets. This won't happen. You connect from a different subnet to these private LANs. Yes you can integrate this with Active Directory. Read the stickies! http://forum.pfsense.org/index.php/topic,14946.0.html
  • 0 Votes
    4 Posts
    3k Views
    B
    I got it! My god... all this hair pulling. The problem was that the tap0 interface on machine B did not have an IP address assigned to it. That was it. It works, wonderfully. I am way behind schedule on what I need this for, but with any kind of luck I'll have some time in a few weeks to write up a start-to-finish guide. Until then, I'll try to check the thread as often as I can to answer any questions.
  • OpenVPN // PfSense // Windows // Linux

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    F
    What is your IP and gateway for your external network? That is what it should be. This is an example of the client configuration:
    ovpn_client.txt
    dev tun
    proto udp
    remote 63.162.xxx.xxx 1194
    ping 10
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert ovpn_client1.crt
    key ovpn_client1.key
    ns-cert-type server
    comp-lzo
    pull
    verb 3
    This is from my workstation that I use to connect to OpenVPN with. RC
  • OpenVPN bridge between pfsense boxes HOW TO?????

    Locked
    8
    0 Votes
    8 Posts
    10k Views
    F
    It seems like it works somehow, strange but works. ??? All works on VMware Workstation 6.5.
    client side                                                   server side
    vm1<---lan--->vmnet3<---lan--->em1 pfs1 em0<---wan--->vmnet1<---wan--->em0 pfs2 em1<---lan--->vmnet4<---lan--->vm2
    vm1: 192.168.4.21/24, gw 192.168.4.11
    pfs1: em1 192.168.4.11/24, em0 172.16.1.10/24, tap 192.168.4.2
    pfs2: em0 172.16.1.11/24, em1 192.168.4.10/24, tap 192.168.4.1
    vm2: 192.168.4.20/24, gw 192.168.4.10
    I know that this seems to work on VMware, but I don't think that this would be a standard network configuration. I can see several potential issues: DNS, DHCP. In most wide area networks you would have a core site with a /21 network or larger. For your remotes they would have some /24 networks or smaller. It all depends on the size of your company. So in that case you would extend your network either with secure VPNs, or metnets, OpenVPNs. When I mean extend your business network to 10 sites I would do the following, and let's assume that the connections are IPsec or OpenVPN. We are also using Windows 2003/2008 for servers. Our core network has 200 users and each site has 32 users. We will have 510 addresses (23-bit mask) at the core (10.10.10.0 - 10.10.11.254); each site will have 64 addresses.
    Core: 10.10.10.0
    Site 1: 10.10.20.1 - 10.10.20.64      GW: 10.10.20.1
    Site 2: 10.10.20.65 - 10.10.20.128    GW: 10.10.20.66
    Site 3: 10.10.20.129 - 10.10.20.193   GW: 10.10.20.130
    Site 4: 10.10.20.194 - 10.10.20.254   GW: 10.10.20.195
    Site 5: 10.10.21.1 - 10.10.21.64      GW: 10.10.21.1
    Site 6: 10.10.21.65 - 10.10.21.128    GW: 10.10.21.66
    Site 7: 10.10.21.129 - 10.10.21.193   GW: 10.10.21.130
    Site 8: 10.10.21.194 - 10.10.21.254   GW: 10.10.21.195
    Site 9: 10.10.22.1 - 10.10.22.64      GW: 10.10.22.1
    Site 10: 10.10.22.65 - 10.10.22.128   GW: 10.10.22.65
    So at the core site we would be building a main router, so we would reserve the first 32 addresses for routers and VPN devices. Then we would build out from there through our firewalls and start building out our tunnels (whatever secure method you would use, your choice). So at the core we would then be looking at something like the following:
    Core: 10.10.10.10 core router management
    Core: 10.10.10.1 default gateway
    Firewall LAN interface: 10.10.10.11
    Firewall VPN interface 1: 10.10.10.12 (5 VPN tunnels per interface)
    Firewall VPN interface 2: 10.10.10.13 (5 VPN tunnels per interface)
    DHCP server: 10.10.10.14 contains scopes for core site with all VPN sites
    Barracuda: 10.10.10.15 (mail filtering)
    We would build our VPNs with rules in place to allow DHCP and DNS services to extend over the VPN tunnels. Our internet and other services would be provided from the core site. Remote sites would have a file server and data would be replicated over the VPN tunnels for backup. The local server would also run DNS services for local name resolution. Other services could be provided via Terminal Services or Citrix to conserve bandwidth. I hope this helps. I know it might draw more questions. RC
  • Why my Roadwarrior pfSense does not connect to OpenVPN server pfSense

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • N2N on pfsense installation

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    12 Posts
    16k Views
    J
    I'm having the same problem. I can make a remote desktop connection from my mobile client to one of my servers and request the webpage of one of the printers in the office. I can't directly access that webpage from the mobile client. As far as I can see, all the gateways are correct. [image: VPN Verbindingen.png]
    Firewall rules:
    IPsec: Allow all on all for all
    WAN: Allow TCP/UDP on port 1194 for all
    LAN: Allow all from LAN net to all
    Maybe I'm missing something?
    //Edit: When I traceroute a host in the office network from the mobile client, I get a response from the pfSense server and then from the default gateway of pfSense. So pfSense is routing the traffic the wrong way... Doing the same traceroute from one of my servers, I get the pfSense host, then the router at the office and then the host I'm looking for.
  • Can only push 24 routes to remote clients

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    N
    Looks like this is addressed now in the latest version of OpenVPN. Does anyone know when we might see this change in pfSense? Or what steps are required to manually upgrade OpenVPN meanwhile? Here's an excerpt from a recent OpenVPN changelog:
    2009.05.30 – Version 2.1_rc17
    Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for more option content to be pushed from server to client).
  • I installed OpenVPN on pfSense but the VPN client can't access the LAN?????

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    S
    Have you added a route to the VPN on your local LAN's router? You will need that to enable packet routing between your local and remote computers. Simple home routers enable configuration of a few static routes (some are even capable of running RIP). You will need to add a static route to your VPN subnet in your router's configuration. If, for instance, the address of the VPN's virtual interface on your server is 10.8.0.1, your VPN's subnet will most likely be 10.8.0.0/24. I'll use these addresses in my example below. In my Linksys home router, to add a route I go to the Setup tab, then choose Advanced Routing (it can vary depending on the router's manufacturer), and there I type in the following:
    Enter Route Name: VPN (or any other name you want)
    Destination LAN IP: 10.8.0.0
    Subnet mask: 255.255.255.0
    Default gateway: 192.168.1.254 (<=== this is the VPN server's IP on the LAN)
    Obviously adjust IP addressing to your particular setup. That should do the trick. Good luck http://szymi.bogsite.org
  • 3 sites VPN

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    PARNP
    Hi! And sorry for my English. I have just set up a VPN with 3 sites. To do that I add static routes. The gateway to use with the route is the IP assigned in the address pool you have configured for your tunnel. For example:
    Networks:
    site1: 192.168.1.0/24
    site2: 192.168.2.0/24
    site3: 192.168.3.0/24
    Address pools:
    site1 -> site2: 10.0.1.0/30
    site1 -> site3: 10.0.2.0/30
    When the tunnel is up, and if you do an ifconfig on site1, you will see an interface named tun or tap. And in my example site1 will have IP 10.0.1.1/30 and at the other side of the tunnel site2 has the IP 10.0.1.2/30. In the second pool you will have: site1 10.0.2.1/30 and site3 10.0.2.2/30. So the routes to add are:
    On site2 (to reach site3 via site1): 192.168.3.0 255.255.255.0 10.0.1.1
    On site3: 192.168.2.0 255.255.255.0 10.0.2.1
    Note you have to push these two routes on both sides at the same time; the sites have to know how to respond to the other site. Hope it helps you. (And sorry again for my English.)
  • Open VPN connection to secondary interface on pfsense box.

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C
    Just replying with what fixed it. It was as simple as adding "local 2ndexternalipaddress" as a custom option.
  • One vpn client through pfSense

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschliG
    Do you mean that you want to do this? OpenVPN can do this. There are the stickies explaining how to get this going.
  • MOVED: Blocking Internet Download Manager IDM

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Question about openvpn security implementation in pfsense.

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 2 Firewalls Carp'd + OpenVPN can access all LAN IP's except 2nd FW

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    B
    Well I figured out the problem, but I can't come up with a way to fix it (for me) yet. Let's say your client network (the client to the CARPed firewalls) is 10.20.30.0/24. The server network is 10.40.50.0/24, firewall A is 10.40.50.1 and firewall B is 10.40.50.2. If the client tries to connect to 10.40.50.1 it works fine of course. If the client tries to connect to 10.40.50.2 it goes out on the LAN from 10.40.50.1 correctly; the problem here is actually the reply from 10.40.50.2, because it has no route to 10.20.30.0/24. You can solve this by adding a static route on firewall B (10.40.50.2) on the LAN for 10.20.30.0/24 with the gateway set to 10.40.50.1. This only works if firewall A is the VPN server and firewall B is not (if firewall A is down, there is no VPN connection). In my situation, I have the OpenVPN server configuration duplicated on both firewalls, and I have it listening on the CARP WAN IP. The client connects to the CARP IP so that if one firewall goes down, it will reconnect to the other one automatically as soon as it picks up the CARP IP. That part of it works fine, but I can never connect to the server I'm not connected to. I can't add a static route because both have routes for 10.20.30.0 already even if the tunnel is not up, and as far as I can tell there's no way I can change this behavior, or otherwise allow for automatically changing the route.
  • SOLVED - can't make -Redirect traffic to the vpn tunnel tunnel to work

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    K
    @jtpagaran: Last question: If I need to create an additional client, do I really need to create it on the same machine that I built the keys on? Can I just copy the "keys" folder to a new box and redo the instructions for making client files? Will it work? Anyone? Yes you can, as long as you copy everything to the new machine and set the key creation environment exactly as it was on the old machine.
  • OpenGui client never connects

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    L
    Hi, Did you solve your problem? I have the same exact error. Thank you!
  • Openvpn works only with first lan

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    M
    Sigh, you are right, my fault: a wrong subnet mask did not allow new routes. Thank you!
  • UDP traffic issues

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    N
    Ok, it's working for us now.  We simply used udp port 1194 for the site-to-site tunnel, and 1193 for the road warrior clients.  Now we're looking into pushing routes into the tunnels.  Anyways, I hope this helps anyone else who's having this problem.
  • OpenVPN questions and issues

    Locked
    15
    0 Votes
    15 Posts
    5k Views
    L
    This is solved. I managed to have the remote clients go through the office gateway, and the Win XP machine had as default gateway the old gateway in the office.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.