What I meant by tap interface is the TAP-Win32 Adapter V8 listed in network connections on the Windows client. Both sides are using dev tun.

Yes it's a PKI setup.

The Openvpn subnet is 10.12.0.0/16 and isnt pushed as a route.

I have found a workaround to the problem. By using

the routes gets set permanently. The user has to wait 15 seconds when connecting to the VPN. But its an acceptable solution.

Im not sure if this will help you guys but i was having a similar problem.

Where i was getting issues is the TLS stuff. For some reason my system didn't like me just copying the TLS (ta.key) out of the web browser and dumping it to a standard text file. I had to ssh into the pf box and SCP the server1.tls-auth file to a server which i then used winSCP to download it to my windows client.

1. ssh into pf box
2. locate the serverX.tls-auth (replace X with the server number.. if you only have one OpenVPN server configured it would be 1, for 2 it would be 2, etc…)
    find / -name server1.tls-auth
3. Use scp or something similar to move the file Securely to another box.
4. Get the server1.tls-auth file to your client and configure it to use that file for TLS auth.

After this i was able to connect properly and no longer was getting these odd auth/decrypt errors.... If your still having problems please PM me or post back and i will attach copies of my working config files.

-E

Can i do the same with PPTP ?
Or PPTP enable connection only from the same natwork of WAN ?
Because i try it and i can connect to 192.168.1.2 only from WAN class..

Thanks !

@GruensFroeschli:

To be honest i'm surprised you can get it actually working with a Windows-xp machine doing routing…

To enable TCP/IP Forwarding in Windows XP, you just need to enable a setting in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter = 1

For more information on it, please check out the following links:

http://www.home-network-help.com/ip-forwarding.html
http://support.microsoft.com/kb/315236

Try setting the "Bypass firewall rules for traffic on the same interface" option under system–>advanced

Has definitely already been enabled, as it will not let me ping remote hosts at all without that option enabled.

But if you have 2 pfSense's on both side i would just stick to let the two do the routing.

I have one minor issue when using two pfsense devices for a direct site-to-site connection.  I will get a post ready for those items.

Thanks for checking in with your input.  It is much appreciated!

Try drawing a diagram of how you want it to be setup then we might understand it better but I'm no Linux/BSD hawk but still managed to set it up. with different user accounts, you don't need to create the .ca's in the pfsense box you can create them on a different one aslong as ALL of your .ca's are created on the same computer(no exception).

No problem, glad you got it sorted. Sometimes you have to go down to nearly bare metal!

Thanks for the info.

@GruensFroeschli:

The OpenVPN interface is not firewalled.
The virtual OpenVPN interface is treated like a normal interface, just without the firewalling capabilities.

To be able to NAT from the OpenVPN subnet to the internet:
http://forum.pfsense.org/index.php/topic,7001.0.html

Thank for your reply but I still don't understand/analyze the configs/directives that i'm missing.

Do I have mo add a LAN interface alias (192.168.10.1 ) for my openvpn segment or just having advance Nat  192.168.1.0/24 & 192.168.10.0/24 for my LAN & openvpn will suffice? or do I have to do both?

I need to be precise in my configs because my box is running in the production and I dont want to encounter system downtime, that's why I'm analyzing my situation carefully.

Again thank and good day.

tnx. all.

solved

recreated everything once again, like http://forum.pfsense.org/index.php?topic=7840.msg44065, just created a few ovpn_client files
and it works.

Thank you! ;D
Not so good with all that code…

It created 3 files test.crt
test.csr
test.key

All normal?

What is the csr for anyway?

I will try it later and let you know

Thank you very mutch

No, I don't have that option in the client configuration, today I've changed again the configuration this time using UDP as protocol with LZO compression and some specified ports besides 1194 and voila, it's working  ;D
I can see that the client used port 1194 instead of any random port, weird, right? Anyways it's working and that is what matters!  ;D

Hi

err….address pool.... :P

cheers,

With so little information, I doubt it.

Can you provide a simple network diagram, showing the networks and the IP ranges.

Thank You sir!  :)

@GruensFroeschli:

Also please provide the config-files of the server and the client.
http://forum.pfsense.org/index.php/topic,7001.0.html

Mostly the file of the client since you seem to have missconfigured something there.

Hello

I had the same problem as you, change port from UDP 1194 to TCP 1194 for both client and server and it worked.

try it.

Edward

How would you connect to the pfSense?
Does each client install OpenVPN or do you have another firewall solution?