• How to view the OVPN server.conf via shell?

    Locked
    3
    0 Votes
    3 Posts
    5k Views
    jimpJ
    If you just want to view it, use "cat" not "vi". And with cat, you can also do that from the GUI under Diagnostics > Command
  • Best way to VPN two pfsense boxes over the internet?

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    T
    What would the client.conf look like for using PKI on the OS? Thanks
  • Howto from C't

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    M
    I changed the iroute to "iroute 192.168.0.0 255.255.255.0;" and did some testing with a Linux-based VMware host as client. With this client I connected successfully and could also ping in both directions!! So the problem seems to be my home router, which is an embedded version of 1.2.3… So I installed tcpdump and did some captures. All I could see is that no packages are arriving at the tun interfaces. So the problem seems to be the routing! So if someone with more routing experience on pfSense could give me a hand? Greetz Mircsicz

    P.S.: here's an output from tcpdump:

        [mirco@macbook-pro-wlan.mirco.home ~] 4$ ping 192.168.115.2
        PING 192.168.115.2 (192.168.115.2): 56 data bytes
        36 bytes from wall.mirco.home (192.168.0.1): Redirect Host(New addr: 192.168.0.1)
        Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
        4  5  00 0054 6d9c  0 0000  40  01 1878 192.168.0.66  192.168.115.2
        Request timeout for icmp_seq 0
        36 bytes from wall.mirco.home (192.168.0.1): Redirect Host(New addr: 192.168.0.1)
        Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
        4  5  00 0054 4fd4  0 0000  40  01 3640 192.168.0.66  192.168.115.2
        Request timeout for icmp_seq 1
        ^C
        --- 192.168.115.2 ping statistics ---
        2 packets transmitted, 0 packets received, 100.0% packet loss

        [root@wall.mirco.home]/root(8): tcpdump -i sis0 icmp
        tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
        listening on sis0, link-type EN10MB (Ethernet), capture size 96 bytes
        19:51:40.556932 IP macbook-pro-wlan.mirco.home > 192.168.115.2: ICMP echo request, id 30693, seq 0, length 64
        19:51:40.557817 IP wall.mirco.home > macbook-pro-wlan.mirco.home: ICMP redirect 192.168.115.2 to host wall.mirco.home, length 36
        19:51:41.555681 IP macbook-pro-wlan.mirco.home > 192.168.115.2: ICMP echo request, id 30693, seq 1, length 64
        19:51:41.556078 IP wall.mirco.home > macbook-pro-wlan.mirco.home: ICMP redirect 192.168.115.2 to host wall.mirco.home, length 36
        4 packets captured
        50 packets received by filter
        0 packets dropped by kernel
  • How to configure SSL Open VPN for Asterisk VOIP calls

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    Cry HavokC
    Any VPN will have an overhead. I can't find any product called "Simple VPN", so it's hard to say much more than PPTP and IPsec should have slightly lower overhead than anything using SSL.
  • All TAP-Win32 adapters on this system are currently in use.

    Locked
    15
    0 Votes
    15 Posts
    58k Views
    jimpJ
    Perhaps your current system shipped with driver integrity checking disabled. Google for it, there are ways to turn it off.
  • VPN tunnel with no encryption

    Locked
    5
    0 Votes
    5 Posts
    6k Views
    jimpJ
    VPN would add overhead to VOIP calls, it wouldn't help call quality, it may hurt it. The only advantage might be that it would look like a different protocol to your ISP's equipment and may be bypassing some QoS in places. It depends on what kind of filtering is being done by your ISP, but they could detect and block VPN traffic if they have powerful enough equipment to run protocol analysis on every connection that passes through their network.
  • Bridged OpenVPN (tap) possible?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S
    Our staff are able to access windows shares over a bridged (tun) openvpn connection just fine. I looked into a bridged network, but it seemed to be too much of a headache to make it work on pfsense.
  • Only UDP/123 works

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Client-Specific static IP doesn't work

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    The addresses are assigned out of the /30, not exactly what you specify. This should mean that…

        172.16.0.0/30 - Client .2 -> Server .1
        172.16.0.4/30 - Client .6 -> Server .5
        172.16.0.8/30 - Client .10 -> Server .9
        172.16.0.12/30 - Client .14 -> Server .13
        172.16.0.16/30 - Client .18 -> Server .17
        172.16.0.20/30 - Client .22 -> Server .21

    Try putting in .8/30 and see if your results are any different.
  • [SOLVED] Issue with OpenVPN Client Export on pfSense 2.0-Beta4

    Locked
    13
    0 Votes
    13 Posts
    35k Views
    D
    Success!! After updating to the latest revision, and redoing all the certs and the OpenVPN Server, I am now presented with a package installer link. I am now having an issue with my VPN connection timing out when I connect to it using my phone, but that is a story for another time and another forum post. Thank you jimp for your help, and all the hard work you and the pfSense group do. I definitely owe you one. :D
  • NAT a OpenVPN

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    You can assign tun0 as an interface under Interfaces > (assign), though check the doc wiki for OpenVPN filtering on some more specific instructions.
  • How to restrict IP address using OpenVPN on pfSense

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    Cry HavokC
    How did you generate and issue the keys before? You run the revoke steps there. If you don't still have that device, and the master CA key, then you have to re-issue all certificates, including the CA and server keys. You should also take steps to ensure that you can revoke keys in future.
  • OpenVPN Routing with Multi-WAN/LAN

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • OpenVPN Throughput: What to Buy? Intel Atom or Alix hardware crypto?

    Locked
    5
    0 Votes
    5 Posts
    6k Views
    J
    Hello, ssooooo, I bought the VPN1411 and it did … nothing. At least not to the OpenVPN throughput, using any Engine my OpenBSD offered (cryptodev too). I will test a little more, but I guess now it's an Atom I have to go for. What a shame. Greets
  • 2 OVPN servers with one set of server/client certificates/keys/etc.

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M
    Excellent. Thanks again.
  • TLS Error: TLS handshake failed

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    Cry HavokC
    Client and server config files?
  • PKI Site to Site does not work

    Locked
    11
    0 Votes
    11 Posts
    6k Views
    P
    Question: It seems as if I need to have OpenVPN in bridged mode to get my setup running. I followed this article (http://doc.pfsense.org/index.php/OpenVPN_Bridging) but again -> trapped. In my OpenVPN custom options I added this:

        dev tap0; float; server-bridge 192.168.0.1 255.255.255.0 192.168.0.160 192.168.0.199

    Unfortunately this does not work, I get this error message:

        openvpn[4446]: Options error: --server and --server-bridge cannot be used together

    Are there any other ways to get this up and running? I read sth. about the ashahi package. Could this be my solution? Regards, Alexander
  • OpenVPN to Linux client connection issues

    Locked
    7
    0 Votes
    7 Posts
    6k Views
    jimpJ
    No specific settings for ubuntu, it should all just work as long as you have the settings match the server (proper keys, protocol, port, compression, cipher, etc)
  • Anything Special to Migrate From IPsec VPN to OpenVPN Site-to-Site?

    Locked
    16
    0 Votes
    16 Posts
    9k Views
    F
    Mine is for multiple sites so I am using PKI because it is much easier to manage after the initial setup of generating keys. I see you tried PKI but in your latest config you are back to Shared Key. If you want to try PKI again I could try to help by comparing my config against yours but otherwise the configs are a little different already and I don't know where the problem could be.
  • Per-user firewall rules with OpenVPN

    Locked
    3
    0 Votes
    3 Posts
    5k Views
    jimpJ
    You can also set up CSC entries for the CNs of the certificates being used to connect, force them to a specific IP address, and then firewall those addresses as normal. An alias containing all of the members of a given group would be helpful. As shadowadepts said though, two separate instances would work as well. You might even want to make sure they use separate CAs if you do not use any other form of auth (e.g. TLS+Local User Auth).
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.