• Networkmanager-openvpn and pfsense?

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    K
    Yes, I've waded through all available docs.  It seems to be a Fedora rawhide specific problem, FC9 works.
  • New to openVPN

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    Please read the stickies and the howtos since there are step-by-step guides.
  • Routing VNC on VPN

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    GruensFroeschli
    I assume your mobile warriors don't get NATed to the internet. http://forum.pfsense.org/index.php/topic,7001.0.html Per default for every local "real" interface a rule will be installed that NAT's from this interface to WAN. If you want to have Internet access from multiple LAN subnets (i.e. you have a router behind pfSense with another subnet) enable Advanced outbound NAT and create a rule for every IP range you want to be NAT'ed. The same goes for OpenVPN if you want the OpenVPN subnet NAT'ed to WAN. You need to create a rule for every subnet you want NAT'ed. Alternatively you can change the source of a single existing rule from LAN to "any", thus NAT'ing everything. (screenshots to clarify: http://forum.pfsense.org/index.php/topic,7693.0.html ) This might create a problem for FTP with multiWAN, more here: http://forum.pfsense.org/index.php/topic,7096.msg40810.html#msg40810 Try this. I'm not sure, but I think this should help.
  • Pfsense 1.2 + openvpn + road-warrior cannot access windows share?

    Locked
    6
    0 Votes
    6 Posts
    7k Views
    T
    This isn't too hard. The point is that you have to have your WINS server announce on the subnet where the VPN hosts are too. This requires a few changes in the setup.
    1. You need to make the WINS server know it has another subnet to relate to: in smb.conf, make sure hosts allow contains the subnet:
         hosts allow = 127.0.0.1 10.23.23.0/24
         wins support = yes
    2. Then you have to add the following options to the openvpn server:
         push "dhcp-option NBT 2"
         push "dhcp-option DNS <your dns ip>"
         push "dhcp-option WINS <your wins server ip>"
    I find browsing a bit slow. I am not sure why, so if anyone has some input on that, I would be grateful.
  • No way to revoke certs?

    Locked
    10
    0 Votes
    10 Posts
    9k Views
    P
    I'll test this now with creating and revoking certs and see how I go. Good to see I wasn't insane and others couldn't revoke as well!
    Update: Creating certs works OK. You can't do a ./pkitool on its own now to get the usage message because the CN is now defined in the vars (so it generates a passwordless cert called whatever you set that variable to), but if you define your own CN on the command line it overrides vars. After playing around it seems to revoke the certs but not actually use the CRL? I tried a few different things (stop/start the service manually, add the CRL to the config page, etc.) but can't do a system restart at the moment. What needs to be done to get them to actually be revoked on login? At the moment they just time out after seemingly verifying OK. Logs also don't mention revoke.
      Jul 11 12:15:15 openvpn[90005]: xxxxxxxxxxxx:1194 TLS Error: TLS handshake failed
      Jul 11 12:15:15 openvpn[90005]: xxxxxxxxxxxx:1194 TLS Error: TLS object -> incoming plaintext read error
      Jul 11 12:15:15 openvpn[90005]: xxxxxxxxxxxx:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
      Jul 11 12:15:15 openvpn[90005]: xxxxxxxxxxxx:1194 Re-using SSL/TLS context
      Jul 11 12:14:16 openvpn[90005]: xxxxxxxxxxxx:1194 TLS Error: TLS handshake failed
      Jul 11 12:14:16 openvpn[90005]: xxxxxxxxxxxx:1194 TLS Error: TLS object -> incoming plaintext read error
      Jul 11 12:14:16 openvpn[90005]: xxxxxxxxxxxx:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
      Jul 11 12:14:13 openvpn[90005]: xxxxxxxxxxxx:1194 Re-using SSL/TLS context
  • Speed issues reported by roaming users

    Locked
    15
    0 Votes
    15 Posts
    6k Views
    N
    Yep, I have that rule
  • All traffic through openvpn, squid/squidguard

    Locked
    1
    0 Votes
    1 Posts
    10k Views
    No one has replied
  • OpenVPN Backup

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    J
    OK, I've found it in /cf/conf/config.xml, thanks
  • Multiple Locations - for VOIP

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    H
    Have been using Asterisk locally for above 2 years. I just only set up broadband access to the remote site, so SIP over VPN is all new for me !! cannot say it has worked and stop or run !! Up to now it runs well (1 week) !! So I have pfSense in the main site and dd-wrt on the remote site. OpenVPN server with pfSense; the remote site uses a PAP2 adapter and is connected via VPN tunnel to the Asterisk server. Just need to create an extension on FreePBX. Once the tunnel is up and the route OK, work is done ! d
  • Openvpn slow or no connection on some networks

    Locked
    7
    0 Votes
    7 Posts
    7k Views
    U
    IT WORKS. I told openvpn to listen on TCP 80; the standard ports (udp and tcp) must have been blocked by my provider's network. It's also the expected speed (fast). Thanks for your help. TUNNEL THROUGH 80 for those who are having problems with openvpn
  • PSK(shared key) and PKI, forcing traffic with push setting - site-to-site

    Locked
    13
    0 Votes
    13 Posts
    8k Views
    M
    @GruensFroeschli: Glad to hear it works :) I assume this is a test network. So your two WAN's are in the same subnet. If you move this into production you will have to add a static route for the WAN of the server. Something like route x.x.x.x 255.255.255.255 y.y.y.y with x.x.x.x being the WAN of your server and y.y.y.y the gateway of your client. Otherwise your client does not know how to send the VPN packets to the server after the tunnel is up. I'll be moving to production within a month. Thanks a lot again! :)
  • Cannot ping client thru vpn

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    H
    Hello, thanks for the explanation. My other site has only one computer so maybe it could be considered a roadwarrior connection. I will test different solutions. I chose PKI because it looks more secure. dd-wrt config with PKI uses the GUI, shared key uses a script ;-) PKI allows client-to-client connection (I think) but not tested yet! I hope I do not have to use IPSEC for firewall rules over VPN! So maybe I should contribute to the project to stay using openvpn…
  • Fixed IP's on OpenVPN

    Locked
    5
    0 Votes
    5 Posts
    7k Views
    GruensFroeschli
    What Valhalla1 said :) If you set up OpenVPN yourself you would have to write these files yourself. But on pfSense they will get created automatically if you just create a client specific configuration on the respective tab in the GUI.
  • OpenVPN connected site-to-site but still unable to connect.

    Locked
    4
    0 Votes
    4 Posts
    6k Views
    Y
    Hi, drbowen, Congratulations on successfully making the tunnel work. If you plan on running pfSense long term, better build it with hardware in the best condition. Are you running the VPN tunnel for file access or bridging? From what I know, you should not be able to do bridging if using the shared key method. Correct me if I'm wrong. kelvin
  • Duplicate MAC address on Client PC

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    Y
    Hi, I found a solution with this idea: Patch the registry to change the MAC address according to the IP. Disable the TAP adapter and enable it again. The MAC address of the TAP adapter will change to the new one. Then enable the OpenVPN client GUI. It should work. Now I will start working out the solution… or can some programming expert help on this? Thanks Kelvin
  • OpenVPN + MultiWAN = 0?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    Can you post the output of the OpenVPN log? I think I've read somewhere something about OpenVPN only working with TCP with multiple WAN's.
  • Can't ping thru OpenVPN tunnel :(

    Locked
    17
    0 Votes
    17 Posts
    14k Views
    S
    Thank you very much GruensFroeschli, Now everything much more clear. The topology that has been setup is obviously the problem. 10x again.
  • NAT 1:1 and OpenVPN

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    1:1 NAT forwards (as the name says) all ports to a server. Including the port you would use for OpenVPN. But why do you use 1:1 NAT? You could use normal NAT forwardings.
  • OpenVPN for 2 LAN sites fail to connect each other

    Locked
    19
    0 Votes
    19 Posts
    14k Views
    Y
    Bridge mode can be successful for 2 LAN sites in a "normal" condition. "Normal" means a normal office or group network. If those clients are "cloned" then you will meet the problem with the MAC address issue. This is because if the PCs are cloned, that means the MAC address will also be duplicated. The bridge mode I use is formed with a pfSense as OpenVPN server and the other client PCs installing OpenVPN with a TAP adapter. The client can connect successfully but needs a different MAC address on the TAP adapter. I'm trying to come up with a script that can make the TAP adapter MAC address change according to the IP address. But what I hope is that 2 pfSense sites can form bridge mode with no need to do any setting or installation on the client PC. It is possible. I know that pfSense routed VPN does not work for what I want. Anyway, I hope that I can make a successful case with GruensFroeschli's help :) or someone interested in it can study together. My network knowledge is level 1 only ^^
  • S2s VPN :: WinXP<->Pfsense A COMPLETE MYSTERY

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    S
    So, let's forget about my XP. While trying with my XP I was also trying with a Suse distro using the same settings as in the XP. The Suse is the router of the remote network I would like to connect. So to accomplish my mission, I need to: Switch back to PKI - a road warrior setup. I had that setup and almost no luck with the VPN. While changing settings, the most I got is to ping the remote VPN gateway, but not the network, so no success with s2s VPN! :( Could it be from the RFC 1918 networks incompatibility??? 10x PS. I was just wondering, can I still ping from the pfSense network to my XP VPN gateway???
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.