@chazers18: Thank you Guys you are all great. i will work with some of the scripting that i know how to do and post the results also. Again THANK YOU!! :) now from a window pc couldnt i just create a static key and with winscp ssh in to the ddwrt thing and place the static key in there under one of the permanet files. and then just run this command? echo "dev tap link-mtu 1492 remote public IP resolv-retry infinite ifconfig 192.168.1.0 255.255.255.252 client –---BEGIN OpenVPN Static key V1-----   ...INSERT YOUR OWN CONTENT HERE...   -----END OpenVPN Static key V1----- " > /tmp/static.key #ca /tmp/openvpn/ca.crt #cert /tmp/openvpn/client.crt #key /tmp/openvpn/client.key #comp-lzo persist-tun persist-key verb 3 cipher AES-256-CBC" > /tmp/openvpn/openvpn.conf killall openvpn openvpn --config /tmp/openvpn/openvpn.conf

i would jus t set up a server that can be reached via internet and then password protect it. :-\ :-\

Ok, I got it to work but not in a way that is useful outside of the lab.  Here are the remaining hurdles: I need to use tls auth and there is no way I can see yet to make the upload of the ta.key survive a reboot.  Maybe a full install on a microdrive… When I added the line to nat on the tun0 device to the lan subnet it worked, packets were passed from the lan to the tunnel but I don't know how to add the line into the pf.conf file permanently.  It seems to go away when the tunnel goes down and comes back up too and it of course goes away on reboot. Thank you for your assistance.

Does your pfsense openvpn server have multiple WAN connections? What firewall rules do you have on the interface with the stations you're trying to ping?

Ok here it is my network layout Maybe you guys have some other opinions… all of them will be apreciated :D ISP [Poll of 5 Pubic IP's]                                         |                                         |                                         |                                   [16 Ports HUB]                                         |                                         |                                         |                                         |–--------------------------[router Drytek Site to Site other Office]                                         |                                         |                                         |                                         |                                         |                                         |–--------------------------[PFSENSE - VPN SITE to SITE][Lan-192.168.1.254][Wan-Public IP]                                         |                                         |                                         |                           [IP NOKIA 330-Firewall-Def. Gateway]–------------------[DMZ - Linux - Trustix - SMTP - PostFix + Squid]                                         |                                         |                                         |                                         |                                         |                                   [192.1168.1.1]                                         |                                         |                                         |                                         |                                         |                                         |                           –----------------------------------------------------------                           |                                    |                                            |             [D.C->192.168.1.17]        [Exchange->192.168.1.30]              [App Server->192.168.1.20] IP330 NOKIA -> default gateway for servers and pc's with fixed IP's PFSENSE -> default gateway and Proxys for lan PC's –-------------------------------------------------------------------------------------------------- Its Pfsense that i want to connect to someother pfsense or cisco etc etc need to be IPSec But i dont want that the other end of the site to site vpn see / browse my office pc's / Shares etc etc Thanks

the gateway, I always forget about the gateway.  That was it. Thanks!

Well you should have thought about the expiration time before. If your Identification Card expires there's no way to extend the current one and you need a new one…. http://openvpn.net/archive/openvpn-users/2002-07/msg00033.html (there is always google you can ask if you dont beliefe me that you have to redistribute your certificates)

Gruens that is what i would have told him too. ;D

Still would like to know how to do this in Linux but I figured it out in Windows.  I am going to try some more with Linux later tonight. I downloaded PSKill for windows and was able to accomplish this by using 2 scripts.  Run the Connect_Script then Run Disconnect_And_Backup_Script 10 seconds or so after. PSKill can be downloaded here http://technet.microsoft.com/en-us/sysinternals/bb896683.aspx Connect_Script.bat openvpn –config "C:\path\to\file.ovpn" Disconnect_And_Backup_Script.bat FOR /f "tokens=2-4 delims=/ " %%a in ('DATE/T') do SET tmpdt=%%a-%%b-%%c wget -q --post-data=Submit=download --http-user=username --http-passwd=password --no-check-certificate https://IP:PORT/diag_backup.php -O "C:\path\to\backup%tmpdt%-firewall-config.xml" pskill openvpn.exe

The log file makes it pretty clear you're not pushing any routes to the client.  As such it doesn't know how to get packets anywhere, so it'll never work ;) I'd guess you either need to add 192.168.1.0/24 to the "Local network" field or add push "redirect-gateway" to the "Custom Options" field.

In your OpenVPN config (i.e. OpenVPN\config\client.ovpn) on the client machine what do you have set up as "proto"? If it is set to "proto tcp-client" it needs to be changed to "proto udp"

Nothing to do directly with this thread, but OpenVPN development itself continues after a long stop. New RC has been released. A final version (2.1) when it will be ready :) Regards

Asenkevitch, I too am a bit scared of a hole as I see it in pfsenses OpenVPN implementation. If my mobile user loses control of his laptop anyone with access to that machine can connect to my network. Yes, I can revoke the keys, but what if my user cant/doesnt tell me for several days. Also the adminsitration overhead of all those certificates gets cumbersome when you start getting beyond 10-15 users. You want filtering which could add some protection to certain boxes segments, but what I would like is user authentication via RADIUS. Without the right credentials, nobody gets in. In fact they get locked out. That said,  I have seen several posts of people who have done some twists and turns to get RADIUS, and PAM working, however we use the embedded version which has no package support. So my question is how can an enterprise using pfsense on the embedded platform sleep easy knowing they have certificates and authentication protecting the OpenVPN dooway?? I would love to help any bounty propsing for out of the box OpenVPN/RADIUS on the embedded platform if anyone knows of one. Thanks, Pedro

Right Thank you for that info Gruens, that is exactly the question I was meaning to ask.

Get a bigger UPS ;D

solved, i have 2 gateways in both networks, so i have to add the routes to the non-pfsense gateways :-/

any thing???? am i the only one that has the problem?

Well it seems to work sometimes. It seems like it I coming in one and going out the other. Normally I have to kind of play with the connection to get it to work. Any thoughts?

1.2RC3. The boxes are ALIX WRAP systems and they're in remote locations so I'm not able to upgrade to 1.2RC4.