FIXED I went into the VPN interface, clicked 'Save' and all miraculously started working again. got the idea from another Thread: https://forum.pfsense.org/index.php?topic=75142.0 Same problem too (vpn tap with certificate + bridge) The vpn connects correctly (from logs either client and server side), but no traffic passes through it as interface is down. Going to the interface properties hitting save makes it work The problem doesn't happen with vpn tun with shared key to another location Thanks for the help though!

Well that figures, after dealing with it for weeks and finally asking for help, I seem to have fixed it. I ran 'addtap' and it gave me some dialog about how it was installed and updated?  It's working now.

A couple potential solutions. Use different networks for the local and VPN.  e.g. local: 192.168.1.x, VPN: 192.168.21.x Edit: Oh wait a minute, just realized that isn't what you are talking about.  It's the work and local networks that would need to be different also.  I think. Place the OpenVPN interface at the top of the binding order. This was pointed out to me by hero member johnpoz in an earlier thread last week: https://forum.pfsense.org/index.php?topic=77421.0 Good luck.

If you had used EasyRSA on pfSense 1.2.x to make the certificates and imported the CA from there, you have to be careful to get the serial number from EasyRSA when importing. EasyRSA tracked it in a separate text file. See https://doc.pfsense.org/index.php/Using_EasyRSA_Certificates_in_2.x

I'm a little unclear on what's your actual problem. Does the Tomato router connect, but you simply can't ping it from the pfsense side? Or does the Tomato connect and then drop off forcing a restart of the OVpn connection? If it's just a ping issue, you may need to add the "iroute 192.168.1.0 255.255.255.0" to the "OpenVPN->Client Specific Configuration" section for your Tomato connection.

Hi kpa, thanks for your fast response. The VPN is a TAP/bridged one, as fas as I understand there is no tunnel on this kind of vpn, or am I missing something? Thanks, Jakommo

ok i confirm the workaround. For an OpenVPN in TCP 443 on pfsense 2.1.3 i have to disable TCP Inflight Mode. If not, i have only 1.3 Mbit, without, i have 12 Mbit !

Yah, been there ::) Sometimes the magic works…... Sometimes you just have to get all the details just right..... Glad it's up and running  :)

I got panicked while I run``` pkg_add openvpn anyway I did pkg_delete openvpn-2.2.2 pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/All/openvpn-2.3.2.tbz and now I got openvpn version 2.3.2 and also the shared object : /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so thank you very much… I ll make my tests now...  :)

My reply is after adding that option and testing for however many days since your post. At first, it seemed to have done the trick but then I realized same problem exists. Here is my config auth-user-pass xxxx; #route-gateway x.x.x.x; #dhcp-option DNS x.x.x.x; #dhcp-option DISABLE-NBT; route-noexec; #dhcp-option DNS 8.8.8.8; #verb 6; reneg-sec 0; keepalive 10 60

"But I use this vm for business use and this request is for my personal use" So you want to route your personal traffic through your business box?  And you don't want to even reboot it, etc.  Why don't you just get a lowend vps, install the simple openvpn access server package on it and be done? https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html  You say this is personal use, it comes with 2 connection license for free. I have started a doc/howto in connecting to this and using policy routing, etc.  But have gotten side tracked and have not finished it yet, etc. I have multiple lowend vps for play, they are $15 a YEAR ;)  route your personal vpn traffic through one of those - my plan has 500GB a month, etc. If you want I could post a link to the plan I am using.. But there are plenty of low end vps to play with out there..  Why you would even think of touching a business box for personal use, not sure thinking would be the word I would use ;)  Be it over or under.. Unless not was the term you were looking for..

Thanks for the reply macboy6.  I do already have Tomato on an Asus router to do this, but I want to route the VPN through a computer with a faster processor to get better download speeds.  And I do like having pfSense on an old desktop.  It has worked great for several weeks now for the local network. May I ask how you were able to get it to work with pfSense?  I've followed the tutorials in the sticky link on this, but I can't seem to make it work. Thanks for any words of wisdom you may have!

ok. thanks, now I understand, /32 has to put in the list. I have one more concern: currently we are using  2.1.2-RELEASE of pfsense. and quagga we are using: 0.99.22.3 v0.6.1. With my previous setup where I turned on accept filter in OSPF interface config on openvpn interfaces and setup /28 filter subnets in quagga OSPF main page we had the problem when a link went down and ospf neighbour has gone the Quagga Zebra service stopped. So all routes via OSPF have gone. I was not able to manually start Quagga Zebra daemon, till I remove the accept filter setting on openvpn interface in Quagga interface configuration section. Did you experience something similar? I can reproduce this error anytime. Thanks for help, klajosh2

I used the client export utility on pfsense's web management page, and yeah I think it installed the adapter.  I uninstalled OpenVPN and reinstalled it and its working, for now.  Not sure what happened.  I installed it exactly the same way the first time around.  Hopefully it continues to work.

Marvosa, you're right I very well may be using the wrong solution.  If there is a better way to go about it I am completely open to it, and in fact if there's a way to have anything that connects to my VPN just be directly on the same subnet that's what I want but haven't found a way to do so yet.  Thanks again, and here is the server1.conf. (I removed my public IP, but everything else is untouched.) Edit:  After looking into what you said, I'm pretty sure I do just want it bridged.  I don't want them to be segregated in any way.  I'm tinkering with it trying to set the "Device Mode" to "tap" without much luck yet. dev ovpns1 dev-type tun tun-ipv6 dev-node /dev/tun1 writepid /var/run/openvpn_server1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher AES-128-CBC up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown client-connect /usr/local/sbin/openvpn.attributes.sh client-disconnect /usr/local/sbin/openvpn.attributes.sh local <my public="" ip="" is="" here="">tls-server server 192.168.2.0 255.255.255.0 client-config-dir /var/etc/openvpn-csc username-as-common-name auth-user-pass-verify /var/etc/openvpn/server1.php via-env tls-verify /var/etc/openvpn/server1.tls-verify.php lport 443 management /var/etc/openvpn/server1.sock unix max-clients 10 push "route 192.168.1.0 255.255.255.0" ca /var/etc/openvpn/server1.ca cert /var/etc/openvpn/server1.cert key /var/etc/openvpn/server1.key dh /etc/dh-parameters.1024 tls-auth /var/etc/openvpn/server1.tls-auth 0 comp-lzo</my>