okay so everything was up and running yesterday, one of my employees for a reason beyond me rebooted the server side lastnight, after they did this the vpn stopped working agian, it still shows that it connects just fine from the logs but I can't seem to get any traffic to tunnel thru it.

It means that you missconfigured your tunnel. You probably followed this tutorial: http://www.pfsense.org/mirror.php?section=tutorials/openvpn/pfsense-ovpn.pdf which contains a bug as described in the sticky here: http://forum.pfsense.org/index.php/topic,2228.msg53309.html#msg53309

I decided to go down the IPSec route, after banging by head against the wall and meticulously looking at the configurations to ensure they were the same at both ends I managed to get it working.  I say got it working I really mean I left it and went home and when I came in the next day it magically had connected, probably lost a days worth of effort due to my own impatience.

I never really run into this problem, but as far as i see it, you cannot use the redirect-command in a shared key setup. You would have to add routes for the remote gateway and 0.0.0.0/1 and 128.0.0.0/1 manually. But from that thread: http://forum.pfsense.org/index.php/topic,6056.0.html It doesnt seem to be a problem :) Let us know if it worked for you.

http://openVPN.net –> documentation Sticky: http://forum.pfsense.org/index.php/topic,2228.0.html My post at the end of the thread. Also: http://doc.pfsense.org/index.php/Tutorials

@GruensFroeschli: I dont think a shared key setup is easier to manage with 50+ different tunnels. In a shared key setup you dont use pushes on the server to add routes to the clients. You have to add the routes in the client config directly. Meaning if you ever add a new office you will have to change the configuration of every client. If you use a PKI you just add a push command on the server and reinitialize the connections. If you want to use pushes you have to use a PKI. What about starting 50 instances of openvpn with shared key. Is it considerable load for the system or there is no real way to tell? I will look into the PKI setup.

hello, i have the same problematic, so if you have find a solution i am interested. let me know, thanks

Well one "way" (ugly hack) would be that you set up a second machine and define on it the OpenVPN interface as WAN. Then i think you can NAT to the WAN. http://devwiki.pfsense.org/OpenVPNasWAN But this would require that you have more than one machine. One as router and another one just for the openVPN tunnel. (and i'm not even sure if that works….)

Ok now it works. It is due to a bad configuration.

I do stuff similar to this, but instead of having 1 VPN tunnel between the remote box and the pfsense box, instead each client on the LAN has to run openvpn client and connect to the remote box.   then all their traffic is routed over the tunnel.  this takes pfsense out of the openvpn equation disadvantage - instead of one tunnel, there are many. more to manage,  scalability problems I imagine.. but end goal is the same,  clients on LAN all traffic goes through tunnel

The problem with the route is that when the openvpn tunnel is up, traffic destined to the remote network should be going to tunX interface, not the normal gateway. This is what I have on my pfsense box that is a client on a site-to-site tunnel, my local LAN is 192.168.13.0/24, remote LAN is 192.168.42.0/24, transfer net is 10.13.42.0/24. Destination Gateway Flags Refs Use         Mtu Netif Expire 192.168.42 10.13.42.1 UGS 0 32133 1500 tun1 (tun1 because tun0 is used by another site-to-site tunnel) At the other end (the server): 192.168.13 10.13.42.2 UGS 0 1000282 1500 tun1 (tun1 in this case because the other end also has a server for roadwarriors at tun0)

Wow - I need sleep.  Thanks for pointing that out…

I have the same problem, I try to use an static route with the server ip connection (openvpn) but when I go to system logs - openvpn, I see the gw of wan1, I don´t know how to use the gateway of wan2 with openvpn (client side). Somebody help? Sorry for my bad english…...

i know this is not recommended but i am using the same setup for pfsense as a server and the ddwrt as the client. is there any way that i can just assign an (vpn ip) to the ddwrt and then set a static route of 192.168.1.0/24 and use the vpn ip as the gateway? i would like to do this because i really like the fact that the ddwrt is a good platform for soho but a real pain in the ass to get the right syntax in for vpn site to site connect.

I already mailed him. No answer. In the meantime you can find it here: http://www.pfsense.org/mirror.php?section=tutorials/openvpn/pfsense-ovpn.pdf Also note that on page 21 is a typo. The field "Interface IP" should be 192.168.10.0/24 and NOT 192.168.1.0/24

Your questions have already been answered in the forum before. To summarize: Key managment should come in a future version. Until then you have to do it manually. Read the sticky to that. You can revoke single clients with the CRL (look at the webinterface for that and read about it on http://openVPN.net ) pfSense is not much else than a GUI to the creation of the server-config-files. I you really want to use it you wont come around knowing how OpenVPN works. OpenVPN can run in two "modes". Shared Key and PKI. In a shared key setup you connect two computers. Not more. This is for site-to-site. In a PKI every client has his own key and vertificate. (you cant have the same key for multiple clients) This is for a RoadWarrior setup.