• Openvpn Multi-Wan failover

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    M
    Why don't you put all the addresses of your pfSenses (the main and the failover backup) into the configuration of your clients? Then the client would just try to connect to one server after the other until it works. You can even tell the client to randomly choose an IP to connect to (which would look more like load balancing).
  • Road warrior on port 1194 and 1195

    Locked
    12
    0 Votes
    12 Posts
    7k Views
    B
    Ok, I won't... Thanks for all your help. hockey ;D
  • OpenVPN on Multiple Ports

    Locked
    4
    0 Votes
    4 Posts
    20k Views
    A
    While I can't speak specifically to running multiple instances of OpenVPN, as someone who runs sshd on 80, 443, and 5190 (AIM; Continental Airlines used to allow 5190 through to any address, not just AOL), I can suggest that you want to move the management interface to another port and run an OpenVPN listener there - places that are big on the walled garden often have caching proxies in the middle for http (https is impractical to proxy, so it is more likely to go straight through). -rob
  • Site-to-Site VPN need to access network openvpn server is on through VPN

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    GruensFroeschliG
    Then I added a 64.208.129.0/24 route with the OpenVPN link as the gateway. I wouldn't add routes like these statically. You can just add the -route command to your config. OpenVPN adds these routes dynamically when the tunnel comes up and removes them when it goes down.
  • Where do i insert the password of the vpn ?

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    A
    I have discovered that the password is needed for the decryption of the private key (my private key, the file with the .key extension). So I have removed the password with a tool. Now, using OpenVPN, it does not request a password to connect. So I'm trying to configure pfSense, but it does not work! In the logs of pfSense I see this: [image: pfsensewi7.jpg] Any idea? Thank you. PS: I have noticed that my .key file begins and ends with -----BEGIN PRIVATE KEY-----, whereas pfSense needs a key with -----BEGIN RSA PRIVATE KEY-----. Trying to copy and paste my key does not work, so I have added the word RSA.
  • OpenVPN Nat trouble

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    S
    @Cry: You should have searched the forum… Currently there is no way of applying NAT or firewall rules to the OpenVPN traffic.  ISTR that this will change in 1.3, but you should search the forum for details. I assume I can make openvpn run an "up" script that creates things behind the scene to do this, though I haven't tried yet.
  • MultiWAN and OpenVPN

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    W
    If you don't do anything, the OpenVPN server will bind to all interfaces to which it can bind. Can you view the bindings anywhere?
  • OpenVPN server and PPTP client simultaneous usage leads to pfSense hang

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • OpenVPN server/client route messed up

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    GruensFroeschliG
    I'm sorry. I didn't read right. kpa describes it a bit better than I did :) What I mean: in a shared key setup, you have in the server log something like `openvpn[2560]: /sbin/ifconfig tun0 172.16.40.1 172.16.40.2 mtu 1500 netmask 255.255.255.255 up` and on the client something like `openvpn[2560]: /sbin/ifconfig tun0 172.16.40.2 172.16.40.1 mtu 1500 netmask 255.255.255.255 up`, while in a PKI setup the client usually has something like `openvpn[2560]: /sbin/ifconfig tun0 172.16.40.6 172.16.40.5 mtu 1500 netmask 255.255.255.255 up`
  • OpenVPN Road Warriors and determining assigned VPN IP's

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    H
    Yes, making the client use the company dns through the tunnel should usually be enough.
  • Openvpn fails while using CARP?

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    F
    Yes, I saw this today. I edited the configuration today and made a mistake. I moved it back to the previous configuration but I still had the same problem. I redid the VPN config from source, I reconfigured the rule, and I found a bug in my config (one device used a gateway which wasn't in use anymore). I managed to get it working. So it was a silly mistake of mine. Thank you anyway for the help.
  • Tunneling all WAN Traffic Over OpenVPN that Connects from WAN?

    Locked
    10
    0 Votes
    10 Posts
    6k Views
    GruensFroeschliG
    That's the way OpenVPN in routing PKI mode behaves. rtm on http://openVPN.net
  • Cannot Wake On Lan from OpenVPN

    Locked
    2
    0 Votes
    2 Posts
    7k Views
    H
    Wake on lan won't work for routed subnets. You have to be in the same layer2 subnet. Version 1.3 will have a user manager where you can add webgui users with specific rights (for example only access to the wake on lan page). This way you could allow your users to wake up the machines from the webgui. Just had a weird thought but maybe it will work: enable the captive portal at an interface that you don't use (could be even a vlan). Generate and upload a php page that has the remote machines listed and that uses the php script to wake up the clients (just copied a link from a client that I created in my webgui): services_wol.php?mac=01:23:45:67:89:00&if=lan "mac" is obviously the MAC address of the client and "if" the interface name that the client sits behind. You also could try to just embed the code of services_wol.php in your page. Users can access the page by going to http://<captive-portal-interface-ip>:8000. You can make that easier by adding some nice dns name like "http://caffeine:8000"  ;) For this to work make sure that you route the traffic to the captive portal IP through the tunnel as well. Btw, if you get this working please provide the code of the php page that you use for your captive portal  :)
  • Problem with VPN since upgrading to 1.2 final

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • OpenVPN –-- IPSec

    Locked
    8
    0 Votes
    8 Posts
    6k Views
    H
    We'll see that feature sooner or later and I would guess it will be sooner than later  ;)
  • Supported OpenVPN Capabilities

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    W
    I see that you have in your current config tls-auth: If you really "need" that you need to add the tls-file manually. I think there is somewhere a thread around from someone that did that. Not sure if/how that worked. (could you leave it away?) EDIT: found it. Enable TLS Auth support: http://forum.pfsense.org/index.php/topic,2747.0.html How do I make my ta.key permanent? http://forum.pfsense.org/index.php/topic,7956.0.html Thanks for all your help. I got all the tls stuff under wraps, I've already had a read about all that.
  • File Permissions and Log Warnings

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Accessing office network from outside

    Locked
    9
    0 Votes
    9 Posts
    5k Views
    GruensFroeschliG
    Very cool  ;D You could send it in to be linked :) @http://blog.pfsense.org/?p=183: First a user from the forum who has replaced his Cisco PIX firewall with pfSense. This is far from the first person who has replaced a PIX with pfSense, we know of numerous others ranging from the small office PIX 501 to the enterprise class PIX 535. In most networks, pfSense can do everything the PIX can, and at a significantly lower cost even with commercial support. Another person with a blog entry with a nice multi-WAN howto. Write up something about pfSense on your site you would like to share? mailto:coreteam@pfsense.org a link to us, we’d be glad to link it here.
  • Routing exceptions

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG
    Study the man pages of the OpenVPN documentation. Take a look at the possible flags of the redirect command.
  • Can't ping LAN hosts on both sides of the tunnel

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    GruensFroeschliG
    The conflict is that you DIDN'T set the virtual interface IP to a 10.10.10.0/24 IP but to a 192.168.9.0/24 IP --> "Interface IP" field on the client
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.