• Linking 2 branches together.

    Locked
    0 Votes
    3 Posts
    2k Views
    I would just set up a server that can be reached via internet and then password protect it. :-\ :-\
  • Nat on Tun?

    Locked
    0 Votes
    5 Posts
    3k Views
    Ok, I got it to work but not in a way that is useful outside of the lab.  Here are the remaining hurdles: I need to use tls auth and there is no way I can see yet to make the upload of the ta.key survive a reboot.  Maybe a full install on a microdrive… When I added the line to nat on the tun0 device to the lan subnet it worked, packets were passed from the lan to the tunnel but I don't know how to add the line into the pf.conf file permanently.  It seems to go away when the tunnel goes down and comes back up too and it of course goes away on reboot. Thank you for your assistance.
  • Help needed

    Locked
    0 Votes
    5 Posts
    3k Views
    Does your pfsense openvpn server have multiple WAN connections? What firewall rules do you have on the interface with the stations you're trying to ping?
  • Site to Site VPN Help

    Locked
    0 Votes
    5 Posts
    3k Views
    Ok, here it is, my network layout. Maybe you guys have some other opinions… all of them will be appreciated :D

        ISP [Pool of 5 Public IPs]
                  |
            [16 Ports HUB]
                  |
                  |---[router Drytek Site to Site other Office]
                  |
                  |---[PFSENSE - VPN SITE to SITE][Lan-192.168.1.254][Wan-Public IP]
                  |
        [IP NOKIA 330-Firewall-Def. Gateway]---[DMZ - Linux - Trustix - SMTP - PostFix + Squid]
                  |
            [192.1168.1.1]
                  |
            ------------------------------------------------
            |                       |                      |
        [D.C->192.168.1.17]  [Exchange->192.168.1.30]  [App Server->192.168.1.20]

    IP330 NOKIA -> default gateway for servers and PCs with fixed IPs
    PFSENSE -> default gateway and proxy for LAN PCs

    It's pfSense that I want to connect to some other pfSense or Cisco etc. etc.; it needs to be IPsec. But I don't want the other end of the site-to-site VPN to see / browse my office PCs / shares etc. etc. Thanks
  • OVPN Routing Help

    Locked
    0 Votes
    4 Posts
    3k Views
    the gateway, I always forget about the gateway.  That was it. Thanks!
  • OT certs renewal

    Locked
    0 Votes
    4 Posts
    2k Views
    GruensFroeschli
    Well, you should have thought about the expiration time before. If your identification card expires there's no way to extend the current one and you need a new one… http://openvpn.net/archive/openvpn-users/2002-07/msg00033.html (there is always Google you can ask if you don't believe me that you have to redistribute your certificates)
  • Query about the pfSense firewall and OpenVPN

    Locked
    0 Votes
    14 Posts
    11k Views
    Gruens, that is what I would have told him too. ;D
  • OpenVPN Backup Script

    Locked
    0 Votes
    2 Posts
    4k Views
    Still would like to know how to do this in Linux but I figured it out in Windows. I am going to try some more with Linux later tonight. I downloaded PSKill for Windows and was able to accomplish this by using 2 scripts. Run the Connect_Script, then run Disconnect_And_Backup_Script 10 seconds or so after. PSKill can be downloaded here: http://technet.microsoft.com/en-us/sysinternals/bb896683.aspx

    Connect_Script.bat

        openvpn --config "C:\path\to\file.ovpn"

    Disconnect_And_Backup_Script.bat

        REM Build a date stamp for the backup file name
        FOR /f "tokens=2-4 delims=/ " %%a in ('DATE/T') do SET tmpdt=%%a-%%b-%%c
        REM Fetch the config backup from diag_backup.php; --no-check-certificate skips TLS certificate validation
        wget -q --post-data=Submit=download --http-user=username --http-passwd=password --no-check-certificate https://IP:PORT/diag_backup.php -O "C:\path\to\backup%tmpdt%-firewall-config.xml"
        REM Stop the OpenVPN client
        pskill openvpn.exe
  • Issue with multicasting and OpenVPN

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • VPN Connects but no access

    Locked
    0 Votes
    2 Posts
    4k Views
    Cry Havok
    The log file makes it pretty clear you're not pushing any routes to the client.  As such it doesn't know how to get packets anywhere, so it'll never work ;) I'd guess you either need to add 192.168.1.0/24 to the "Local network" field or add push "redirect-gateway" to the "Custom Options" field.
  • RoadWarrior OpenVPN over UDP failing

    Locked
    0 Votes
    4 Posts
    3k Views
    In your OpenVPN config (i.e. OpenVPN\config\client.ovpn) on the client machine what do you have set up as "proto"? If it is set to "proto tcp-client" it needs to be changed to "proto udp"
  • Does OpenVPN remain supported?

    Locked
    0 Votes
    4 Posts
    2k Views
    Nothing to do directly with this thread, but OpenVPN development itself continues after a long stop. New RC has been released. A final version (2.1) when it will be ready :) Regards
  • How to Filter a "Road warrior" OVPN connection

    Locked
    0 Votes
    2 Posts
    2k Views
    Asenkevitch, I too am a bit scared of a hole as I see it in pfSense's OpenVPN implementation. If my mobile user loses control of his laptop, anyone with access to that machine can connect to my network. Yes, I can revoke the keys, but what if my user can't/doesn't tell me for several days? Also the administration overhead of all those certificates gets cumbersome when you start getting beyond 10-15 users. You want filtering which could add some protection to certain boxes segments, but what I would like is user authentication via RADIUS. Without the right credentials, nobody gets in. In fact they get locked out. That said, I have seen several posts of people who have done some twists and turns to get RADIUS and PAM working, however we use the embedded version which has no package support. So my question is how can an enterprise using pfSense on the embedded platform sleep easy knowing they have certificates and authentication protecting the OpenVPN doorway? I would love to help any bounty proposing for out of the box OpenVPN/RADIUS on the embedded platform if anyone knows of one. Thanks, Pedro
  • TCP or UDP?

    Locked
    0 Votes
    4 Posts
    2k Views
    Right Thank you for that info Gruens, that is exactly the question I was meaning to ask.
  • Power cycling and OpenVPN issues

    Locked
    0 Votes
    2 Posts
    2k Views
    Get a bigger UPS ;D
  • Can't ping any Lan clients …

    Locked
    0 Votes
    9 Posts
    4k Views
    Solved, I have 2 gateways in both networks, so I have to add the routes to the non-pfSense gateways :-/
  • SITE 2 site no DNS ping

    Locked
    0 Votes
    2 Posts
    2k Views
    Anything???? Am I the only one that has the problem?
  • Connecting to WAN2 with OpenVPN

    Locked
    0 Votes
    8 Posts
    4k Views
    Well, it seems to work sometimes. It seems like it is coming in one and going out the other. Normally I have to kind of play with the connection to get it to work. Any thoughts?
  • GUI Bug on 1.2RC3

    Locked
    0 Votes
    3 Posts
    2k Views
    1.2RC3. The boxes are ALIX WRAP systems and they're in remote locations so I'm not able to upgrade to 1.2RC4.
  • 0 Votes
    8 Posts
    9k Views
    Hi again, here are the IP4 routes from netstat -nrW:

    pfSense A

        Destination         Gateway            Flags  Refs  Use     Mtu    Netif  Expire
        default             194.XXX.XXX.253    UGS    0     168620  1500   vr1
        10.0.20/24          10.0.20.2          UGS    0     20300   1500   tun0
        10.0.20.2           10.0.20.1          UH     1     0       1500   tun0
        10.0.30.2           10.0.30.1          UH     1     0       1500   tun1
        127.0.0.1           127.0.0.1          UH     0     1       16384  lo0
        192.168.0           10.0.30.2          UGS    0     107810  1500   tun1
        192.168.254         link#1             UC     0     0       1500   vr0
        192.168.254.204     00:0d:93:9d:fd:3a  UHLW   1     392     1500   vr0    702
        192.168.254.240     00:16:cb:a9:e8:67  UHLW   1     43      1500   vr0    437
        194.XXX.XXX.224/27  link#2             UC     0     0       1500   vr1
        194.XXX.XXX.225     00:XX:XX:XX:XX:de  UHLW   1     19      1500   vr1    93
        194.XXX.XXX.227     00:XX:XX:XX:XX:de  UHLW   1     0       1500   vr1    98
        194.XXX.XXX.254     00:XX:XX:XX:XX:0b  UHLW   2     5955    1500   vr1    1189

    pfSense B

        Destination         Gateway            Flags  Refs  Use     Mtu    Netif  Expire
        default             220.XXX.XXX.241    UGS    0     81874   1500   vr1
        127.0.0.1           127.0.0.1          UH     0     0       16384  lo0
        192.168.0           link#1             UC     0     0       1500   vr0
        192.168.0.1         192.168.0.2        UH     1     0       1500   tun0
        192.168.0.193       00:16:36:53:c8:64  UHLW   1     5963    1500   vr0    1187
        192.168.0.232       00:19:d1:61:a3:aa  UHLW   1     10363   1500   vr0    939
        192.168.0.233       00:14:2a:8a:1e:42  UHLW   1     7065    1500   vr0    1149
        192.168.0.234       00:14:85:5e:9a:de  UHLW   1     6628    1500   vr0    1144
        192.168.0.236       00:08:a1:92:31:94  UHLW   1     1826    1500   vr0    1140
        192.168.0.237       00:11:5b:f4:1d:ff  UHLW   1     1010    1500   vr0    1200
        192.168.0.238       00:16:76:c5:51:e0  UHLW   1     4272    1500   vr0    1145
        192.168.0.239       00:19:d1:ee:1e:6a  UHLW   1     2951    1500   vr0    1179
        192.168.0.240       00:14:2a:8b:7b:b1  UHLW   1     8819    1500   vr0    1188
        192.168.0.241       00:11:5b:f4:26:4e  UHLW   1     845     1500   vr0    1198
        192.168.0.242       00:14:2a:08:8f:56  UHLW   1     331     1500   vr0    797
        192.168.0.243       00:16:76:c5:58:61  UHLW   1     4768    1500   vr0    1101
        192.168.0.244       00:14:2a:8b:79:df  UHLW   1     1715    1500   vr0    1156
        192.168.254         192.168.0.1        UGS    0     0       1500   tun0
        220.XXX.XXX.240/29  link#2             UC     0     0       1500   vr1
        220.XXX.XXX.241     XX:XX:XX:XX:XX:1f  UHLW   2     3755    1500   vr1    1174

    I've obviously changed the external IP addresses, but the important information is still there. BTW, aside from not being able to ping anything on network B from pfSense A, everything else is working fine in terms of cross-network access to internal servers and VoIP systems. Consequently, although I'm academically interested to know what the issue is, please don't bust a gut on this. Thanks again.