Doing a traceroute from de XP client i see it goes through the PFsense's end of the VPN connection. XP has not firewall, nor the local linux host. XP LAN: 10.129.4.X TUN: 10.1.8.6 ping LINUXBOX: works ssh LINUXBOX: doesn't work http LINUXBOX: doesn't work PFSENSE LAN: 10.1.1.X TUN: 10.1.8.1 LINUXBOX LAN: 10.1.1.X ping XP: works rdp XP: works

it will work fine, i run mine like this as well. 192.168.125.0/25 LAN 192.168.125.128/27 VPN as far as how to access the other non-LAN subnets, youll just need to tinker with it… but it doesnt sound unresonable.

did u put ur Local Network in Local network place openvpn server configuration ?

ahhh finaly!! thanks GruensFroeschli and mihai, i love you <3

just fixed… thank you !

do your remote client know a the route to your local subnet?

It is a PKI what i get from the IPCOP, but the pki does have a password When i use it on windows with the client from openvpn.se it is asking me for a password. (Client to Net) and on the setup on the IPCop i had to enter a Password even in PKI pfsense is setup as client and it took my CA, Client certificate and Client Key just fine. Pfsense is always coming up with this Aug 2 20:39:04 openvpn[43938]: Exiting Aug 2 20:39:04 openvpn[43938]: Error: private key password verification failed Aug 2 20:39:04 openvpn[43938]: Cannot load private key file /var/etc/openvpn_client0.key: error:0906A068:PEM routines:PEM_do_header:bad password read: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib Aug 2 20:39:04 openvpn[43938]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Aug 2 20:39:04 openvpn[43938]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006 I'm a noob on OpenVPN … :-)

I've had a friend help figure this one out.  What we had to do was use iroute in conjunction with the route command.  We now have a working PKI VPN infrastructure where all remote locations and the local office are fully connected.  (Can ping from anywhere to anything). If you're having issues, try looking at using the ccd directory and the iroute/route directives.

is this pertaining to the challenge password i setup in my keys? I can still connect to my VPN and i don't need to enter any password. Is this secure without having a challenge password? I'm a little concerned about the man in the middle type attack

ive been working on getting a CRL generated, but each time i do, i get errors. (hesitant to post all my output, as it has lots of information pertaining to one of my clients). has anyone else sucessfully revoked a cert, and if so, how did you do it?

I've resolved my problem ! I add a static route in "mypfsense2" for network subnet of "client1"

on the openvpn wishlist… i didnt log in and try to post yet another, but maybe someone could edit their GUI wish, to be able to not only add certs, but to revoke them as well.  this would probably be a given if someone were to actually go to the trouble, but either way, i think its worth wishing for  :)

No need for rules, but need to specify remote subnets in the openvpn config on both pfsense-sides…

OpenVPN-Filtering is not available until now… Will come later...

False alarm. :) The problem is on the ADSL router. I can't traceroute also from the LAN to the internet (traffic goes only through the ADSL router) So nothing to do with pfsense. Thanks for the response.

Hi! Thanks for replying. I've Pfsense 1.2-BETA-1, and with the OpenVPN package, i'm already capable of doing this three things: Listen on multiple ports Listen on multiple protos (tcp & udp) Listen on multiple IP's (multi-WAN) I just put on the "custom options" of the my two openvpn tunnel configuration this line: local 85.35.218.x;remote 85.35.219.x # for tunnel A local 85.35.219.x;remote 85.35.220.x # for tunnel A and doing a netstat -an it shows: udp4      0      0  85.35.218.138.1194    . udp4      0      0  85.35.219.219.1195    . So openvpn daemon is listening correctly on both two wans fo incoming connections (with tcpdump i've tested it). And changing the protocol tab of the config, should also do the trick to listen on different protocol (tcp/udp). But my question was referred to the possibility of doing policy routing for the two vpn, for the hosts inside the lan subnet of both sites. If i create a firewall rule, the tun0 and tun1 interface should appear in the gateway tab, so that i could choose the tunnel to use for a particular host/subnet to host/subnet communication. Is there another way to do this, waiting for the possibility to choose also the tun interfaces in the gateway tab of firewall rules option? Thanks again. PS. For failover over vpns i can wait, but the policy routing would be the choice to decide to switch or not to this great product.

@fumes87: Is there a way I can connect to all elements on my LAN without changing their gateway to the PFSENSE machine? Appropriate routing configured on whatever device is their default gateway.

http://doc.pfsense.org/index.php/Setting_up_OpenVPN_with_pfSense part at the bottom: "advanced hackery"