• 0 Votes
    3 Posts
    1k Views
    L
    I spent  a few hours this weekend reading replies to similar problems and I found one reply that talked about Phase-2 entries.  Once I added an entry into Phase-2 on both psfA and psfB I was then able to connect to servers on lanB. Thanks for the help and a great product.
  • Client ---> server (OK) ---> Internet (NOT OK)

    7
    0 Votes
    7 Posts
    2k Views
    P
    The 0.0.0.0 thing was automagically added by the pfSense code (filter.inc 2.1-RELEASE). It is not needed - it was changed to 0.0.0.0/32 in GitHub recently then removed altogether by this commit: https://github.com/pfsense/pfsense/commit/992324efad8f8c2c8144619e8c7681458560cd16 So you can ignore it - no special NAT rule needed for that.
  • I am looking for OpenVPN guru - paid support!

    1
    0 Votes
    1 Posts
    969 Views
    No one has replied
  • No traffic across the VPN tunnel

    5
    0 Votes
    5 Posts
    2k Views
    P
    Normally a reboot is not required for any pfSense config changes, including setting up VPNs… But it is so long since I used 2.0.1 I can't be sure if there were some things that did not always work on-the-fly. Certainly in 2.1-RELEASE I set up and reconfigure OpenVPN servers and clients without needing to reboot - the system changes all the routes... on the fly.
  • Pfsense in the middle client and server VPN

    1
    0 Votes
    1 Posts
    686 Views
    No one has replied
  • Yealink phones

    30
    0 Votes
    30 Posts
    14k Views
    P
    Thanks.  I implemented the solution today.  During the Holidays it is near impossible to gain access to/leave our building due to the City area being extremely busy for shopping.  As a rule we work remotely for this week, however I moved the PBX to another more manageable and secure network.  The work we do is similar to a NOC, but Tier 2 which is on call.  When persons try to contact the office it was difficult to get to my Staff members or the member needed to fix a problem.  My staff can now work remotely using their Cell, Yealink or PC Soft Phone to remedy issues when someone calls the office PBX. Thanks to you Jimp for guidance and showing me/us how to patch the GUI  issue and also to sscardefield….a fantastic job of putting the step by step guide together showing the creation of Certificates for OpenVPN both with and without User Authentication.  This actually got me to understand the process better than using the wizard.  Thanks to everyone else who participated in this thread as well.
  • OpenVPN fails after LAN IP address change

    10
    0 Votes
    10 Posts
    2k Views
    KOMK
    Yes.  Anyway, don't worry about it.  I moved back to the old IP a few days ago, it's working fine ever since and I've moved on to other projects.
  • Site-to-Multisite traffic issues

    4
    0 Votes
    4 Posts
    1k Views
    T
    I ran a packet capture on a client and the server, and the clients are sending data, but no traffic is showing in the packet capture on the server. Literally none; the box is blank after I stop the packet capture on the OpenVPN server interface.
  • 0 Votes
    1 Posts
    691 Views
    No one has replied
  • OpenVPN single port

    5
    0 Votes
    5 Posts
    1k Views
    P
    What I had posted would work? changing every server? Yes, you can put the servers at the branch offices, like your 2nd diagram, and have 4 clients connecting out from the main office. But myself, I make my OpenVPN servers listen on a different port to the default (1194) anyway, and it is no problem having 4 of them listening on 4 different port numbers.
  • OpenVPN Connect for iOS 1.0.2 Released

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • OpenVPN CA and certificates lost when restore backup to other hardware.

    1
    0 Votes
    1 Posts
    781 Views
    No one has replied
  • Central Monitoring to Multisite VPN using PFSense

    2
    0 Votes
    2 Posts
    984 Views
    P
    Yes, you can use a single site-to-site OpenVPN server with Certificates, have multiple site-to-site OpenVPN clients connecting in and use Client-specific-overrides to tell the server which remote office subnets are reached down which client. Or you can make 3 separate servers at main office using pre-shared keys, listening on 3 different ports. If you only have a couple of remote offices then it can be easier to use the pre-shared keys method and have a few servers, rather than bothering to make the certificate authority, certificates,…
  • *SOLVED* OpenVPN TAP interface does not come back after server edit

    2
    0 Votes
    2 Posts
    1k Views
    A
    Well, the firmware update solved the VPN and aPinger issues. My long term to do list includes switching this router over to straight pfSense, but all is well for now. Andy
  • Auto restart on SIGTERM possible?

    3
    0 Votes
    3 Posts
    1k Views
    M
    Thanks heper! I'll try that.
  • OpenLDAP = AUTH_FAILED

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Traffic will not route through VPN [Solved]

    4
    0 Votes
    4 Posts
    3k Views
    A
    So I created a new rule at the top; my connection status image is attached. Rules are LAN IPv4 * LAN net * * * OpenVPNinterface_VPNV4 IPv4 * LAN net * * * * none OpenVPNinterface IPv4 * * * * * * none OpenVPN IPv4 * * * * * * none. This results in some very unexpected behavior, i.e. I can only reach a handful of websites and a lot of domains become unreachable. My IP is identified as ISP IP and not VPN. **Update:** I got the traffic to route through VPN somewhat. So by adding redirect-gateway def1, I get the correct Remote IP but I have the same problems mentioned earlier: I can ONLY reach a handful of websites. **Update 2:** OK, now it WORKS!! And I am even able to selectively route traffic for specific domains/IPs that I define. I have no idea why it works now, all I know is I'm backing this shiz up. Is there an easy way to back up the whole image of the OS and not just configuration? If someone is pulling their hair with VPN setup on this great software, my recommendation is to make changes 1 at a time, then reboot and test. **Update 3:** The routing problems were caused by HAVP antivirus, specifically Transparent proxy. ![Connection Status.jpg](/public/imported_attachments/1/Connection Status.jpg) ![Gateway connection.jpg](/public/imported_attachments/1/Gateway connection.jpg)
  • Using a client.ovpn file with pfsense

    5
    0 Votes
    5 Posts
    7k Views
    M
    Thanks for the link Mirimir, unfortunately I think we have different ideas of what is "easy-to-follow", besides your page discusses a very different setup, installing pfsense in VM's and what-not. I already have a dedicated pfsense router that I wish to use. I further wish to route traffic to one of 3 VPN servers based on protocol/target name/IP address. My pfsense is set up in what I believe is the standard way for dual wan. Normally I'd go to the Lan tab and create a new rule, I can make selections for which conditions I'd want to use the VPN, but I can't see where I then pick the VPN link? I would assume I should pick "Gateway" but when I do that I don't see VPN as a gateway???
  • Unable to route VPN Traffic between multiple sites

    6
    0 Votes
    6 Posts
    3k Views
    M
    The route statements need to be there, so in theory it shouldn't matter whether they're added to the advanced box or generated by the GUI using the new "172.20.10.0/24,172.16.1.0/24" syntax of 2.1.  All the commands get entered into the same config. So, if using "172.20.10.0/24,172.16.1.0/24" on the remote networks line works while adding routes to the advanced box doesn't… I'm wondering if that's a bug. For the DEVS Does v2.1 and above now prefer multiple subnets be entered on the "IPv4 Remote Network/s" and "IPv4 Local Network/s" line vs. the advanced config box or are we looking at a possible bug?  Please confirm.
  • Unable to get bidirectional traffic on site to site VPN

    4
    0 Votes
    4 Posts
    4k Views
    B
    @Marvosa: thanks for your suggestions and observations. In response to your suggestions: I already have in place any to any rules in all relevant interfaces in my testbed. I'm not using windows at all, and yes, I have permissive host firewall rules in both desktops at each LAN. I've tried rebooting several times (although not quite after each change/attempt). It is. The weirdest thing to me is the fact that when I ping a Client-side LANs desktop from a Server-side LAN desktop and capture traffic at the virtual interface from the PFSense that runs as OpenVPN server (opvpns1) I do see the packets passing through, but I don't see them coming to opvpnc1 (virtual interface from the PFSense that runs as OpenVPN client). It seems as those packets 'get lost' at the OpenVPN tunnel. And as I mentioned in previous posts, I don't spot any issues either with the traffic routes or with filtered out packets at the firewall log. Thanks once again though
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.