Just saw it. The rule in OpenVPN that I added back was only for UDP. I had tried a traceroute and then an nslookup. NSlookup worked, UDP. Changed the rule to TCP/UDP and we are back. Thanks again.

The server errors are really old and I do not think related to your current problem, so I will ignore them. It seems that the client is simply not getting through to the server at all. Mar 13 10:48:38  openvpn[12597]: UDPv4 link local (bound): [AF_INET]10.60.3.21 Mar 13 10:48:38  openvpn[12597]: UDPv4 link remote: [AF_INET]192.168.31.34:1194 From the above, the client is correctly bound to a LAN IP at Branch2. For some reason it thinks it should connect to the server on 192.168.31.34 - which is a private IP. Unless you have setup a completely private test environment, then that is not a valid address of the server. If the client is setup correctly, with an extra "remote" statement in the advanced box, then the client log should cycle around about every minute trying "UDPv4 link remote: [AF_INET] n.n.n.n:1194" and "UDPv4 link remote: [AF_INET] m.m.m.m:1194" where n.n.n.n and m.m.m.m are the 2 WAN IPs at the server end. Both those server WAN IPs should be port-forwarded to LAN on the server end, where the server should be listening. What did I misunderstand about your setup?

thanks that has fixed my problem  :)

@m9820441: This is an interesting case as I'm suffering from exact the same issue. Could you please elaborate more in detail how you fixed this? More specifically : what has to be done on the remote side for routing? Thx You just need an additional Phase 2 entry on both ipSec site pointing to the OPenVPN network. So on your site it the local network will be the openVPN network and on the remote site the remote network will be your openvpn network. Cheers,

@phil.davis: Can't I just add two rules under the default rule on WIFI1? I.e., two not-rules just over/under each other? Any special rules need to go before (above) the more general rules. The rules are checked from top to bottom, and the first match is what counts. If you put 2 rules on WiFi1   (a) (destination !LAN) to WAN_DHCP   (b) (destination !WIFI2) to WAN_DHCP then:   (i) traffic from WIFI1 to WIFI2 matches (a) - so it gets routed to WAN_DHCP   (ii) traffic from WIFI1 to LAN matches (b) - so it gets routed to WAN_DHCP not what you want! The rule on WIFI1 needs to be (destination (!LAN and !WIFI2) to WAN_DHCP) For that, you need an alias that covers LAN and WIFI2 together, and use (destination !alias) in the rule. Wouldn't it be clever to implement AND, OR into the pfSense ruleset right away to be able to use them within the firewall rules? I think this would make sense, because the two dimensional matrix layout (aliases) doesn't suit very well for a three dimensional problem (single host aliases, groups of hosts, groups of groups meaning different layers).

Thank you very much deltalord. It works very well.

Gladly: [image: finalconfigvpn.jpg]

I can confirm the problem is fixed. The connection was successfully tested with remote clients with windows 7 and 8 and openVPN gui version 2.3

Try looking at the following, found by random Google searching: http://forums.freebsd.org/archive/index.php/t-26035.html http://www.linuxquestions.org/questions/linux-newbie-8/error-pem-routines-pem_read_bio-no-start-line-pem_lib-c-644-expecting-trusted-certif-654698/ http://forums.freebsd.org/showthread.php?t=26035 http://www.question-defense.com/2009/07/08/litespeed-ssl-error-error0906d06cpem-routinespem_read_biono-start-line http://stackoverflow.com/questions/3617293/openssl-pkey-get-public-not-open-public-key-no-start-line-error

I ended up using an OPT interface in pfsense and giving it a seperate subnet from my lan.  Just setup a rule in opt interface firewall rules  to allow traffic from the opt subnet through the openvpn gateway. I should also add that i'm using two nics on the machine i'm routing through the vpn.  I also use forcebindip to force binding applications i want to to the nic connected to the opt interface.

I am trying to do the same as you and it works as expected if the VPN is up.. However if the VPN is down or you disable the service it seems to route through the default gateway regardless of rules. Do you see this as well?

Jimp to the rescue! Thank you, that was it. I did not check it because computers were connecting fine. Best regards Kostas

Use Diagnostics->Routes to see what routes are on each pfSense. If you have the local network and emote network in the OpenVPN config correctly, then there should be routes on each box to the opposite LAN. And yes, the WAN of each pfSense should be fine pointing to your D-Link router 192.168.0.1 - in your test environment, 192.168.0.0/24 is playing the role of the real internet.

@johnpoz: So your fully working and functional now, even to your window boxes, which I take it were running firewalls blocking the traffic you wanted to allow. So you get your browselist working, or live without that MS nonsense ;) As you said (without that MS nonsense)…thank you man your a hero .

Need more specifics to troubleshoot. Which guide did you follow to set up the tunnel? Post your Server openvpn config Post your client openvpn config (site b) And I have to ask… but is there a PFsense box on both ends? Post screen shots of firewall rules on both ends on the openvpn tab