• OpenVPN Site-to-Site Issues

    Locked
    0 Votes
    4 Posts
    2k Views
    C
    @nadaron: I looked around and found a strange thing in the ifconfig output (server and client):
    Not strange, that's just how it works when using certificates. My guess is you're missing either a route or an iroute. http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)
  • OpenVPN TAP and STP problem

    Locked
    0 Votes
    3 Posts
    3k Views
    F
    Hello, If I recreate the bridge or change the STP proto (stp/rstp) stp will be enabled on the openVPN interface. However, after a reboot stp is only enabled on the physical nic. For now this isn't a game changer for me as my network is working ok with each connected stack electing itself as the root when stp is disabled. When I have STP on the nic in pfSense the switches elect the pfSense nic as the root (I can change this by adjusting the priority though). Thanks for your time, Fred
  • Trying to configure openVPN and got this error TLS Error

    Locked
    0 Votes
    2 Posts
    3k Views
    jimp
    Check the logs on the other side. The 60 second timeout just means it failed to contact the server, so no connectivity. The other side would be more helpful.
  • Dedicated link + OpenVPN backup + Quagga OSPF

    Locked
    0 Votes
    2 Posts
    2k Views
    F
    Hello, I just set up the same config and had it working. The issue I ran into is that I needed some layer2 stuff to cross the network and pf was placing in layer 3, thus breaking my config. Anyhow, I have Cisco switches that were connecting to my pf setup. I have three NICs in my pf boxes (1 for LAN, 1 for WLAN and 1 for Internet). I created openvpn tun sharedkey tunnels between my pf boxes, and assigned the openvpn clients to interfaces. In Quagga OSPF add the three interfaces to area 0.0.0.0. On the switch side I added the pf LAN network to area 0 and my failover was good to go. Just play with the interface cost in quagga to determine when a failover should occur. I think my fail over was sub 2 minutes. In pfsense you will want to set up some rules to handle traffic that ospf doesn't know about. I used the gateway groups to handle this so that in a failover my internet traffic would still go out. However, I route all my outgoing internet traffic through my data center so YMMV. BTW if you need to trunk (802.1q) between your switches and they support ospf you can connect the wlan to the switch use pfsense to create a vpn backup there. At least that's what I am trying now…. Fred
  • Best Setup?

    Locked
    0 Votes
    20 Posts
    6k Views
    C
    That blog post is correct as well. No, not everyone who's ever written a site to site OpenVPN guide is conspiring against you. They really do work as illustrated. My guess at this point is you have a general connectivity problem between client and server for some reason. Packet capture, check firewall states, for the outer 1194 or whatever port you picked.
  • No connection through tunnel

    Locked
    0 Votes
    2 Posts
    2k Views
    jimp
    The server's raw config would be in /var/etc/openvpn/. If the clients have routes, try doing a traceroute and see how far it gets. See if you can ping/reach the pfSense firewall's LAN IP. If you can reach the LAN IP and no farther, it could be something on the target machine (local firewall/filter), or it may not be using pfSense as its default gateway. If you can't reach the pfSense firewall's LAN IP, then I'd double check the routing, make sure the client is being run as Administrator on Vista/w7/w8/etc.
  • Interface on Site-to-site VPN client cannot reach remote network

    Locked
    0 Votes
    10 Posts
    5k Views
    T
    Oh my god, I feel like an idiot. You guys were correct about the routes. Unfortunately, I made an error while adding the route to the VPN settings. While I added the route under the Server settings, I forgot to add the 10.10.20.0/24 route under the Client Specific Overrides. As soon as the route information was added there, communication worked bi-directionally. Thanks so much for your help! This was a great learning experience.
  • Site-to-site tunnel working, routing not working

    Locked
    0 Votes
    4 Posts
    3k Views
    P
    When you enter Tunnel Network, Local Network and Remote Network it uses these to make a route to Remote Network across Tunnel Network for you. So when there is just 1 LAN subnet at each end, the routing happens "automatically". The extra things you have to do are: open the port you are using at the server end, so the client incoming connect can get through. Add firewall rule/s on OpenVPN at each end to allow the traffic you want that comes from the other end of the tunnel. Then it all just works in a simple site-to-site config.
  • Building a Site-To-Site VPN using OpenVPN

    Locked
    0 Votes
    3 Posts
    5k Views
    jimp
    Actually for a site-to-site openvpn just between two nodes, a shared key setup is much, much easier. No need to make or export certificates. Also that guide seems to have been written a long time ago against 2.0-RC1. The Guide for a multi-site PKI setup on our doc wiki may be more accurate: http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29

    Actually one thing that guide doesn't mention is if you do SSL/TLS and it's still just between two sites, if you just use a /30 for the tunnel network, it does not require that you add the client-specific overrides or anything like that. You can't push settings to the client, so you do need to fill in the tunnel network on both sides, and you need to fill in the 'remote network' fields on both sides.

    It's much simpler to do shared key though, as described here: http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_%28Shared_Key,_2.0%29

    Though even that is a lot of detail, it really boils down to:

    On the server:
      - Add the server entry, set to Peer to Peer (Shared Key)
      - Set a tunnel network
      - In remote network put the client side LAN network
      - Add a wan rule to allow traffic to the wan address on the port (probably 1194)
      - Add openvpn firewall rules to pass traffic inside the tunnel

    On the client:
      - Add a client entry, Peer to Peer (Shared Key)
      - Enter the server IP and port
      - Uncheck "automatically generate" and copy the shared key from the server screen to here
      - Set the same tunnel network as on the server
      - Set the remote network to be the server's LAN network
      - Add openvpn firewall rules to pass traffic inside the tunnel

    The guide goes into much more detail than that, but I probably set up 6-10 of these things a week for people and it works every time…
  • No HTTPS or SSL over established connection?

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Can't connect to Microsoft SQL via OpenVPN

    Locked
    0 Votes
    24 Posts
    19k Views
    M
    Don't know why it is working on the IPSec Tunnel but I was connecting the same way as via OpenVPN. Doesn't matter, it's working now and I'm happy with that :)
  • Open vpn rules

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • How to only connect through OpenVPN?

    Locked
    0 Votes
    2 Posts
    1k Views
    johnpoz
    Well then setup your firewall rule on your vm pfsense box to prevent whatever you don't want. I for the life of me can not figure why you would want to do such a thing.. but hey, whatever floats your boat. I see a triple nat when I look at that setup, and for the life of me don't understand why you would need a firewall to specific vms behind a triple nat ;)  But sure again whatever floats your boat. Just set your rules on your pfsense to only allow access to your openvpn connection.
  • How to NAT wan public ip to OpenVPN client

    Locked
    0 Votes
    2 Posts
    2k Views
    D
    Well, I resolved with this post http://forum.pfsense.org/index.php?topic=35445.0 Works but I have to assimilate the reason.
  • Setting up OpenVPN failing at TLS_ERROR

    Locked
    0 Votes
    9 Posts
    19k Views
    jimp
    New version of the OpenVPN client export package coming up now, quoting the server CN is now optional, and off by default.
  • OpenVPN License Keys

    Locked
    0 Votes
    3 Posts
    8k Views
    jimp
    If you're looking for a client download make sure you either use our client export package, or the OpenVPN Community Downloads page. They do sell some software but it's not required.
  • OpenVPN client connects to PFsense, does not route

    Locked
    0 Votes
    6 Posts
    3k Views
    G
    Well, this is the weirdest thing. I go and try it today and it works like nothing was ever wrong. I did reboot PFsense a thousand times this weekend trying to get Dansguardian to work and also rebooted my work machine. Anyhow, I'm still going to post what you asked because it is binding on a weird I{. This may or may not help someone else so what the heck:
  • Site to Site Re-Establish

    Locked
    0 Votes
    12 Posts
    5k Views
    C
    @Stevej: @cmb The upstream of the customer side (supplied by ourselves) varies, it can be ADSL or leased line. What I've noticed is that if the connection on the customer side drops (this could be due to a link failure or such) then when the link re-establishes the VPN doesn't come back up, unless I disable the VPN profile and re-enable it. Is the key the infinitely resolve tick box?
    No, the completely default settings will reconnect automatically on their own. Would have to see some logs from the OpenVPN client while it's failing to reconnect to have an idea of what might be happening.
  • Load Balanced FW and site-to-site OpenVPN results in packet loss

    Locked
    0 Votes
    6 Posts
    3k Views
    jimp
    @ReneG: Hi, any news on the 2.0.2 release? We would really, really like to see working OpenVPN with UDP and CARP without disabling OpenVPN on the slave. Any chance to get an update URL? Regards. BTW pfSense is very nice and stable!
    There's a thread on that here - http://forum.pfsense.org/index.php/topic,52810.0.html
  • Openvpn 2 wan

    Locked
    0 Votes
    4 Posts
    2k Views
    T
    @pkwong: Are you having issues passing traffic out the openvpn connection? Is that what you are saying? Do you config pass? Thanks everyone interested, I have done.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.