• [RESOLV] 2 vpn and Management Daemon Unreachable

    0 Votes
    4 Posts
    2k Views
    The problem is the identical IP address for all the VPNs. Thanks.
  • OpenVPN Bridge Site-to-Site

    0 Votes
    2 Posts
    2k Views
    OpenVPN will work fine there, but you will need to put the sites on separate subnets and run DHCP at both locations.  Separate subnets will not break communication between the two sides.  That's my opinion anyway.
  • Server refusing connection:TLS Error: TLS handshake failed

    0 Votes
    2 Posts
    37k Views
    Check this out.  Read down to "This indeed was the issue! I have had my old certs from a previous attempt (that also failed) on my laptop. I've regenerated this clients certs, and ta da" This thread might help you. https://forums.openvpn.net/topic12623.html Basically, he ended up regenerating his server CA and certs as well as client certs.
  • OpenVPN doesn't return subnet mask correctly

    0 Votes
    27 Posts
    18k Views
    Sorry, from your diagram it looks like you have DMZs on both firewalls. Yes, adding push "route 10.10.8.0 255.255.255.0" to your advanced config when it's already in your Local Network field is redundant and can be removed.  If you look at your config, you'll see the duplicate entry.
  • OpenVPN: Route traffic via Remote client

    0 Votes
    8 Posts
    3k Views
    Yep - I'm not sure how much bandwidth you need, but a cheap ($10 or so used) E1000 with a DDWRT VPN load can act as server or client. I've had excellent results with them so long as I'm only pulling 5 Mbps or less through it.  You can max out their CPUs pretty fast after that, and be sure to put it somewhere where it can breathe.  They get warm because openvpn is a cpu user. I would probably use pfsense as a client on your end to the ddwrt router you send to their end acting as server. There would just have to be a little cutting and pasting of certs and CA between the two before you sent it. For dynamic dns, I have had good luck with dyndns.com but there are MANY that work. freedns.afraid.org also works.
  • OpenVPN up and running, now try to get Windows7 to actually use it

    0 Votes
    19 Posts
    6k Views
    Thank you again for your help  :P I've made the changes recommended here, and it appears to be working correctly now (although PFS didn't remember the block rule for my local LAN, which I added to the OpenVPN-rules in the firewall; very strange, I had to enter the rule 4 times  ???). Well, it has to be working anyway, since her majesty has left the house and is on her way to the airport, so I can't do anything about it anymore right now. And I am on my way to the kitchen, to learn how to prepare food for myself   :D Thank you again for your help   ;D (And yes, Windows firewall = yuck. As is Windows. But she wouldn't allow me to put PC-BSD on the laptop :-).
  • OpenVPN client weird DNS resolving issues

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • OpenVPN and IPv6

    0 Votes
    3 Posts
    2k Views
    OK, got OpenVPN working. I also had to add a Tunnel Network for IPv6 in the OpenVPN configuration. Thanks for your help, doktornotor. I have used your preferred manual for the configuration, not the one with the bridges. Kind regards, Simon
  • 0 Votes
    9 Posts
    27k Views
    OpenVPN client - ics-openvpn-0.5.39.apk - does not work in Android v4.0.4 connecting to pfSense v2.0.3 + Client Export Package + OpenVPN Patch Package. Works from WinXP. The Android OpenVPN client gets disconnected at once with the following error message for both the non-default port of 33121 and the default one of 1194: "Unfortunately, OpenVPN for Android has stopped." The FEAT VPN App for Android works though - ics-2013-01-23.apk.
  • OpenVPN TCP works UDP does not

    0 Votes
    15 Posts
    14k Views
    Hmmmm.  I would do a few things differently. I would create 1 openvpn thread on 10.23.10.0/24 and the second on 10.23.11.0/24 or so…  (just to get away from the 192.168s) Then I would check my firewall rules to be sure the rules had been generated properly to PASS those subnets to ANY.  Check the subnets match above. Then I would create the outbound NAT rules to allow the LAN and for both openvpn subnets. (I stopped using auto outbound NAT on WAN). Now try it on manual.  Be warned that manual outbound NAT is picky.  Has to be done correctly, but it never leaves me wondering "what went wrong"? If that doesn't work, having a snapshot of your NAT rules, Firewall rules, Outbound NAT rules, and openvpn config would help people help you. P.S.  The reason I quit using Automatic Outbound NAT is because it kept rewriting SIP packets and was killing my servers. And I'm a control freak...  Thus the pfsense.
  • 0 Votes
    3 Posts
    2k Views
    Phil, 1. The pfSense interfaces are subnets carved out of the supernet; we have a lot of subnets behind each firewall.   2. I'm not sure why there is a /29 on the existing OpenVPN tunnel, I will change it to a /30 in the future. Additionally, my issue is now resolved.  The issue was that the server side of the tunnel (Site B) was not properly routing the traffic, even though the proper routes were there.  Rebooting the pfSense box appears to have fixed it.  On that note, I'm working on another tunnel, and I've run into the same issue, is there ANY way to restart specific components of pfSense that would kick-start the routing system without having to completely reboot my production firewall? -ct
  • RESTART OpenVPN

    0 Votes
    5 Posts
    2k Views
    jimp
    Not on 2.0.x, but on 2.1 I have added a command-line management script for managing services that can control OpenVPN. I'm not sure if it would pull back to 2.0.3 OK, I never tried it. But if you're on 2.1 you can just run, for example: pfSsh.php playback svc restart openvpn client 2
  • Another vpn connection?

    0 Votes
    4 Posts
    1k Views
    Now I understand. Yellow router has a WAN IP in Green network - e.g. 192.168.0.2. Blue router has a WAN IP in Red network - e.g. 192.168.1.2. Devices in Green and Red can already talk to each other, because the Green and Red routers have a VPN link across the internet. To directly route from Yellow, across Green and Red, to Blue, you need access to Green and Red to add routes to them. But you can set up an OpenVPN site-to-site link from Yellow WAN IP 192.168.0.2 to Blue WAN IP 192.168.1.2 without changing Green or Red routers. Then follow the information in the other post I linked to, and it should work.
  • VPN Setup…... which route to go

    0 Votes
    3 Posts
    1k Views
    Well, you have posted in the OpenVPN section, so I guess you will get somewhat biased opinions :) For what it's worth, run pfSense on something at the internet interface, to be your router, firewall and OpenVPN server. There are OpenVPN clients for plenty of OS that are known to work. For Windows, pfSense can download you a client install exe that has the necessary application and configs all bundled up to go. Also, if your private subnet is something common like 192.168.1.0/24 then change it now to something less common, so you don't get hassles when clients connect from somewhere that is already 192.168.1.0/24
  • Tunnel vLan down VPN

    0 Votes
    2 Posts
    1k Views
    Sure, push the vlan subnet through the advanced config and block what you want thru firewall rules on the openvpn tab. Or you can simply tell openvpn that your "Local Network" is the vlan and it will only route that subnet thru the tunnel.
  • Openvpn and plex

    0 Votes
    5 Posts
    2k Views
    Your server config screen cap is kinda low res… can't read anything once you zoom in... can you post the server1.conf? Also need to see the firewall rules from your OpenVPN tab.
  • How do i bypass mp Open VPN connection?

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Pfsense x86 x64 Windows 7 error

    0 Votes
    5 Posts
    2k Views
    @Fr0ntSight: "It is a 64bit machine" 64bit machine != 64bit OS. @tjgertge: "I'm having the same issue as well.  Have you found any resolution?" The resolution is to NOT try to install 64bit applications on 32bit OS.
  • OpenVPN, 3 offices, need help with conf

    0 Votes
    5 Posts
    3k Views
    1. Use "tun", that is for routing between different subnets at each site. "tap" is for bridging, when you want the same subnet everywhere and broadcast traffic to go across the OpenVPN and be seen everywhere.
    2. You don't need to change any NAT. NAT is not needed between the subnets on your private intranet - they can route happily to each other across the secure OpenVPN links. The internet traffic at each office goes straight out the office WAN/s and the automatic outbound NAT takes care of it. (If, one day, you want to send internet traffic from a branch office across the OpenVPN to the main office, then out to the internet, then you have to mess with manual NAT)
    3. Each office has a LAN subnet, and each OpenVPN link is a subnet - this is the "Tunnel Subnet". Technically the tunnel subnet for a single site-to-site connection can be just 4 addresses (a "/30"). But it is much easier on the brain to give it a "/24". e.g.
       Main Office - 10.77.0.0/24
       Branch 1 - 10.77.1.0/24
       Branch 2 - 10.77.2.0/24
       OpenVPN Tunnel Main to Branch 1 - 10.78.1.0/24
       OpenVPN Tunnel Main to Branch 2 - 10.78.2.0/24
       Make up 10.n.n.0/24 numbers to your liking.
    4. The OpenVPN client keeps trying every 60 seconds, forever until it gets a response. In my experience, OpenVPN is very good at reestablishing itself after 1 end has gone away and come back again.
    If you need Branch 1 and Branch 2 to talk to each other, then make another OpenVPN site-to-site between the 2. Then if Main office is down, branch 1 and 2 can still communicate.
    Note: It is possible to route from branch 1 to branch 2 via main office, but in this 3 office triangle it is simple to add the 3rd OpenVPN link.
  • Auth against LDAP/AD fails with SSL

    Locked
    0 Votes
    11 Posts
    15k Views
    Go ahead, it is here for this ;-) Here is my documentation on my private wiki. It's in French, but Google is your friend. Take whatever you want. http://www.ordinoscope.net/index.php/Informatique/Syst%C3%A8mes_d%27exploitation/PfSense/Recettes/Authentification_LDAP and also my reference: http://forum.pfsense.org/index.php/topic,44689.0/topicseen.html