That worked perfectly! I just tested the setup you suggested with 3 test users and had filtering working exactly the way I want. Thanks for the help!

It can be done, but it involves using client bridging and adding custom configs to the server. Stick with the routed solution, it's more efficient and it looks like they are eliminating bridging from 2.0 anyway.

What eventually fixed it for me was swapping the openVPN protocol from UDP to TCP. Up to this day this still makes NO sense to me whatsoever as it all worked though UDP as long as I did't leave the LAN. Accessing remote websites as an openVPN client jsut didnt work using the UDP protocol. I made a small post on my blog explaining the steps I took to get it working. URL : http://henri.kuipersite.nl/2011/02/25/the-alix-project-part-2/ I hope this will give you enough info to get it working for you too. If not (or if it does) let me know via a reply here and/or a little note at the blog :) Happy VPNing

no takers? -Rich

sweet! Good to hear

Is this true even if the openVPN is setup in bridged mode? I can't speak to Bridge mode as I've never tried it, but theoretically then your clients would be on the same IP network so I would say no it probably wouldn't be true for that scenario.  I don't think pfSense has bridge mode as an option out of the box but you might be able to configure that using the custom options field. Yes, it is true that my Internet connection is only 100 Mbit. However, the network between LAN and DMZ is at Gbit speed today. I don't want LAN/DMZ communications to be affected negatively. Well….. pfSense runs on a PC, can you use Gbit NICs?  Or are you running it on an embedded device? -Rich

@jimp: Client should have dev tun, not dev tap. It's always the simple things - that did it!  Thanks! -Rich

huh, it's probably one of the ones with broken hardware checksum offloading under some circumstances, disabling that under System>Advanced would possibly resolve, but you're vastly better off with the Broadcom NIC anyway.  ;D

Okay…all updated to 1.2.3 now. Went through and changed some things back to how they were supposed to be according to the setup guide....and it's working now. Part of this though included having to use a WWAN card to make it so I was attempting to vpn in from the Internet....vs. from my own internal private network.  Apparently, that won't work. :)

I check that ipsec was disabled, and delete another vpn server that one box haves (to roadwarrior) and now i can ping :s but cant enter in any service of the other net (a webserver and the pfsense itself) I have this firewall rules in vpn in both sites: [image: rules.PNG] [image: rules.PNG_thumb]

Look in the system logs and the logs for OpenVPN. You may find an error in one or the other that leads you to the cause of the issue. Otherwise it's all just speculation.

@spiritbreaker, your error messages is not the same as the one being discussed in this thread, please don't confuse matters.

Anything from 0-255 should work in that octet. So 192.168.42.x, 192.168.201.x, etc, etc. Whatever you want that isn't in use.

Nevermind. I think this was just logging an error because the route was already in the route table. I'm still having a route issue, but I'll post that seperately

You can do that either way. You can have it be site-to-site, or you can assign the OpenVPN interface as an opt interface and setup NAT rules so that when traffic leaves OpenVPN, it gets NAT applied to the OpenVPN client address, and as long as the remote end doesn't have a route back to your LAN, it should be just how you describe.

???Anyone?

I was going to ask if you tried rebooting both machines or had an active IPSec connection as the config settings look right, but you figured it out, glad to hear.

good evening, i have one question to your related posts. i use pfsense 2.0 beta 5 newest version till yet! and in openvpn client site is no entry for default gateway. all clients can ping and share with local network, with right routes, but the entry for default gw is missing. (gateway should be the pfsense openvpn server - in my config is it 10.10.0.1) Feb  7 10:56:18 proxyfuck openvpn[15604]: /sbin/ifconfig ovpns1 10.10.0.1 10.10.0.2 mtu 1500 netmask 255.255.255.255 up why it is hiding for me on client site??? :)