Is there fix for 2.1.3 ? I've made TUN bridge but vpn gateway is down.

Glad I could be of help..

Thanks very much! Not sure why my search didn't turn that one up, I'll follow that thread.

There is no way to make "per-user" rules using the GUI alone. It is possible to do if the users and rules come via RADIUS, though. Giving each client a unique certificate/login and override with a unique IP is best, and the only way to make that work in the GUI.

I needed to login to the VPN and ping a 172.17 host for the tunnel to be established.

thanks a lot guys. i appreciate your help and info.  ;)

I did a complete reinstall and started fresh.  I read a thread around the forums regarding the Traffic Shaper, and i think i might have went in there and tried it out which broke things in the background.  After a fresh install and some minor setup hiccups it seems that i'm up and running with OpenVPN routed to the one client that i want!! Thanks for all the help! Edit: I believe i found the culprit as well to the issues that i was having this entire time.  Squid…after i installed it again it ended up breaking the VPN connection.  Had to put in a bypass proxy setting in there and all is well again!

I'm assuming this is an OpenVPN client config on pfSense? Have you tried comparing the working script against the pfSense rewrites that fail? If there are a few necessary lines removed when pfSense does its write, you should be able to add them to the advanced section of the client config.  If it's something more there may be other ways, post back with more details.

I restarted CARP on Master and Slave and now it works.

Bad form in posting back to my old posts, but just to let you know, that I've finally fixed it. Phil, I dug around regarding your suggestion and found this: https://forum.pfsense.org/index.php?topic=76015.0 All working as intended! I've not restarted any of my client VPN connections, or rebooted, but I'm sure that if the client comes up with same interface (ovpnc1) then I consider myself a happy chap. Only 1 year in the making… wow.

If it is site-to-site, then, in the Remote Network/s box at both client and server end, list all the remote networks reachable across the VPN link. (i.e. the list will be "opposite" on client to server) If it is road warrior server, then put all the networks reachable through the server into the Local Network/s box - this will tell the clients what they can reach across their link to the server. In all cases put rules on OpenVPN to allow traffic from the clients to the various networks. Put rules on the server-end LAN etc to allow traffic from the server network/s to the clients (if you want traffic to be initiated in that direction also)

A few things… first, this clearly is not a PFsense box... you should probably post in the forum of whatever distro you're using or openvpn.net, but will attempt to help anyway. 1.  Provide a network map, so we know more about your network and what you're trying to access. 2.  Is this in a lab?  Because it appears as though you are trying to connect to the VPN from the same LAN the server is on... but we'll know more when you provide the network map. 3.  When you say "I can access the tunnel but I cannot access internet.", can you truly not access the internet or just unable to resolve domain names?  Because those are two separate issues.

Ramotalana, when you setup the tunnel it will only route traffic that you tell it to route… and it will only allow the traffic that your firewall rules tell it to allow...  i.e. only traffic destined for the tunnel will be routed over the tunnel.  Internet traffic along with everything else will follow the routing table on both ends.

How can we even begin to help troubleshoot?  There are no details.  Provide a network map, post your config, post your firewall rules.

Yes - If you have multiple VPNs you can give them different sets of firewall rules.  Thats just for one.

No luck. It turns out snort was being triggered and blocking my second site.  I simply disabled the offending rule, unblocked my IP and all seems well.  What's strange is that it didn't fail until significant data started being transferred through the tunnel.  That was very confusing.  I noticed that my client connection wasn't found in the server firewall log and after verifying with packet capture that the client was indeed sending, it dawned on me that something was eating the request.  Too many hours lost due to my own foolishness. Found on snort alerts tab (I copied this after disabling the rule): 11/27/14 09:27:06 1 UDP Potential Corporate Privacy Violation <clientwanip>Icon Reverse Resolve with DNS  Add this alert to the Suppress List and track by_src IP 13467 <serverwanip>Icon Reverse Resolve with DNS  Add this alert to the Suppress List and track by_dst IP 1195 1:2003320 Add this alert to the Suppress List  Rule is forced to a disabled state. Click to remove the force-disable action from this rule. ET P2P Edonkey Search Results Beware snort users.</serverwanip></clientwanip>

Check out this site and the articles, they all address the concern of chaining vpn tunnels: https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-8 The simplest way to do it is with pfsense running in multiple VMs (you create multiple ESXI or VMware workstation VMs and chain them up). I hope this helps..

Thank you very much for pointing to OSPF direction. Quagga behaves wierd a bit, exactly as written in this thread.  I had to add tunnel adresses manually, as advised here , and it worked for me. Everything runs fine for two weeks already, client reconnects properly. Restaring server side of OVPN tunnel does not crash client side anymore. The issue is solved.