• 0 Votes
    5 Posts
    3k Views
    Cry HavokC

    You need to create the rule on the LAN interface - all pfSense rules apply to the interface the traffic arrives on, not the interface it leaves on.

  • Windows 7 64 open vpn client

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    Cry HavokC

    I can confirm that it works fine with the 64bit Windows 7.

    Note that questions about OpenVPN clients are probably best asked on the OpenVPN list ;)

  • OpenVPN with Dual WAN

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Openvpn question/problem

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    B

    See this thread:
    http://forum.pfsense.org/index.php/topic,18801.msg97227.html

    Also if you want to do bridging, you have to do more than add server-bridge to custom options (you actually leave server-bridge out if you want to use an existing DHCP server).

  • How to set up OpenVPN behind pfsense

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    B

    Seems like you would have to create a static route on every other machine for that to work. If a machine on your LAN gets an echo request from some IP (in this case let's say a remote LAN IP of one of your clients), it will go to the default gateway, which will be pfSense. The traffic won't get to the openVPN server even though that's how it got into the network in the first place.

    The problem with this is that if these are mobile clients (and it sounds like they are) you don't know what their remote subnets are going to be, so you can't add static routes for them, either on the clients or on the pfsense machine (not 100% on whether that would work anyway even if you knew the subnets).

    I do exactly what you're doing with a few servers (openvpn server on a NAT'd IP) but it works for me because I only want the clients of those servers to have access to the IP of the server, so I haven't actually tried to solve the problem you're having.

    Edit: maybe a bridged rather than routed setup would work better; it would also solve the problem of the possibility of overlapping subnets with your road warriors.

  • Windows XP Machine VPN to a PFSENSE machine

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Cry HavokC

    pfSense, as of at least 1.2.0, has OpenVPN server built in, and PPTP and IPsec.

    Windows has PPTP built in, anything else will require a client to be installed.

  • OpenVPN as a last resort

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    Cry HavokC

    Yes, you have to be able to connect to your server - if the network is blocking ports then you can't connect.

  • OpenVPN doesn't work without Any/Any rule

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    M

    I don't think I'll have time to try anything today... but I'll give that a shot over the weekend!

    Thanks!

  • TLS handshake failed

    Locked
    5
    0 Votes
    5 Posts
    15k Views
    AhnHELA

    Changing the default port from 1194 to something else should resolve your ISP blocking your VPN connection.

  • 0 Votes
    9 Posts
    5k Views
    B

    I got it working... had to finagle BGP but it is now working, and no route-flapping. Whooo Hoooo! :)

  • Unable to connect to OPEN VPN server through WAN2 (multiwan)

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    B

    Yeah, you can leave off the "--" part of the command, which is for use when you call it from a command line.

    local 1.2.3.4

    Just putting that in the custom options should do it (remember to use a semicolon to separate multiple options if you have more). After you save it look in System Logs -> OpenVPN to make sure it's binding to the correct IP.

  • MOVED: [Solved] vpn client cannot be accessed by lan

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Openvpn dual wan using OPT

    Locked
    9
    0 Votes
    9 Posts
    5k Views
    GruensFroeschliG

    @joebarnhart:

    I have two pfSense boxes and I want to route the openvpn traffic through the OPT1 interface at work to my system at home.  The work box is the "server" my home is the "client".  My home box is set to use the gateway connected to OPT1 at work, but there is no way to tell the server at work to send packets back through the OPT1 interface (instead of WAN).

    Create a static route for the IP of the remote end and as gateway your OPT1 gateway.

    @joebarnhart:

    The static route suggestion leaves me confused.  I can set a default gateway, but it wants a "source" for the packets.  LAN, WAN, etc. don't seem to create a static route that OpenVPN respects or uses.  Nothing seems to affect it since it sits inside the pfSense box and does not seem to pay attention to any routing rules other than from its openvpn page itself.

    You're obviously in the wrong place.
    You don't have to create a firewall rule and set a gateway.
    You have to create a static route in the place I wrote above.

    @joebarnhart:

    Looking at my logs, I can see the client is connecting to the OPT1 interface at work, but the server at work is responding over its WAN interface.  I could just set "float" in my client, but it misses the point of having a T1 line for VPN use.

    I've googled many many messages about this multi-homed madness and openvpn, but have found few who actually claimed to get it working.  99% of the messages never attract even a single response.  This is a big problem for anyone with multiple WANs and there isn't much to go on getting pfSense and openvpn to work.

    I think you need to clarify something.
    Do you want the pfSense to connect to a server?
    In this case you need the static route above.

    Do you want clients to connect to the pfSense on the OPT?
    In this case you don't need a static route, but you need to set the correct commands in the "Custom options" field on the OpenVPN server page.
    AFAIK something along the line of "--local host IP_of_OPTx".
    Just to tell the OpenVPN instance that it should listen on the IP of the OPTx instead of the main WAN.

    PS: Why do you think that "This is a big problem for anyone with multiple WANs and there isn't much to go on getting pfSense and openvpn to work." ?
    It's not a problem of pfSense if you don't know how to handle OpenVPN....

  • Blocking VPN+RemoteDesktop+Virtual Machine+TeamViewer+ETC

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    J

    Thanks Havok, I'll try this month :)

    jigp

  • 0 Votes
    2 Posts
    2k Views
    S

    Problem fixed!

    I forgot to add the route on sites B and C. Always add routes for both directions.

  • 0 Votes
    2 Posts
    5k Views
    F

    Are the server certificates the same on both openvpn servers?  If different, that might be causing your issue.
    RC

  • 0 Votes
    8 Posts
    4k Views
    T

    I'm getting the same error, and so far as I've read and understand, all is config'd properly…  This is with internal CA, until I can get the import of cacert.org's keys to succeed...

  • Can pfsense do this (newbie)?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    GruensFroeschliG

    Yes this is possible with the "Client-specific configuration" (client specific pushes)
    and with OpenVPN firewall rules. (Although the firewalling of OpenVPN is currently quite a hack).

    But you misunderstand that you get an IP out of your 3 subnets. This won't happen. You connect from a different subnet to these private LANs.

    Yes you can integrate this with active directory.
    Read the stickies!
    http://forum.pfsense.org/index.php/topic,14946.0.html

  • 0 Votes
    4 Posts
    3k Views
    B

    I got it!

    My god.. all this hair pulling. The problem was that the tap0 interface on machine B did not have an IP address assigned to it. That was it. It works, wonderfully. I am way behind schedule on what I need this for, but with any kind of luck I'll have some time in a few weeks to write up a start to finish guide.

    Until then, I'll try to check the thread as often as I can to answer any questions.

  • OpenVPN // PfSense // Windows // Linux

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    F

    What is your IP and gateway for your external network? That is what it should be.  This is an example of the client configuration:

    ovpn_client.txt

    dev tun
    proto udp
    remote 63.162.xxx.xxx 1194
    ping 10
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert ovpn_client1.crt
    key ovpn_client1.key
    ns-cert-type server
    comp-lzo
    pull
    verb 3

    This is from my workstation that I use to connect openvpn with.
    RC
