• OpenVPN Bridging Tunnels

    Locked
    0 Votes
    8 Posts
    6k Views

    I tried it out with the box hosting the VPNs for us and it works great for just checking to see if the box is up and rebooting if not.  We just tested it running it and unplugging the WAN.  On the WRAP I tried this on though, the /var/db/hosts file was cleared on reboot.  I made something in /usr/local/etc/rc.d recreate it though.

    The only problem is that I guess I have the syntax right.  For just checking up and down, it works fine though.

    Here's the error I get:

    PROCESSING 192.168.75.7|4.2.2.2|10|/tmp/shutdown.sh|/tmp/up.sh|999|999
    Processing 4.2.2.2
    PING 4.2.2.2 (4.2.2.2) from 192.168.75.7: 56 data bytes
    64 bytes from 4.2.2.2: icmp_seq=0 ttl=247 time=16.167 ms
    64 bytes from 4.2.2.2: icmp_seq=1 ttl=247 time=15.761 ms
    64 bytes from 4.2.2.2: icmp_seq=2 ttl=247 time=16.309 ms
    64 bytes from 4.2.2.2: icmp_seq=3 ttl=247 time=18.847 ms
    64 bytes from 4.2.2.2: icmp_seq=4 ttl=247 time=25.969 ms
    64 bytes from 4.2.2.2: icmp_seq=5 ttl=247 time=26.756 ms
    64 bytes from 4.2.2.2: icmp_seq=6 ttl=247 time=14.858 ms
    64 bytes from 4.2.2.2: icmp_seq=7 ttl=247 time=23.865 ms
    64 bytes from 4.2.2.2: icmp_seq=8 ttl=247 time=14.006 ms
    64 bytes from 4.2.2.2: icmp_seq=9 ttl=247 time=14.264 ms

    --- 4.2.2.2 ping statistics ---
    10 packets transmitted, 10 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 14.006/18.680/26.756/4.708 ms
    Checking ping time 4.2.2.2
    Ping returned 0
    [: 18.664: bad number
    Checking wan ping time nan
    [: nan: bad number

    but yeah, that script is hella useful for OpenVPN tunnels.  Maybe it'll fix the tunnel dying problem we're having

  • Filter on tun interfaces

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Only one PPTP connection at a time?

    Locked
    0 Votes
    5 Posts
    3k Views

    @nexusone:

    I did search but didn't see any clear answers on why this problem exists.

    With that said, what is the simplest and most preferred alternative to PPTP that will support multiple users?

    OpenVPN works good.

  • Firewall Rules on OpenVPN Connections?

    Locked
    0 Votes
    9 Posts
    4k Views

    @talong99:

    Where could I manually add such rules so that they would be loaded the same time as the rules specified in the UI?

    There are no facilities for this.

  • WAN Rule blocking access to VPN

    Locked
    0 Votes
    3 Posts
    3k Views

    Thanks. I got it to work when I rebooted pfSense.

    Not sure why that needs to happen.

  • Possible OpenVPN feature?

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Openvpn routing to ipsec

    Locked
    0 Votes
    3 Posts
    3k Views

    Hi, thanks for the quick answer. I've just tried to set OpenVPN
    with the remote subnet as you say, but the problem remains.

    Still no routing… probably I'm missing some settings on the OpenVPN server to route traffic of the OpenVPN tunnel through the IPsec tunnel.
    I'll investigate a little more (or could give PPTP a try :-\ )

    Yes, I know that with the actual config only local office (192.168.200.0/24) can access through every other subnet, but for now is what we want. Do you think this could be a problem for the mobile user?

    tnx for your help

    PS: does anyone know if it's possible to configure an OpenVPN client with username/password?

  • New at openvpn

    Locked
    0 Votes
    2 Posts
    2k Views

    I think OpenVPN can accommodate your needs.

    pfSense provides a wonderful implementation of OpenVPN. There are still some kinks to be ironed out, namely the firewall rules for the OpenVPN interface, but they will get it working. Regardless, it works anyway with some manual steps.

    I recommend that you go to www.openvpn.net and read up on OpenVPN before jumping into it. It is a very powerful and versatile package and along with that comes a bit of a learning curve.

  • Not connecting through Openvpn

    Locked
    0 Votes
    4 Posts
    7k Views

    @fernandotcl:

    @moffl:

    Dec 23 05:38:27 openvpn[371]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.30.1 192.168.30.2', remote='ifconfig 10.190.115.1 10.190.115.2'

    @jette:

    Jan 19 09:49:40    openvpn[377]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.0.10.1 10.0.10.2', remote='ifconfig 10.0.200.1 10.0.200.2'

    Your address pool must be the same in both client and server.

    Thanks a lot for your reply.  The problem is fixed now.
    But I still have a problem accessing the remote network.  I can ping 10.0.200.253 in the firewall (10.0.100.254) but I can't ping 10.0.200.253 in my LAN (10.0.100.0/24).  Is there anything I missed in the settings?  Thanks a lot.

    Regards,
    Jette

  • ICMP through OpenVPN

    Locked
    0 Votes
    6 Posts
    7k Views

    @sullrich:

    @Helix26404:

    There IS a way to directly configure OpenVPN firewall rules, but it's not widely known nor talked about. It's through the LAN interface.

    Make a firewall rule on the LAN interface that is specific to this particular situation and put it on top. See if that helps.

    Most likely because that only handles one side of the conversation.  We do not talk about it because it's not a real fix.

    Unless you control both ends of the tunnel you will feel secure but the opposite is true.  Therefore we simply say there are no firewall rules possible on 1.0 across OpenVPN and IPsec tunnels, but we are working on this.

    Gotcha. So this is why anyone in the remote network can access anything in the local network (pfSense-side if we're assuming it's the server) provided the routes are set up correctly on the client-side.

    I was racking my brain trying to figure out why I could get traffic IN through the tun0 interface, but I couldn't get OUT unless I was using the pfSense box itself. At first I thought it was a route issue, but then realized that the firewall was locking it down. Setting up explicit rules permitting traffic from any source to destination OPVN interface and destination OPVN remote network did the trick.

    Thanks for the elaboration from the "inside". :)

  • Can someone tell me what this means?

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • OpenVPN executable

    Locked
    0 Votes
    4 Posts
    3k Views

    At the terminal, type:

    which openvpn

  • 0 Votes
    2 Posts
    12k Views

    Nice, I'll link it from the tutorials site later when I get time. Thanks!

  • OpenVPN not reliable, use VPNCHECK

    Locked
    0 Votes
    5 Posts
    4k Views

    Look in the package area.  There is an rc.d thread that is a sticky.

  • Configuration Question

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Questions regarding openvpn

    Locked
    0 Votes
    3 Posts
    3k Views

    Thanks.

    I read the stickies and searched but didn't come up with those answers. I have an OpenVPN connection running.

  • Problems routing all traffic through tunnel

    Locked
    0 Votes
    15 Posts
    9k Views

    @dairaen:

    cheers,

    tpunder, could you please send me or upload a screenshot of
    your working outbound NAT rules so i can add them to the
    tutorial?

    thanks.

    kind regards
    dairaen

    No problem, I just sent a PM with a screenshot.

  • Latest snapshot 12-11 and OpenVPN server

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Shared Key Invalid?

    Locked
    0 Votes
    2 Posts
    7k Views

    Follow this nice tutorial http://www.uplinksecurity.de/data/pfsense-ovpn.pdf

  • Multiple PFsense openvpn clients connecting to one PFsense openvpn server

    Locked
    0 Votes
    4 Posts
    3k Views

    Me too :) (IPsec is easy) but I want it with OpenVPN

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.