I added keepalive 120 240 but still no luck :-( If the connection goes down and a reconnect is done, an error "AUTH_failed" is thrown (Because the old connection still exists on the server of my VPN-Provider) from the Server, it stays down until you manually restart it :-( Is there a way to add (re)connect retries although of the "AUTH_failed" message?

Is there any tutorial to show hwo to setup OPEN vpn with PKI?  I have successfully created a VPN tunnel for a user but I need to have 4 users connected and I don't' want to open 4 ports up.  I would like them all communicating through the same port. Is there any advantages / disadvantages to setup this way?

I switched to a Firebox X700 and OpenVPN now works…weird...

Not sure really. It's something we'd like to see working (VPN Bonding) but lagg may not be the most efficient way to get that done in the long run. It's just been a topic lately since zeroshell is doing it that way. Reconfiguring the lagg as needed may not be difficult to add in the backend but it seems like there are quite a few issues with doing it that way that may end up making it not really feasible to use. Another way we'd mentioned is doing MLPPP over the tunnels to bond them but that could be even more of a challenge.

Good to know. Thanks Chris!  :)

Thank you for your response, I did changes as suggested : and now, on remote side routing : Kernel IP routing table Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 10.10.10.1      10.10.10.5      255.255.255.255 UGH   0      0        0 tun11 10.10.10.5      *               255.255.255.255 UH    0      0        0 tun11 10.8.0.2        *               255.255.255.255 UH    0      0        0 tun21 192.168.141.254 *               255.255.255.255 UH    0      0        0 vlan1 192.168.20.0    10.10.10.5      255.255.255.0   UG    0      0        0 tun11 10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun21 192.168.10.0    *               255.255.255.0   U     0      0        0 br0 192.168.141.0   *               255.255.255.0   U     0      0        0 vlan1 127.0.0.0       *               255.0.0.0       U     0      0        0 lo default         192.168.141.254 0.0.0.0         UG    0      0        0 vlan1 On OpenVPN server side : Routing tables Internet: Destination        Gateway            Flags    Refs      Use  Netif Expire default            178.26.23.254      UGS         0  1071098    vr1 10.10.10.0/24      10.10.10.2         UGS         0        3 ovpns2 10.10.10.1         link#12            UHS         0        0    lo0 10.10.10.2         link#12            UH          0        0 ovpns2 127.0.0.1          link#6             UH          0    14102    lo0 192.168.10.0/24    10.10.10.2         UGS         0       54 ovpns2 192.168.20.0/24    link#10            U           0  1279213 bridge 192.168.20.254     link#10            UHS         0        0    lo0 And now I'm checking from host behind OpenVPN server (192.168.20.1) [~] # ping 192.168.10.130 PING 192.168.10.130 (192.168.10.130): 56 data bytes ^C --- 192.168.10.130 ping statistics --- 53 packets transmitted, 0 packets received, 100% packet loss [~] # ping 192.168.10.1 PING 192.168.10.1 (192.168.10.1): 56 data bytes ^C --- 192.168.10.1 ping statistics --- 1 packets transmitted, 0 packets received, 100% packet loss [~] # ping 10.10.10.6 PING 10.10.10.6 (10.10.10.6): 56 data bytes 64 bytes from 10.10.10.6: icmp_seq=0 ttl=63 time=62.1 ms 64 bytes from 10.10.10.6: icmp_seq=1 ttl=63 time=64.8 ms 64 bytes from 10.10.10.6: icmp_seq=2 ttl=63 time=46.9 ms ^C --- 10.10.10.6 ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 46.9/57.9/64.8 ms [~] # ping 10.10.10.1 PING 10.10.10.1 (10.10.10.1): 56 data bytes 64 bytes from 10.10.10.1: icmp_seq=0 ttl=64 time=0.4 ms 64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.2 ms ^C --- 10.10.10.1 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 0.2/0.3/0.4 ms [~] # ping 10.10.10.2 PING 10.10.10.2 (10.10.10.2): 56 data bytes ^C --- 10.10.10.2 ping statistics --- 2 packets transmitted, 0 packets received, 100% packet loss [~] # ping 10.10.10.5 PING 10.10.10.5 (10.10.10.5): 56 data bytes ^C --- 10.10.10.5 ping statistics --- 3 packets transmitted, 0 packets received, 100% packet loss [~] # traceroute 192.168.10.130 traceroute to 192.168.10.130 (192.168.10.130), 30 hops max, 40 byte packets 1  192.168.20.254 (192.168.20.254)  1.113 ms  0.377 ms  0.348 ms 2  *^C [~] # So I can ping 10.10.10.6 which is on tunnel end, but nothing on 192.168.10.0 network. Log from client : Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec  4 2011 Feb  9 12:23:34 tomato daemon.warn openvpn[1121]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info. Feb  9 12:23:34 tomato daemon.warn openvpn[1121]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: LZO compression initialized Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ] Feb  9 12:23:34 tomato daemon.notice openvpn[1121]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ] Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: Socket Buffers: R=[32767->65534] S=[32767->65534] Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: UDPv4 link local: [undef] Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: UDPv4 link remote: xx.xx.xx.xx:1195 Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: TLS: Initial packet from xx.xx.xx.xx:1195, sid=76b8ea0b 54d5e74d Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: VERIFY OK: depth=1, xxxxxxxxxxxxxxxxxxxx Feb  9 12:23:35 tomato daemon.notice openvpn[1127]: VERIFY OK: depth=0, xxxxxxxxxxxxxxxxxxxx Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA Feb  9 12:23:37 tomato daemon.notice openvpn[1127]: [ag-net.eu] Peer Connection Initiated with 178.26.16.94:1195 Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: SENT CONTROL [ag-net.eu]: 'PUSH_REQUEST' (status=1) Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.20.0 255.255.255.0,route 10.10.10.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.10.6 10.10.10.5' Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: OPTIONS IMPORT: timers and/or timeouts modified Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: OPTIONS IMPORT: --ifconfig/up options modified Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: OPTIONS IMPORT: route options modified Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: TUN/TAP device tun11 opened Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: TUN/TAP TX queue length set to 100 Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: /sbin/ifconfig tun11 10.10.10.6 pointopoint 10.10.10.5 mtu 1500 Feb  9 12:23:40 tomato daemon.notice openvpn[1127]: updown.sh tun11 1500 1558 10.10.10.6 10.10.10.5 init Feb  9 12:23:41 tomato daemon.notice openvpn[1127]: /sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 10.10.10.5 Feb  9 12:23:41 tomato daemon.notice openvpn[1127]: /sbin/route add -net 10.10.10.1 netmask 255.255.255.255 gw 10.10.10.5 Feb  9 12:23:41 tomato daemon.notice openvpn[1127]: Initialization Sequence Completed And another thing, on client router (Tomato) I have syslog pointing to 192.168.20.1 (internal NAS behind pfsense router), what I see in tcpdump : 12:59:40.108160 IP 10.10.10.6.2048 > 192.168.20.1.514: SYSLOG cron.info, length: 97 12:59:40.144467 IP 10.10.10.6.2048 > 192.168.20.1.514: SYSLOG syslog.info, length: 37 And I can see those entries in syslog, but it's coming from 10.10.10.6 not 192.168.10.1

Yes, I get that, you want broadcasts to traverse the VPN, but what's your end game?  What are you trying to set up that you think won't (or doesn't) work with a routed solution?

Good one! I needed this! Thanks Nachtfalke! Kostas

That option only adds an additional layer of protection on a .p12 certificate store file. I'm not sure that the Viscosity bundle even uses .p12 files, but the Windows Installer does. If you put in a password there, it requires a password to access the certificate inside the .p12 file. It would not include a username or password in plain text in there anywhere regardless of whether or not you chose that option.

You can do that either way. There is documentation for setting it up on the doc wiki (check my sig).

@jimp: or that the system you are trying to reach does not use the pfSense firewall as its default gateway Thank you so much. Sometimes things are so simple that it is almost impossible to spot them. I was trying to connect to the LAN over my OpenVPN connection for hours and couldn't figure out what I did wrong as all routing tables where correct. I am currently in the process of changing my firewalls to pfsense and also configure an new broadband connection. I completely forget that all my servers were still configured with the old gateway ip. Thanks again.

Thanks to cmb this is now working. The trick was to change the mode from Automatic to Custom in VPN Tunneling->Client->Firewall, and add the following iptables rules under Administration->Scripts->Firewall: # apply forwarding for OpenVPN Tunneling iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s 10.8.5.0/24 -j ACCEPT iptables -A FORWARD -s 10.0.0.0/16 -j ACCEPT iptables -A FORWARD -j REJECT # enable forwarding echo 1 > /proc/sys/net/ipv4/ip_forward Thanks again. Now I just have to figure out how to mark this thread as solved.

@broncoBrad: There appears to be a 2048-bit OpenVPN static key in the server setup, which I assume is the shared key which leads me to believe this is pre-shared key authentication. So why is this static key here if this is PKI? Currently I create users for the VPN through the user manager. How is this different than using RADIUS? Which is more secure? http://openvpn.net/index.php/open-source/documentation/howto.html#security

YES! I've disabled gateway monitoring and the connection doesn't get cut anymore. I haven't taken care of setting up gateway monitoring because I thought it's simple monitoring (i.e. 'nice to know' information). Thank you for your help!

@broncoBrad: So just to double check. When I've established a VPN connection all initiations by my computer would be checked against rules on the VPN tab, yes? Yes, if you checked "redirect all traffic through VPN" on OpenVPN server. Now as far as communicating between my computer and other computers on the OPT network that the VPN is tunneled to do I have to create rules that allow for communication between the VPN interface and the OPT network Yes or does the pfSense treat the VPN'd computer as being on the OPT network? No Does that make sense? Thanks in advance!