• Openvpn up to 100 mbs throughput : what to buy ?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M
    Does your VPN provider limit bandwidth?
  • OpenVPN Push Route Trouble

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    T
    RESOLVED! Cryptography mis-configured. Push route command is successful. Layer 3 communication now successful. Thank you everyone for helping.
  • Client Export on 2.0 Release creates corrupted Windows installers

    Locked
    15
    0 Votes
    15 Posts
    7k Views
    D
    Fixed by jimp in "trunk" version git within minutes after reporting it via pfsense's bugtracker redmine
  • Management Daemon Unreachable in OpenVPN status

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    I
    Removing the management option in advanced config worked for me. I had it set up to a different port in my old config and that didn't work with the GUI. So try and remove the option completely.
  • Openvpn route to different interfaces????

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P
    My mistake. Add all the routes in advanced configuration in OpenVPN, and add Outbound NAT to the specific interface from the OpenVPN address to all others.
  • Hostname Resolution over OpenVPN

    Locked
    6
    0 Votes
    6 Posts
    14k Views
    johnpozJ
    Well, if you're saying you're asking pfsense dns for fqdn of your servers, and it does not answer, that has nothing to do with openvpn. If you're not on the vpn, and you query your pfsense for your fqdn servers?

    Example: my pfsense box is 192.168.1.253

        ; <<>> DiG 9.8.1 <<>> @192.168.1.253 ubuntu.local.lan
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46521
        ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;ubuntu.local.lan.              IN      A

        ;; ANSWER SECTION:
        ubuntu.local.lan.       3600    IN      A       192.168.1.7

        ;; Query time: 3 msec
        ;; SERVER: 192.168.1.253#53(192.168.1.253)
        ;; WHEN: Thu Sep 22 08:05:11 2011
        ;; MSG SIZE  rcvd: 50

    If you can not query your dns for your fqdn, then it's never going to work while over the vpn. If works local, then you prob have a firewall rule blocking access from your vpn to the pfsense dns.

    For example I run unbound, and had to allow for my openvpn segment to be able to query it. In the unbound ACLs, I had to allow for my 10.0.200.0/24 (openvpn ips) to query it.
  • Alert email when OpenVPN connection drops?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    N
    There are many ways: you can build a shell script that checks if the openvpn service is on, or just ping the vpn ips, etc…
  • Pfsense 1.2.3 to 2.0 RC3 upgrade "breaks" OpenVPN

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    M
    That was it!  WOOT!  You are the MAN or WOMAN! LOL  Thanks a lot!
  • Allow Access to Single IP from VPN

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    I
    It is working fine now. I had put the rules in the Firewall tab and completely forgotten about the OpenVPN one. Thanks for the help!
  • Pfsense 2.0 site-to-site with multiple clients[SOLVED]

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    T
    The solution to this problem is to have multiple site-to-site VPNs. You can have a site-to-site between two nodes, but adding clients will cause issues. For inter-connectivity 2 VPN servers and 3 clients are required. This makes a mesh network. Below is a diagram that outlines the solution. Adding a fourth client to the equation makes this even more complicated if inter-connectivity is required. If anyone would like to comment on this solution please do so! [image: VPN.png]
  • OpenVPN per-user authentication method ?

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    T
    @jimp: Yep, the classic Security vs. Convenience trade off. Indeed. In my case I need some convenience, so I'll try to give the "stored credentials" a try. Thanks a lot for your help!
  • Pfsense 2.0 openvpn server and multiple clients

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Add a reconnect delay

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    N
    Hi, did you play around with the "keepalive x y" command on the client site? http://openvpn.net/index.php/open-source/documentation/howto.html

        # The keepalive directive causes ping-like
        # messages to be sent back and forth over
        # the link so that each side knows when
        # the other side has gone down.
        # Ping every 10 seconds, assume that remote
        # peer is down if no ping received during
        # a 120 second time period.
        keepalive 10 120
  • Client export landing page?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    S
    @jimp: No, that would be very insecure. You'd want a page, on your firewall no less, open to the internet protected by only a username and password, that would let someone get a VPN client and full access to your network, using that very same username and password? You, as the admin, download their clients for them, and distribute them to users via network/usb/cd/etc. Because you are dealing with certificates and sensitive data, a physical means of transfer is preferred. I would not recommend e-mailing them. But then again I tend to be paranoid when it comes to those things.

    Yes that's exactly what I'm looking for. That's how the OpenVPN AS appliance works. That's how the Juniper Network Connect full tunnel vpn solution works. That's how Fortinet SSL VPN connect works, etc. etc. This is standard practice. In a corporate implementation, authentication is going to be two factor, ala domain credentials + rsa (which itself will use a static N-digit PIN + random token number).

    Regarding the security, I completely understand your position. But I respectfully request that you do not hold back function because you're concerned about the security of my implementation. When done right, more convenience does not always necessitate less security. I can do it right, I don't need a big brother holding my hand.
  • Site-to-Site from server can reach clients, but no client to client

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    marcellocM
    Troubleshooting is done in the console, not in the GUI. Take some time at the console and you will find something. Tcpdump is your friend.
  • OpenVPN: eurephia plug-in

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    jimpJ
    Just upload a firmware update. Nothing mysterious about it. It should all work. Being able to properly filter wasn't really possible until 2.0. You can do it in 1.2.3 but it's not ideal.
  • OpenVPN as Default Gateway

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    jimpJ
    The NAT is not automatic in that way because most VPN traffic is supposed to pass untouched. In this case you wanted NAT, so the default automatic rules were not correct for your case. At one point we had (accidentally) added those networks to automatic outbound NAT and had a number of problems/complaints from people who didn't want their VPN traffic to have NAT applied.
  • Multiple VPN Servers

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    GruensFroeschliG
    Yes you can do that. However do this only if you want to allow clients from one server on the other server. A use case is to have the same server from the same CA on UDP 1194 and on TCP 443. UDP 1194 is for normal usage. If you're in a very restricted environment and you need to tunnel through an http-proxy you simply can switch to TCP 443.
  • WinXP OpenVPN client connects but is unable to access share

    Locked
    18
    0 Votes
    18 Posts
    15k Views
    johnpozJ
    Well, it would make sense that you would not resolve netbios via broadcast methods over a vpn. Your traffic is routed, not bridged, so broadcast traffic would never get from your remote network to your segment on the other side of the vpn. Yes, dns would be a way of resolving name, or a wins server or host/lmhost file on your clients, etc.

    So, for example, connected currently to my home network via openvpn from work. My popcorn box, I can not view it by netbios name pch. 53 = can not find. If I use dns, then it works, pch.local.lan, and I get error 5 access denied. So I auth and then I can view, etc..

        D:\>net view \\pch
        System error 53 has occurred.
        The network path was not found.

        D:\>net view \\pch.local.lan
        System error 5 has occurred.
        Access is denied.

        D:\>net view \\192.168.1.99
        System error 5 has occurred.
        Access is denied.

        D:\>net use \\pch.local.lan\ipc$ /u:pch\nmt 1234
        The command completed successfully.

        D:\>net view \\pch.local.lan
        Shared resources at \\pch.local.lan

        SMP8634 Share

        Share name  Type  Used as  Comment
        ------------------------------------------------------
        share      Disk
        The command completed successfully.
  • Site-to-Site OpenVPN Slow File Transfer Speeds

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    M
    Is your hardware sufficient to have those speeds with vpn?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.