It should be safe to update.

From then you might have to do a console update by URL. I'm not sure if Auto Update was fixed yet then or not, and I think even the manual update in the GUI had a couple issues.

After you upgrade, edit/save your gateway entries, and it should be OK at that point.

Why are you making the keys by hand? Check the box to have the system make one for you, and then copy/paste from the GUI to the other side.

Even so, I've never had any problems copying and pasting keys made any which way into the GUI there. Are you sure you are copying whole shared key and only the shared key?

It should be like this:```

: openvpn --genkey --secret /dev/stdout

2048 bit OpenVPN static key

-----BEGIN OpenVPN Static key V1-----
6b5853bcafd3d4a87d8255c0fc14dbd1
35a8095c15e17e09c239c75f68095d85
0c2ec7794051de8c73daaffd00bbce12
d88720a8d137c02cd6d0370889ab9932
0f6bbf40efbe822cdcd2a601298023ec
ae2f39049142227a876e22bb2cf00830
7e9ea735748960fbb9a2b23c61894d69
49332cd7f680fea17f2c356f1211d457
b2e141027c2333bdf1a7c76ae405dd8b
e9a8e5569d922388a12d97484f5b9dfd
00a37ae3cdfe173c294a6b845521225a
dbb366077046b0ed5bec860f5db67707
d43d5a504de7db846bc524f045614771
0db1f091aa42b50ca5f42b7b971c8617
b85a21cb8ddbb399718c2c2dccba2b49
f71bd2f7f51535ce9e959055eeb90e6b
-----END OpenVPN Static key V1-----

When I paste that in, what I get in the server<x>.secret file is exactly what I pasted in.</x>

@geyser:

First, I don't know jack about OpenVPN but I've learned a fair bit in the past few hours.

Trying to setup pfSense with a connection to StrongVPN, found some nice guide here:

http://forum.pfsense.org/index.php?topic=29944.0

The guide works, I can get all traffic routing over the VPN.  But I don't want that :-(

Any time I connect to StrongVPN two new routes are put in pfSense that direct all traffic over the VPN leaving my default gateway unused.

The guide suggests to use this: redirect-gateway def1;

That redirects all traffic over the VPN, however even with that not in the configuration the new routing is stuck in there, I think the setting is still being pushed from the StronVPN server.

Anyone know how to do selective routing and/or not have the default gateway bypassed?

Can I ask, what openvpn setup are you using w/ StrongVPN - ie, what encryption levels etc.

Thanks,
Brian

Yes, there is a how to in the pfSense book that covers this.

This was the ticket I was thinking of:

http://redmine.pfsense.org/issues/1009

Though I don't recall the specific objections now. There were issues that caused it to be backed out.

Still not much further forward, I am guessing I need rules to send traffic to the WAN rather than the VPN but as to the specifics of such rules I am not quite sure.

How does it not work?
Config? Logs? Errors? Rules correct?

So do I, less problems and more secure, but can be harder to setup.

Got it. Makes sense. Thanks again jimp!

Try again with a new snapshot. If it still fails, odds are you had the Site-To-Site (SSL/TLS) connection configured improperly, it isn't addressed like a shared key setup, and there was a bug in the code earlier that wasn't correctly setting up the configuration.

Do the devices in the 164 range have a default gateway other than the pfSense?
Do you have the OpenVPN instance assigned as interface?
If yes, might you have a rule not allowing access?

The same on the remote side: Might you have a rule not allowing access?
Do you see anything in the firewall log?

Hi jimp,

thanks for feedback. Just wanted to be sure that I didn't miss anything in the pfsense config.

It might not be too hard to implement, but as with everything, it does take some time.

It would just require adding another checkbox to unhide a custom options box, something like the password box does now, and then some extra code to get the options into the client config.

Doesn't look like the traffic is even hitting the second pf box….but surely it wouldn't be hitting the firewall of pfB since it's LAN > LAN traffic?

EDIT: now solved so forget the above - (had to change the source on the default LANnet rule from LAN Subnet to 'any')  :-[

FYI- this should be working in current snapshots (and with a current/updated openvpn-client-export package)

server: pfsense 1.2.3
client openvpn gui 1.0.3
I used the 2.0 folder to create the keys, certs, etc

I'm willing to give it a go if you can point me in the right direction  :)