• 1.2.3 OpenVPN Client to Server requiring certificates & user/passw…

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    J

    I believe that is a similar problem to what I've got over at the link below.  As far as I've seen there is no way to do it in 1.2.3 as a compile option for openvpn is missing.

    http://forum.pfsense.org/index.php/topic,26531.0.html

  • VoIP from IP phone to PBX through an OpenVPN tunnel

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    K

    Hello, thanks for the replies. I'm using UDP, and tried with and without compression, and we did not improve the quality. Our main problem appears to be latency; our system, Alcatel OXO, appears to need latency below 100ms. We need to mark the whole tunnel as VoIP and reserve bandwidth for it to lower the delay. Any ideas?

  • OpenVPN+VoIP= ¿QOS?

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    K

    Thanks a lot for your reply, I have been doing some test, and test and…
    You are right, 3G modems have big latency, we have between 200-300ms on all, even with great bandwidth, the latency is too much to have a clear voice call.

    But we now have some lines working on ADSL routers; some of them have latency (ICMP) between 100-200ms. In this environment I think that prioritizing the whole tunnel will improve the communication enough, because the tunnel has only one RDP connection (with minimum resources for 56Kb lines) and the VoIP.

    So, now how can I prioritize the whole tunnels? I have pfSense 1.2.3 and the wizard does not give many features to configure it.

    Many thanks

  • Openvpn site-to-site problem

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    G

    I have another thing to ask: is it possible if I change the configuration into something like this?

    HQ office:
    ------------
    WAN ip address: 102.XX.XXX.XX
    Lan subnet: 10.0.0.0/16
    Lan Gateway 10.0.0.1

    OVPN config (server)
    protocol: udp
    dynamic ip: tick
    local port: 1194
    address pool: 10.10.0.0/16
    remote network: 10.0.0.0/16
    authentication method: Shared Key

    Site office:

    wan address: dynamic
    lan subnet: 10.0.0.0/16
    lan gateway: 10.0.25.1

    OVPN config (client)
    protocol: udp
    server address: 102.XX.XXX.XX
    server port: 1194
    interface ip: 10.10.0.0/16
    remote network: 10.0.0.0/16
    cryptography: shared key

    or any suggestion from the expert?  ::)

  • Dns problem - FIXED !!

    Locked
    11
    0 Votes
    11 Posts
    4k Views
    V

    Ok, so, I made an assumption that in pfsense:

    Disable all auto-added VPN rules.
    Note: This disables automatically added rules for IPsec, PPTP, and OpenVPN.

    …meant that some "built in" pass rules were just disabled. I didn't realize that NOT checking this option prevents the rules one creates for the new OPT interface from being used.

    I checked this and everything works!

    Sorry all !!!

  • PFsense 2.0 and 1.2.3 mixed OpenVPN

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    P

    Found the solution:

    Due to the Dual WAN solution, all my LAN traffic wanted to go through the MULTIWAN Gateway. This means also OpenVPN traffic.

    Now I have made 1 rule on my LAN so that only traffic for port 80 needs to be balanced and go through the MULTIWAN Gateway,
    then 1 rule at lower priority that lets all other traffic through the * default gateway.

    NOW my OpenVPN works in both directions.

    @pisang98:

    Site 1 (PFSense 1.2.3-RELEASE)
    Dual WAN (Fixed IP's)
    OpenVPN Server
    LAN 192.168.1.1

    Site 2 (PFSense 2.0-BETA1)
    Dual WAN (Dyn IP's)
    OpenVPN Client
    LAN 192.168.0.250

    When I had a PFSense 1.2.3 on site 2 my OpenVPN (Site2Site) worked without any problems.

    Now that I have upgraded to PFSense 2.0 (2x Dyn PPPoE)  I'm having troubles with my OpenVPN

    My 2XWAN on Site2 are balanced TIER1 and that's working.
    OpenVPN connects and is working.  Ping on the PFsense interfaces work to all ip's (Site1 & Site2)

    Connecting from site 1 -> site 2 is working.  (OpenVPN Server)
    Connecting from site 2 -> site 1 is NOT working. (OpenVPN Client)

    I need an OpenVPN Bridge <-> from all networks.

    I have a Firewall rule   *  *  *  *  *  *  none     OpenVPN  for the OpenVPN Traffic on Site2

    I have something wrong on my new PFSense 2.0 (Site2) config.  Or I don't understand the new OpenVPN in 2.0

    Please help.

  • MOVED: iroute issue?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • VERIFY ERROR

    Locked
    3
    0 Votes
    3 Posts
    12k Views
    F

    Thanks, I had messed up the certificates! Now it works.

  • Client Outbound on OPT1

    Locked
    11
    0 Votes
    11 Posts
    5k Views
    K

    Yep, I was able to test it after my office closed today. Just popping the static route in when I need it works for me.

  • Routing Problems

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp

    What do your firewall rules look like on LAN?

    What about the remote openvpn server? Does it have a route back to your LAN subnet? (either via route for shared key, or route/iroute for PKI)

  • OpenVPN site to site from Host to Client not working

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    jimp

    With site-to-site PKI, the "remote network" doesn't really work like that. The Remote Network box is only for Shared Key.

    You need to do two things to get site-to-site PKI to route back to the client network:

    a) Add a "route 192.168.x.0 255.255.255.0;" line in custom options, one for each remote site.
    b) Add a Client-Specific Config entry for each site, using the site's common name of their certificate. In the custom options for this site, add "iroute 192.168.x.0 255.255.255.0;"

  • OpenVPN on 2 win – help, it's for my graduation :)

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    J

    Server:

    local 192.168.10.18

    port 1194

    proto udp

    dev tun

    dev-node MyTap

    ca ca.crt
    cert key.crt
    key key.key

    dh dh1024.pem

    server 10.8.0.0 255.255.255.0

    ifconfig-pool-persist ipp.txt

    push "route 192.168.10.0 255.255.255.0"
    push "route 192.168.0.0 255.255.255.0"

    client-config-dir ccd
    route 192.168.0.0 255.255.255.0
    #iroute 192.168.0.0 255.255.255.0

    push "192.168.10.1"
    push "dhcp-option DNS 10.8.0.1"
    push "dhcp-option WINS 10.8.0.1"

    tls-auth ta.key 0
    comp-lzo

    max-clients 100
    persist-key
    persist-tun

    verb 3

    mute 20

    Client:

    client

    dev tun

    dev-node MyTap

    proto udp

    remote 110.60.20.217 1194

    resolv-retry infinite

    nobind

    persist-key

    persist-tun

    mute-replay-warnings

    ca ca.crt
    cert client1.crt
    key client1.key

    ns-cert-type server

    tls-auth ta.key 1

    comp-lzo

    mute 20

  • Cannot reach LAN from "Address Pool"

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    jimp

    Not sure about Ubuntu clients, but on Win7 were you running the client as Administrator?

    When connected, go to a CMD prompt, and type "route print" and see if you have a route to your home network that has an IP in the OpenVPN address pool as its gateway.

  • MOVED: Is this possible, pfSense to Anonine VPN

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    2 Posts
    8k Views
    jimp

    The client doesn't need dh parameters.

    As for the other problem, on the road warrior server config, in the custom options, put:

    push "route 192.168.2.0 255.255.255.0";

    And then on the site2 client for site-to-site, in the custom options, put:

    route 10.0.0.0 255.255.255.0;

    The first part should tell the clients that they can reach site2 via the OpenVPN connection. The second part will tell site2 how to route back to the OpenVPN road warrior subnet.

  • 0 Votes
    1 Posts
    4k Views
    No one has replied
  • OpenVPN routing

    Locked
    7
    0 Votes
    7 Posts
    6k Views
    K

    and the other part of my config

    [Attachments: 4.jpg, 5.jpg, 6.jpg, 7.jpg]

  • SquidGuard and OpenVPN - Web Filtering

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Client-specific configuration, static IP

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    jimp

    A few simple tests could confirm this behavior, but I'm not sure offhand.

    I haven't tried this myself, but you could require having a CSC entry, and use the directive

    ccd-exclusive;

    In the custom options to enforce the requirement that a client exists on the CSC tab before they can connect.

    The OpenVPN man page doesn't really clarify whether or not the ifconfig-push directives for the CSC entries are taken into account during general pool assignment.

  • Pinging hosts over OPENVPN tunnel

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    P

    Thx, I think I got it now. I've changed Address pool to 10.0.8.0/24 (on the server's side) and on the client side Interface IP: to 10.0.8.0/24, and now I can ping from hosts on A site to hosts on B site. Now I am going to play with DNS. Thx once again.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.